afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
This commit is contained in:
Jochen Schneider 2020-01-16 11:13:23 +01:00
commit 6c4740a401
93 changed files with 6288 additions and 2382 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -4,5 +4,7 @@ wazuh-elastic_stack-distributed.yml
wazuh-elastic_stack-single.yml wazuh-elastic_stack-single.yml
wazuh-elastic.yml wazuh-elastic.yml
wazuh-kibana.yml wazuh-kibana.yml
wazuh-logstash.yml
wazuh-manager.yml wazuh-manager.yml
*.pyc
Pipfile.lock
*.swp

16
.yamllint Normal file
View File

@ -0,0 +1,16 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
# NOTE(retr0h): Templates no longer fail this lint rule.
# Uncomment if running old Molecule templates.
# truthy: disable
ignore: |
.travis.yml
config.yml

180
CHANGELOG.md Normal file → Executable file
View File

@ -1,6 +1,178 @@
# Change Log # Change Log
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
## [v3.11.1_7.5.1]
### Added
- Update to Wazuh v3.11.1
## [v3.11.0_7.5.1]
### Added
- Update to Wazuh v3.11.0
- Implemented changes to configure Wazuh API using the `wazuh.yml` file ([@xr09](https://github.com/xr09)) [PR#342](https://github.com/wazuh/wazuh-ansible/pull/342)
- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302)
- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252)
- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261)
- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270)
- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260)
- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281)
- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292)
### Changed
- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285)
- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286)
- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288)
- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304)
- Agent installation task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310)
- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320)
- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330)
- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329)
### Fixed
- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251)
- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298)
- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299)
- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
## [v3.11.0_7.3.2]
### Added
- Update to Wazuh v3.11.0
### Changed
- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b)
- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246)
### Fixed
- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36)
## [v3.10.0_7.3.2]
### Added
- Update to Wazuh v3.10.0
### Changed
- Updated Kibana [@jm404](https://github.com/jm404) [#237](https://github.com/wazuh/wazuh-ansible/pull/237)
- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222)
- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files)
- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455)
### Fixed
- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227)
- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229)
- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)
### Fixed
- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265)
## [v3.9.5_7.2.1]
### Added
- Update to Wazuh v3.9.5
- Update to Elastic Stack to v7.2.1
## [v3.9.4_7.2.0]
### Added
- Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208)
### Changed
- Default protocol to TCP [@ionphractal](https://github.com/ionphractal) [#204](https://github.com/wazuh/wazuh-ansible/pull/204).
### Fixed
- Fixed network.host is not localhost [@rshad](https://github.com/rshad) [#204](https://github.com/wazuh/wazuh-ansible/pull/212).
## [v3.9.3_7.2.0]
### Added
- Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Wazuh components installations' related issues. Such issues were related to determined OS distributions such as `Ubuntu Trusty` and `CetOS 6`. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Created Ansible playbook and role in order to automate the uninstallation of already installed Wazuh components. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
## [v3.9.2_7.1.1]
### Added
- Update to Wazuh v3.9.2
- Support for Elastic 7
- Ability to deploy an Elasticsearch cluster [#6b95e3](https://github.com/wazuh/wazuh-ansible/commit/6b95e304b6ac4dfec08df5cd0fe29be9cc7dc22c)
## [v3.9.2_6.8.0]
### Added
- Update to Wazuh v3.9.2
## [v3.9.1]
### Added
- Update to Wazuh v3.9.1
- Support for ELK v6.8.0
## [v3.9.0]
### Added
- Update to Wazuh Wazuh v3.9.0 ([manuasir](https://github.com/manuasir) [#177](https://github.com/wazuh/wazuh-ansible/pull/177)).
- Support for Elasticsearch v6.7.1 ([LuisGi91](https://github.com/LuisGi91) [#168](https://github.com/wazuh/wazuh-ansible/pull/168)).
- Added Molecule testing suit ([JJediny](https://github.com/JJediny) [#151](https://github.com/wazuh/wazuh-ansible/pull/151)).
- Added Molecule tests for Wazuh Manager ([dj-wasabi](https://github.com/dj-wasabi) [#169](https://github.com/wazuh/wazuh-ansible/pull/169)).
- Added Molecule tests for Wazuh Agent ([dj-wasabi](https://github.com/dj-wasabi) [#174](https://github.com/wazuh/wazuh-ansible/pull/174)).
### Changed
- Updated network commands ([kravietz](https://github.com/kravietz) [#159](https://github.com/wazuh/wazuh-ansible/pull/159)).
- Enable active response section ([kravietz](https://github.com/kravietz) [#155](https://github.com/wazuh/wazuh-ansible/pull/155)).
### Fixed
- Fix default active response ([LuisGi93](https://github.com/LuisGi93) [#164](https://github.com/wazuh/wazuh-ansible/pull/164)).
- Changing from Oracle Java to OpenJDK ([LuisGi93](https://github.com/LuisGi93) [#173](https://github.com/wazuh/wazuh-ansible/pull/173)).
- Adding alias to agent config file template ([LuisGi93](https://github.com/LuisGi93) [#163](https://github.com/wazuh/wazuh-ansible/pull/163)).
## [v3.8.2] ## [v3.8.2]
### Changed ### Changed
@ -9,9 +181,10 @@ All notable changes to this project will be documented in this file.
## [v3.8.1] ## [v3.8.1]
### Changed ### Changed
- Update to Wazuh version v3.8.1. ([#148](https://github.com/wazuh/wazuh-ansible/pull/148)) - Update to Wazuh version v3.8.1. ([#148](https://github.com/wazuh/wazuh-ansible/pull/148))
## [v3.8.0] ## [v3.8.0]
### Added ### Added
@ -20,7 +193,7 @@ All notable changes to this project will be documented in this file.
- Adapt ossec.conf file for windows agents ([#118](https://github.com/wazuh/wazuh-ansible/pull/118)) - Adapt ossec.conf file for windows agents ([#118](https://github.com/wazuh/wazuh-ansible/pull/118))
- Added labels to ossec.conf ([#135](https://github.com/wazuh/wazuh-ansible/pull/135)) - Added labels to ossec.conf ([#135](https://github.com/wazuh/wazuh-ansible/pull/135))
### Changed ### Changed
- Changed Windows installation directory ([#116](https://github.com/wazuh/wazuh-ansible/pull/116)) - Changed Windows installation directory ([#116](https://github.com/wazuh/wazuh-ansible/pull/116))
- move redundant tags to the outer block ([#133](https://github.com/wazuh/wazuh-ansible/pull/133)) - move redundant tags to the outer block ([#133](https://github.com/wazuh/wazuh-ansible/pull/133))
@ -56,7 +229,7 @@ All notable changes to this project will be documented in this file.
- Changed windows agent version. ([#89](https://github.com/wazuh/wazuh-ansible/pull/89)) - Changed windows agent version. ([#89](https://github.com/wazuh/wazuh-ansible/pull/89))
- Updating to Elastic Stack to 6.5.3 and Wazuh 3.7.1. ([#108](https://github.com/wazuh/wazuh-ansible/pull/108)) - Updating to Elastic Stack to 6.5.3 and Wazuh 3.7.1. ([#108](https://github.com/wazuh/wazuh-ansible/pull/108))
### Fixed ### Fixed
- Solve the conflict betwwen tha agent configuration and the shared master configuration. Also include monitoring for `/var/log/auth.log`. ([#90](https://github.com/wazuh/wazuh-ansible/pull/90)) - Solve the conflict betwwen tha agent configuration and the shared master configuration. Also include monitoring for `/var/log/auth.log`. ([#90](https://github.com/wazuh/wazuh-ansible/pull/90))
@ -97,7 +270,6 @@ Ansible starting point.
Roles: Roles:
- Elastic Stack: - Elastic Stack:
- ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it. - ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it.
- ansible-logstash: This role involves the installation of logstash on the host that runs it.
- ansible-kibana: Using this role we will install Kibana on the host that runs it. - ansible-kibana: Using this role we will install Kibana on the host that runs it.
- Wazuh: - Wazuh:
- ansible-filebeat: This role is prepared to install filebeat on the host that runs it. - ansible-filebeat: This role is prepared to install filebeat on the host that runs it.

25
README.md
View File

@ -18,7 +18,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
│ ├── roles │ ├── roles
│ │ ├── elastic-stack │ │ ├── elastic-stack
│ │ │ ├── ansible-elasticsearch │ │ │ ├── ansible-elasticsearch
│ │ │ ├── ansible-logstash
│ │ │ ├── ansible-kibana │ │ │ ├── ansible-kibana
│ │ │ │
│ │ ├── wazuh │ │ ├── wazuh
@ -35,7 +34,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
│ │ ├── wazuh-elastic_stack-distributed.yml │ │ ├── wazuh-elastic_stack-distributed.yml
│ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-elastic_stack-single.yml
│ │ ├── wazuh-kibana.yml │ │ ├── wazuh-kibana.yml
│ │ ├── wazuh-logstash.yml
│ │ ├── wazuh-manager.yml │ │ ├── wazuh-manager.yml
│ ├── README.md │ ├── README.md
@ -48,6 +46,29 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
* `stable` branch on correspond to the last Wazuh-Ansible stable version. * `stable` branch on correspond to the last Wazuh-Ansible stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch. * `master` branch contains the latest code, be aware of possible bugs on this branch.
## Testing
1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible).
```
git clone https://github.com/wazuh/wazuh-qa
```
2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory:
```
cp wazuh-qa/ansible/wazuh-ansible/* . -R
```
3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios:
```
pip install pipenv
sudo pipenv install
pipenv run test
pipenv run agent
```
## Contribute ## Contribute
If you want to contribute to our repository, please fork our Github repository and submit a pull request. If you want to contribute to our repository, please fork our Github repository and submit a pull request.

4
VERSION
View File

@ -1,2 +1,2 @@
WAZUH-ANSIBLE_VERSION="v3.8.2" WAZUH-ANSIBLE_VERSION="v3.11.1"
REVISION="3801" REVISION="31110"

3
playbooks/wazuh-agent.yml
View File

@ -1,3 +1,4 @@
---
- hosts: <your wazuh agents hosts> - hosts: <your wazuh agents hosts>
roles: roles:
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent - /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent
@ -5,7 +6,7 @@
wazuh_managers: wazuh_managers:
- address: <your manager IP> - address: <your manager IP>
port: 1514 port: 1514
protocol: udp protocol: tcp
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: ansible api_user: ansible

6
playbooks/wazuh-elastic.yml
View File

@ -1,3 +1,5 @@
- hosts: <your elasticsearch host> ---
- hosts: <YOUR_ELASTICSEARCH_IP>
roles: roles:
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'your elasticsearch IP'} - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: '<YOUR_ELASTICSEARCH_IP>'

96
playbooks/wazuh-elastic_stack-distributed.yml
View File

@ -1,9 +1,91 @@
- hosts: <your wazuh server host> ---
- hosts: <node-1 IP>
roles: roles:
- role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
- {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your elastic stack server IP'} elasticsearch_network_host: <node-1 IP>
- hosts: <your elastic stack server host> node_name: node-1
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
elasticsearch_xpack_security: true
node_certs_generator: true
elasticsearch_xpack_security_password: elastic_pass
single_node: false
vars:
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: <node-1 IP> # When unzipping, the node will search for its node name folder to get the cert.
node2:
name: node-2
ip: <node-2 IP>
node3:
name: node-3
ip: <node-3 IP>
- hosts: <node-2 IP>
roles: roles:
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost'} elasticsearch_network_host: <node-2 IP>
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost'} elasticsearch_node_name: node-2
single_node: false
elasticsearch_xpack_security: true
elasticsearch_master_candidate: true
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
- hosts: <node-3 IP>
roles:
- role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: <node-3 IP>
elasticsearch_node_name: node-3
single_node: false
elasticsearch_xpack_security: true
elasticsearch_master_candidate: true
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
# - hosts: 172.16.0.162
# roles:
# - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager
# - role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat
# filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
# filebeat_xpack_security: true
# filebeat_node_name: node-2
# node_certs_generator: false
# elasticsearch_xpack_security_password: elastic_pass
# - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch
# elasticsearch_network_host: 172.16.0.162
# node_name: node-2
# elasticsearch_bootstrap_node: false
# elasticsearch_master_candidate: true
# elasticsearch_discovery_nodes:
# - 172.16.0.161
# - 172.16.0.162
# elasticsearch_xpack_security: true
# node_certs_generator: false
# - hosts: 172.16.0.163
# roles:
# - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana
# kibana_xpack_security: true
# kibana_node_name: node-3
# elasticsearch_network_host: 172.16.0.161
# node_certs_generator: false
# elasticsearch_xpack_security_password: elastic_pass

12
playbooks/wazuh-elastic_stack-single.yml
View File

@ -1,6 +1,8 @@
- hosts: <your single server host> ---
- hosts: <your server host>
roles: roles:
- {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager} - {role: ../roles/wazuh/ansible-wazuh-manager}
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost'} - role: ../roles/wazuh/ansible-filebeat
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: 'localhost' } filebeat_output_elasticsearch_hosts: localhost:9200
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
- { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: '0.0.0.0', elasticsearch_reachable_host: 'localhost' }

7
playbooks/wazuh-kibana.yml
View File

@ -1,3 +1,6 @@
- hosts: <your kibana host> ---
- hosts: <KIBANA_HOST>
roles: roles:
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'your elasticsearch IP'} - role: ../roles/elastic-stack/ansible-kibana
elasticsearch_network_host: <YOUR_ELASTICSEARCH_IP>

3
playbooks/wazuh-logstash.yml
View File

@ -1,3 +0,0 @@
- hosts: <your logstash host>
roles:
- {role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: ["localhost"]}

10
playbooks/wazuh-manager.yml
View File

@ -1,4 +1,8 @@
- hosts: <your wazuh server host> ---
- hosts: <WAZUH_MANAGER_HOST>
roles: roles:
- role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-wazuh-manager
- {role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your logstash IP'} - role: ../roles/wazuh/ansible-filebeat
filebeat_output_elasticsearch_hosts: <YOUR_ELASTICSEARCH_IP>:9200

26
roles/ansible-galaxy/meta/main.yml
View File

@ -5,7 +5,7 @@ dependencies: []
galaxy_info: galaxy_info:
author: Wazuh author: Wazuh
categories: categories:
- monitoring - monitoring
company: wazuh.com company: wazuh.com
description: Installing, deploying and configuring Wazuh Manager. description: Installing, deploying and configuring Wazuh Manager.
galaxy_tags: galaxy_tags:
@ -15,15 +15,15 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- all - all
- name: EL - name: EL
versions: versions:
- all - all
- name: Fedora - name: Fedora
versions: versions:
- all - all
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - all

