From 337e3de09fe1f0cb2fd4161317867da6e3bc60d6 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:26:15 +0200 Subject: [PATCH 01/46] Add master_certs_destination parameter --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 1340dabb..fa84ec81 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -23,6 +23,8 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs +master_certs_destination: /es_certs + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 5d4e53b089cec4b0aa5071902dbdcda8cbd9948f Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:27:10 +0200 Subject: [PATCH 02/46] Modified task propagation of certificates --- .../ansible-elasticsearch/tasks/main.yml | 137 ++++++++++++------ 1 file changed, 89 insertions(+), 48 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 48c25b98..de1e4fa4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
@@ -110,55 +110,83 @@ register: certs_file_generated tags: xpack-security +# - name: Unzip generated certs.zip +# unarchive: +# src: "{{node_certs_source}}/certs.zip" +# dest: "{{node_certs_source}}/" +# remote_src: yes +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# - certs_file_generated is defined +# - not certificate_file_exists.stat.exists +# tags: xpack-security + +# - name: Copy key & certificate files in generator node (locally) +# synchronize: +# src: "{{node_certs_source}}/{{elasticsearch_node_name}}/" +# dest: "{{node_certs_destination}}/" +# delegate_to: "{{ node_certs_generator_ip }}" +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + +# - name: Copy ca certificate file in generator node (locally) +# synchronize: +# src: "{{node_certs_source}}/ca/" +# dest: "{{node_certs_destination}}/" +# delegate_to: "{{ node_certs_generator_ip }}" +# register: check_certs_permissions +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + +- name: Create the certificates directory + file: + path: "{{master_certs_destination}}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + - elasticsearch_xpack_security + +- name: Copying certificates to Ansible master + fetch: + src: "{{node_certs_source}}/certs.zip" + dest: "{{master_certs_destination}}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + - elasticsearch_xpack_security + tags: xpack-security + - name: Unzip generated certs.zip unarchive: - src: "{{node_certs_source}}/certs.zip" - dest: "{{node_certs_source}}/" - remote_src: yes - when: - - node_certs_generator - - elasticsearch_xpack_security - - certs_file_generated is defined - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{node_certs_source}}/{{elasticsearch_node_name}}/" - dest: 
"{{node_certs_destination}}/" - delegate_to: "{{ node_certs_generator_ip }}" + src: "{{master_certs_destination}}/certs.zip" + dest: "{{master_certs_destination}}/" + become: true + delegate_to: "127.0.0.1" when: - node_certs_generator - elasticsearch_xpack_security tags: xpack-security -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{node_certs_source}}/ca/" - dest: "{{node_certs_destination}}/" - delegate_to: "{{ node_certs_generator_ip }}" - register: check_certs_permissions - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Importing key & certificate files from generator node - shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/{{elasticsearch_node_name}}/ {{node_certs_destination}}/" - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/ca/ {{node_certs_destination}}/" - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security +# - name: Unzip generated certs.zip +# unarchive: +# src: "/tmp/elastic_certificates/certs.zip" +# dest: "/tmp/elastic_certificates" +# become: true +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# - certs_file_generated is defined +# - not certificate_file_exists.stat.exists +# tags: xpack-security + - name: Ensuring certificates folder owner shell: "chown -R elasticsearch: {{node_certs_destination}}/" 
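Review bot: From this hunk on, the Ansible controller keeps `certs.zip` and, once it is unpacked, the key material of every node under `{{master_certs_destination}}`, and no task in the hunk removes it after distribution. The directory is created with `mode: '0700'` but without `become`, while the unarchive task delegated to the same host runs with `become: true`, so the unpacked keys may be owned by a different user than the directory; both delegated tasks should use the same setting, for example `become: true` on the directory task as well. `mode: 0700` on the `fetch` task is, as far as I know, not an option of that module, so the fetched archive gets the controller's default permissions. The three commented-out task blocks would be better deleted than kept in the file.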
@@ -173,15 +201,28 @@ - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security - -- name: Remove generated certs file - shell: /bin/rm -f {{node_certs_source}}/certs.zip* - when: - - node_certs_generator - - elasticsearch_xpack_security + +# Importing certificates + +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + +# - name: Remove generated certs file +# shell: /bin/rm -f {{node_certs_source}}/certs.zip* +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 From db44b6f450a0b56f2adf7c0b9e55f9cfb57793ab Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:27:33 +0200 Subject: [PATCH 03/46] Modified template to accept newly defined variables --- .../ansible-elasticsearch/templates/instances.yml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 index 6279c380..c74b1700 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 @@ -4,10 +4,10 @@ {% if node_certs_generator %} instances: -{% for node in instances %} -- name: "{{ node.name }}" +{% for (key,value) in instances.iteritems() %} +- name: "{{ value.name }}" ip: - - "{{ node.ip }}" + - "{{ value.ip }}" {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} From 55635383f2a9b5b96eea3cc5df72bad38990f0a7 Mon Sep 17 00:00:00 2001 
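Review bot: The added copy task writes `{{ elasticsearch_node_name }}.key` to the node without `owner`, `group` or `mode`, and it sits after the tasks that fix owner and permissions on `{{node_certs_destination}}`, so nothing visible here tightens the private key once it is copied. The permission task just above is also still gated on `check_certs_permissions is defined`, while the tasks that registered that variable are removed in the first hunk of this commit. Setting the attributes on the copy itself, e.g. `owner: elasticsearch`, `group: elasticsearch`, `mode: '0600'`, avoids depending on task order. The task also has no `when:` on `elasticsearch_xpack_security`, and the Kibana and Filebeat copy tasks added later in this series (PATCH 09, PATCH 12) likewise set no mode on the key.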
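Review bot: `instances.iteritems()` exists only on Python 2 dictionaries, so this template fails to render when the controller runs Ansible under Python 3. `{% for key, value in instances.items() %}` works on both interpreters, and since `key` is not used in the loop body, `{% for value in instances.values() %}` would be enough.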
From: Jose M Date: Tue, 30 Jul 2019 14:30:23 +0200 Subject: [PATCH 04/46] Changed instances list format --- playbooks/wazuh-elastic_stack-distributed.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index a422e50b..42f4cf03 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -20,14 +20,15 @@ vars: instances: - - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: # When unzipping, the node will search for its node name folder to get the cert. - - - name: node-2 - ip: - - - name: node-3 - ip: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: 172.16.0.161 # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: 172.16.0.162 + node3: + name: node-3 + ip: 172.16.0.163 - hosts: roles: From b1faf023df41461c8302088e4b14075e85cebc0b Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:30:34 +0200 Subject: [PATCH 05/46] Update instances list --- playbooks/wazuh-elastic_stack-distributed.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index 42f4cf03..b582df9b 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -22,13 +22,13 @@ instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: 172.16.0.161 # When unzipping, the node will search for its node name folder to get the cert. + ip: # When unzipping, the node will search for its node name folder to get the cert. node2: name: node-2 - ip: 172.16.0.162 + ip: node3: name: node-3 - ip: 172.16.0.163 + ip: - hosts: roles: From d877738d45c97be4994d053eb909b84ec072a1f2 Mon Sep 17 00:00:00 2001 
From: Jose M Date: Tue, 30 Jul 2019 15:18:55 +0200 Subject: [PATCH 06/46] Removing unneeded blocks and commenting latest implementation for centos and trusty --- .../ansible-elasticsearch/tasks/main.yml | 93 +++++++------------ 1 file changed, 36 insertions(+), 57 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index de1e4fa4..80f23884 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -175,19 +175,6 @@ - elasticsearch_xpack_security tags: xpack-security -# - name: Unzip generated certs.zip -# unarchive: -# src: "/tmp/elastic_certificates/certs.zip" -# dest: "/tmp/elastic_certificates" -# become: true -# when: -# - node_certs_generator -# - elasticsearch_xpack_security -# - certs_file_generated is defined -# - not certificate_file_exists.stat.exists -# tags: xpack-security - - - name: Ensuring certificates folder owner shell: "chown -R elasticsearch: {{node_certs_destination}}/" when: @@ -202,9 +189,6 @@ - elasticsearch_xpack_security tags: xpack-security - -# Importing certificates - - name: Copying node's certificate from master copy: src: "{{item}}" @@ -215,14 +199,6 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - -# - name: Remove generated certs file -# shell: /bin/rm -f {{node_certs_source}}/certs.zip* -# when: -# - node_certs_generator -# - elasticsearch_xpack_security -# tags: xpack-security - - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 
@@ -238,49 +214,52 @@ when: - elasticsearch_xpack_security -- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf - lineinfile: - path: /etc/security/limits.conf - line: elasticsearch - memlock unlimited - create: yes - become: true - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - changed_when: false +# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf +# lineinfile: +# path: /etc/security/limits.conf +# line: elasticsearch - memlock unlimited +# create: yes +# become: true +# when: +# - ansible_distribution == "Ubuntu" +# - ansible_distribution_major_version | int == 14 +# changed_when: false -- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf - lineinfile: - path: /etc/security/limits.d/elasticsearch.conf - line: elasticsearch - memlock unlimited - create: yes - become: true - changed_when: false - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 +# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf +# lineinfile: +# path: /etc/security/limits.d/elasticsearch.conf +# line: elasticsearch - memlock unlimited +# create: yes +# become: true +# changed_when: false +# when: +# - ansible_distribution == "Ubuntu" +# - ansible_distribution_major_version | int == 14 -- name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd - systemd: daemon_reload=true - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) +# - 
name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd +# systemd: daemon_reload=true +# ignore_errors: true +# when: +# - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") +# - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) +# - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) +# - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Distribution is centos 6.* | Enable Elasticsearch - service: name=elasticsearch enabled=yes +# - name: Distribution is centos 6.* | Enable Elasticsearch +# service: name=elasticsearch enabled=yes -- name: Distribution is centos 6.* | Start Elasticsearch - service: name=elasticsearch state=started - ignore_errors: true +# - name: Distribution is centos 6.* | Start Elasticsearch +# service: name=elasticsearch state=started +# ignore_errors: true - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started + tags: + - configure + - init - name: Make sure Elasticsearch is running before proceeding wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 From fbbf79a15359fb34d322b96488c045d76b12084d Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:35:20 +0200 Subject: [PATCH 07/46] Remove daemon reload and centos 6 blocks --- .../ansible-elasticsearch/tasks/main.yml | 83 +++++-------------- 1 file changed, 20 insertions(+), 63 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 80f23884..904a565a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
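Review bot: Commenting out the `Reload systemd` task means nothing in this hunk runs a daemon reload before `Ensure Elasticsearch started and enabled`; if the role still installs a systemd drop-in earlier in the file (not visible here), the service may start without picking it up. A `systemd:` task with `daemon_reload: true`, limited to systemd hosts, would keep that behaviour. The disabled tasks are left behind as comment blocks; deleting them is cleaner, since git already holds the history.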
@@ -214,44 +214,27 @@ when: - elasticsearch_xpack_security -# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf -# lineinfile: -# path: /etc/security/limits.conf -# line: elasticsearch - memlock unlimited -# create: yes -# become: true -# when: -# - ansible_distribution == "Ubuntu" -# - ansible_distribution_major_version | int == 14 -# changed_when: false - -# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf -# lineinfile: -# path: /etc/security/limits.d/elasticsearch.conf -# line: elasticsearch - memlock unlimited -# create: yes -# become: true -# changed_when: false -# when: -# - ansible_distribution == "Ubuntu" -# - ansible_distribution_major_version | int == 14 - -# - name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd -# systemd: daemon_reload=true -# ignore_errors: true -# when: -# - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") -# - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) -# - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) -# - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - -# - name: Distribution is centos 6.* | Enable Elasticsearch -# service: name=elasticsearch enabled=yes - -# - name: Distribution is centos 6.* | Start Elasticsearch -# service: name=elasticsearch state=started -# ignore_errors: true +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf + lineinfile: + path: /etc/security/limits.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + changed_when: false +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf + 
lineinfile: + path: /etc/security/limits.d/elasticsearch.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + changed_when: false + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 - name: Ensure Elasticsearch started and enabled service: name: elasticsearch @@ -267,32 +250,6 @@ - configure - init -- name: Check for Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: GET - status_code: 200, 404 - when: - - elasticsearch_bootstrap_node or single_node - - not elasticsearch_xpack_security - poll: 30 - register: wazuh_alerts_template_exits - until: wazuh_alerts_template_exits is succeeded - tags: init - -- name: Installing Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: PUT - status_code: 200 - body_format: json - body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" - when: - - wazuh_alerts_template_exits.status is defined - - wazuh_alerts_template_exits.status != 200 - - not elasticsearch_xpack_security - tags: init - - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" From 431bc16343ae59f141f3d53521cbeceb145fb9dc Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:35:39 +0200 Subject: [PATCH 08/46] Add default value master_certs_destination for kibana --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index dcaa0f59..4de06f9b 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml 
@@ -19,6 +19,9 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs +master_certs_destination: /es_certs + + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 2656feac52303962aa84a3a01fa6fba5ccbecad2 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:36:09 +0200 Subject: [PATCH 09/46] Update kibana certs importing --- .../ansible-kibana/tasks/main.yml | 56 +++---------------- 1 file changed, 8 insertions(+), 48 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 4e12b1b2..512d3198 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -14,54 +14,14 @@ - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ kibana_node_name }}.crt" - register: certificate_file_exists - when: - - kibana_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ kibana_node_name }}/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ kibana_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - 
"{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - name: Ensuring certificates folder owner From 229f273e275210fb44409fe27fed43ce2504f16b Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:36:31 +0200 Subject: [PATCH 10/46] Fix Kibana APP installation by becoming user kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 512d3198..dfec0f05 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -78,14 +78,14 @@ tags: install - name: Install Wazuh-APP (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" + shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" environment: NODE_OPTIONS: "--max-old-space-size=3072" args: executable: /bin/bash creates: /usr/share/kibana/plugins/wazuh/package.json notify: restart kibana - ignore_errors: "{{ kibana_plugin_install_ignore_error }}" + become_user: kibana tags: - install - skip_ansible_lint From a305d4ff6fac2c2659e71d9689bb907df3d0937e Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:37:05 +0200 Subject: [PATCH 11/46] Add Filebeat default parameter --- roles/wazuh/ansible-filebeat/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 103d61eb..cf0cb5a1 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml 
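Review bot: `become_user: kibana` only takes effect when privilege escalation is enabled, and this task does not set `become: true`; unless the play enables it (not visible in the hunk), the plugin install still runs as the connecting user. I would add `become: true` next to `become_user: kibana`. The hunk also drops `ignore_errors: "{{ kibana_plugin_install_ignore_error }}"`, so any default defined for that variable becomes unused and could be removed in the same change. The task may continue past the last context line of the hunk.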
+++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -39,6 +39,8 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs +master_certs_destination: /es_certs + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From c6e14f23a01e4c19184773b41c72d590bf058396 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:44:37 +0200 Subject: [PATCH 12/46] Update Filebeat certificate imports --- roles/wazuh/ansible-filebeat/tasks/main.yml | 57 +++------------------ 1 file changed, 8 insertions(+), 49 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7bafcc79..7b89d80d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -26,55 +26,14 @@ tags: - init -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ filebeat_node_name }}.crt" - register: certificate_file_exists - when: - - filebeat_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ filebeat_node_name }}/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ filebeat_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ 
filebeat_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - name: Ensuring certificates folder owner From d027092f6368c9aeb2cdf6f67d388107d5ef126b Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:45:57 +0200 Subject: [PATCH 13/46] Remove "elasticsearch_network" parameter --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index e5eb7547..fa84ec81 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -3,7 +3,6 @@ elasticsearch_cluster_name: wazuh elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 -elasticsearch_host: 127.0.0.1 elasticsearch_jvm_xms: null elastic_stack_version: 7.2.0 single_node: false From ed4b2e7947f40e7745d3d057a96e1336c65724be Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:46:22 +0200 Subject: [PATCH 14/46] Add unzip dependency installation --- .../elastic-stack/ansible-elasticsearch/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index f3f2f568..07519d4f 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -10,6 +10,16 @@ when: - ansible_service_mgr == "systemd" +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + - elasticsearch_xpack_security + + - name: Configure Elasticsearch System Resources. template: src: elasticsearch_systemd.conf.j2 From 45356ee3ef68bd3a3d20b578d81e2df77fd26cac Mon Sep 17 00:00:00 2001 
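Review bot: The `Install unzip dependency.` task installs a package on the Ansible controller (`delegate_to: "127.0.0.1"`) but sets no `become: true`, so it depends on the play's escalation settings also applying to localhost; stating it on the task makes that explicit. Unlike the neighbouring certificate tasks it carries no `tags: xpack-security`, so a run limited to that tag would skip it and the delegated unarchive later in the file could fail. A comment such as `# unzip is needed on the controller by the delegated unarchive task` would explain why a role for Elasticsearch nodes changes the operator's machine.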
From: Jose M Date: Wed, 31 Jul 2019 00:46:54 +0200 Subject: [PATCH 15/46] Delete certs.zip in generator node --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 07519d4f..29dbbbbf 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -143,6 +143,14 @@ - elasticsearch_xpack_security tags: xpack-security +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + - elasticsearch_xpack_security + - name: Unzip generated certs.zip unarchive: src: "{{master_certs_destination}}/certs.zip" From 2104183cdb569a5e94f7849387fc21cbe9a7892f Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:48:20 +0200 Subject: [PATCH 16/46] Modify wait_for with previous variable --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 29dbbbbf..d9811180 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -242,7 +242,7 @@ - init - name: Make sure Elasticsearch is running before proceeding - wait_for: host={{ elasticsearch_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 tags: - configure - init From 1d8f8c525364d36f4e91b6e42780e91be10d394e Mon Sep 17 00:00:00 2001 
From: Jose M Date: Wed, 31 Jul 2019 00:49:25 +0200 Subject: [PATCH 17/46] Fix shell comands --- .../ansible-elasticsearch/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index d9811180..0a91d94a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -111,9 +111,9 @@ - elasticsearch_xpack_security - name: Generating certificates for Elasticsearch security - command: >- - "/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip" + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - elasticsearch_xpack_security @@ -205,10 +205,10 @@ tags: configure - name: Set elasticsearch bootstrap password - shell: | - set -o pipefail - "echo '{{ elasticsearch_xpack_security_password }}' | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf 'bootstrap.password'" + shell: >- + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: + - node_certs_generator - elasticsearch_xpack_security - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf From 5c18d5bed554658941e3b97b1d47135fa63efcc4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:49:43 +0200 Subject: [PATCH 18/46] Update conditionals --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 0a91d94a..def0b46d 100644 
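Review bot: Switching the certutil task to `shell` is not needed to fix it: the line uses no pipe, redirect or expansion, so keeping `command: >-` and only removing the surrounding double quotes has the same effect and keeps the templated `{{ node_certs_source }}` paths away from shell parsing. The task's `when:` list continues outside the hunk.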
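Review bot: The new bootstrap-password command interpolates `{{ elasticsearch_xpack_security_password }}` into the shell line without quoting, so a password containing spaces or shell metacharacters is split or interpreted by the shell, and with `set -o pipefail` removed a failing `echo` no longer fails the task. The value also ends up in the task's logged command line. Passing it on standard input avoids both: `command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"` with `stdin: "{{ elasticsearch_xpack_security_password }}"` under `args:` and `no_log: true` on the task. If the pipe is kept, at least use `{{ elasticsearch_xpack_security_password | quote }}`.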
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -118,7 +118,6 @@ - node_certs_generator - elasticsearch_xpack_security - not xpack_certs_zip.stat.exists - - not certificate_file_exists.stat.exists register: certs_file_generated tags: xpack-security @@ -170,7 +169,6 @@ owner: elasticsearch group: elasticsearch when: - - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security @@ -180,7 +178,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security @@ -192,6 +189,8 @@ - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" + when: + - elasticsearch_xpack_security tags: xpack-security - name: Configure Elasticsearch. @@ -210,7 +209,7 @@ when: - node_certs_generator - elasticsearch_xpack_security - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf @@ -232,6 +231,7 @@ when: - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 + - name: Ensure Elasticsearch started and enabled service: name: elasticsearch From 9734ac23041f40b343b2602c2616357c3f06e298 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:50:17 +0200 Subject: [PATCH 19/46] Remove check_certs_permission parameter --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 -- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index dfec0f05..26c4f16a 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
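Review bot: With `not certificate_file_exists.stat.exists` removed in the first hunk, certificate generation is guarded only by `not xpack_certs_zip.stat.exists`, and an earlier commit in this series (PATCH 15) deletes `certs.zip` on the generator node. If `xpack_certs_zip` is the stat of that file (its registration is not visible here), the guard is true on every run, so a new CA and new node keys are issued each time the play runs and nodes configured in an earlier run would no longer trust them. A guard on the controller copy, for example a `stat` of `{{master_certs_destination}}/ca/ca.crt` with `delegate_to: "127.0.0.1"`, would keep the task idempotent.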
@@ -32,7 +32,6 @@ owner: kibana group: kibana when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security @@ -42,7 +41,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7b89d80d..0be4be83 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -41,9 +41,7 @@ path: "{{ node_certs_destination }}/" mode: '0770' recurse: yes - when: - - check_certs_permissions is defined - filebeat_xpack_security tags: xpack-security From 0cc4838e1da6cbb651052481f1a15cacd5dd9fa4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:51:49 +0200 Subject: [PATCH 20/46] Copy certificates from master now depends on xpack enabled --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 ++ roles/wazuh/ansible-filebeat/tasks/main.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 26c4f16a..0f3dd7a1 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -23,6 +23,8 @@ - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + when: + - elasticsearch_xpack_security - name: Ensuring certificates folder owner file: diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 0be4be83..59bc163c 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
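Review bot: The filebeat hunk (`@@ -41,9 +41,7 @@`) removes the `when:` key together with `- check_certs_permissions is defined` but keeps `- filebeat_xpack_security`, which leaves a list item with no parent key inside the `file:` task. As far as the collapsed layout shows, the task either stops parsing or loses its condition, so the recursive `mode: '0770'` change is no longer gated on `filebeat_xpack_security`. Keep the key and drop only the obsolete entry, i.e. `when:` followed by `- filebeat_xpack_security`. The two kibana hunks in the same commit remove only the list entry and do not have this problem.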
@@ -35,6 +35,9 @@ - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + when: + - elasticsearch_xpack_security + - name: Ensuring certificates folder owner file: From 9580056b747d44144391985984ab012ba38165a7 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 01:16:36 +0200 Subject: [PATCH 21/46] Fix naming on xpack security conditionals --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 +- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 0f3dd7a1..fe91221b 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -24,7 +24,7 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security when: - - elasticsearch_xpack_security + - kibana_xpack_security - name: Ensuring certificates folder owner file: diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 59bc163c..2b566ed5 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -36,7 +36,7 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security when: - - elasticsearch_xpack_security + - filebeat_xpack_security - name: Ensuring certificates folder owner From f8bda2f7c7c58e9559101c8b5fd224391913ed0f Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 12:34:42 +0200 Subject: [PATCH 22/46] Move xpack_security tasks from main.yml to xpack_security.yml --- .../ansible-elasticsearch/tasks/main.yml | 137 +----------------- .../tasks/xpack_security.yml | 126 ++++++++++++++++ 2 files changed, 128 insertions(+), 135 deletions(-) create mode 100644 roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index def0b46d..85706199 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -10,16 +10,6 @@ when: - ansible_service_mgr == "systemd" -- name: Install unzip dependency. - package: - name: unzip - state: present - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - - - name: Configure Elasticsearch System Resources. template: src: elasticsearch_systemd.conf.j2 
@@ -73,126 +63,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" - register: certificate_file_exists +- import_tasks: "xpack_security.yml" when: - elasticsearch_xpack_security -- name: Write the instances.yml file in the selected node (force = no) - template: - src: instances.yml.j2 - dest: "{{ node_certs_source }}/instances.yml" - force: no - register: instances_file_exists - tags: - - config - - xpack-security - when: - - node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - -- name: Update instances.yml status after generation - stat: - path: "{{ node_certs_source }}/instances.yml" - register: instances_file_exists - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Check if the certificates ZIP file exists - stat: - path: "{{ node_certs_source }}/certs.zip" - register: xpack_certs_zip - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Generating certificates for Elasticsearch security - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip - when: - - node_certs_generator - - elasticsearch_xpack_security - - not xpack_certs_zip.stat.exists - register: certs_file_generated - tags: xpack-security - -- name: Create the certificates directory - file: - path: "{{master_certs_destination}}" - state: directory - mode: '0700' - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Copying certificates to Ansible master - fetch: - src: "{{node_certs_source}}/certs.zip" - dest: "{{master_certs_destination}}/" - flat: yes - mode: 0700 - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Delete certs.zip in Generator node - file: - 
state: absent - path: "{{ node_certs_source }}/certs.zip" - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Unzip generated certs.zip - unarchive: - src: "{{master_certs_destination}}/certs.zip" - dest: "{{master_certs_destination}}/" - become: true - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - when: - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - when: - - elasticsearch_xpack_security - tags: xpack-security - -- name: Copying node's certificate from master - copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" - when: - - elasticsearch_xpack_security - tags: xpack-security - - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 @@ -202,14 +76,7 @@ mode: 0660 notify: restart elasticsearch tags: configure - -- name: Set elasticsearch bootstrap password - shell: >- - echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password - when: - - node_certs_generator - - elasticsearch_xpack_security - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml new file mode 100644 index 00000000..3d9f3f7d 
--- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
@@ -0,0 +1,126 @@ + +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Check if certificate exists locally + stat: + path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + +- name: Write the instances.yml file in the selected node (force = no) + template: + src: instances.yml.j2 + dest: "{{ node_certs_source }}/instances.yml" + force: no + register: instances_file_exists + tags: + - config + - xpack-security + when: + - node_certs_generator + - not certificate_file_exists.stat.exists + +- name: Update instances.yml status after generation + stat: + path: "{{ node_certs_source }}/instances.yml" + register: instances_file_exists + when: + - node_certs_generator + +- name: Check if the certificates ZIP file exists + stat: + path: "{{ node_certs_source }}/certs.zip" + register: xpack_certs_zip + when: + - node_certs_generator + +- name: Generating certificates for Elasticsearch security (generating CA) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA) + shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key /usr/share/elasticsearch/myCA.key --ca-cert /usr/share/elasticsearch/myCA.pem --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + tags: xpack-security + +- name: Create the certificates directory + file: + path: "{{master_certs_destination}}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Copying certificates to Ansible master + fetch: + src: 
"{{node_certs_source}}/certs.zip" + dest: "{{master_certs_destination}}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + tags: xpack-security + +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + + +- name: Unzip generated certs.zip + unarchive: + src: "{{master_certs_destination}}/certs.zip" + dest: "{{master_certs_destination}}/" + become: true + delegate_to: "127.0.0.1" + when: + - node_certs_generator + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + state: directory + recurse: yes + owner: elasticsearch + group: elasticsearch + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + mode: '0770' + recurse: yes + tags: xpack-security + +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" + tags: xpack-security + +- name: Set elasticsearch bootstrap password + shell: >- + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + when: + - node_certs_generator + \ No newline at end of file From 8234bb11d2ba24ac94eef7ebba1c1b76f64b7926 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:00:00 +0200 Subject: [PATCH 23/46] Add required variables to use custom CA. --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index fa84ec81..bcbcc819 100644 
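Review bot: In the new `xpack_security.yml`, `Copying node's certificate from master` runs after the two recursive `Ensuring certificates folder owner` tasks and sets no `owner`, `group` or `mode`. On a first run the node's private `.key` is therefore created with the connecting user's ownership and default mode, not the `elasticsearch` owner and `0770` mode the earlier tasks intend. Set them on the copy itself, e.g. `owner: elasticsearch`, `group: elasticsearch`, `mode: '0640'`, or move the copy ahead of the ownership tasks. The `fetch` task's `mode: 0700` is also worth checking: it is an unquoted octal, and `mode` does not appear to be a documented `fetch` option, so confirm it has any effect.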
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -25,6 +25,12 @@ node_certs_destination: /etc/elasticsearch/certs master_certs_destination: /es_certs +# CA generation +generate_CA: false + +ca_key_name: myCA.key +ca_cert_name: myCA.pem + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 01d4cfc1288adaa0d7c2f78e7fe19ca4eba880ec Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:01:21 +0200 Subject: [PATCH 24/46] Implemented tasks to import custom key and cert from Ansible master --- .../tasks/xpack_security.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 3d9f3f7d..d84e1c31 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -39,6 +39,22 @@ when: - node_certs_generator +- name: Importing custom CA key + copy: + src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}" + dest: "{{ node_certs_source }}/{{ ca_key_name }}" + when: + - not generate_CA + tags: xpack-security + +- name: Importing custom CA cert + copy: + src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}" + dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + when: + - not generate_CA + tags: xpack-security + - name: Generating certificates for Elasticsearch security (generating CA) shell: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in From 39d8e5978b0857b8a41207d2d26e73189ef8de9d Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:01:59 +0200 Subject: [PATCH 25/46] Fix conditionals of custom CA --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index d84e1c31..5d1c528b 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -62,6 +62,7 @@ when: - node_certs_generator - not xpack_certs_zip.stat.exists + - generate_CA tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA) @@ -69,6 +70,7 @@ when: - node_certs_generator - not xpack_certs_zip.stat.exists + - not generate_CA tags: xpack-security - name: Create the certificates directory From 4b8303ece281ffb3a61d9407e51484bb8686325e Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:02:33 +0200 Subject: [PATCH 26/46] Fix custom CA generation command --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 5d1c528b..f8166f94 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -66,7 +66,7 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA) - shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key /usr/share/elasticsearch/myCA.key --ca-cert /usr/share/elasticsearch/myCA.pem --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists 
From c547e905027f226867667dbe1c1ede8545efd616 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:04:05 +0200 Subject: [PATCH 27/46] Add verification to ensure ca folder is created --- .../ansible-elasticsearch/tasks/xpack_security.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index f8166f94..2578b05c 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -73,6 +73,14 @@ - not generate_CA tags: xpack-security +- name: Verify the Elastic certificates directory + file: + path: "{{ master_certs_destination }}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator - name: Create the certificates directory file: path: "{{master_certs_destination}}" From 101a0061784f829b3257814067342e61ffd3fdd7 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:04:27 +0200 Subject: [PATCH 28/46] Add folder verification and fix linting --- .../ansible-elasticsearch/tasks/xpack_security.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 2578b05c..3825c3b2 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -81,9 +81,10 @@ delegate_to: "127.0.0.1" when: - node_certs_generator -- name: Create the certificates directory + +- name: Verify the Certificates Authority directory file: - path: "{{master_certs_destination}}" + path: "{{ master_certs_destination }}/ca/" state: directory mode: '0700' delegate_to: "127.0.0.1" 
@@ -92,8 +93,8 @@ - name: Copying certificates to Ansible master fetch: - src: "{{node_certs_source}}/certs.zip" - dest: "{{master_certs_destination}}/" + src: "{{ node_certs_source }}/certs.zip" + dest: "{{ master_certs_destination }}/" flat: yes mode: 0700 when: From 09647b731b2d2d9498040ec811c8c268b72c52a9 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:05:17 +0200 Subject: [PATCH 29/46] Fix typo in task name --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 3825c3b2..8fabf6eb 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -128,7 +128,7 @@ group: elasticsearch tags: xpack-security -- name: Ensuring certificates folder owner +- name: Ensuring certificates folder permissions file: path: "{{ node_certs_destination }}/" mode: '0770' From af0e2f0756ff004acb44ec7fb00b9f3c20244f9d Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:05:49 +0200 Subject: [PATCH 30/46] Add copy block to import node's certificate with custom CA name --- .../tasks/xpack_security.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 8fabf6eb..890db757 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -108,7 +108,6 @@ when: - node_certs_generator - - name: Unzip generated certs.zip unarchive: src: "{{master_certs_destination}}/certs.zip" 
@@ -139,10 +138,24 @@ copy: src: "{{item}}" dest: "{{node_certs_destination}}/" - with_items: + with_items: - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" + when: + - generate_CA + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/{{ca_cert_name}}" + when: + - not generate_CA tags: xpack-security - name: Set elasticsearch bootstrap password From 5ca223726462dc2dac77938bb2adc6059ad4803f Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:06:04 +0200 Subject: [PATCH 31/46] Updated template to avoid hardcoding the ca format. --- .../templates/elasticsearch.yml.j2 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index f851e900..3cd386da 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 
@@ -34,12 +34,19 @@ xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key -xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] - +{% elif generate_CA == false %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} {% endif %} \ No newline at end of file From 3d3b3bc1d05b3edfc8f933b8e438a1619d572b28 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:41:53 +0200 Subject: [PATCH 32/46] Fix permissions and add password option --- .../tasks/xpack_security.yml | 80 +++++++++++-------- 1 file changed, 48 insertions(+), 32 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 890db757..e64b71df 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
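Review bot: The `{% if generate_CA == true %} … {% elif generate_CA == false %}` pair has no fallback, so when `generate_CA` arrives as a string (for example from `-e generate_CA=false` or an INI inventory) neither branch matches and both `certificate_authorities` lines are silently left out of the rendered config. Use `{% if generate_CA | bool %}` with a plain `{% else %}` so exactly one CA path is always emitted. The same construct is added to `kibana.yml.j2` and `filebeat.yml.j2` later in this series. Because the defaults later set `ca_cert_name: ""`, the custom-CA branch can render a path ending in `/`; an assertion that `ca_cert_name` is non-empty when `generate_CA` is false would catch that before the service restarts.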
@@ -41,18 +41,22 @@ - name: Importing custom CA key copy: - src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}" + src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}" + mode: '0664' when: - not generate_CA + - node_certs_generator tags: xpack-security - name: Importing custom CA cert copy: - src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}" + src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + mode: '0664' when: - not generate_CA + - node_certs_generator tags: xpack-security - name: Generating certificates for Elasticsearch security (generating CA) 
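Review bot: `Importing custom CA key` writes the CA private key under `{{ node_certs_source }}` with `mode: '0664'`, which makes it readable by every local user and writable by the group. Whoever can read that file can issue certificates the cluster will trust, so the key should be owner-only, `mode: '0600'`; the certificate can stay world-readable. The key is also never removed from the generator node once `certs.zip` has been built, unlike `certs.zip` itself, so a follow-up task with `state: absent` would limit its exposure. The Kibana role's custom-CA copy later in this series applies the same `'0664'` to the node `.key`.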
@@ -65,17 +69,34 @@ - generate_CA tags: xpack-security -- name: Generating certificates for Elasticsearch security (using provided CA) - shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip +- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - tags: xpack-security + - ca_password == "" + tags: xpack-security +- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ca_password}} + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password != "" + tags: xpack-security + - name: Verify the Elastic certificates directory file: - path: "{{ master_certs_destination }}" + path: "{{ master_certs_path }}" state: directory mode: '0700' delegate_to: "127.0.0.1" @@ -84,7 +105,7 @@ - name: Verify the Certificates Authority directory file: - path: "{{ master_certs_destination }}/ca/" + path: "{{ master_certs_path }}/ca/" state: directory mode: '0700' delegate_to: "127.0.0.1" 
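Review bot: In the `Using CA Password` task, `--ca-pass {{ca_password}}` places the CA key passphrase unquoted on a shell command line, so it is subject to word splitting and shell interpretation, and the full command is recorded in Ansible's task result. Quote it and suppress logging: `--ca-pass {{ ca_password | quote }}` plus `no_log: true` on the task. The passphrase remains visible in the process list while certutil runs, which deserves a comment next to `ca_password` in the role defaults. The two provided-CA tasks differ only in this flag and could be a single task that appends it when `ca_password` is set.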
@@ -94,7 +115,7 @@ - name: Copying certificates to Ansible master fetch: src: "{{ node_certs_source }}/certs.zip" - dest: "{{ master_certs_destination }}/" + dest: "{{ master_certs_path }}/" flat: yes mode: 0700 when: @@ -110,38 +131,22 @@ - name: Unzip generated certs.zip unarchive: - src: "{{master_certs_destination}}/certs.zip" - dest: "{{master_certs_destination}}/" + src: "{{master_certs_path}}/certs.zip" + dest: "{{master_certs_path}}/" become: true delegate_to: "127.0.0.1" when: - node_certs_generator tags: xpack-security -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - tags: xpack-security - -- name: Ensuring certificates folder permissions - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - tags: xpack-security - - name: Copying node's certificate from master copy: src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" when: - generate_CA tags: xpack-security 
@@ -151,13 +156,24 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/{{ca_cert_name}}" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" when: - not generate_CA tags: xpack-security +- name: Ensuring folder permissions + file: + path: "{{ node_certs_destination }}/" + mode: '0774' + state: directory + recurse: yes + when: + - elasticsearch_xpack_security + - generate_CA + tags: xpack-security + - name: Set elasticsearch bootstrap password shell: >- echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password From b2876d15e453636d9c7f946bb63d7ccd8ad9aee3 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:30 +0200 Subject: [PATCH 33/46] Update attributes, remove rsync parameters. --- .../ansible-elasticsearch/defaults/main.yml | 18 ++++++------------ .../ansible-kibana/defaults/main.yml | 12 ++++-------- roles/wazuh/ansible-filebeat/defaults/main.yml | 10 ++++------ 3 files changed, 14 insertions(+), 26 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index bcbcc819..63b953f8 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml 
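Review bot: `Ensuring folder permissions` applies `mode: '0774'` recursively to `{{ node_certs_destination }}`, which leaves the node's private key world-readable, and it runs only when `generate_CA` is true, so the custom-CA path gets no permission handling at all. The preceding hunk of this commit also removes the tasks that set `owner: elasticsearch` and `group: elasticsearch`, so ownership is no longer enforced anywhere in the file. Suggest dropping the `generate_CA` condition and using `owner: elasticsearch`, `group: elasticsearch`, `mode: 'u=rwX,g=rX,o='` so directories stay traversable while files get no execute bit and no access for others. The `elasticsearch_xpack_security` condition is redundant here because `main.yml` already imports the whole file under it.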
@@ -19,23 +19,17 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs -master_certs_destination: /es_certs + # CA generation -generate_CA: false - -ca_key_name: myCA.key -ca_cert_name: myCA.pem - -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 4de06f9b..f8dece59 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -15,14 +15,10 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs -master_certs_destination: /es_certs - - -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index cf0cb5a1..cbf8cc9d 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
@@ -35,13 +35,11 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator : false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs -master_certs_destination: /es_certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" From 7006f99209ad8d28970f36ae5de7f318f6eded80 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:40 +0200 Subject: [PATCH 34/46] Add import to kibana --- .../ansible-kibana/tasks/main.yml | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index fe91221b..ada29886 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -19,12 +19,27 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" - - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" tags: xpack-security when: - kibana_xpack_security + - generate_CA + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + mode: '0664' + with_items: + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" + when: + - kibana_xpack_security + - not generate_CA + tags: xpack-security - name: Ensuring certificates folder owner file: @@ -52,7 +67,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: 0664 + mode: '0664' notify: restart kibana tags: configure From 625970675586b8544404e67b20c8cf259dadbfba Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:50 +0200 Subject: [PATCH 35/46] Update kibana template --- roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 76a3c2c4..0f2ef606 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 
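Review bot: `mode: '0664'` on the new "Copying node's certificate from master (Custom CA)" task applies to every item, including `{{ kibana_node_name }}.key`, so the private key is written group-writable and world-readable. The "Ensuring certificates folder owner" task that follows continues outside the hunk and may tighten this, but the copy should not create the key that way; use `mode: '0640'` (or copy the key in its own task with `'0600'`) and set `owner`/`group` to the account Kibana runs as. The generate_CA copy task above it starts outside the hunk and shows no `mode` in the visible lines, so it needs the same treatment. The second hunk in this file keeps `mode: '0664'` with `group: root` on /etc/kibana/kibana.yml, which the template renders with `elasticsearch.password`, so that file is also readable by any local user.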
@@ -109,6 +109,10 @@ elasticsearch.username: "{{ elasticsearch_xpack_security_user }}" elasticsearch.password: "{{ elasticsearch_xpack_security_password }}" server.ssl.enabled: true server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key" -server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +{% if generate_CA == true %} elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"] +{% elif generate_CA == false %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"] +{% endif %} {% endif %} \ No newline at end of file From bb0c79c455cf3cd0ac1a41bce5ce950e8339fe11 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:57 +0200 Subject: [PATCH 36/46] Update filebeat template --- roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index 0a47af9d..466d9a89 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 @@ -57,8 +57,14 @@ output.elasticsearch: username: {{ elasticsearch_xpack_security_user }} password: {{ elasticsearch_xpack_security_password }} protocol: https +{% if generate_CA == true %} ssl.certificate_authorities: - {{node_certs_destination}}/ca.crt +{% elif generate_CA == false %} + ssl.certificate_authorities: + - {{node_certs_destination}}/{{ca_cert_name}} +{% endif %} + ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" {% endif %} From fb76622080c24a3dc626379d73fc8f898c157297 Mon Sep 17 00:00:00 2001 
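Review bot: `{% if generate_CA == true %}` / `{% elif generate_CA == false %}` leaves a third case in which neither branch renders, so `elasticsearch.ssl.certificateAuthorities` is silently dropped from kibana.yml whenever `generate_CA` arrives as a string (for example from a key=value extra var or an INI inventory) rather than a YAML boolean. Use `{% if generate_CA | bool %}` with a plain `{% else %}` so one CA path is always written; the tasks in this series test the variable with `when: generate_CA` / `not generate_CA`, and the template should agree with them. The filebeat.yml.j2 hunk later on this line has the same `== true` / `== false` pair around `ssl.certificate_authorities` and needs the same change. Both `{% if %}` blocks sit inside an outer conditional that opens outside the hunks.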
From: Jose M Date: Thu, 8 Aug 2019 17:44:08 +0200 Subject: [PATCH 37/46] Add import to --- roles/wazuh/ansible-filebeat/tasks/main.yml | 28 +++++++++++++++------ 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 2b566ed5..a968e62d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -31,18 +31,32 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" - tags: xpack-security + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" when: + - generate_CA - filebeat_xpack_security + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" + when: + - not generate_CA + - filebeat_xpack_security + tags: xpack-security - -- name: Ensuring certificates folder owner +- name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: '0770' + mode: '0774' + state: directory recurse: yes when: - filebeat_xpack_security From 9f08ca93f86f3773ff1810e70b2b1ae73b17400d Mon Sep 17 00:00:00 2001 
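Review bot: The renamed "Ensuring folder & certs permissions" task widens the mode from `'0770'` to `'0774'` and, with `recurse: yes`, applies it to every file under `{{ node_certs_destination }}/`, so `{{ filebeat_node_name }}.key` becomes readable by all local users and each file carries execute bits it does not need. A symbolic mode keeps the directory traversable without exposing the key: `mode: 'u=rwX,g=rX,o='`. The two copy tasks in this hunk set no `mode`, `owner` or `group`, so until this task runs the key has whatever the copy default gives it; setting them on the copy itself is the safer place. The first copy task starts before the hunk and the permissions task's `when:` list continues past its end.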
From: manuasir Date: Wed, 18 Sep 2019 15:35:29 +0200 Subject: [PATCH 38/46] Removed molecule from root folder --- Pipfile | 35 -------- README.md | 15 ++++ molecule/default/Dockerfile.j2 | 14 --- molecule/default/INSTALL.rst | 16 ---- molecule/default/create.yml | 85 ------------------- molecule/default/destroy.yml | 32 ------- molecule/default/molecule.yml.template | 47 ----------- molecule/default/playbook.yml | 19 ----- molecule/default/playbook.yml.template | 19 ----- molecule/default/prepare.yml | 36 -------- molecule/default/tests/test_default.py | 89 -------------------- molecule/elasticsearch/Dockerfile.j2 | 14 --- molecule/elasticsearch/INSTALL.rst | 22 ----- molecule/elasticsearch/molecule.yml | 57 ------------- molecule/elasticsearch/molecule.yml.template | 57 ------------- molecule/elasticsearch/playbook.yml | 6 -- molecule/elasticsearch/playbook.yml.template | 6 -- molecule/elasticsearch/tests/test_default.py | 20 ----- molecule/kibana/Dockerfile.j2 | 14 --- molecule/kibana/INSTALL.rst | 22 ----- molecule/kibana/molecule.yml.template | 40 --------- molecule/kibana/playbook.yml | 6 -- molecule/kibana/playbook.yml.template | 6 -- molecule/kibana/prepare.yml | 36 -------- molecule/kibana/tests/test_default.py | 24 ------ molecule/run_cluster_mode.sh | 43 ---------- molecule/wazuh-agent/Dockerfile.j2 | 14 --- molecule/wazuh-agent/INSTALL.rst | 22 ----- molecule/wazuh-agent/molecule.yml | 89 -------------------- molecule/wazuh-agent/molecule.yml.template | 89 -------------------- molecule/wazuh-agent/playbook.yml | 18 ---- molecule/wazuh-agent/playbook.yml.template | 18 ---- molecule/wazuh-agent/prepare.yml | 43 ---------- molecule/wazuh-agent/tests/test_agents.py | 28 ------ molecule/wazuh-agent/tests/test_manager.py | 15 ---- molecule/worker/Dockerfile.j2 | 14 --- molecule/worker/molecule.yml.template | 53 ------------ molecule/worker/playbook.yml | 21 ----- molecule/worker/playbook.yml.template | 21 ----- molecule/worker/tests/test_default.py | 85 
------------------- 40 files changed, 15 insertions(+), 1295 deletions(-) delete mode 100644 Pipfile delete mode 100644 molecule/default/Dockerfile.j2 delete mode 100644 molecule/default/INSTALL.rst delete mode 100644 molecule/default/create.yml delete mode 100644 molecule/default/destroy.yml delete mode 100644 molecule/default/molecule.yml.template delete mode 100644 molecule/default/playbook.yml delete mode 100644 molecule/default/playbook.yml.template delete mode 100644 molecule/default/prepare.yml delete mode 100644 molecule/default/tests/test_default.py delete mode 100644 molecule/elasticsearch/Dockerfile.j2 delete mode 100644 molecule/elasticsearch/INSTALL.rst delete mode 100644 molecule/elasticsearch/molecule.yml delete mode 100644 molecule/elasticsearch/molecule.yml.template delete mode 100644 molecule/elasticsearch/playbook.yml delete mode 100644 molecule/elasticsearch/playbook.yml.template delete mode 100644 molecule/elasticsearch/tests/test_default.py delete mode 100644 molecule/kibana/Dockerfile.j2 delete mode 100644 molecule/kibana/INSTALL.rst delete mode 100644 molecule/kibana/molecule.yml.template delete mode 100644 molecule/kibana/playbook.yml delete mode 100644 molecule/kibana/playbook.yml.template delete mode 100644 molecule/kibana/prepare.yml delete mode 100644 molecule/kibana/tests/test_default.py delete mode 100644 molecule/run_cluster_mode.sh delete mode 100644 molecule/wazuh-agent/Dockerfile.j2 delete mode 100644 molecule/wazuh-agent/INSTALL.rst delete mode 100644 molecule/wazuh-agent/molecule.yml delete mode 100644 molecule/wazuh-agent/molecule.yml.template delete mode 100644 molecule/wazuh-agent/playbook.yml delete mode 100644 molecule/wazuh-agent/playbook.yml.template delete mode 100644 molecule/wazuh-agent/prepare.yml delete mode 100644 molecule/wazuh-agent/tests/test_agents.py delete mode 100644 molecule/wazuh-agent/tests/test_manager.py delete mode 100644 molecule/worker/Dockerfile.j2 delete mode 100644 
molecule/worker/molecule.yml.template delete mode 100644 molecule/worker/playbook.yml delete mode 100644 molecule/worker/playbook.yml.template delete mode 100644 molecule/worker/tests/test_default.py diff --git a/Pipfile b/Pipfile deleted file mode 100644 index 6f709455..00000000 --- a/Pipfile +++ /dev/null @@ -1,35 +0,0 @@ -[[source]] -url = "https://pypi.org/simple" -verify_ssl = true -name = "pypi" - -[packages] -docker-py = "*" -ansible = "==2.7.13" -molecule = "==2.20.2" - -[dev-packages] - -[requires] -python_version = "2.7" - -[scripts] -test ="molecule test --destroy=never" -worker ="molecule test -s worker --destroy=never" -agent ="molecule test -s wazuh-agent --destroy=never" -elasticsearch ="molecule test -s elasticsearch --destroy=never" -kibana ="molecule test -s kibana --destroy=never" - -# Verify .. -verify ="molecule verify" -verify_worker ="molecule verify -s worker" -verify_agent ="molecule verify -s agent" -verify_elasticsearch ="molecule verify -s elasticsearch" -verify_kibana ="molecule verify -s kibana" - -# Destroy .. -destroy ="molecule destroy" -destroy_worker ="molecule destroy -s worker" -destroy_agent ="molecule destroy -s agent" -destroy_elasticsearch ="molecule destroy -s elasticsearch" -destroy_kibana ="molecule destroy -s kibana" diff --git a/README.md b/README.md index f684d1a8..257d15cc 100644 --- a/README.md +++ b/README.md 
@@ -47,6 +47,21 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. * `master` branch contains the latest code, be aware of possible bugs on this branch. ## Testing + +1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible). + +``` +git clone https://github.com/wazuh/wazuh-qa +``` + +2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory: + +``` +cp wazuh-qa/ansible/wazuh-ansible/* . -R +``` + +3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios: + ``` pip install pipenv sudo pipenv install diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 19692c20..00000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi 
diff --git a/molecule/default/INSTALL.rst b/molecule/default/INSTALL.rst deleted file mode 100644 index e26493b8..00000000 --- a/molecule/default/INSTALL.rst +++ /dev/null @@ -1,16 +0,0 @@ -******* -Install -******* - -Requirements -============ - -* Docker Engine -* docker-py - -Install -======= - -.. code-block:: bash - - $ sudo pip install docker-py diff --git a/molecule/default/create.yml b/molecule/default/create.yml deleted file mode 100644 index 0b25ec81..00000000 --- a/molecule/default/create.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Log into a Docker registry - docker_login: - username: "{{ item.registry.credentials.username }}" - password: "{{ item.registry.credentials.password }}" - email: "{{ item.registry.credentials.email | default(omit) }}" - registry: "{{ item.registry.url }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ molecule_yml.platforms }}" - when: - - item.registry is defined - - item.registry.credentials is defined - - item.registry.credentials.username is defined - - - name: Create Dockerfiles from image names - template: - src: "{{ molecule_scenario_directory }}/Dockerfile.j2" - dest: "{{ molecule_ephemeral_directory }}/Dockerfile_{{ item.image | regex_replace('[^a-zA-Z0-9_]', '_') }}" - with_items: "{{ molecule_yml.platforms }}" - register: platforms - - - name: Discover local Docker images - docker_image_facts: - name: "molecule_local/{{ item.item.name }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - with_items: "{{ platforms.results }}" - register: docker_images - - - name: Build an Ansible compatible image - docker_image: - path: "{{ molecule_ephemeral_directory }}" - name: "molecule_local/{{ item.item.image }}" - docker_host: "{{ item.item.docker_host | default('unix://var/run/docker.sock') }}" - dockerfile: "{{ item.item.dockerfile | default(item.invocation.module_args.dest) }}" - force: "{{ item.item.force | default(true) }}" - with_items: "{{ platforms.results }}" - when: platforms.changed or docker_images.results | map(attribute='images') | select('equalto', []) | list | count >= 0 - - - name: Create docker network(s) - docker_network: - name: "main" - state: present - - - name: Sleep 5 seconds till the network gets created if it's not - # Pause for 5 minutes to build app cache. 
- pause: - seconds: 10 - - - name: Create molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - hostname: "{{ item.name }}" - image: "molecule_local/{{ item.image }}" - state: started - recreate: false - log_driver: json-file - command: "{{ item.command | default('bash -c \"while true; do sleep 10000; done\"') }}" - privileged: "{{ item.privileged | default(omit) }}" - volumes: "{{ item.volumes | default(omit) }}" - capabilities: "{{ item.capabilities | default(omit) }}" - exposed_ports: "{{ item.exposed_ports | default(omit) }}" - published_ports: "{{ item.published_ports | default(omit) }}" - ulimits: "{{ item.ulimits | default(omit) }}" - networks: - - name: "main" - dns_servers: "{{ item.dns_servers | default(omit) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) creation to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" \ No newline at end of file diff --git a/molecule/default/destroy.yml b/molecule/default/destroy.yml deleted file mode 100644 index ddf7062b..00000000 --- a/molecule/default/destroy.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -- name: Destroy - hosts: localhost - connection: local - gather_facts: false - no_log: false - tasks: - - name: Destroy molecule instance(s) - docker_container: - name: "{{ item.name }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - force_kill: "{{ item.force_kill | default(true) }}" - register: server - with_items: "{{ molecule_yml.platforms }}" - async: 7200 - poll: 0 - - - name: Wait for instance(s) deletion to complete - async_status: - jid: "{{ item.ansible_job_id }}" - register: docker_jobs - until: docker_jobs.finished - retries: 300 - with_items: "{{ server.results }}" - - - name: Delete docker network(s) - docker_network: - name: "{{ item }}" - docker_host: "{{ item.docker_host | default('unix://var/run/docker.sock') }}" - state: absent - with_items: "{{ molecule_yml.platforms | molecule_get_docker_networks }}" diff --git a/molecule/default/molecule.yml.template b/molecule/default/molecule.yml.template deleted file mode 100644 index f46226c2..00000000 --- a/molecule/default/molecule.yml.template +++ /dev/null @@ -1,47 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - enabled: false -platforms: - - name: manager_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true -scenario: - name: default - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 - enabled: true diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml deleted file mode 100644 index d4561c1b..00000000 
--- a/molecule/default/playbook.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'manager' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_bionic' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' } \ No newline at end of file diff --git a/molecule/default/playbook.yml.template b/molecule/default/playbook.yml.template deleted file mode 100644 index f73659e9..00000000 --- a/molecule/default/playbook.yml.template +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: wazuh/ansible-wazuh-manager - vars: - wazuh_manager_config: - cluster: - disable: 'no' - name: 'wazuh' - node_name: 'manager' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager_platform' - hidden: 'no' - - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' } \ No newline at end of file diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml deleted file mode 100644 index f3dc9aac..00000000 --- a/molecule/default/prepare.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: true - tasks: - - - name: "Install Python packages for Trusty to solve trust issues" - package: - name: - - python-setuptools - - python-pip - state: latest - register: wazuh_manager_trusty_packages_installed - until: wazuh_manager_trusty_packages_installed is succeeded - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - - name: "Install dependencies" - package: - name: - - curl - - net-tools - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - - - name: "Install (RedHat) dependencies" - package: - name: - - initscripts - state: latest - register: wazuh_manager_dependencies_packages_installed - until: wazuh_manager_dependencies_packages_installed is succeeded - when: - - ansible_os_family == 'RedHat' diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py deleted file mode 100644 index 03fe99d4..00000000 --- a/molecule/default/tests/test_default.py +++ /dev/null 
@@ -1,89 +0,0 @@ -import os -import pytest - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def get_wazuh_version(): - """This return the version of Wazuh.""" - return "3.10.0" - - -def test_wazuh_packages_are_installed(host): - """Test if the main packages are installed.""" - manager = host.package("wazuh-manager") - api = host.package("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - if host.system_info.release == "7": - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - assert api.is_installed - assert api.version.startswith(get_wazuh_version()) - elif host.system_info.release.startswith("6"): - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - elif distribution == 'ubuntu': - assert manager.is_installed - assert manager.version.startswith(get_wazuh_version()) - - -def test_wazuh_services_are_running(host): - """Test if the services are enabled and running. 
- - When assert commands are commented, this means that the service command has - a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107 - """ - manager = host.service("wazuh-manager") - api = host.service("wazuh-api") - - distribution = host.system_info.distribution.lower() - if distribution == 'centos': - # assert manager.is_running - assert manager.is_enabled - # assert not api.is_running - assert not api.is_enabled - elif distribution == 'ubuntu': - # assert manager.is_running - assert manager.is_enabled - # assert api.is_running - assert api.is_enabled - - -@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [ - ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640), - ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640), - ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640), - ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640), -]) -def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode): - """Test if Wazuh related files exist and have proper owners and mode.""" - wazuh_file_host = host.file(wazuh_file) - - assert wazuh_file_host.user == wazuh_owner - assert wazuh_file_host.group == wazuh_group - assert wazuh_file_host.mode == wazuh_mode - - -def test_open_ports(host): - """Test if the main port is open and the agent-auth is not open.""" - distribution = host.system_info.distribution.lower() - if distribution == 'ubuntu': - assert host.socket("tcp://0.0.0.0:1516").is_listening - assert host.socket("tcp://0.0.0.0:1515").is_listening - assert host.socket("tcp://0.0.0.0:1514").is_listening - elif distribution == 'centos': - assert host.socket("tcp://0.0.0.0:1516").is_listening - assert host.socket("tcp://127.0.0.1:1515").is_listening - assert host.socket("tcp://127.0.0.1:1514").is_listening - - -def test_filebeat_is_installed(host): - """Test if the elasticsearch package is installed.""" - filebeat = host.package("filebeat") - assert filebeat.is_installed - assert 
filebeat.version.startswith('7.3.2') diff --git a/molecule/elasticsearch/Dockerfile.j2 b/molecule/elasticsearch/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/elasticsearch/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/elasticsearch/INSTALL.rst b/molecule/elasticsearch/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/elasticsearch/INSTALL.rst +++ /dev/null @@ -1,22 +0,0 @@ -******* -Docker driver installation guide -******* - -Requirements -============ - -* Docker Engine - -Install -======= - -Please refer to the `Virtual environment`_ documentation for installation best -practices. If not using a virtual environment, please consider passing the -widely recommended `'--user' flag`_ when invoking ``pip``. - -.. _Virtual environment: https://virtualenv.pypa.io/en/latest/ -.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site - -.. code-block:: bash - - $ pip install 'molecule[docker]' 
diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml deleted file mode 100644 index 11d8902f..00000000 --- a/molecule/elasticsearch/molecule.yml +++ /dev/null @@ -1,57 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -bionics: - - name: elasticsearch_bionic - image: solita/ubuntu-systemd:bionic - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 512 -scenario: - name: elasticsearch - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - #- idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/elasticsearch/molecule.yml.template b/molecule/elasticsearch/molecule.yml.template deleted file mode 100644 index baba140e..00000000 --- a/molecule/elasticsearch/molecule.yml.template +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker -lint: - name: yamllint - options: - config-data: - ignore: .virtualenv -platforms: - - name: elasticsearch_platform_ - image: imagename - command: /sbin/init - ulimits: - - nofile:262144:262144 - privileged: true - memory_reservation: 2048m -provisioner: - name: ansible - config_options: - defaults: - hash_behaviour: merge - playbooks: - docker: - create: ../default/create.yml - destroy: ../default/destroy.yml - prepare: ../default/prepare.yml - env: - ANSIBLE_ROLES_PATH: ../../roles - lint: - name: ansible-lint - enabled: true - inventory: - group_vars: - all: - elasticsearch_jvm_xms: 512 -scenario: - name: elasticsearch - test_sequence: - - lint - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - side_effect - - verify - - cleanup - - destroy -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/elasticsearch/playbook.yml b/molecule/elasticsearch/playbook.yml deleted file mode 100644 index 6b5c44f8..00000000 --- a/molecule/elasticsearch/playbook.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'elasticsearch_bionic' diff --git a/molecule/elasticsearch/playbook.yml.template b/molecule/elasticsearch/playbook.yml.template deleted file mode 100644 index 0b2f9d5a..00000000 --- a/molecule/elasticsearch/playbook.yml.template +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Converge - hosts: all - roles: - - role: elastic-stack/ansible-elasticsearch - elasticsearch_network_host: 'elasticsearch_platform' diff --git a/molecule/elasticsearch/tests/test_default.py b/molecule/elasticsearch/tests/test_default.py deleted file mode 100644 index f4021876..00000000 --- a/molecule/elasticsearch/tests/test_default.py +++ /dev/null 
@@ -1,20 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_elasticsearch_is_installed(host): - """Test if the elasticsearch package is installed.""" - elasticsearch = host.package("elasticsearch") - assert elasticsearch.is_installed - assert elasticsearch.version.startswith('7.3.2') - - -def test_elasticsearch_is_running(host): - """Test if the services are enabled and running.""" - elasticsearch = host.service("elasticsearch") - assert elasticsearch.is_enabled - assert elasticsearch.is_running diff --git a/molecule/kibana/Dockerfile.j2 b/molecule/kibana/Dockerfile.j2 deleted file mode 100644 index e6aa95d3..00000000 --- a/molecule/kibana/Dockerfile.j2 +++ /dev/null @@ -1,14 +0,0 @@ -# Molecule managed - -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \ - elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi diff --git a/molecule/kibana/INSTALL.rst b/molecule/kibana/INSTALL.rst deleted file mode 100644 index 6a44bde9..00000000 --- a/molecule/kibana/INSTALL.rst +++ /dev/null 
@@ -1,22 +0,0 @@
-*******
-Docker driver installation guide
-*******
-
-Requirements
-============
-
-* Docker Engine
-
-Install
-=======
-
-Please refer to the `Virtual environment`_ documentation for installation best
-practices. If not using a virtual environment, please consider passing the
-widely recommended `'--user' flag`_ when invoking ``pip``.
-
-.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
-.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
-
-.. code-block:: bash
-
- $ pip install 'molecule[docker]'
diff --git a/molecule/kibana/molecule.yml.template b/molecule/kibana/molecule.yml.template
deleted file mode 100644
index eec8f6e3..00000000
--- a/molecule/kibana/molecule.yml.template
+++ /dev/null
@@ -1,40 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: docker
-lint:
- name: yamllint
- options:
- config-data:
- ignore: .virtualenv
-platforms:
- - name: kibana_platform_
- image: imagename
- command: /sbin/init
- ulimits:
- - nofile:262144:262144
- privileged: true
- memory_reservation: 1024m
-provisioner:
- name: ansible
- config_options:
- defaults:
- hash_behaviour: merge
- playbooks:
- docker:
- create: ../default/create.yml
- destroy: ../default/destroy.yml
- env:
- ANSIBLE_ROLES_PATH: ../../roles
- lint:
- name: ansible-lint
- enabled: true
- inventory:
- group_vars:
- all:
- elasticsearch_jvm_xms: 256
-verifier:
- name: testinfra
- lint:
- name: flake8
diff --git a/molecule/kibana/playbook.yml b/molecule/kibana/playbook.yml
deleted file mode 100644
index 6af17723..00000000
--- a/molecule/kibana/playbook.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: elastic-stack/ansible-kibana
- elasticsearch_network_host: 'elasticsearch_bionic'
\ No newline at end of file
diff --git a/molecule/kibana/playbook.yml.template b/molecule/kibana/playbook.yml.template
deleted file mode 100644
index b166ac28..00000000
--- a/molecule/kibana/playbook.yml.template
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: elastic-stack/ansible-kibana
- elasticsearch_network_host: 'elasticsearch_platform'
\ No newline at end of file
diff --git a/molecule/kibana/prepare.yml b/molecule/kibana/prepare.yml
deleted file mode 100644
index c5592219..00000000
--- a/molecule/kibana/prepare.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-- name: Prepare
- hosts: all
- gather_facts: true
- pre_tasks:
-
- - name: "Install Python packages for Trusty to solve trust issues"
- package:
- name:
- - python-setuptools
- - python-pip
- state: latest
- register: wazuh_manager_trusty_packages_installed
- until: wazuh_manager_trusty_packages_installed is succeeded
- when:
- - ansible_distribution == "Ubuntu"
- - ansible_distribution_major_version | int == 14
-
- - name: "Install dependencies"
- package:
- name:
- - curl
- - net-tools
- state: latest
- register: wazuh_manager_dependencies_packages_installed
- until: wazuh_manager_dependencies_packages_installed is succeeded
-
- - name: "Install (RedHat) dependencies"
- package:
- name:
- - initscripts
- state: latest
- register: wazuh_manager_dependencies_packages_installed
- until: wazuh_manager_dependencies_packages_installed is succeeded
- when:
- - ansible_os_family == 'RedHat'
diff --git a/molecule/kibana/tests/test_default.py b/molecule/kibana/tests/test_default.py
deleted file mode 100644
index ccd4d4f2..00000000
--- a/molecule/kibana/tests/test_default.py
+++ /dev/null
@@ -1,24 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
-
-
-def test_port_kibana_is_open(host):
- """Test if the port 5601 is open and listening to connections."""
- host.socket("tcp://0.0.0.0:5601").is_listening
-
-
-def test_find_correct_elasticsearch_version(host):
- """Test if we find the kibana/elasticsearch version in package.json"""
- kibana = host.file("/usr/share/kibana/plugins/wazuh/package.json")
- assert kibana.contains("7.3.2")
-
-
-def test_wazuh_plugin_installed(host):
- """Make sure there is a plugin wazuh directory."""
- kibana = host.file("/usr/share/kibana/plugins/wazuh/")
-
- assert kibana.is_directory
diff --git a/molecule/run_cluster_mode.sh b/molecule/run_cluster_mode.sh
deleted file mode 100644
index c1a0941d..00000000
--- a/molecule/run_cluster_mode.sh
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/bash
-
-paths=( "molecule/default/" "molecule/worker/" "molecule/elasticsearch/" "molecule/kibana/" )
-images=( "solita/ubuntu-systemd:bionic" "solita/ubuntu-systemd:xenial" "milcom/centos7-systemd" "ubuntu:trusty" "centos:6" )
-platform=( "bionic" "xenial" "centos7" "trusty" "centos6" )
-
-echo "Please select an image. "
-
-select IMAGE in "${images[@]}";
-do
- echo "You picked $IMAGE ($REPLY)"
- break
-done
-
-index=$(($REPLY - 1))
-
-if [ -z "$IMAGE" ]
-then
- echo "Platform not selected. Please select a platform of [bionuc, xenial or centos7]. => Aborting"
- exit
-else
- for i in "${paths[@]}"
- do
- cp "$i/playbook.yml.template" "$i/playbook.yml"
- sed -i "s/platform/${platform[$index]}/g" "$i/playbook.yml"
-
- cp "$i/molecule.yml.template" "$i/molecule.yml"
- sed -i "s|imagename|${images[$index]}|g" "$i/molecule.yml"
- sed -i "s/platform_/${platform[$index]}/g" "$i/molecule.yml"
-
- done
-fi
-
-sudo pipenv run elasticsearch
-sudo pipenv run test
-sudo pipenv run worker
-sudo pipenv run kibana
-
-sudo pipenv run destroy
-sudo pipenv run destroy_worker
-sudo pipenv run destroy_elasticsearch
-sudo pipenv run destroy_kibana
-
diff --git a/molecule/wazuh-agent/Dockerfile.j2 b/molecule/wazuh-agent/Dockerfile.j2
deleted file mode 100644
index e6aa95d3..00000000
--- a/molecule/wazuh-agent/Dockerfile.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-# Molecule managed
-
-{% if item.registry is defined %}
-FROM {{ item.registry.url }}/{{ item.image }}
-{% else %}
-FROM {{ item.image }}
-{% endif %}
-
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
- elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
- elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
- elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
- elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
- elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/molecule/wazuh-agent/INSTALL.rst b/molecule/wazuh-agent/INSTALL.rst
deleted file mode 100644
index 6a44bde9..00000000
--- a/molecule/wazuh-agent/INSTALL.rst
+++ /dev/null
@@ -1,22 +0,0 @@
-*******
-Docker driver installation guide
-*******
-
-Requirements
-============
-
-* Docker Engine
-
-Install
-=======
-
-Please refer to the `Virtual environment`_ documentation for installation best
-practices. If not using a virtual environment, please consider passing the
-widely recommended `'--user' flag`_ when invoking ``pip``.
-
-.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
-.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
-
-.. code-block:: bash
-
- $ pip install 'molecule[docker]'
diff --git a/molecule/wazuh-agent/molecule.yml b/molecule/wazuh-agent/molecule.yml
deleted file mode 100644
index a0b050b1..00000000
--- a/molecule/wazuh-agent/molecule.yml
+++ /dev/null
@@ -1,89 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: docker
- #lint:
- # name: yamllint
-lint:
- name: yamllint
- options:
- config-data:
- ignore: .virtualenv
-platforms:
- #- name: wazuh_server_centos7
- # image: milcom/centos7-systemd
- # networks:
- # - name: wazuh
- # privileged: true
- # groups:
- # - manager
- - name: wazuh_agent_bionic
- image: ubuntu:bionic
- networks:
- - name: wazuh
- groups:
- - agent
- #- name: wazuh_agent_xenial
- # image: solita/ubuntu-systemd:xenial
- # privileged: true
- # command: /sbin/init
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_trusty
- # image: ubuntu:trusty
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_centos6
- # image: centos:6
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_centos7
- # image: milcom/centos7-systemd
- # privileged: true
- # networks:
- # - name: wazuh
- # groups:
- # - agent
-provisioner:
- name: ansible
- config_options:
- defaults:
- hash_behaviour: merge
- playbooks:
- docker:
- create: ../default/create.yml
- destroy: ../default/destroy.yml
- env:
- ANSIBLE_ROLES_PATH: ../../roles
- inventory:
- group_vars:
- agent:
- api_pass: password
- wazuh_managers:
- - address: "{{ wazuh_manager_ip }}"
- port: 1514
- protocol: tcp
- api_port: 55000
- api_proto: 'http'
- api_user: null
- wazuh_agent_authd:
- enable: true
- port: 1515
- ssl_agent_ca: null
- ssl_agent_cert: null
- ssl_agent_key: null
- ssl_auto_negotiate: 'no'
- lint:
- name: ansible-lint
- enabled: true
-verifier:
- name: testinfra
- lint:
- name: flake8
diff --git a/molecule/wazuh-agent/molecule.yml.template b/molecule/wazuh-agent/molecule.yml.template
deleted file mode 100644
index a0b050b1..00000000
--- a/molecule/wazuh-agent/molecule.yml.template
+++ /dev/null
@@ -1,89 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: docker
- #lint:
- # name: yamllint
-lint:
- name: yamllint
- options:
- config-data:
- ignore: .virtualenv
-platforms:
- #- name: wazuh_server_centos7
- # image: milcom/centos7-systemd
- # networks:
- # - name: wazuh
- # privileged: true
- # groups:
- # - manager
- - name: wazuh_agent_bionic
- image: ubuntu:bionic
- networks:
- - name: wazuh
- groups:
- - agent
- #- name: wazuh_agent_xenial
- # image: solita/ubuntu-systemd:xenial
- # privileged: true
- # command: /sbin/init
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_trusty
- # image: ubuntu:trusty
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_centos6
- # image: centos:6
- # networks:
- # - name: wazuh
- # groups:
- # - agent
- #- name: wazuh_agent_centos7
- # image: milcom/centos7-systemd
- # privileged: true
- # networks:
- # - name: wazuh
- # groups:
- # - agent
-provisioner:
- name: ansible
- config_options:
- defaults:
- hash_behaviour: merge
- playbooks:
- docker:
- create: ../default/create.yml
- destroy: ../default/destroy.yml
- env:
- ANSIBLE_ROLES_PATH: ../../roles
- inventory:
- group_vars:
- agent:
- api_pass: password
- wazuh_managers:
- - address: "{{ wazuh_manager_ip }}"
- port: 1514
- protocol: tcp
- api_port: 55000
- api_proto: 'http'
- api_user: null
- wazuh_agent_authd:
- enable: true
- port: 1515
- ssl_agent_ca: null
- ssl_agent_cert: null
- ssl_agent_key: null
- ssl_auto_negotiate: 'no'
- lint:
- name: ansible-lint
- enabled: true
-verifier:
- name: testinfra
- lint:
- name: flake8
diff --git a/molecule/wazuh-agent/playbook.yml b/molecule/wazuh-agent/playbook.yml
deleted file mode 100644
index 4feac0c2..00000000
--- a/molecule/wazuh-agent/playbook.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: wazuh/ansible-wazuh-agent
- vars:
- wazuh_managers:
- - address: 'manager_platform'
- port: 1514
- protocol: tcp
- api_port: 55000
- api_proto: 'http'
- api_user: ansible
- wazuh_agent_authd:
- enable: true
- port: 1515
- ssl_agent_ca: null
- ssl_auto_negotiate: 'no'
diff --git a/molecule/wazuh-agent/playbook.yml.template b/molecule/wazuh-agent/playbook.yml.template
deleted file mode 100644
index 4feac0c2..00000000
--- a/molecule/wazuh-agent/playbook.yml.template
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: wazuh/ansible-wazuh-agent
- vars:
- wazuh_managers:
- - address: 'manager_platform'
- port: 1514
- protocol: tcp
- api_port: 55000
- api_proto: 'http'
- api_user: ansible
- wazuh_agent_authd:
- enable: true
- port: 1515
- ssl_agent_ca: null
- ssl_auto_negotiate: 'no'
diff --git a/molecule/wazuh-agent/prepare.yml b/molecule/wazuh-agent/prepare.yml
deleted file mode 100644
index ddb1bbe1..00000000
--- a/molecule/wazuh-agent/prepare.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-- name: Prepare
- hosts: manager
- gather_facts: true
- tasks:
-
- - name: "Install dependencies"
- package:
- name:
- - curl
- - net-tools
- state: latest
- register: wazuh_manager_dependencies_packages_installed
- until: wazuh_manager_dependencies_packages_installed is succeeded
-
- roles:
- - role: wazuh/ansible-wazuh-manager
-
-- name: Prepare
- hosts: agent
- gather_facts: true
- tasks:
-
- - name: "Install Python packages for Trusty to solve trust issues"
- package:
- name:
- - python-setuptools
- - python-pip
- state: latest
- register: wazuh_manager_trusty_packages_installed
- until: wazuh_manager_trusty_packages_installed is succeeded
- when:
- - ansible_distribution == "Ubuntu"
- - ansible_distribution_major_version | int == 14
-
- - name: "Install dependencies"
- package:
- name:
- - curl
- - net-tools
- state: latest
- register: wazuh_agent_dependencies_packages_installed
- until: wazuh_agent_dependencies_packages_installed is succeeded
diff --git a/molecule/wazuh-agent/tests/test_agents.py b/molecule/wazuh-agent/tests/test_agents.py
deleted file mode 100644
index 1846d3fe..00000000
--- a/molecule/wazuh-agent/tests/test_agents.py
+++ /dev/null
@@ -1,28 +0,0 @@
-import os
-import pytest
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('agent')
-
-
-def get_wazuh_version():
- """This return the version of Wazuh."""
- return "3.10.0"
-
-
-def test_ossec_package_installed(Package):
- ossec = Package('wazuh-agent')
- assert ossec.is_installed
-
-
-@pytest.mark.parametrize("wazuh_service, wazuh_owner", (
- ("ossec-agentd", "ossec"),
- ("ossec-execd", "root"),
- ("ossec-syscheckd", "root"),
- ("wazuh-modulesd", "root"),
-))
-def test_wazuh_processes_running(host, wazuh_service, wazuh_owner):
- master = host.process.get(user=wazuh_owner, comm=wazuh_service)
- assert master.args == "/var/ossec/bin/" + wazuh_service
diff --git a/molecule/wazuh-agent/tests/test_manager.py b/molecule/wazuh-agent/tests/test_manager.py
deleted file mode 100644
index 9b085b2b..00000000
--- a/molecule/wazuh-agent/tests/test_manager.py
+++ /dev/null
@@ -1,15 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('manager')
-
-
-def test_agents_registered_on_manager(host):
- cmd = host.run("/var/ossec/bin/manage_agents -l")
- assert 'wazuh_agent_bionic' in cmd.stdout
- assert 'wazuh_agent_xenial' in cmd.stdout
- assert 'wazuh_agent_trusty' in cmd.stdout
- assert 'wazuh_agent_centos6' in cmd.stdout
- assert 'wazuh_agent_centos7' in cmd.stdout
diff --git a/molecule/worker/Dockerfile.j2 b/molecule/worker/Dockerfile.j2
deleted file mode 100644
index e6aa95d3..00000000
--- a/molecule/worker/Dockerfile.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-# Molecule managed
-
-{% if item.registry is defined %}
-FROM {{ item.registry.url }}/{{ item.image }}
-{% else %}
-FROM {{ item.image }}
-{% endif %}
-
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
- elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
- elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
- elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
- elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
- elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/molecule/worker/molecule.yml.template b/molecule/worker/molecule.yml.template
deleted file mode 100644
index ecfe6469..00000000
--- a/molecule/worker/molecule.yml.template
+++ /dev/null
@@ -1,53 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: docker
-lint:
- name: yamllint
- options:
- config-data:
- ignore: .virtualenv
-platforms:
- - name: worker_platform_
- image: imagename
- command: /sbin/init
- ulimits:
- - nofile:262144:262144
- privileged: true
- memory_reservation: 2048m
-provisioner:
- name: ansible
- config_options:
- defaults:
- hash_behaviour: merge
- playbooks:
- docker:
- create: ../default/create.yml
- destroy: ../default/destroy.yml
- prepare: ../default/prepare.yml
- env:
- ANSIBLE_ROLES_PATH: ../../roles
- lint:
- name: ansible-lint
- enabled: true
-scenario:
- name: worker
- test_sequence:
- - lint
- - dependency
- - cleanup
- - destroy
- - syntax
- - create
- - prepare
- - converge
- - idempotence
- - side_effect
- - verify
- - cleanup
- - destroy
-verifier:
- name: testinfra
- lint:
- name: flake8
diff --git a/molecule/worker/playbook.yml b/molecule/worker/playbook.yml
deleted file mode 100644
index a59f93f2..00000000
--- a/molecule/worker/playbook.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: wazuh/ansible-wazuh-manager
- vars:
- wazuh_manager_config:
- cluster:
- disable: 'no'
- name: 'wazuh'
- node_name: 'worker-01'
- node_type: 'worker'
- key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
- port: '1516'
- bind_addr: '0.0.0.0'
- nodes:
- - 'manager_bionic'
- hidden: 'no'
- - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_bionic:9200' }
-
-
diff --git a/molecule/worker/playbook.yml.template b/molecule/worker/playbook.yml.template
deleted file mode 100644
index 45b12d1d..00000000
--- a/molecule/worker/playbook.yml.template
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: wazuh/ansible-wazuh-manager
- vars:
- wazuh_manager_config:
- cluster:
- disable: 'no'
- name: 'wazuh'
- node_name: 'worker-01'
- node_type: 'worker'
- key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
- port: '1516'
- bind_addr: '0.0.0.0'
- nodes:
- - 'manager_platform'
- hidden: 'no'
- - { role: wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: 'elasticsearch_platform:9200' }
-
-
diff --git a/molecule/worker/tests/test_default.py b/molecule/worker/tests/test_default.py
deleted file mode 100644
index 4de03dc3..00000000
--- a/molecule/worker/tests/test_default.py
+++ /dev/null
@@ -1,85 +0,0 @@
-import os
-import pytest
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
-
-
-def get_wazuh_version():
- """This return the version of Wazuh."""
- return "3.10.0"
-
-
-def test_wazuh_packages_are_installed(host):
- """Test if the main packages are installed."""
- manager = host.package("wazuh-manager")
- api = host.package("wazuh-api")
-
- distribution = host.system_info.distribution.lower()
- if distribution == 'centos':
- if host.system_info.release == "7":
- assert manager.is_installed
- assert manager.version.startswith(get_wazuh_version())
- assert api.is_installed
- assert api.version.startswith(get_wazuh_version())
- elif host.system_info.release.startswith("6"):
- assert manager.is_installed
- assert manager.version.startswith(get_wazuh_version())
- elif distribution == 'ubuntu':
- assert manager.is_installed
- assert manager.version.startswith(get_wazuh_version())
-
-
-def test_wazuh_services_are_running(host):
- """Test if the services are enabled and running.
-
- When assert commands are commented, this means that the service command has
- a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
- """
- manager = host.service("wazuh-manager")
- api = host.service("wazuh-api")
-
- distribution = host.system_info.distribution.lower()
- if distribution == 'centos':
- # assert manager.is_running
- assert manager.is_enabled
- # assert not api.is_running
- assert not api.is_enabled
- elif distribution == 'ubuntu':
- # assert manager.is_running
- assert manager.is_enabled
- # assert api.is_running
- assert api.is_enabled
-
-
-@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
- ("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
- ("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
- ("/var/ossec/etc/rules/local_rules.xml", "root", "ossec", 0o640),
- ("/var/ossec/etc/lists/audit-keys", "root", "ossec", 0o640),
-])
-def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
- """Test if Wazuh related files exist and have proper owners and mode."""
- wazuh_file_host = host.file(wazuh_file)
-
- assert wazuh_file_host.user == wazuh_owner
- assert wazuh_file_host.group == wazuh_group
- assert wazuh_file_host.mode == wazuh_mode
-
-
-def test_open_ports(host):
- """Test if the main port is open and the agent-auth is not open."""
- distribution = host.system_info.distribution.lower()
- if distribution == 'ubuntu':
- assert host.socket("tcp://0.0.0.0:1514").is_listening
- elif distribution == 'centos':
- assert host.socket("tcp://127.0.0.1:1514").is_listening
-
-
-def test_filebeat_is_installed(host):
- """Test if the elasticsearch package is installed."""
- filebeat = host.package("filebeat")
- assert filebeat.is_installed
- assert filebeat.version.startswith('7.3.2')
From a1359495a98a966851f171f238b7f372c46f8a78 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez Date: Tue, 24 Sep 2019 10:57:23 +0200 Subject: [PATCH 39/46] Fix linting: trailing whitespace --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 85706199..af17e528 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -76,7 +76,7 @@ mode: 0660 notify: restart elasticsearch tags: configure - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf From 02425e0c85a15157882f5db6f559acd12383a945 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 11:09:21 +0200 Subject: [PATCH 40/46] Fix linting errors Fixed linting on xpack_security.yml --- .../tasks/xpack_security.yml | 67 +++++++++---------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index e64b71df..046c3382 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -39,7 +39,7 @@ when: - node_certs_generator -- name: Importing custom CA key +- name: Importing custom CA key copy: src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}" @@ -61,7 +61,7 @@ - name: Generating certificates for Elasticsearch security (generating CA) shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator 
@@ -70,37 +70,37 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - - ca_password == "" + - ca_password | length == 0 tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} - --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip - --ca-pass {{ca_password}} + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ ca_password }} when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - - ca_password != "" - tags: xpack-security - + - ca_password | length > 0 + tags: xpack-security + - name: Verify the Elastic certificates directory file: path: "{{ master_certs_path }}" state: directory mode: '0700' delegate_to: "127.0.0.1" - when: + when: - node_certs_generator - name: Verify the Certificates Authority directory 
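Review bot: In the `using provided CA | Using CA Password` task the CA key passphrase is passed as `--ca-pass {{ ca_password }}` on a `shell` command line with no `no_log: true`, so the rendered command, passphrase included, is part of the task result and of the process arguments on the generator node while certutil runs. The value is also unquoted, so a passphrase with spaces or shell metacharacters is split or interpreted by the shell. I would add `no_log: true` to this task and write the argument as `--ca-pass {{ ca_password | quote }}`. The later hunk in this series that switches the task to `command` (`@@ -82,9 +85,10 @@`) keeps the same argument and needs the same two changes.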
@@ -109,7 +109,7 @@ state: directory mode: '0700' delegate_to: "127.0.0.1" - when: + when: - node_certs_generator - name: Copying certificates to Ansible master @@ -118,7 +118,7 @@ dest: "{{ master_certs_path }}/" flat: yes mode: 0700 - when: + when: - node_certs_generator tags: xpack-security 
@@ -126,39 +126,39 @@ file: state: absent path: "{{ node_certs_source }}/certs.zip" - when: + when: - node_certs_generator - + - name: Unzip generated certs.zip unarchive: - src: "{{master_certs_path}}/certs.zip" - dest: "{{master_certs_path}}/" + src: "{{ master_certs_path }}/certs.zip" + dest: "{{ master_certs_path }}/" become: true delegate_to: "127.0.0.1" - when: + when: - node_certs_generator tags: xpack-security - name: Copying node's certificate from master copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" with_items: - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_path}}/ca/ca.crt" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - generate_CA tags: xpack-security - name: Copying node's certificate from master (Custom CA) copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_path}}/ca/{{ca_cert_name}}" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - not generate_CA tags: xpack-security 
@@ -179,4 +179,3 @@ echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator - \ No newline at end of file From 534704f115628b6d92a8f81100f56d7b64a1c1b2 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 12:47:28 +0200 Subject: [PATCH 41/46] Fix linting errors on vars --- roles/wazuh/ansible-filebeat/tasks/main.yml | 26 ++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7cd01cbd..85bd17e1 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -28,25 +28,25 @@ - name: Copying node's certificate from master copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_path}}/ca/ca.crt" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - generate_CA - filebeat_xpack_security tags: xpack-security - + - name: Copying node's certificate from master (Custom CA) copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_path}}/ca/{{ca_cert_name}}" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - not generate_CA - filebeat_xpack_security From 4f955fe4988b19c433342daeed87e1bc852b5c78 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 12:49:26 +0200 Subject: [PATCH 42/46] Switch tasks from shell to command --- .../tasks/xpack_security.yml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 046c3382..650692c5 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -60,9 +60,10 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (generating CA) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem + --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists @@ -70,10 +71,12 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) - shell: >- + command: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} - --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists @@ -82,9 +85,10 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) - shell: >- + command: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip --ca-pass {{ ca_password }} when: 
@@ -175,7 +179,8 @@ tags: xpack-security - name: Set elasticsearch bootstrap password - shell: >- + command: >- + set -o pipefail echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator From de70f4eecd1ae6d25e907a0124625952305e07a0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 24 Sep 2019 18:36:44 +0200 Subject: [PATCH 43/46] Add single_node:false to ES distributed playbook --- playbooks/wazuh-elastic_stack-distributed.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index b582df9b..8c6bc567 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -17,6 +17,7 @@ elasticsearch_xpack_security: true node_certs_generator: true elasticsearch_xpack_security_password: elastic_pass + single_node: false vars: instances: @@ -35,6 +36,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-2 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: @@ -47,6 +49,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-3 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: From b8803de85fb71edf090b0c076d4fe3684cd7cb36 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 24 Sep 2019 18:37:14 +0200 Subject: [PATCH 44/46] Fix set bootstrap password task. Linting OK --- .../ansible-elasticsearch/tasks/xpack_security.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
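Review bot: In the `Set elasticsearch bootstrap password` hunk of xpack_security.yml, the new `command:` body still contains `set -o pipefail` and a `|` pipe, but the command module does not pass its argument through a shell. The folded scalar becomes a single command line whose first word is `set`, which is a shell builtin rather than an executable, and the pipe would be handed over as a literal argument, so the task should fail instead of writing `bootstrap.password`. Either keep `shell:` for this one task, or stay on `command:` with the line reduced to `{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password` and the value supplied through the module's `stdin:` argument. The task's `when:` list continues outside the hunk.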
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 650692c5..d05c3241 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -179,8 +179,8 @@ tags: xpack-security - name: Set elasticsearch bootstrap password - command: >- - set -o pipefail - echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + shell: >- + set -o pipefail; + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator From a0d4967b1fd0ab19e5bfa4fab571345253bef2ba Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 09:48:07 +0200 Subject: [PATCH 45/46] Add filebeat_module_folder to default variables --- roles/wazuh/ansible-filebeat/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 78a47cf8..46d65654 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -28,6 +28,8 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_folder: /usr/share/filebeat/module/wazuh + # Xpack Security filebeat_xpack_security: false @@ -43,3 +45,5 @@ node_certs_destination: /etc/filebeat/certs master_certs_path: /es_certs generate_CA: true ca_cert_name: "" + + From 744193008199987e8c589093c45186e3e47c466a Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 11:49:56 +0200 Subject: [PATCH 46/46] Add default filebeat module variables --- roles/wazuh/ansible-filebeat/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) 
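Review bot: In the `Set elasticsearch bootstrap password` task, `echo {{ elasticsearch_xpack_security_password }} | …` expands the password unquoted into a shell command line, so a value containing spaces or shell metacharacters is reinterpreted by the shell. The secret also appears in the task output unless `no_log: true` is set, which this hunk does not show (the `when:` list continues outside it). `set -o pipefail` depends on the shell as well: the `shell` module runs `/bin/sh` by default, and on dash-based systems that option is rejected unless `executable: /bin/bash` is given. Passing the password on stdin of a `command` task removes the shell, the quoting problem and the pipefail dependency together, as sketched below.

```yaml
- name: Set elasticsearch bootstrap password
  command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"
  args:
    stdin: "{{ elasticsearch_xpack_security_password }}"
  no_log: true
  # … unchanged: when conditions …
```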
diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 46d65654..d38565d9 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -28,6 +28,9 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module filebeat_module_folder: /usr/share/filebeat/module/wazuh # Xpack Security
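Review bot: `filebeat_module_package_path: /tmp/` makes a world-writable directory the default staging location for `wazuh-filebeat-0.1.tar.gz`, and no checksum variable is added alongside the package name. The tasks that consume these defaults are not part of this hunk, but if the archive is downloaded there and then unpacked into `filebeat_module_destination`, a fixed file name under `/tmp` can be pre-created by any local user before the role runs. Consider defaulting to a directory owned by the account that runs the role, and adding a variable along the lines of `filebeat_module_package_checksum: ""` so the download step can verify the archive before it is extracted.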