97
roles/elastic-stack/ansible-elasticsearch/README.md
View File

@ -12,6 +12,8 @@ This role will work on:
* Fedora * Fedora
* Debian * Debian
* Ubuntu * Ubuntu
For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master.
Role Variables Role Variables
-------------- --------------
@ -30,12 +32,105 @@ Defaults variables are listed below, along with its values (see `defaults/main.y
Example Playbook Example Playbook
---------------- ----------------
- Single-node
``` ```
- hosts: elasticsearch - hosts: elasticsearch
roles: roles:
- { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182', single_host: true }
``` ```
- Three nodes Elasticsearch cluster
```
---
- hosts: 172.16.0.161
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.161', elasticsearch_bootstrap_node: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- hosts: 172.16.0.162
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- hosts: 172.16.0.163
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
```
- Three nodes Elasticsearch cluster with XPack security
```
---
- hosts: elastic-1
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.111
elasticsearch_node_name: node-1
single_node: false
elasticsearch_node_master: true
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_xpack_security: true
node_certs_generator: true
node_certs_generator_ip: 172.16.0.111
vars:
instances:
node-1:
name: node-1
ip: 172.16.0.111
node-2:
name: node-2
ip: 172.16.0.112
node-3:
name: node-3
ip: 172.16.0.113
- hosts: elastic-2
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.112
elasticsearch_node_name: node-2
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
- hosts: elastic-3
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.113
elasticsearch_node_name: node-3
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
vars:
elasticsearch_xpack_users:
anne:
password: 'PasswordHere'
roles: '["kibana_user", "monitoring_user"]'
jack:
password: 'PasswordHere'
roles: '["superuser"]'
```
It is possible to define users directly on the playbook, these must be defined on a variable `elasticsearch_xpack_users` on the last node of the cluster as in the example.
License and copyright License and copyright
--------------------- ---------------------

42
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -1,12 +1,40 @@
--- ---
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200 elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 6.5.4 elastic_stack_version: 7.5.1
elasticsearch_shards: 5 elasticsearch_lower_disk_requirements: false
elasticsearch_replicas: 1
elasticsearch_install_java: yes elasticrepo_server: https://artifacts.elastic.co/packages/7.x/apt
elasticrepo_gpg_keyserver: pool.sks-keyservers.net elasticrepo_gpg_keyserver: pool.sks-keyservers.net
elasticrepo_server: https://artifacts.elastic.co/packages/6.x/apt
# Cluster Settings
single_node: true
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_bootstrap_node: false
elasticsearch_node_master: false
elasticsearch_cluster_nodes:
- 127.0.0.1
elasticsearch_discovery_nodes:
- 127.0.0.1
elasticsearch_node_data: true
elasticsearch_node_ingest: true
# X-Pack Security
elasticsearch_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/elasticsearch/certs
# CA generation
master_certs_path: /es_certs
generate_CA: true
ca_key_name: ""
ca_cert_name: ""
ca_password: ""

24
roles/elastic-stack/ansible-elasticsearch/meta/main.yml
View File

@ -6,18 +6,18 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
- all - all
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - all
- name: Debian - name: Debian
versions: versions:
- all - all
- name: Fedora - name: Fedora
versions: versions:
- all - all
galaxy_tags: galaxy_tags:
- web - web
- system - system

56
roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
View File

@ -1,50 +1,52 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
- apt-transport-https
- ca-certificates
state: present state: present
cache_valid_time: 3600 register: elasticsearch_ca_packages_installed
with_items: until: elasticsearch_ca_packages_installed is succeeded
- apt-transport-https
- ca-certificates
- when: elasticsearch_install_java - name: Update and upgrade apt packages
block: become: true
- name: Debian/Ubuntu | Setting webupd8 repository apt:
apt_repository: upgrade: yes
repo: 'ppa:webupd8team/java' update_cache: yes
codename: 'xenial' cache_valid_time: 86400 #One day
update_cache: yes when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Accept Oracle Java 8 license - name: Update and upgrade apt packages
debconf: become: true
name: oracle-java8-installer apt:
question: shared/accepted-oracle-license-v1-1 upgrade: yes
value: true update_cache: yes
vtype: boolean cache_valid_time: 86400 #One day
when:
- name: Debian/Ubuntu | Oracle Java 8 installer - ansible_distribution == "Ubuntu"
apt: - ansible_distribution_major_version | int == 14
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: install
- name: Debian/Ubuntu | Add Elasticsearch GPG key. - name: Debian/Ubuntu | Add Elasticsearch GPG key.
apt_key: apt_key:
keyserver: "{{ elasticrepo_gpg_keyserver }}" keyserver: "{{ elasticrepo_gpg_keyserver }}"
id: 46095ACC8548582C1A2699A9D27D666CD88E42B4 id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: "deb {{ elasticrepo_server }} stable main" repo: "deb {{ elasticrepo_server }} stable main"
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo_7'
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Install Elasticsarch - name: Debian/Ubuntu | Install Elasticsarch
apt: apt:
name: "elasticsearch={{ elastic_stack_version }}" name: "elasticsearch={{ elastic_stack_version }}"
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
register: elasticsearch_main_packages_installed
until: elasticsearch_main_packages_installed is succeeded
tags: install tags: install

3
roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Removing Elasticsearch repository - name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
state: absent state: absent
changed_when: false

1
roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml
View File

@ -3,3 +3,4 @@
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
state: absent state: absent
changed_when: false

24
roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
View File

@ -1,28 +1,14 @@
--- ---
- when: elasticsearch_install_java
block:
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when: oracle_java_task_rpm_download is defined
register: oracle_java_task_rpm_installed
tags: install
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
description: Elastic repository for 6.x packages description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: https://artifacts.elastic.co/packages/7.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install Elasticsarch - name: RedHat/CentOS/Fedora | Install Elasticsarch
package: name=elasticsearch-{{ elastic_stack_version }} state=present package: name=elasticsearch-{{ elastic_stack_version }} state=present
when: not elasticsearch_install_java or oracle_java_task_rpm_installed is defined
tags: install tags: install

115
roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
View File

@ -48,16 +48,6 @@
- ansible_service_mgr != "systemd" - ansible_service_mgr != "systemd"
- ansible_os_family == "RedHat" - ansible_os_family == "RedHat"
- name: Configure Elasticsearch.
template:
src: elasticsearch.yml.j2
dest: /etc/elasticsearch/elasticsearch.yml
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
- name: Configure Elasticsearch JVM memmory. - name: Configure Elasticsearch JVM memmory.
template: template:
src: jvm.options.j2 src: jvm.options.j2
@ -68,46 +58,95 @@
notify: restart elasticsearch notify: restart elasticsearch
tags: configure tags: configure
- name: Reload systemd # fix in new PR (ignore_errors)
systemd: daemon_reload=yes
ignore_errors: yes - import_tasks: "RMRedHat.yml"
when: when: ansible_os_family == "RedHat"
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - import_tasks: "xpack_security.yml"
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) when:
- elasticsearch_xpack_security
- name: Configure Elasticsearch.
template:
src: elasticsearch.yml.j2
dest: /etc/elasticsearch/elasticsearch.yml
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf
lineinfile:
path: /etc/security/limits.conf
line: elasticsearch - memlock unlimited
create: yes
become: true
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
changed_when: false
- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf
lineinfile:
path: /etc/security/limits.d/elasticsearch.conf
line: elasticsearch - memlock unlimited
create: yes
become: true
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
name: elasticsearch name: elasticsearch
enabled: yes enabled: true
state: started state: started
- name: Make sure Elasticsearch is running before proceeding
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: tags:
- configure - configure
- init - init
- name: Check for Wazuh Alerts template - name: Make sure Elasticsearch is running before proceeding
uri: wait_for: host={{ elasticsearch_reachable_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" tags:
method: GET - configure
status_code: 200, 404 - init
register: wazuh_alerts_template_exits
tags: init
- name: Installing Wazuh Alerts template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml" - import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Wait for Elasticsearch API
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_cluster/health/"
user: "elastic" # Default Elasticsearch user is always "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
when:
- elasticsearch_xpack_users is defined
- name: Create elasticsearch users
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}"
method: POST
body_format: json
user: "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }'
validate_certs: no
loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}"
register: http_response
failed_when: http_response.status != 200
when:
- elasticsearch_xpack_users is defined

195
roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml Normal file
View File

@ -0,0 +1,195 @@
- name: Check if certificate exists locally
stat:
path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
register: certificate_file_exists
- name: Write the instances.yml file in the selected node (force = no)
template:
src: instances.yml.j2
dest: "{{ node_certs_source }}/instances.yml"
force: no
register: instances_file_exists
tags:
- config
- xpack-security
when:
- node_certs_generator
- not certificate_file_exists.stat.exists
- name: Update instances.yml status after generation
stat:
path: "{{ node_certs_source }}/instances.yml"
register: instances_file_exists
when:
- node_certs_generator
- name: Check if the certificates ZIP file exists
stat:
path: "{{ node_certs_source }}/certs.zip"
register: xpack_certs_zip
when:
- node_certs_generator
- name: Importing custom CA key
copy:
src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
dest: "{{ node_certs_source }}/{{ ca_key_name }}"
mode: '0664'
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Importing custom CA cert
copy:
src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
mode: '0664'
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Generating certificates for Elasticsearch security (generating CA)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
--in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length == 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
--ca-pass {{ ca_password }}
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length > 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Verify the Elastic certificates directory
file:
path: "{{ master_certs_path }}"
state: directory
mode: '0700'
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Verify the Certificates Authority directory
file:
path: "{{ master_certs_path }}/ca/"
state: directory
mode: '0700'
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Copying certificates to Ansible master
fetch:
src: "{{ node_certs_source }}/certs.zip"
dest: "{{ master_certs_path }}/"
flat: yes
mode: 0700
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Delete certs.zip in Generator node
file:
state: absent
path: "{{ node_certs_source }}/certs.zip"
when:
- node_certs_generator
tags: molecule-idempotence-notest
- name: Unzip generated certs.zip
unarchive:
src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/"
delegate_to: "127.0.0.1"
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Ensuring folder permissions
file:
path: "{{ node_certs_destination }}/"
mode: '0774'
state: directory
recurse: yes
when:
- elasticsearch_xpack_security
- generate_CA
tags: xpack-security
- name: Set elasticsearch bootstrap password
shell: |
set -o pipefail
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
args:
executable: /bin/bash
when:
- node_certs_generator
tags: molecule-idempotence-notest

139
roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
View File

@ -1,89 +1,64 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: {{ elasticsearch_cluster_name }} cluster.name: {{ elasticsearch_cluster_name }}
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: {{ elasticsearch_node_name }} node.name: {{ elasticsearch_node_name }}
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: {{ elasticsearch_network_host }} network.host: {{ elasticsearch_network_host }}
#
# Set a custom port for HTTP: {% if single_node %}
# discovery.type: single-node
#http.port: 9200 {% elif elasticsearch_bootstrap_node %}
# node.master: true
# For more information, consult the network module documentation. cluster.initial_master_nodes:
# {% for item in elasticsearch_cluster_nodes %}
# --------------------------------- Discovery ---------------------------------- - {{ item }}
# {% endfor %}
# Pass an initial list of hosts to perform discovery when new node is started: discovery.seed_hosts:
# The default list of hosts is ["127.0.0.1", "[::1]"] {% for item in elasticsearch_discovery_nodes %}
# - {{ item }}
#discovery.zen.ping.unicast.hosts: ["host1", "host2"] {% endfor %}
# {% else %}
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): node.master: {{ elasticsearch_node_master|lower }}
# {% if elasticsearch_node_data|lower == 'false' %}
#discovery.zen.minimum_master_nodes: 3 node.data: false
# {% endif %}
# For more information, consult the zen discovery module documentation. {% if elasticsearch_node_ingest|lower == 'false' %}
# node.ingest: false
# ---------------------------------- Gateway ----------------------------------- {% endif %}
# discovery.seed_hosts:
# Block initial recovery after a full cluster restart until N nodes are started: {% for item in elasticsearch_discovery_nodes %}
# - {{ item }}
#gateway.recover_after_nodes: 3 {% endfor %}
# {% endif %}
# For more information, consult the gateway module documentation.
# {% if elasticsearch_lower_disk_requirements %}
# ---------------------------------- Various ----------------------------------- cluster.routing.allocation.disk.threshold_enabled: true
# cluster.routing.allocation.disk.watermark.flood_stage: 200mb
# Require explicit names when deleting indices: cluster.routing.allocation.disk.watermark.low: 500mb
# cluster.routing.allocation.disk.watermark.high: 300mb
#action.destructive_requires_name: true {% endif %}
{% if elasticsearch_xpack_security %}
# XPACK Security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key
xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt
{% if generate_CA == true %}
xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
{% elif generate_CA == false %}
xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ]
{% endif %}
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key
xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt
{% if generate_CA == true %}
xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
{% elif generate_CA == false %}
xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ]
{% endif %}
{% endif %}

17
roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 Normal file
View File

@ -0,0 +1,17 @@
# {{ ansible_managed }}
# TO-DO
{% if node_certs_generator %}
instances:
{% for (key,value) in instances.items() %}
- name: "{{ value.name }}"
{% if value.ip is defined and value.ip | length > 0 %}
ip:
- "{{ value.ip }}"
{% elif value.dns is defined and value.dns | length > 0 %}
dns:
- "{{ value.dns }}"
{% endif %}
{% endfor %}
{% endif %}

621
roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
View File

@ -1,621 +0,0 @@
{
"order": 0,
"template": "wazuh-alerts-3.x-*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"cluster": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
},
"gdpr": {
"type": "keyword",
"doc_values": "true"
},
"gpg13": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"data": {
"properties": {
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"srcport": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
}

1676
roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

45
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -1,10 +1,47 @@
--- ---
kibana_node_name: node-1
elasticsearch_http_port: "9200" elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 6.5.4 elastic_stack_version: 7.5.1
wazuh_version: 3.8.2 wazuh_version: 3.11.1
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
elasticrepo_server: https://artifacts.elastic.co/packages/7.x/apt
elasticrepo_gpg_keyserver: pool.sks-keyservers.net elasticrepo_gpg_keyserver: pool.sks-keyservers.net
elasticrepo_server: https://artifacts.elastic.co/packages/6.x/apt
wazuhapp_location: https://packages.wazuh.com/wazuhapp # API credentials
wazuh_api_credentials:
- id: "default"
url: "http://localhost"
port: 55000
user: "foo"
password: "bar"
# Xpack Security
kibana_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/kibana/certs
# CA Generation
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_8.x"
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.11-7.5

24
roles/elastic-stack/ansible-kibana/meta/main.yml
View File

@ -6,18 +6,18 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
- all - all
- name: Fedora - name: Fedora
versions: versions:
- all - all
- name: Debian - name: Debian
versions: versions:
- all - all
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - all
galaxy_tags: galaxy_tags:
- web - web
- system - system

17
roles/elastic-stack/ansible-kibana/tasks/Debian.yml
View File

@ -1,12 +1,12 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
- apt-transport-https
- ca-certificates
state: present state: present
cache_valid_time: 3600 register: kibana_installing_ca_package
with_items: until: kibana_installing_ca_package is succeeded
- apt-transport-https
- ca-certificates
- name: Debian/Ubuntu | Add Elasticsearch GPG key - name: Debian/Ubuntu | Add Elasticsearch GPG key
apt_key: apt_key:
@ -17,12 +17,15 @@
apt_repository: apt_repository:
repo: "deb {{ elasticrepo_server }} stable main" repo: "deb {{ elasticrepo_server }} stable main"
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo_7'
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Install Kibana - name: Debian/Ubuntu | Install Kibana
apt: apt:
name: "kibana={{ elastic_stack_version }}" name: "kibana={{ elastic_stack_version }}"
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
register: installing_kibana_package
until: installing_kibana_package is succeeded
tags: install tags: install

3
roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Removing Elasticsearch repository - name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
state: absent state: absent
changed_when: false

1
roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml
View File

@ -3,3 +3,4 @@
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
state: absent state: absent
changed_when: false

11
roles/elastic-stack/ansible-kibana/tasks/RedHat.yml
View File

@ -1,12 +1,15 @@
--- ---
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
description: Elastic repository for 6.x packages description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: https://artifacts.elastic.co/packages/7.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install Kibana - name: RedHat/CentOS/Fedora | Install Kibana
package: name=kibana-{{ elastic_stack_version }} state=present package: name=kibana-{{ elastic_stack_version }} state=present
register: installing_kibana_package
until: installing_kibana_package is succeeded
tags: install tags: install

77
roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml Normal file
View File

@ -0,0 +1,77 @@
---
- name: Ensure the Git package is present
package:
name: git
state: present
- name: Modify repo url if host is in Debian family
set_fact:
node_js_repo_type: deb
when:
- ansible_os_family | lower == "debian"
- name: Download script to install Nodejs repository
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh"
mode: "0700"
- name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh
register: node_repo_installation_result
changed_when: false
- name: Install Nodejs
package:
name: nodejs
state: present
- name: Install yarn dependency to build the Wazuh Kibana Plugin
# Using shell due to errors when evaluating text between @ with command
shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
register: install_yarn_result
changed_when: install_yarn_result == 0
- name: Remove old wazuh-kibana-app git directory
file:
path: /tmp/app
state: absent
changed_when: false
- name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
register: clone_app_repo_result
changed_when: false
args:
chdir: "/tmp"
- name: Executing yarn to build the package
command: "{{ item }}"
with_items:
- "yarn"
- "yarn build"
register: yarn_execution_result
changed_when: false
args:
chdir: "/tmp/app/"
- name: Obtain name of generated package
shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
register: wazuhapp_package_name
changed_when: false
args:
chdir: "/tmp/app/build"
- name: Install Wazuh Plugin (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint

148
roles/elastic-stack/ansible-kibana/tasks/main.yml
View File

@ -1,21 +1,76 @@
--- ---
- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
fail:
msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
when:
- build_from_sources
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- import_tasks: RedHat.yml - import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml - import_tasks: Debian.yml
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Make sure Elasticsearch is running before proceeding.
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: configure
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd:
ignore_errors: yes daemon_reload: true
ignore_errors: true
when: when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
tags: xpack-security
when:
- kibana_xpack_security
- generate_CA
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: '0664'
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- kibana_xpack_security
- not generate_CA
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
state: directory
recurse: yes
owner: kibana
group: kibana
when:
- kibana_xpack_security
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
mode: '0770'
recurse: yes
when:
- kibana_xpack_security
notify: restart kibana
tags: xpack-security
- name: Kibana configuration - name: Kibana configuration
template: template:
@ -23,41 +78,94 @@
dest: /etc/kibana/kibana.yml dest: /etc/kibana/kibana.yml
owner: root owner: root
group: root group: root
mode: 0664 mode: '0664'
notify: restart kibana notify: restart kibana
tags: configure tags: configure
- name: Checking Wazuh-APP version - name: Checking Wazuh-APP version
shell: "grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo" shell: >-
grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json
args: args:
executable: /bin/bash
removes: /usr/share/kibana/plugins/wazuh/package.json removes: /usr/share/kibana/plugins/wazuh/package.json
register: wazuh_app_verify register: wazuh_app_verify
changed_when: False changed_when: false
tags: install failed_when:
- wazuh_app_verify.rc != 0
- wazuh_app_verify.rc != 1
- name: Removing old Wazuh-APP - name: Removing old Wazuh-APP
command: /usr/share/kibana/bin/kibana-plugin remove wazuh command: /usr/share/kibana/bin/kibana-plugin --allow-root remove wazuh
when: wazuh_app_verify.stdout == "0" when: wazuh_app_verify.rc == 1
tags: install tags: install
- name: Removing bundles - name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent file:
when: wazuh_app_verify.stdout == "0" path: /usr/share/kibana/optimize/bundles
state: absent
when: wazuh_app_verify.rc == 1
tags: install tags: install
- name: Install Wazuh-APP (can take a while) - name: Explicitly starting Kibana to generate "wazuh-"
shell: "/usr/share/kibana/bin/kibana-plugin install {{wazuhapp_location}}/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" service:
name: kibana
state: started
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
environment: environment:
NODE_OPTIONS: "--max-old-space-size=3072" NODE_OPTIONS: "--max-old-space-size=3072"
args: args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json creates: /usr/share/kibana/plugins/wazuh/package.json
become: yes
become_user: kibana
notify: restart kibana notify: restart kibana
tags: install tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Ensure Kibana started and enabled - name: Wait for Elasticsearch port
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
- name: Select correct API protocol
set_fact:
elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh"
method: DELETE
user: "{{ elasticsearch_xpack_security_user }}"
password: "{{ elasticsearch_xpack_security_password }}"
validate_certs: no
status_code: 200, 404
- name: Configure Wazuh Kibana Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/kibana/plugins/wazuh/wazuh.yml
owner: kibana
group: root
mode: 0644
- name: Reload systemd configuration
systemd:
daemon_reload: true
- name: Ensure Kibana is started and enabled
service: service:
name: kibana name: kibana
enabled: yes enabled: true
state: started state: started
- import_tasks: RMRedHat.yml - import_tasks: RMRedHat.yml

20
roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2
View File

@ -19,7 +19,11 @@ server.host: {{ kibana_server_host }}
#server.name: "your-hostname" #server.name: "your-hostname"
# The URL of the Elasticsearch instance to use for all your queries. # The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" {% if kibana_xpack_security %}
elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% else %}
elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% endif %}
# When this setting's value is true Kibana uses the hostname specified in the server.host # When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host # setting. When the value of this setting is false, Kibana uses the hostname of the host
@ -98,3 +102,17 @@ elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_htt
# Set the interval in milliseconds to sample system and process performance # Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000. # metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000 #ops.interval: 5000
# Xpack Security
{% if kibana_xpack_security %}
elasticsearch.username: "{{ elasticsearch_xpack_security_user }}"
elasticsearch.password: "{{ elasticsearch_xpack_security_password }}"
server.ssl.enabled: true
server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key"
server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt"
{% if generate_CA == true %}
elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"]
{% elif generate_CA == false %}
elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"]
{% endif %}
{% endif %}

134
roles/elastic-stack/ansible-kibana/templates/wazuh.yml.j2 Normal file
View File

@ -0,0 +1,134 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2019 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-3.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-3.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-3.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-3.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
user: {{ api['user'] }}
password: {{ api['password'] }}
{% endfor %}

53
roles/elastic-stack/ansible-logstash/README.md
View File

@ -1,53 +0,0 @@
Ansible Role: Logstash
----------------------
An Ansible Role that installs [Logstash](https://www.elastic.co/products/logstash)
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
```
---
logstash_create_config: true
logstash_input_beats: false
elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elastic_stack_version: 5.5.0
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: ""
logstash_ssl_key_file: ""
```
Example Playbook
----------------
```
- hosts: logstash
roles:
- { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' }
```
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-elasticsearch
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

22
roles/elastic-stack/ansible-logstash/defaults/main.yml
View File

@ -1,22 +0,0 @@
---
logstash_create_config: true
logstash_input_beats: false
#You can introduce Multiples IPs
# elasticseacrh_network_host: ["Localhost1", "Localhost2", "Localhost3", ...]
elasticsearch_network_host: ["Localhost"]
elasticsearch_http_port: "9200"
elasticsearch_shards: 5
elasticsearch_replicas: 1
elastic_stack_version: 6.5.4
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: ""
logstash_ssl_key_file: ""
logstash_install_java: yes
elasticrepo_gpg_keyserver: pool.sks-keyservers.net
elasticrepo_server: https://artifacts.elastic.co/packages/6.x/apt

3
roles/elastic-stack/ansible-logstash/handlers/main.yml
View File

@ -1,3 +0,0 @@
---
- name: restart logstash
service: name=logstash state=restarted

24
roles/elastic-stack/ansible-logstash/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- web
- system
- monitoring

64
roles/elastic-stack/ansible-logstash/tasks/Debian.yml
View File

@ -1,64 +0,0 @@
---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt:
name: "{{ item }}"
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https
- ca-certificates
- when: logstash_install_java
block:
- name: Debian/Ubuntu | Setting webupd8 repository
apt_repository:
repo: 'ppa:webupd8team/java'
codename: 'xenial'
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: install
- name: Debian/Ubuntu | Add Elasticsearch GPG key
apt_key:
keyserver: "{{ elasticrepo_gpg_keyserver }}"
id: 46095ACC8548582C1A2699A9D27D666CD88E42B4
- name: Debian/Ubuntu | Install Elasticsearch repo
apt_repository:
repo: "deb {{ elasticrepo_server }} stable main"
state: present
filename: 'elastic_repo'
- name: Debian/Ubuntu | Install Logstash
apt:
name: "logstash=1:{{ elastic_stack_version }}-1"
state: present
update_cache: yes
tags: install
- name: Debian/Ubuntu | Checking if wazuh-manager is installed
command: dpkg -l wazuh-manager
register: wazuh_manager_check_deb
when: logstash_input_beats == false
args:
warn: no
- name: Debian/Ubuntu | Add user logstash to group ossec
user:
name: logstash
groups: ossec
append: yes
when:
- logstash_input_beats == false
- wazuh_manager_check_deb.rc == 0

5
roles/elastic-stack/ansible-logstash/tasks/RMDebian.yml
View File

@ -1,5 +0,0 @@
---
- name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
state: absent

5
roles/elastic-stack/ansible-logstash/tasks/RMRedHat.yml
View File

@ -1,5 +0,0 @@
---
- name: RedHat/CentOS/Fedora | Remove logstash repository (and clean up left-over metadata)
yum_repository:
name: elastic_repo
state: absent

51
roles/elastic-stack/ansible-logstash/tasks/RedHat.yml
View File

@ -1,51 +0,0 @@
---
- when: logstash_install_java
block:
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when: oracle_java_task_rpm_download is defined
register: oracle_java_task_rpm_installed
tags: install
- name: RedHat/CentOS/Fedora | Install Logstash repo
yum_repository:
name: elastic_repo
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes
- name: RedHat/CentOS/Fedora | Install Logstash
package: name=logstash-{{ elastic_stack_version }} state=present
when: not logstash_install_java or oracle_java_task_rpm_installed is defined
tags: install
- name: RedHat/CentOS/Fedora | Checking if wazuh-manager is installed
command: rpm -q wazuh-manager
register: wazuh_manager_check_rpm
when: logstash_input_beats == false
args:
warn: no
- name: RedHat/CentOS/Fedora | Add user logstash to group ossec
user:
name: logstash
groups: ossec
append: yes
when:
- logstash_input_beats == false
- wazuh_manager_check_rpm.rc == 0
- name: Amazon Linux change startup group
shell: sed -i 's/.*LS_GROUP=logstash.*/LS_GROUP=ossec/' /etc/logstash/startup.options
when:
- logstash_input_beats == false
- wazuh_manager_check_rpm.rc == 0
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"

27
roles/elastic-stack/ansible-logstash/tasks/config.yml
View File

@ -1,27 +0,0 @@
---
- name: Ensure Logstash SSL key pair directory exists.
file:
path: "{{ logstash_ssl_dir }}"
state: directory
when: logstash_ssl
tags: configure
- name: Copy SSL key and cert for logstash.
copy:
src: "{{ item }}"
dest: "{{ logstash_ssl_dir }}/{{ item | basename }}"
mode: 0644
with_items:
- "{{ logstash_ssl_key_file }}"
- "{{ logstash_ssl_certificate_file }}"
when: logstash_ssl
tags: configure
- name: Logstash configuration
template:
src: 01-wazuh.conf.j2
dest: /etc/logstash/conf.d/01-wazuh.conf
owner: root
group: root
notify: restart logstash
tags: configure

40
roles/elastic-stack/ansible-logstash/tasks/main.yml
View File

@ -1,40 +0,0 @@
---
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
when: ansible_os_family == "Debian"
- import_tasks: config.yml
when: logstash_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- name: Amazon Linux create service
shell: /usr/share/logstash/bin/system-install /etc/logstash/startup.options
when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: Ensure Logstash started and enabled
service:
name: logstash
enabled: yes
state: started
- name: Amazon Linux start Logstash
service:
name: logstash
enabled: yes
state: started
when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

73
roles/elastic-stack/ansible-logstash/templates/01-wazuh.conf.j2
View File

@ -1,73 +0,0 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
# Wazuh - Logstash configuration file
{% if logstash_input_beats == true %}
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
{% if logstash_ssl == true %}
ssl => true
ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
{% endif %}
}
}
{% else %}
## Local Wazuh Manager - JSON file input
input {
file {
type => "wazuh-alerts"
path => "/var/ossec/logs/alerts/alerts.json"
codec => "json"
}
}
{% endif %}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => {{ elasticsearch_network_host | to_json}}
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}

24
roles/wazuh/ansible-filebeat/README.md
View File

@ -19,34 +19,10 @@ Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`): Available variables are listed below, along with default values (see `defaults/main.yml`):
``` ```
filebeat_create_config: true
filebeat_prospectors:
- input_type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts: filebeat_output_elasticsearch_hosts:
- "localhost:9200" - "localhost:9200"
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "192.168.212.158:5000"
filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/logstash
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false"
``` ```
License and copyright License and copyright

33
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,4 +1,6 @@
--- ---
filebeat_version: 7.5.1
filebeat_create_config: true filebeat_create_config: true
filebeat_prospectors: filebeat_prospectors:
@ -10,23 +12,42 @@ filebeat_prospectors:
json.keys_under_root: true json.keys_under_root: true
json.overwrite_keys: true json.overwrite_keys: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts: filebeat_output_elasticsearch_hosts:
- "localhost:9200" - "localhost:9200"
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "192.168.212.158:5000"
filebeat_enable_logging: true filebeat_enable_logging: true
filebeat_log_level: debug filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/logstash filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: "" filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: "" filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false" filebeat_ssl_insecure: "false"
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
# Xpack Security
filebeat_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator : false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
elasticrepo_gpg_keyserver: pool.sks-keyservers.net elasticrepo_gpg_keyserver: pool.sks-keyservers.net
elasticrepo_server: https://artifacts.elastic.co/packages/6.x/apt elasticrepo_server: https://artifacts.elastic.co/packages/7.x/apt

30
roles/wazuh/ansible-filebeat/meta/main.yml
View File

@ -8,21 +8,21 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
- 6 - 6
- 7 - 7
- name: Fedora - name: Fedora
versions: versions:
- all - all
- name: Debian - name: Debian
versions: versions:
- jessie - jessie
- name: Ubuntu - name: Ubuntu
versions: versions:
- precise - precise
- trusty - trusty
- xenial - xenial
galaxy_tags: galaxy_tags:
- web - web
- system - system

13
roles/wazuh/ansible-filebeat/tasks/Debian.yml
View File

@ -1,12 +1,12 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
- apt-transport-https
- ca-certificates
state: present state: present
cache_valid_time: 3600 register: filebeat_ca_packages_install
with_items: until: filebeat_ca_packages_install is succeeded
- apt-transport-https
- ca-certificates
- name: Debian/Ubuntu | Add Elasticsearch apt key. - name: Debian/Ubuntu | Add Elasticsearch apt key.
apt_key: apt_key:
@ -17,4 +17,5 @@
apt_repository: apt_repository:
repo: "deb {{ elasticrepo_server }} stable main" repo: "deb {{ elasticrepo_server }} stable main"
state: present state: present
update_cache: yes update_cache: true
changed_when: false

3
roles/wazuh/ansible-filebeat/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
state: absent state: absent
changed_when: false

1
roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml
View File

@ -3,3 +3,4 @@
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
state: absent state: absent
changed_when: false

5
roles/wazuh/ansible-filebeat/tasks/RedHat.yml
View File

@ -3,6 +3,7 @@
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo
description: Elastic repository for 6.x packages description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: https://artifacts.elastic.co/packages/7.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes gpgcheck: true
changed_when: false

10
roles/wazuh/ansible-filebeat/tasks/config.yml
View File

@ -9,6 +9,16 @@
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0644
notify: restart filebeat
tags: configure
- name: Ensure Filebeat SSL key pair directory exists. - name: Ensure Filebeat SSL key pair directory exists.
file: file:
path: "{{ filebeat_ssl_dir }}" path: "{{ filebeat_ssl_dir }}"

105
roles/wazuh/ansible-filebeat/tasks/main.yml
View File

@ -1,34 +1,123 @@
--- ---
- import_tasks: RedHat.yml - include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml - include_tasks: Debian.yml
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Install Filebeat. - name: CentOS/RedHat | Install Filebeat.
package: name=filebeat state=present package: name=filebeat-{{ filebeat_version }} state=present
register: filebeat_installing_package
until: filebeat_installing_package is succeeded
when:
- ansible_distribution in ['CentOS','RedHat', 'Amazon']
tags: tags:
- install - install
- name: Debian/Ubuntu | Install Filebeat.
apt:
name: filebeat={{ filebeat_version }}
state: present
cache_valid_time: 3600
register: filebeat_installing_package_debian
until: filebeat_installing_package_debian is succeeded
when:
- not (ansible_distribution in ['CentOS','RedHat', 'Amazon'])
tags:
- init
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
- filebeat_xpack_security
tags: xpack-security
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
- filebeat_xpack_security
tags: xpack-security
- name: Ensuring folder & certs permissions
file:
path: "{{ node_certs_destination }}/"
mode: '0774'
state: directory
recurse: yes
when:
- filebeat_xpack_security
tags: xpack-security
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: https://packages.wazuh.com/3.x/filebeat/{{ filebeat_module_package_name }}
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpakcing Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml - import_tasks: config.yml
when: filebeat_create_config when: filebeat_create_config
notify: restart filebeat
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd: daemon_reload=yes
ignore_errors: yes ignore_errors: true
when: when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Ensure Filebeat is started and enabled at boot. - name: Ensure Filebeat is started and enabled at boot.
service: service:
name: filebeat name: filebeat
state: started state: started
enabled: yes enabled: true
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"

1676
roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

171
roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
View File

@ -1,150 +1,39 @@
filebeat: # Wazuh - Filebeat configuration file
# List of prospectors to fetch data.
prospectors:
{{ filebeat_prospectors | to_json }}
# Configure what outputs to use when sending the data collected by the beat. # Wazuh - Filebeat configuration file
# Multiple outputs may be used. filebeat.modules:
output: - module: wazuh
alerts:
enabled: true
archives:
enabled: false
{% if filebeat_output_elasticsearch_enabled %} setup.template.json.enabled: true
### Elasticsearch as output setup.template.json.path: '/etc/filebeat/wazuh-template.json'
elasticsearch: setup.template.json.name: 'wazuh'
# Array of hosts to connect to. setup.template.overwrite: true
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} setup.ilm.enabled: false
# Optional protocol and basic auth credentials. These are deprecated.
#protocol: "https"
#username: "admin"
#password: "s3cr3t"
# Number of workers per Elasticsearch host. # Send events directly to Elasticsearch
#worker: 1 output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
# Optional index name. The default is "filebeat" and generates {% if filebeat_xpack_security %}
# [filebeat-]YYYY.MM.DD keys. username: {{ elasticsearch_xpack_security_user }}
#index: "filebeat" password: {{ elasticsearch_xpack_security_password }}
protocol: https
# Optional HTTP Path {% if generate_CA == true %}
#path: "/elasticsearch" ssl.certificate_authorities:
- {{node_certs_destination}}/ca.crt
# Proxy server URL {% elif generate_CA == false %}
# proxy_url: http://proxy:3128 ssl.certificate_authorities:
- {{node_certs_destination}}/{{ca_cert_name}}
# The number of times a particular Elasticsearch index operation is attempted. If
# the indexing operation doesn't succeed after this many retries, the events are
# dropped. The default is 3.
#max_retries: 3
# The maximum number of events to bulk in a single Elasticsearch bulk API index request.
# The default is 50.
#bulk_max_size: 50
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# The number of seconds to wait for new events between two bulk API index requests.
# If `bulk_max_size` is reached before this interval expires, addition bulk index
# requests are made.
#flush_interval: 1
# Boolean that sets if the topology is kept in Elasticsearch. The default is
# false. This option makes sense only for Packetbeat.
#save_topology: false
# The time to live in seconds for the topology information that is stored in
# Elasticsearch. The default is 15 seconds.
#topology_expire: 15
{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
# tls configuration. By default is off.
tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for TLS client authentication
certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
# Client Certificate Key
certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}"
# Controls whether the client verifies server certificates and host name.
# If insecure is set to true, all server host names and certificates will be
# accepted. In this mode TLS based connections are susceptible to
# man-in-the-middle attacks. Use only for testing.
insecure: {{ filebeat_ssl_insecure }}
# Configure cipher suites to be used for TLS connections
#cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#curve_types: []
# Configure minimum TLS version allowed for connection to logstash
#min_version: 1.0
# Configure maximum TLS version allowed for connection to logstash
#max_version: 1.2
{% endif %}
{% endif %} {% endif %}
{% if filebeat_output_logstash_enabled %} ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
### Logstash as output ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
logstash:
# The Logstash hosts
hosts: {{ filebeat_output_logstash_hosts | to_json }}
# Number of workers per Logstash host.
#worker: 1
# Optional load balance the events between the Logstash hosts
#loadbalance: true
# Optional index name. The default index name depends on the each beat.
# For Packetbeat, the default is set to packetbeat, for Topbeat
# top topbeat and for Filebeat to filebeat.
#index: filebeat
{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
# Optional TLS. By default is off.
tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for TLS client authentication
certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
# Client Certificate Key
certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}"
# Controls whether the client verifies server certificates and host name.
# If insecure is set to true, all server host names and certificates will be
# accepted. In this mode TLS based connections are susceptible to
# man-in-the-middle attacks. Use only for testing.
#insecure: true
insecure: {{ filebeat_ssl_insecure }}
# Configure cipher suites to be used for TLS connections
#cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#curve_types: []
{% endif %} {% endif %}
{% if filebeat_enable_logging %} # Optional. Send events to Logstash instead of Elasticsearch
logging: #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
### Filebeat log
level: {{ filebeat_log_level }}
# Enable file rotation with default configuration
to_files: true
# Do not log to syslog
to_syslog: false
files:
path: {{ filebeat_log_dir }}
name: {{ filebeat_log_filename }}
keepfiles: 7
{% endif %}
{% endif %}

1
roles/wazuh/ansible-filebeat/tests/requirements.yml
View File

@ -1,4 +1,3 @@
--- ---
- src: geerlingguy.java - src: geerlingguy.java
- src: geerlingguy.elasticsearch - src: geerlingguy.elasticsearch
- src: geerlingguy.logstash

1
roles/wazuh/ansible-filebeat/tests/test.yml
View File

@ -17,5 +17,4 @@
roles: roles:
- geerlingguy.java - geerlingguy.java
- geerlingguy.elasticsearch - geerlingguy.elasticsearch
- geerlingguy.logstash
- role_under_test - role_under_test

2
roles/wazuh/ansible-wazuh-agent/README.md
View File

@ -32,7 +32,7 @@ The following is an example of how this role can be used:
wazuh_managers: wazuh_managers:
- address: 127.0.0.1 - address: 127.0.0.1
port: 1514 port: 1514
protocol: udp protocol: tcp
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: 'ansible' api_user: 'ansible'

115
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,16 +1,42 @@
--- ---
wazuh_agent_version: 3.11.1-1
wazuh_agent_sources_installation:
enabled: false
branch: "v3.11.1"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
user_dir: "/var/ossec"
user_delete_dir: "y"
user_enable_active_response: "y"
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_sca: "y"
user_enable_authd: "y"
user_generate_authd_cert: "n"
user_update: "y"
user_binaryinstall: null
user_agent_server_ip: "YOUR_MANAGER_IP"
user_agent_server_name: null
user_agent_config_profile: null
user_ca_store: "/var/ossec/wpk_root.pem"
wazuh_managers: wazuh_managers:
- address: 127.0.0.1 - address: 127.0.0.1
port: 1514 port: 1514
protocol: tcp protocol: udp
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: null api_user: null
wazuh_profile: null wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes' wazuh_auto_restart: 'yes'
wazuh_agent_authd: wazuh_agent_authd:
enable: false enable: false
port: 1515 port: 1515
agent_name: null
ssl_agent_ca: null ssl_agent_ca: null
ssl_agent_cert: null ssl_agent_cert: null
ssl_agent_key: null ssl_agent_key: null
@ -19,20 +45,26 @@ wazuh_notify_time: '10'
wazuh_time_reconnect: '60' wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes' wazuh_crypto_method: 'aes'
wazuh_winagent_config: wazuh_winagent_config:
install_dir: 'C:\Program Files\ossec-agent\' download_dir: C:\
install_dir_x86: 'C:\Program Files (x86)\ossec-agent\' install_dir: C:\Program Files\ossec-agent\
auth_path: C:\'Program Files'\ossec-agent\agent-auth.exe install_dir_x86: C:\Program Files (x86)\ossec-agent\
auth_path: C:\Program Files\ossec-agent\agent-auth.exe
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
version: '3.8.2' version: '3.11.1'
revision: '1' revision: '1'
repo: https://packages.wazuh.com/3.x/windows/ repo: https://packages.wazuh.com/3.x/windows/
md5: 43936e7bc7eb51bd186f47dac4a6f477 md5: 1e39c2ad032259cb9682c1eac3ac646a
wazuh_agent_config: wazuh_agent_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
active_response: active_response:
ar_disabled: 'no' ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem' ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem' ca_store_win: 'wpk_root.pem'
ca_verification: 'yes' ca_verification: 'yes'
log_format: 'plain' log_format: 'plain'
client_buffer: client_buffer:
disable: 'no' disable: 'no'
@ -43,13 +75,10 @@ wazuh_agent_config:
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no' auto_ignore: 'no'
alert_new_files: 'yes' alert_new_files: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
win_audit_interval: 300 win_audit_interval: 300
skip_nfs: 'yes' skip_nfs: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
#- /etc/mnttab
- /etc/hosts.deny - /etc/hosts.deny
- /etc/mail/statistics - /etc/mail/statistics
- /etc/random-seed - /etc/random-seed
@ -63,6 +92,10 @@ wazuh_agent_config:
- /etc/svc/volatile - /etc/svc/volatile
- /sys/kernel/security - /sys/kernel/security
- /sys/kernel/debug - /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
ignore_win: ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff: no_diff:
@ -70,7 +103,7 @@ wazuh_agent_config:
directories: directories:
- dirs: /etc,/usr/bin,/usr/sbin - dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"' checks: 'check_all="yes"'
- dirs: /bin,/sbin - dirs: /bin,/sbin,/boot
checks: 'check_all="yes"' checks: 'check_all="yes"'
win_directories: win_directories:
- dirs: '%WINDIR%\regedit.exe' - dirs: '%WINDIR%\regedit.exe'
@ -211,19 +244,19 @@ wazuh_agent_config:
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
disable: 'no' disable: 'yes'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
osquery: osquery:
disable: 'yes' disable: 'yes'
run_daemon: 'yes' run_daemon: 'yes'
bin_path_win: 'C:\ProgramData\osquery\osqueryd' bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log' log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\ProgramData\osquery\log\osqueryd.results.log' log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf' config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\ProgramData\osquery\osquery.conf' config_path_win: 'C:\Program Files\osquery\osquery.conf'
ad_labels: 'yes' add_labels: 'yes'
syscollector: syscollector:
disable: 'no' disable: 'no'
interval: '1h' interval: '1h'
@ -234,20 +267,24 @@ wazuh_agent_config:
packages: 'yes' packages: 'yes'
ports_no: 'yes' ports_no: 'yes'
processes: 'yes' processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
cis_cat: cis_cat:
disable: 'yes' disable: 'yes'
install_java: 'yes' install_java: 'no'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe' java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: '/var/ossec/wodles/ciscat' ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat' ciscat_path_win: 'C:\cis-cat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls: vuls:
disable: 'yes' disable: 'yes'
interval: '1d' interval: '1d'
@ -273,29 +310,29 @@ wazuh_agent_config:
location: '/var/log/messages' location: '/var/log/messages'
- format: 'syslog' - format: 'syslog'
location: '/var/log/secure' location: '/var/log/secure'
- format: 'syslog' - format: 'syslog'
location: '/var/log/maillog' location: '/var/log/maillog'
- format: 'audit' - format: 'audit'
location: '/var/log/audit/audit.log' location: '/var/log/audit/audit.log'
linux: linux:
- format: 'syslog' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log' location: '/var/ossec/logs/active-responses.log'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command' - format: 'full_command'
command: 'last -n 20' command: 'last -n 20'
frequency: '360' frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
windows: windows:
- format: 'eventlog' - format: 'eventlog'
location: 'Application' location: 'Application'
- format: 'eventchannel' - format: 'eventchannel'
location: 'Security' location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog' - format: 'eventlog'
location: 'System' location: 'System'
- format: 'syslog' - format: 'syslog'
@ -306,5 +343,7 @@ wazuh_agent_config:
- key: Env - key: Env
value: Production value: Production
wauzhrepo_gpg_keyserver: pool.sks-keyservers.net wazuh_agent_nat: false
wazuhrepo_server: https://packages.wazuh.com/3.x/apt/ wazuhrepo_server: https://packages.wazuh.com/3.x/apt/
wauzhrepo_gpg_keyserver: pool.sks-keyservers.net

2
roles/wazuh/ansible-wazuh-agent/handlers/main.yml
View File

@ -2,5 +2,5 @@
- name: restart wazuh-agent - name: restart wazuh-agent
service: name=wazuh-agent state=restarted enabled=yes service: name=wazuh-agent state=restarted enabled=yes
- name: restart wazuh-agent windows - name: Windows | Restart Wazuh Agent
win_service: name=OssecSvc start_mode=auto state=restarted win_service: name=OssecSvc start_mode=auto state=restarted

28
roles/wazuh/ansible-wazuh-agent/meta/main.yml
View File

@ -6,18 +6,18 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
- all - all
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - all
- name: Debian - name: Debian
versions: versions:
- all - all
- name: Fedora - name: Fedora
versions: versions:
- all - all
categories: galaxy_tags:
- monitoring - monitoring
dependencies: [] dependencies: []

83
roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
View File

@ -1,70 +1,81 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
- apt-transport-https
- ca-certificates
state: present state: present
cache_valid_time: 3600 register: wazuh_agent_ca_package_install
with_items: until: wazuh_agent_ca_package_install is succeeded
- apt-transport-https
- ca-certificates - name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Installing Wazuh repository key - name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: apt_key:
keyserver: "{{ wauzhrepo_gpg_keyserver }}" url: "{{ wazuh_agent_config.repo.gpg }}"
id: 0DCFCA5547B19D2A6099506096B3EE5F29111145 when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: "deb {{ wazuhrepo_server }} stable main" filename: wazuh_repo
repo: "{{ wazuh_agent_config.repo.apt }}"
state: present state: present
update_cache: yes update_cache: true
when:
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for debian - name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when: - when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
block: block:
- name: Debian/Ubuntu | Setting webupd8 repository - name: Debian/Ubuntu | Install OpenJDK 1.8
apt_repository: apt: name=openjdk-8-jre state=present cache_valid_time=3600
repo: 'ppa:webupd8team/java'
codename: 'xenial'
update_cache: yes
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: tags:
- init - init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
apt: apt:
name: "{{ item }}" name:
- libopenscap8
- xsltproc
state: present state: present
cache_valid_time: 3600
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
with_items:
- libopenscap8
- xsltproc
tags: tags:
- init - init
register: wazuh_agent_OpenScap_package_install
until: wazuh_agent_OpenScap_package_install is succeeded
- name: Debian/Ubuntu | Get OpenScap installed version - name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version register: openscap_version
changed_when: true changed_when: false
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config
@ -72,7 +83,7 @@
- name: Debian/Ubuntu | Check OpenScap version - name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid register: openscap_version_valid
changed_when: true changed_when: false
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config

98
roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
View File

@ -1,14 +1,34 @@
--- ---
- import_tasks: "RedHat.yml" - include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "Debian.yml" - include_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Linux | Install wazuh-agent - include_tasks: "installation_from_sources.yml"
package: name=wazuh-agent state=present when:
- wazuh_agent_sources_installation.enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
package:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
async: 90 async: 90
poll: 15 poll: 30
when:
- ansible_os_family|lower == "redhat"
- not wazuh_agent_sources_installation.enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}"
state: present
cache_valid_time: 3600
when:
- ansible_os_family|lower != "redhat"
- not wazuh_agent_sources_installation.enabled
tags: tags:
- init - init
@ -39,30 +59,38 @@
- name: Linux | Register agent (via authd) - name: Linux | Register agent (via authd)
shell: > shell: >
/var/ossec/bin/agent-auth /var/ossec/bin/agent-auth
-A {{ agent_name }} {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_managers.0.address }} -m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %} {% if wazuh_agent_nat %} -I "any" {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is not none %} {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" -x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" -k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %} {% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %}-a{% endif %} {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
register: agent_auth_output register: agent_auth_output
notify: restart wazuh-agent
vars: vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
- name: Linux | Verify agent registration - name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key created" shell: echo {{ agent_auth_output }} | grep "Valid key created"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
when: wazuh_agent_authd.enable == true when: wazuh_agent_authd.enable
tags: tags:
- config - config
- authd - authd
@ -76,9 +104,9 @@
- name: Linux | Create the agent key via rest-API - name: Linux | Create the agent key via rest-API
uri: uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/" url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/"
validate_certs: no validate_certs: false
method: POST method: POST
body: {"name":"{{ agent_name }}"} body: '{"name":"{{ agent_name }}"}'
body_format: json body_format: json
status_code: 200 status_code: 200
headers: headers:
@ -86,47 +114,50 @@
user: "{{ wazuh_managers.0.api_user }}" user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}" password: "{{ api_pass }}"
register: newagent_api register: newagent_api
changed_when: newagent_api.json.error == 0 notify: restart wazuh-agent
# changed_when: newagent_api.json.error == 0
vars: vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}" agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
become: no become: false
ignore_errors: true
- name: Linux | Retieve new agent data via rest-API - name: Linux | Retieve new agent data via rest-API
uri: uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}"
validate_certs: no validate_certs: false
method: GET method: GET
return_content: yes return_content: true
user: "{{ wazuh_managers.0.api_user }}" user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}" password: "{{ api_pass }}"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
- newagent_api.json.error == 0 - newagent_api.json.error == 0
register: newagentdata_api register: newagentdata_api
delegate_to: localhost delegate_to: localhost
become: no become: false
- name: Linux | Register agent (via rest-API) - name: Linux | Register agent (via rest-API)
command: /var/ossec/bin/manage_agents command: /var/ossec/bin/manage_agents
environment: environment:
OSSEC_ACTION: i OSSEC_ACTION: i
OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}' OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}'
OSSEC_AGENT_IP: '{{ newagentdata_api.json.data.ip }}' OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}'
OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}' OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}'
OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}' OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output register: manage_agents_output
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
- newagent_api.changed - newagent_api.changed
notify: restart wazuh-agent notify: restart wazuh-agent
when: wazuh_agent_authd.enable == false when:
- not wazuh_agent_authd.enable
tags: tags:
- config - config
- api - api
@ -139,7 +170,7 @@
poll: 0 poll: 0
when: when:
- wazuh_agent_config.vuls.disable != 'yes' - wazuh_agent_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']
tags: tags:
- init - init
@ -168,11 +199,16 @@
- name: Linux | Ensure Wazuh Agent service is started and enabled - name: Linux | Ensure Wazuh Agent service is started and enabled
service: service:
name: wazuh-agent name: wazuh-agent
enabled: yes enabled: true
state: started state: started
tags: config
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when:
- ansible_os_family == "RedHat"
- not wazuh_agent_sources_installation.enabled
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when:
- ansible_os_family == "Debian"
- not wazuh_agent_sources_installation.enabled

1
roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml
View File

@ -3,3 +3,4 @@
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false

1
roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml
View File

@ -3,3 +3,4 @@
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
state: absent state: absent
changed_when: false

50
roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -1,33 +1,29 @@
--- ---
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when:
- ansible_distribution_major_version|int > 5
- name: RedHat/CentOS 5 | Install Wazuh repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/ baseurl: "{{ wazuh_agent_config.repo.yum }}5/"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH-5 gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution_major_version|int == 5 - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_agent_sources_installation.enabled or not wazuh_api_sources_installation.enabled
register: repo_v5_installed
- name: AmazonLinux | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/ baseurl: "{{ wazuh_agent_config.repo.yum }}"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: "{{ wazuh_agent_config.repo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - repo_v5_installed is skipped
- not wazuh_agent_sources_installation.enabled
- name: RedHat/CentOS/Fedora | download Oracle Java RPM - name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url: get_url:
@ -35,6 +31,7 @@
dest: /tmp/jre-8-linux-x64.rpm dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie' headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download register: oracle_java_task_rpm_download
until: oracle_java_task_rpm_download is succeeded
when: when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
@ -43,6 +40,8 @@
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM - name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present package: name=/tmp/jre-8-linux-x64.rpm state=present
register: wazuh_agent_java_package_install
until: wazuh_agent_java_package_install is succeeded
when: when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
@ -63,10 +62,21 @@
- name: Set Distribution CIS filename for RHEL7 - name: Set Distribution CIS filename for RHEL7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7") or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "7"
- name: Set Distribution CIS filename for RHEL7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/RedHat | Install openscap - name: RedHat/CentOS/RedHat | Install openscap
package: name=openscap-scanner state=present package: name=openscap-scanner state=present
register: wazuh_agent_openscap_package_install
until: wazuh_agent_openscap_package_install is succeeded
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- init - init

98
roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
View File

@ -1,53 +1,52 @@
--- ---
- name: Windows | Check if Program Files (x86) exists - name: Windows | Check if Program Files (x86) exists
win_stat: win_stat:
path: C:\Program Files (x86) path: C:\Program Files (x86)
register: check_path register: check_path
- name: Windows | Get current installed version - name: Windows | Set Win Path (x86)
win_shell: "{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %} set_fact:
{{ wazuh_winagent_config.install_dir }}{% endif %}ossec-agent.exe -h" wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}"
args: wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
removes: "{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %}
{{ wazuh_winagent_config.install_dir }}{% endif %}ossec-agent.exe"
register: agent_version
failed_when: False
changed_when: False
- name: Windows | Check Wazuh agent version installed
set_fact: correct_version=true
when: when:
- agent_version.stdout is defined - check_path.stat.exists
- wazuh_winagent_config.version in agent_version.stdout
- name: Windows | Downloading windows Wazuh agent installer - name: Windows | Set Win Path (x64)
win_get_url: set_fact:
dest: C:\wazuh-agent-installer.msi wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}"
url: "{{ wazuh_winagent_config.repo }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi" wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
when: when:
- correct_version is not defined - not check_path.stat.exists
- name: Windows | Verify the downloaded Wazuh agent installer - name: Windows | Check if Wazuh installer is already downloaded
win_stat: win_stat:
path: C:\wazuh-agent-installer.msi path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
get_checksum: yes register: wazuh_package_downloaded
checksum_algorithm: md5
register: installer_md5
when:
- correct_version is not defined
failed_when:
- installer_md5.stat.checksum != wazuh_winagent_config.md5
- name: Windows | Install Wazuh agent - name: Windows | Download Wazuh Agent package
win_package: win_get_url:
path: C:\wazuh-agent-installer.msi url: "{{ wazuh_winagent_config.repo }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
dest: "{{ wazuh_winagent_config.download_dir }}"
when: when:
- correct_version is not defined - not wazuh_package_downloaded.stat.exists
- name: Windows | Verify the Wazuh Agent installer
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
get_checksum: true
checksum_algorithm: md5
register: wazuh_agent_status
failed_when:
- wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5
- name: Windows | Install Agent if not already installed
win_package:
path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
state: present
- name: Windows | Check if client.keys exists - name: Windows | Check if client.keys exists
win_stat: path="{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %}{{ wazuh_winagent_config.install_dir }}{% endif %}client.keys" win_stat: path="{{ wazuh_agent_win_path }}client.keys"
register: check_windows_key register: check_windows_key
notify: restart wazuh-agent windows
tags: tags:
- config - config
@ -58,39 +57,42 @@
- name: Windows | Register agent - name: Windows | Register agent
win_shell: > win_shell: >
{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.auth_path_x86 }}{% else %} {{ wazuh_agent_win_auth_path }}
{{ wazuh_winagent_config.auth_path }}{% endif %}
-m {{ wazuh_managers.0.address }} -m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %}
args:
chdir: "{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %}{{ wazuh_winagent_config.install_dir }}{% endif %}"
register: agent_auth_output register: agent_auth_output
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
when: when:
- wazuh_agent_authd.enable == true - wazuh_agent_authd.enable
- check_windows_key.stat.exists == false or check_windows_key.stat.size == 0 - not check_windows_key.stat.exists or check_windows_key.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_managers.0.address is not none
tags: tags:
- config - config
- name: Windows | Check if ossec folder is accessible
win_file:
path: "{{ wazuh_agent_win_path }}"
state: directory
- name: Windows | Installing agent configuration (ossec.conf) - name: Windows | Installing agent configuration (ossec.conf)
win_template: template:
src: var-ossec-etc-ossec-agent.conf.j2 src: var-ossec-etc-ossec-agent.conf.j2
dest: "{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %}{{ wazuh_winagent_config.install_dir }}{% endif %}ossec.conf" dest: "{{ wazuh_agent_win_path }}ossec.conf"
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
tags: tags:
- config - config
- name: Windows | Installing local_internal_options.conf - name: Windows | Installing local_internal_options.conf
win_template: win_template:
src: var-ossec-etc-local-internal-options.conf.j2 src: var-ossec-etc-local-internal-options.conf.j2
dest: "{% if check_path.stat.exists == true %}{{ wazuh_winagent_config.install_dir_x86 }}{% else %}{{ wazuh_winagent_config.install_dir }}{% endif %}local_internal_options.conf" dest: "{{ wazuh_agent_win_path }}local_internal_options.conf"
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
tags: tags:
- config - config
- name: Windows | Delete downloaded Wazuh agent installer file - name: Windows | Delete downloaded Wazuh agent installer file
win_file: win_file:
path: C:\wazuh-agent-installer.msi path: "{{ wazuh_winagent_config.download_dir }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
state: absent state: absent

99
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,99 @@
---
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
changed_when: false
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: directory
changed_when: false
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}
register: wazuh_untar
changed_when: false
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_agent.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: '644'
changed_when: false
- name: Executing "install.sh" script to build and install the Wazuh Agent
shell: ./install.sh > /tmp/build_agent_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
changed_when: false
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
changed_when: false

4
roles/wazuh/ansible-wazuh-agent/tasks/main.yml
View File

@ -1,6 +1,6 @@
--- ---
- import_tasks: "Windows.yml" - include_tasks: "Windows.yml"
when: ansible_os_family == "Windows" when: ansible_os_family == "Windows"
- import_tasks: "Linux.yml" - include_tasks: "Linux.yml"
when: ansible_system == "Linux" when: ansible_system == "Linux"

7
roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_agent_sources_installation.items() %}
{% if "user_" in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

4
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
View File

@ -10,3 +10,7 @@
# This is the template of Ansible for the file local_internal_options.conf # This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your agents # In this file you could include the configuration settings for your agents
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1

336
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks: False #jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} --> <!-- {{ ansible_managed }} -->
<!-- <!--
Wazuh - Agent Wazuh - Agent
@ -8,7 +8,6 @@
<ossec_config> <ossec_config>
<client> <client>
{% for manager in wazuh_managers %} {% for manager in wazuh_managers %}
<server> <server>
<address>{{ manager.address }}</address> <address>{{ manager.address }}</address>
@ -20,9 +19,12 @@
{% endif %} {% endif %}
</server> </server>
{% endfor %} {% endfor %}
{% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %}
{% if wazuh_profile is not none %} {% if ansible_distribution == 'CentOS' %}
<config-profile>{{ wazuh_profile }}</config-profile> <config-profile>{{ wazuh_profile_centos }}</config-profile>
{% elif ansible_distribution == "Ubuntu" %}
<config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
{% endif %}
{% endif %} {% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time> <notify_time>{{ wazuh_notify_time }}</notify_time>
@ -31,27 +33,18 @@
<auto_restart>{{ wazuh_auto_restart }}</auto_restart> <auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method> <crypto_method>{{ wazuh_crypto_method }}</crypto_method>
</client> </client>
<client_buffer> <client_buffer>
<!-- Agent buffer options --> <!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled> <disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size> <queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second> <events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer> </client_buffer>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar|default('no') }}</disabled>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
{% if wazuh_agent_config.rootcheck is defined %} {% if wazuh_agent_config.rootcheck is defined %}
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
{% if ansible_system == "Linux" %} {% if ansible_system == "Linux" %}
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files> <check_files>yes</check_files>
<check_trojans>yes</check_trojans> <check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
@ -65,14 +58,8 @@
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
{% endif %} {% endif %}
{% if ansible_os_family == "Windows" %} {% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit> <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps> <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
@ -82,95 +69,10 @@
</rootcheck> </rootcheck>
{% endif %} {% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<!-- #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore> {% if ansible_system == "Linux" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
<!-- Remove not monitored files -->
<remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
{% if ansible_system == "Linux"%}
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
</syscheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap"> <wodle name="open-scap">
<disabled>no</disabled> <disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout> <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval> <interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start> <scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
@ -221,9 +123,8 @@
</wodle> </wodle>
{% endif %} {% endif %}
{% if wazuh_agent_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat"> <wodle name="cis-cat">
<disabled>no</disabled> <disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout> <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval> <interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start> <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
@ -235,15 +136,7 @@
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path> <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %} {% endif %}
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path> <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
{% if ansible_system == "Linux" %}
{% for benchmark in wazuh_agent_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
{% endif %}
</wodle> </wodle>
{% endif %}
<!-- Osquery integration --> <!-- Osquery integration -->
<wodle name="osquery"> <wodle name="osquery">
@ -254,7 +147,7 @@
{% endif %} {% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path> <log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path> <config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.ad_labels }}</add_labels> <add_labels>{{ wazuh_agent_config.osquery.add_labels }}</add_labels>
</wodle> </wodle>
<!-- System inventory --> <!-- System inventory -->
@ -270,6 +163,110 @@
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes> <processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle> </wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>yes</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>yes</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
</syscheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %} {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
@ -284,59 +281,72 @@
{% endif %} {% endif %}
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% if ansible_system == "Linux" %} {% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %} {% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format> <localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% else %} {% if localfile.alias is defined %}
<location>{{ localfile.location }}</location> <alias>{{ localfile.alias }}</alias>
{% endif %} {% endif %}
</localfile> {% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ansible_os_family == "Debian" %} {% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %} {% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format> <localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% else %} {% if localfile.alias is defined %}
<location>{{ localfile.location }}</location> <alias>{{ localfile.alias }}</alias>
{% endif %} {% endif %}
</localfile> {% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ansible_os_family == "RedHat" %} {% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %} {% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format> <localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %} {% else %}
<location>{{ localfile.location }}</location> <location>{{ localfile.location }}</location>
{% endif %} {% endif %}
</localfile> </localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ansible_os_family == "Windows" %} {% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %} {% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format> <localfile>
{% if localfile.format == 'eventchannel' %} <log_format>{{ localfile.format }}</log_format>
<location>{{ localfile.location }}</location> {% if localfile.format == 'eventchannel' %}
<query>{{ localfile.query}}</query> <location>{{ localfile.location }}</location>
{% else %} <query>{{ localfile.query}}</query>
<location>{{ localfile.location }}</location> {% else %}
{% endif %} <location>{{ localfile.location }}</location>
</localfile> {% endif %}
</localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -348,4 +358,14 @@
</labels> </labels>
{% endif %} {% endif %}
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
</ossec_config> </ossec_config>

2
roles/wazuh/ansible-wazuh-agent/vars/api_pass.yml
View File

@ -1,3 +1,3 @@
--- ---
# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. # We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
#api_pass: 'changeme' # api_pass: 'changeme'

2
roles/wazuh/ansible-wazuh-agent/vars/authd_pass.yml
View File

@ -1,3 +1,3 @@
--- ---
# We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials. # We recommend the use of Ansible Vault to protect Wazuh, api, agentless and authd credentials.
#authd_pass: 'foobar' # authd_pass: 'foobar'

245
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,7 +1,57 @@
--- ---
wazuh_manager_version: 3.11.1-1
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
wazuh_manager_sources_installation:
enabled: false
branch: "v3.11.1"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
user_dir: "/var/ossec"
user_delete_dir: null
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
user_binaryinstall: null
user_enable_email: "n"
user_auto_start: "y"
user_email_address: null
user_email_smpt: null
user_enable_syslog: "n"
user_white_list: "n"
user_ca_store: null
threads: "2"
wazuh_api_sources_installation:
enabled: false
branch: "v3.11.1"
update: "y"
remove: "y"
directory: null
port: 55000
https: "n"
authd: null
proxy: null
country: null
state: null
locality: null
org_name: null
org_unit: null
common_name: null
password: null
wazuh_manager_config: wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
json_output: 'yes' json_output: 'yes'
alerts_log: 'yes' alerts_log: 'yes'
logall: 'no' logall: 'no'
@ -29,13 +79,10 @@ wazuh_manager_config:
node_name: 'manager_01' node_name: 'manager_01'
node_type: 'master' node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516' port: '1516'
bind_addr: '0.0.0.0' bind_addr: '0.0.0.0'
nodes: nodes:
- '172.17.0.2' - 'manager'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no' hidden: 'no'
connection: connection:
- type: 'secure' - type: 'secure'
@ -48,23 +95,26 @@ wazuh_manager_config:
use_source_ip: 'yes' use_source_ip: 'yes'
force_insert: 'yes' force_insert: 'yes'
force_time: 0 force_time: 0
purge: 'no' purge: 'yes'
use_password: 'no' use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null ssl_agent_ca: null
ssl_verify_host: 'no' ssl_verify_host: 'no'
ssl_manager_cert: '/var/ossec/etc/sslmanager.cert' ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: '/var/ossec/etc/sslmanager.key' ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no' ssl_auto_negotiate: 'no'
email_notification: 'no' email_notification: 'no'
mail_to: mail_to:
- 'admin@example.net' - 'admin@example.net'
mail_smtp_server: localhost mail_smtp_server: smtp.example.wazuh.com
mail_from: wazuh-server@example.com mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12 mail_maxperhour: 12
mail_queue_size: 131072 mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails: extra_emails:
- enable: false - enable: false
mail_to: 'admin@example.net' mail_to: 'recipient@example.wazuh.com'
format: full format: full
level: 7 level: 7
event_location: null event_location: null
@ -76,7 +126,7 @@ wazuh_manager_config:
- enable: false - enable: false
category: 'syscheck' category: 'syscheck'
title: 'Daily report: File changes' title: 'Daily report: File changes'
email_to: 'admin@example.net' email_to: 'recipient@example.wazuh.com'
location: null location: null
group: null group: null
rule: null rule: null
@ -105,6 +155,10 @@ wazuh_manager_config:
- /etc/svc/volatile - /etc/svc/volatile
- /sys/kernel/security - /sys/kernel/security
- /sys/kernel/debug - /sys/kernel/debug
- /dev/core
ignore_linux_type:
- '^/proc'
- '.log$|.swp$'
no_diff: no_diff:
- /etc/ssl/private.key - /etc/ssl/private.key
directories: directories:
@ -117,12 +171,10 @@ wazuh_manager_config:
timeframe: 'timeframe="3600"' timeframe: 'timeframe="3600"'
value: 'no' value: 'no'
skip_nfs: 'yes' skip_nfs: 'yes'
remove_old_diff: 'yes'
restart_audit: 'yes'
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
disable: 'no' disable: 'yes'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
@ -134,10 +186,6 @@ wazuh_manager_config:
scan_on_start: 'yes' scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat' ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery: osquery:
disable: 'yes' disable: 'yes'
run_daemon: 'yes' run_daemon: 'yes'
@ -154,20 +202,44 @@ wazuh_manager_config:
packages: 'yes' packages: 'yes'
ports_no: 'yes' ports_no: 'yes'
processes: 'yes' processes: 'yes'
vul_detector: sca:
disable: 'yes' enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vulnerability_detector:
enabled: 'no'
interval: '5m' interval: '5m'
ignore_time: '6h' ignore_time: '6h'
run_on_start: 'yes' run_on_start: 'yes'
ubuntu: providers:
disable: 'yes' - enabled: 'no'
update_interval: '1h' os:
redhat: - 'precise'
disable: 'yes' - 'trusty'
update_interval: '1h' - 'xenial'
debian: - 'bionic'
disable: 'yes' update_interval: '1h'
update_interval: '1h' name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
vuls: vuls:
disable: 'yes' disable: 'yes'
interval: '1d' interval: '1d'
@ -178,55 +250,52 @@ wazuh_manager_config:
- 'updatenvd' - 'updatenvd'
- 'nvd-year 2016' - 'nvd-year 2016'
- 'autoupdate' - 'autoupdate'
log_level: 1 log_level: 3
email_level: 12 email_level: 12
localfiles: localfiles:
common: common:
- format: 'command' - format: 'command'
command: 'df -P' command: df -P
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports' alias: 'netstat listening ports'
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: 'last -n 20' command: 'last -n 20'
- format: 'syslog' frequency: '360'
location: '/var/ossec/logs/active-responses.log' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian: debian:
- format: 'syslog' - format: 'syslog'
location: '/var/log/auth.log' location: '/var/log/auth.log'
- format: 'syslog' - format: 'syslog'
location: '/var/log/syslog' location: '/var/log/syslog'
- format: 'syslog' - format: 'syslog'
location: '/var/log/dpkg.log' location: '/var/log/dpkg.log'
- format: 'syslog' - format: 'syslog'
location: '/var/log/kern.log' location: '/var/log/kern.log'
centos: centos:
- format: 'syslog' - format: 'syslog'
location: '/var/log/messages' location: '/var/log/messages'
- format: 'syslog' - format: 'syslog'
location: '/var/log/secure' location: '/var/log/secure'
- format: 'syslog' - format: 'syslog'
location: '/var/log/maillog' location: '/var/log/maillog'
- format: 'audit' - format: 'audit'
location: '/var/log/audit/audit.log' location: '/var/log/audit/audit.log'
globals: globals:
- '127.0.0.1' - '127.0.0.1'
- '192.168.2.1' - '^localhost.localdomain$'
- '127.0.0.53'
commands: commands:
- name: 'disable-account' - name: 'disable-account'
executable: 'disable-account.sh' executable: 'disable-account.sh'
expect: 'user' expect: 'user'
timeout_allowed: 'yes' timeout_allowed: 'yes'
#- name: 'restart-ossec' - name: 'restart-ossec'
# executable: 'restart-ossec.sh' executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
expect: '' expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop' - name: 'firewall-drop'
executable: 'firewall-drop.sh' executable: 'firewall-drop.sh'
expect: 'srcip' expect: 'srcip'
@ -243,6 +312,10 @@ wazuh_manager_config:
executable: 'route-null.cmd' executable: 'route-null.cmd'
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh' - name: 'netsh'
executable: 'netsh.cmd' executable: 'netsh.cmd'
expect: 'srcip' expect: 'srcip'
@ -252,21 +325,14 @@ wazuh_manager_config:
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
ruleset: ruleset:
rules_path: 'custom_ruleset/rules/' rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/' decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
rule_exclude: rule_exclude:
- '0215-policy_rules.xml' - '0215-policy_rules.xml'
active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: '100002'
- command: 'win_restart-ossec'
location: 'local'
rules_id: '100003'
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
syslog_outputs: syslog_outputs:
- server: null - server: null
port: null port: null
@ -283,20 +349,15 @@ wazuh_agent_configs:
syscheck: syscheck:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no'
alert_new_files: 'yes' alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/mnttab - /etc/mnttab
- /etc/hosts.deny - /etc/hosts.deny
- /etc/mail/statistics - /etc/mail/statistics
- /etc/svc/volatile - /etc/svc/volatile
no_diff: no_diff:
- /etc/ssl/private.key - /etc/ssl/private.key
# Example
#directories:
#- dirs: /etc,/usr/bin,/usr/sbin
# checks: 'check_all="yes"'
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
cis_distribution_filename: null cis_distribution_filename: null
@ -330,7 +391,11 @@ wazuh_agent_configs:
- location: 'System' - location: 'System'
format: 'eventlog' format: 'eventlog'
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_8.x"
wauzhrepo_gpg_keyserver: pool.sks-keyservers.net wauzhrepo_gpg_keyserver: pool.sks-keyservers.net
nodejsrepo_gpg_keyserver: pool.sks-keyservers.net
wazuhrepo_server: https://packages.wazuh.com/3.x/apt/ wazuhrepo_server: https://packages.wazuh.com/3.x/apt/
nodejsrepo_server: https://deb.nodesource.com/node_6.x

5
roles/wazuh/ansible-wazuh-manager/handlers/main.yml
View File

@ -1,7 +1,4 @@
--- ---
- name: rebuild cdb_lists
command: /var/ossec/bin/ossec-makelists
- name: restart wazuh-manager - name: restart wazuh-manager
service: service:
name: wazuh-manager name: wazuh-manager
@ -12,4 +9,4 @@
service: service:
name: wazuh-api name: wazuh-api
state: restarted state: restarted
enabled: true enabled: true

28
roles/wazuh/ansible-wazuh-manager/meta/main.yml
View File

@ -6,18 +6,18 @@ galaxy_info:
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
- all - all
- name: Ubuntu - name: Ubuntu
versions: versions:
- all - all
- name: Debian - name: Debian
versions: versions:
- all - all
- name: Fedora - name: Fedora
versions: versions:
- all - all
categories: galaxy_tags:
- monitoring - monitoring
dependencies: [] dependencies: []

128
roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
View File

@ -1,73 +1,79 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
- apt-transport-https
- ca-certificates
- gnupg
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
with_items: install_recommends: false
- apt-transport-https register: wazuh_manager_https_packages_installed
- ca-certificates until: wazuh_manager_https_packages_installed is succeeded
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Installing Wazuh repository key - name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: apt_key:
keyserver: "{{ wauzhrepo_gpg_keyserver }}" url: "{{ wazuh_manager_config.repo.gpg }}"
id: 0DCFCA5547B19D2A6099506096B3EE5F29111145 when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: "deb {{ wazuhrepo_server }} stable main" filename: wazuh_repo
repo: "{{ wazuh_manager_config.repo.apt }}"
state: present state: present
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Installing NodeJS repository key when:
apt_key: - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
keyserver: "{{ nodejsrepo_gpg_keyserver }}"
id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
- name: Debian/Ubuntu | Add NodeSource repositories for Node.js
apt_repository:
repo: "deb {{ nodejsrepo_server }} {{ ansible_distribution_release }} main"
state: present
update_cache: yes
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when: - when:
- wazuh_manager_config.cis_cat.disable == 'no' - wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes' - wazuh_manager_config.cis_cat.install_java == 'yes'
block: block:
- name: Debian/Ubuntu | Setting webupd8 repository - name: Debian/Ubuntu | Install OpenJDK 1.8
apt_repository: apt: name=openjdk-8-jre state=present cache_valid_time=3600
repo: 'ppa:webupd8team/java'
codename: 'xenial'
update_cache: yes
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: tags:
- init - init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
package: apt:
name: "{{ item }}" name:
- libopenscap8
- xsltproc
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_openscap_installed
until: wazuh_manager_openscap_installed is succeeded
when: wazuh_manager_config.openscap.disable == 'no' when: wazuh_manager_config.openscap.disable == 'no'
with_items:
- libopenscap8
- xsltproc
tags: tags:
- init - init
@ -75,7 +81,7 @@
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
when: wazuh_manager_config.openscap.disable == 'no' when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version register: openscap_version
changed_when: true changed_when: false
tags: tags:
- config - config
@ -83,6 +89,36 @@
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
when: wazuh_manager_config.openscap.disable == 'no' when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version_valid register: openscap_version_valid
changed_when: true changed_when: false
tags: tags:
- config - config
- name: Debian/Ubuntu | Install wazuh-manager
apt:
name:
- "wazuh-manager={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_manager_sources_installation.enabled
- include_tasks: "installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Install wazuh-api
apt:
name:
- "wazuh-api={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_api_sources_installation.enabled

2
roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml
View File

@ -3,8 +3,10 @@
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false
- name: Debian/Ubuntu | Remove Nodejs repository. - name: Debian/Ubuntu | Remove Nodejs repository.
apt_repository: apt_repository:
repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false

2
roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml
View File

@ -3,8 +3,10 @@
yum_repository: yum_repository:
name: NodeJS name: NodeJS
state: absent state: absent
changed_when: false
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata) - name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
state: absent state: absent
changed_when: false

155
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -1,65 +1,44 @@
--- ---
- name: RedHat/CentOS | Install Nodejs repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: NodeJS name: wazuh_repo
description: NodeJS-$releasever description: Wazuh repository
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 baseurl: "{{ wazuh_manager_config.repo.yum }}5/"
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution_major_version|int > 5 - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- name: Fedora | Install Nodejs repo - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
yum_repository: register: repo_v5_manager_installed
name: NodeJS
description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/fc/$releasever/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes
when: ansible_distribution == 'Fedora'
- name: AmazonLinux | Get Nodejs
shell: curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
args:
warn: no
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: AmazonLinux | Install Nodejs repo
yum:
name: nodejs
state: present
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/Fedora | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/ baseurl: "{{ wazuh_manager_config.repo.yum }}"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: "{{ wazuh_manager_config.repo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- (ansible_distribution_major_version|int > 5) or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - repo_v5_manager_installed is skipped
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when:
- ansible_distribution_major_version|int == 5
- name: RedHat/CentOS/Fedora | Install openscap - name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present package: name={{ item }} state=present
with_items:
- openscap-scanner
register: wazuh_manager_openscp_packages_installed
until: wazuh_manager_openscp_packages_installed is succeeded
tags: tags:
- init - init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- name: CentOS 6 | Install Software Collections (SCL) Repository - name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present package: name=centos-release-scl state=present
register: wazuh_manager_scl_packages_installed
until: wazuh_manager_scl_packages_installed is succeeded
when: when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' - ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
@ -75,12 +54,16 @@
- name: CentOS/RedHat 6 | Install Python 2.7 - name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present package: name=python27 state=present
register: wazuh_manager_python_package_installed
until: wazuh_manager_python_package_installed is succeeded
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module - name: CentOS/RedHat 6 | Install python-cryptography module
shell: pip2.7 install cryptography pip: name=cryptography state=present
register: wazuh_manager_cryptography_package_installed
until: wazuh_manager_cryptography_package_installed is succeeded
environment: environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}" PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib" LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
@ -90,31 +73,20 @@
- name: RedHat/CentOS/Fedora | Install python-cryptography module - name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present package: name=python-cryptography state=present
register: wazuh_manager_cryptography_package_installed
until: wazuh_manager_cryptography_package_installed is succeeded
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' ) - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | download Oracle Java RPM - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
get_url: yum: name=java-1.8.0-openjdk state=present
url: https://download.oracle.com/otn-pub/java/jdk/8u202-b08/1961070e4c9b4e26a04e7f5a083f551e/jre-8u202-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
when: when:
- wazuh_manager_config.cis_cat.disable == 'no' - wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes' - wazuh_manager_config.cis_cat.install_java == 'yes'
tags: tags:
- init - init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5/CentOS-5 - name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt
@ -128,4 +100,63 @@
- name: Set Distribution CIS filename for RHEL7/CentOS-7 - name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == '7') or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: CentOS/RedHat/Amazon | Install wazuh-manager
package:
name: "wazuh-manager-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_manager_sources_installation.enabled
tags:
- init
- include_tasks: "../tasks/installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- name: CentOS/RedHat/Amazon | Install wazuh-api
package:
name: "wazuh-api-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_api_main_packages_installed
until: wazuh_api_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_api_sources_installation.enabled
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install expect (EL5)
package:
name: "{{ item }}"
state: "{{ wazuh_manager_package_state }}"
with_items:
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "RedHat"
- ansible_distribution_major_version|int < 6
tags:
- init

182
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,182 @@
---
# Wazuh Manager
- name: Check if Wazuh Manager is already installed
stat:
path: /var/ossec/bin/ossec-control
register: wazuh_ossec_control
- name: Installing Wazuh Manager from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Remove old repository folder
file:
path: /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
state: absent
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: directory
# When downloading "v3.11.0" extracted folder name is 3.11.0.
# Explicitly creating the folder with proper naming and striping first level in .tar.gz file
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
register: wazuh_untar
changed_when: wazuh_untar.rc ==0
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_manager.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: '644'
- name: Executing "install.sh" script to build and install the Wazuh Manager
shell: ./install.sh > /tmp/build_wazuh_manager_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
when:
- not wazuh_ossec_control.stat.exists
- wazuh_manager_sources_installation.enabled
tags:
- manager
# Wazuh API
- name: Check if Wazuh API is already installed
stat:
path: /var/ossec/api/app.js
register: wazuh_api
- name: Install Wazuh API from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Explicitly installing npm for Debian hosts
package:
name: npm
state: present
when:
- ansible_distribution == "Debian"
- name: Ensure Git is present in the host
package:
name: git
state: present
- name: Remove old repository folder
file:
path: /tmp/wazuh-api
state: absent
- name: Download the Wazuh API repository
git:
repo: 'https://github.com/wazuh/wazuh-api.git'
version: "{{ wazuh_api_sources_installation.branch }}"
dest: /tmp/wazuh-api
- name: Configure Wazuh API installation
template:
src: "templates/preloaded_vars_api.conf.j2"
dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf"
owner: root
group: root
mode: '644'
- name: Execute Wazuh API installation script
shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt
register: install_api
changed_when: install_api.rc == 0
args:
chdir: "/tmp/wazuh-api"
notify:
- restart wazuh-api
when:
- not wazuh_api.stat.exists
- wazuh_api_sources_installation.enabled
tags:
- api

154
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,53 +1,67 @@
--- ---
- import_tasks: "RedHat.yml" - name: "Install dependencies"
package:
name:
- unzip
- openssl
- tar
state: present
- name: Check if NodeJS service exists
stat:
path: /usr/bin/node
register: node_service_status
- name: Install NodeJS repository
block:
- name: Download NodeJS repository script
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: /etc/nodejs.sh
mode: '0775'
changed_when: false
- name: Run NodeJS bash script
command: sh /etc/nodejs.sh
register: nodejs_script
changed_when: nodejs_script.rc == 0
when: not node_service_status.stat.exists
- name: Installing NodeJS
package:
name: nodejs
state: present
register: nodejs_service_is_installed
until: nodejs_service_is_installed is succeeded
tags: init
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon") when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
- import_tasks: "Debian.yml" - include_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Install wazuh-manager, wazuh-api and expect - name: Install expect
package: pkg={{ item }} state=latest package:
with_items: name: expect
- wazuh-manager state: "{{ wazuh_manager_package_state }}"
- wazuh-api
- expect
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6)
tags: tags: init
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
tags:
- init
- name: Generate SSL files for authd - name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{wazuh_manager_fqdn}}/" command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args: args:
creates: sslmanager.cert creates: sslmanager.cert
chdir: /var/ossec/etc/ chdir: /var/ossec/etc/
tags: tags:
- config - config
when: not wazuh_manager_config.authd.ssl_agent_ca is not none when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd - name: Copy CA, SSL key and cert for authd
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/var/ossec/etc/{{ item | basename }}" dest: "/var/ossec/etc/{{ item }}"
mode: 0644 mode: 0644
with_items: with_items:
- "{{ wazuh_manager_config.authd.ssl_agent_ca }}" - "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
@ -71,7 +85,7 @@
- name: Ensure ossec-authd service is disabled - name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -80,7 +94,7 @@
with_items: with_items:
- "/etc/init.d/ossec-authd" - "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service" - "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -180,12 +194,7 @@
- name: Retrieving Wazuh-API User Credentials - name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml include_vars: wazuh_api_creds.yml
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution in ['CentOS','RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6)
tags:
- config
- name: Retrieving CDB lists
include_vars: cdb_lists.yml
tags: tags:
- config - config
@ -198,11 +207,14 @@
- config - config
- name: Check if client-syslog is enabled - name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
changed_when: False executable: /bin/bash
check_mode: no changed_when: false
check_mode: false
register: csyslog_enabled register: csyslog_enabled
tags: tags:
- config - config
@ -212,16 +224,19 @@
notify: restart wazuh-manager notify: restart wazuh-manager
when: when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true - syslog_output is defined and syslog_output
tags: tags:
- config - config
- name: Check if ossec-agentlessd is enabled - name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
changed_when: False executable: /bin/bash
check_mode: no changed_when: false
check_mode: false
register: agentlessd_enabled register: agentlessd_enabled
tags: tags:
- config - config
@ -252,7 +267,7 @@
poll: 0 poll: 0
when: when:
- wazuh_manager_config.vuls.disable != 'yes' - wazuh_manager_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle', 'Amazon']
tags: tags:
- init - init
@ -293,7 +308,6 @@
notify: restart wazuh-api notify: restart wazuh-api
when: when:
- wazuh_api_user is defined - wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags: tags:
- config - config
@ -315,27 +329,10 @@
tags: tags:
- config - config
- name: CDB Lists
template:
src: cdb_lists.j2
dest: "/var/ossec/etc/lists/{{ item.name }}"
owner: root
group: ossec
mode: 0640
no_log: true
notify:
- rebuild cdb_lists
- restart wazuh-manager
with_items:
- "{{ cdb_lists }}"
when: cdb_lists is defined
tags:
- config
- name: Ensure Wazuh Manager, wazuh API service is started and enabled - name: Ensure Wazuh Manager, wazuh API service is started and enabled
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: true
state: started state: started
with_items: with_items:
- wazuh-manager - wazuh-manager
@ -345,20 +342,25 @@
environment: environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' or ansible_distribution == 'Amazon')
- ansible_distribution_major_version|int < 6
- name: Ensure Wazuh Manager is started and enabled (EL5) - name: Ensure Wazuh Manager is started and enabled (EL5)
service: service:
name: wazuh-manager name: wazuh-manager
enabled: yes enabled: true
state: started state: started
tags: tags:
- config - config
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 - ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when:
- ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
- not wazuh_manager_sources_installation.enabled
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when:
- ansible_os_family == "Debian"
- not wazuh_manager_sources_installation.enabled

7
roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_api.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_api_sources_installation.items() %}
{% if "enabled" not in key and "branch" not in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

7
roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_manager_sources_installation.items() %}
{% if "user_" in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

388
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks: False #jinja2: lstrip_blocks: True
<!-- <!--
Wazuh - Manager - Default configuration Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com More info at: https://documentation.wazuh.com
@ -11,18 +11,14 @@
<alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log> <alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>
<logall>{{ wazuh_manager_config.logall }}</logall> <logall>{{ wazuh_manager_config.logall }}</logall>
<logall_json>{{ wazuh_manager_config.logall_json }}</logall_json> <logall_json>{{ wazuh_manager_config.logall_json }}</logall_json>
{% if wazuh_manager_config.email_notification | lower == "yes" %} <email_notification>{{ wazuh_manager_config.email_notification }}</email_notification>
<email_notification>yes</email_notification>
{% else %}
<email_notification>no</email_notification>
{% endif %}
{% for to in wazuh_manager_config.mail_to %} {% for to in wazuh_manager_config.mail_to %}
<email_to>{{ to }}</email_to> <email_to>{{ to }}</email_to>
{% endfor %} {% endfor %}
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server> <smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from> <email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour> <email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<queue_size>{{ wazuh_manager_config.mail_queue_size }}</queue_size> <email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
</global> </global>
<alerts> <alerts>
@ -30,6 +26,11 @@
<email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level> <email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level>
</alerts> </alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% if wazuh_manager_config.extra_emails is defined %} {% if wazuh_manager_config.extra_emails is defined %}
{% for mail in wazuh_manager_config.extra_emails %} {% for mail in wazuh_manager_config.extra_emails %}
{% if mail.enable == true %} {% if mail.enable == true %}
@ -61,16 +62,17 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% for connection in wazuh_manager_config.connection %}
<remote> {% for connection in wazuh_manager_config.connection %}
<remote>
<connection>{{ connection.type }}</connection> <connection>{{ connection.type }}</connection>
{% if connection.port is defined %}<port>{{ connection.port }}</port>{% endif %} {% if connection.port is defined %}
{% if connection.protocol is defined %}<protocol>{{ connection.protocol }}</protocol>{% endif %} <port>{{ connection.port }}</port>
{% endif %}
{% if connection.protocol is defined %}
<protocol>{{ connection.protocol }}</protocol>
{% endif %}
{% if connection.allowed_ips is defined %} {% if connection.allowed_ips is defined %}
{% for allowed_ip in connection.allowed_ips %} {% for allowed_ip in connection.allowed_ips %}
<allowed-ips>{{ allowed_ip }}</allowed-ips> <allowed-ips>{{ allowed_ip }}</allowed-ips>
@ -81,11 +83,17 @@
<denied-ips>{{ denied_ip }}</denied-ips> <denied-ips>{{ denied_ip }}</denied-ips>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if connection.local_ip is defined %}<local_ip>{{ connection.local_ip }}</local_ip>{% endif %} {% if connection.local_ip is defined %}
{% if connection.ipv6 is defined %}<ipv6>{{ connection.ipv6 }}</ipv6>{% endif %} <local_ip>{{ connection.local_ip }}</local_ip>
{% if connection.queue_size is defined %}<queue_size>{{connection.queue_size}}</queue_size>{% endif %} {% endif %}
{% if connection.ipv6 is defined %}
<ipv6>{{ connection.ipv6 }}</ipv6>
{% endif %}
{% if connection.queue_size is defined %}
<queue_size>{{connection.queue_size}}</queue_size>
{% endif %}
</remote> </remote>
{% endfor %} {% endfor %}
{% if wazuh_manager_config.reports is defined %} {% if wazuh_manager_config.reports is defined %}
{% for report in wazuh_manager_config.reports %} {% for report in wazuh_manager_config.reports %}
@ -106,11 +114,9 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
<!-- Policy monitoring --> <!-- Policy monitoring -->
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files> <check_files>yes</check_files>
<check_trojans>yes</check_trojans> <check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
@ -122,13 +128,8 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/default/rootkit_files.txt</rootkit_files> <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/default/rootkit_trojans.txt</rootkit_trojans> <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/default/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/default/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/default/{{ cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
</rootcheck> </rootcheck>
@ -155,23 +156,33 @@
<content type="oval" path="cve-debian-9-oval.xml"/> <content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %} {% endif %}
{% elif ansible_distribution == 'CentOS' %} {% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml"> <content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml"> <content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %} {% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml"> <content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% endif %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/> <content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
@ -197,11 +208,6 @@
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path> <java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %} {% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path> <ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
{% for benchmark in wazuh_manager_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle> </wodle>
<!-- Osquery integration --> <!-- Osquery integration -->
@ -226,35 +232,74 @@
<processes>{{ wazuh_manager_config.syscollector.processes }}</processes> <processes>{{ wazuh_manager_config.syscollector.processes }}</processes>
</wodle> </wodle>
<wodle name="vulnerability-detector"> <sca>
<disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled> {% if wazuh_manager_config.sca.enabled | length > 0 %}
<interval>{{ wazuh_manager_config.vul_detector.interval }}</interval> <enabled>{{ wazuh_manager_config.sca.enabled }}</enabled>
<ignore_time>{{ wazuh_manager_config.vul_detector.ignore_time }}</ignore_time> {% endif %}
<run_on_start>{{ wazuh_manager_config.vul_detector.run_on_start }}</run_on_start> {% if wazuh_manager_config.sca.scan_on_start | length > 0 %}
<feed name="ubuntu-18"> <scan_on_start>{{ wazuh_manager_config.sca.scan_on_start }}</scan_on_start>
<disabled>{{ wazuh_manager_config.vul_detector.ubuntu.disable }}</disabled> {% endif %}
<update_interval>{{ wazuh_manager_config.vul_detector.ubuntu.update_interval }}</update_interval> {% if wazuh_manager_config.sca.interval | length > 0 %}
</feed> <interval>{{ wazuh_manager_config.sca.interval }}</interval>
<feed name="redhat-7"> {% endif %}
<disabled>{{ wazuh_manager_config.vul_detector.redhat.disable }}</disabled> {% if wazuh_manager_config.sca.skip_nfs | length > 0 %}
<update_interval>{{ wazuh_manager_config.vul_detector.redhat.update_interval }}</update_interval> <skip_nfs>yes</skip_nfs>
</feed> {% endif %}
<feed name="debian-9"> {% if wazuh_manager_config.sca.day | length > 0 %}
<disabled>{{ wazuh_manager_config.vul_detector.debian.disable }}</disabled> <day>yes</day>
<update_interval>{{ wazuh_manager_config.vul_detector.debian.update_interval }}</update_interval> {% endif %}
</feed> {% if wazuh_manager_config.sca.wday | length > 0 %}
</wodle> <wday>yes</wday>
{% endif %}
{% if wazuh_manager_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
<vulnerability-detector>
{% if wazuh_manager_config.vulnerability_detector.enabled is defined %}
<enabled>{{ wazuh_manager_config.vulnerability_detector.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.interval is defined %}
<interval>{{ wazuh_manager_config.vulnerability_detector.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.ignore_time is defined %}
<ignore_time>{{ wazuh_manager_config.vulnerability_detector.ignore_time }}</ignore_time>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %}
<run_on_start>{{ wazuh_manager_config.vulnerability_detector.run_on_start }}</run_on_start>
{% endif %}
{% if wazuh_manager_config.vulnerability_detector.providers is defined %}
{% for provider_ in wazuh_manager_config.vulnerability_detector.providers %}
<provider name={{ provider_.name }}>
{% if provider_.enabled is defined %}
<enabled>{{ provider_.enabled }}</enabled>
{% endif %}
{% if provider_.os is defined %}
{% for os_ in provider_.os %}
<os>{{ os_ }}</os>
{% endfor %}
{% endif %}
{% if provider_.update_from_year is defined %}
<update_from_year>{{ provider_.update_from_year }}</update_from_year>
{% endif %}
{% if provider_.update_interval is defined %}
<update_interval>{{ provider_.update_interval }}</update_interval>
{% endif %}
</provider>
{% endfor %}
{% endif %}
</vulnerability-detector>
<!-- File integrity monitoring --> <!-- File integrity monitoring -->
<syscheck> <syscheck>
<disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled> <disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
<auto_ignore>{{ wazuh_manager_config.syscheck.auto_ignore }}</auto_ignore>
<alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files> <alert_new_files>{{ wazuh_manager_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency> <frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start> <scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Don't ignore files that change more than 'frequency' times --> <!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore> <auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %} {% endif %}
@ -273,24 +318,21 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff --> <!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %} {% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff> <nodiff>{{ no_diff }}</nodiff>
{% endfor %} {% endfor %}
{% if wazuh_manager_config.syscheck.skip_nfs is defined %} {% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs> <skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %} {% endif %}
<!-- Remove not monitored files -->
{% if wazuh_manager_config.syscheck.remove_old_diff is defined %}
<remove_old_diff>{{ wazuh_manager_config.syscheck.remove_old_diff }}</remove_old_diff>
{% endif %}
<!-- Allow the system to restart Auditd after installing the plugin -->
{% if wazuh_manager_config.syscheck.restart_audit is defined %}
<restart_audit>{{ wazuh_manager_config.syscheck.restart_audit }}</restart_audit>
{% endif %}
</syscheck> </syscheck>
<global> <global>
@ -299,79 +341,19 @@
{% endfor %} {% endfor %}
</global> </global>
{% for command in wazuh_manager_config.commands %} {% for command in wazuh_manager_config.commands %}
<command>
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
<expect>{{ command.expect }}</expect>
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
</command>
{% endfor %}
<!-- <command>
<active-response> <name>{{ command.name }}</name>
active-response options here <executable>{{ command.executable }}</executable>
</active-response> <expect>{{ command.expect }}</expect>
--> {% if command.timeout_allowed is defined %}
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
<list>etc/lists/{{ list.name }}</list>
{% endfor %}
{% endif %} {% endif %}
</command>
{% endfor %}
<!-- User-defined ruleset --> {% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is not none %}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}
{% if wazuh_manager_config.authd.force_insert is not none %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}
{% if wazuh_manager_config.authd.force_time is not none %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}
{% if wazuh_manager_config.authd.purge is not none %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}
</auth>
{% endif %}
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
{% if wazuh_manager_config.cluster.interval is defined %}
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
{% endif %}
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
<wodle name="command"> <wodle name="command">
<disabled>no</disabled> <disabled>no</disabled>
<tag>Wazuh-VULS</tag> <tag>Wazuh-VULS</tag>
@ -380,7 +362,7 @@
<ignore_output>yes</ignore_output> <ignore_output>yes</ignore_output>
<run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start> <run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>
</wodle> </wodle>
{% endif %} {% endif -%}
{% if agentless_creds is defined %} {% if agentless_creds is defined %}
{% for agentless in agentless_creds %} {% for agentless in agentless_creds %}
@ -393,29 +375,28 @@
<arguments>{{ agentless.arguments }}</arguments> <arguments>{{ agentless.arguments }}</arguments>
{% endif %} {% endif %}
</agentless> </agentless>
{% endfor %} {% endfor %}
{% endif %} {% endif -%}
{% if wazuh_manager_config.active_responses is defined %}
<!-- Active Response Config {% for response in wazuh_manager_config.active_responses %}
{% for response in wazuh_manager_config.active_responses %} <active-response>
<active-response> <disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
<disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled> {%if response.command is defined %}<command>{{ response.command }}</command>{% endif %}
{%if response.command is defined %}<command>{{ response.command }}</command>{% endif %} {%if response.location is defined %}<location>{{ response.location }}</location>{% endif %}
{%if response.location is defined %}<location>{{ response.location }}</location>{% endif %} {%if response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %}
{%if response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %} {%if response.level is defined %}<level>{{ response.level }}</level>{% endif %}
{%if response.level is defined %}<level>{{ response.level }}</level>{% endif %} {%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %}
{%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %} {%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %}
{%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %} {%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %}
{%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %} {%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %} </active-response>
</active-response> {% endfor %}
{% endfor %} {% endif -%}
-->
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_manager_config.localfiles.common %} {% for localfile in wazuh_manager_config.localfiles.common %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -453,6 +434,7 @@
{% if ansible_os_family == "Debian" %} {% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_manager_config.localfiles.debian %} {% for localfile in wazuh_manager_config.localfiles.debian %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -487,10 +469,11 @@
{% endif %} {% endif %}
</localfile> </localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif -%}
{% if ansible_os_family == "RedHat" %} {% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_manager_config.localfiles.centos %} {% for localfile in wazuh_manager_config.localfiles.centos %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -525,7 +508,7 @@
{% endif %} {% endif %}
</localfile> </localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif -%}
{% if wazuh_manager_config.syslog_outputs is defined %} {% if wazuh_manager_config.syslog_outputs is defined %}
{% for syslog_output in wazuh_manager_config.syslog_outputs %} {% for syslog_output in wazuh_manager_config.syslog_outputs %}
@ -547,4 +530,91 @@
</labels> </labels>
{% endif %} {% endif %}
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if wazuh_manager_config.ruleset.cdb_lists is defined %}
{% for list in wazuh_manager_config.ruleset.cdb_lists %}
<list>etc/lists/{{ list }}</list>
{% endfor %}
{% endif %}
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is not none %}
<port>{{wazuh_manager_config.authd.port}}</port>
{% else %}
<port>1515</port>
{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}
<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
{% endif %}
{% if wazuh_manager_config.authd.force_insert is not none %}
<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>
{% endif %}
{% if wazuh_manager_config.authd.force_time is not none %}
<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>
{% endif %}
{% if wazuh_manager_config.authd.purge is not none %}
<purge>{{wazuh_manager_config.authd.purge}}</purge>
{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.limit_maxagents is not none %}
<limit_maxagents>{{wazuh_manager_config.authd.limit_maxagents}}</limit_maxagents>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}
<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}
<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
{% endif %}
</auth>
{% endif %}
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
{% if wazuh_manager_config.cluster.interval is defined %}
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
{% endif %}
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
</ossec_config> </ossec_config>

4
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -2,8 +2,11 @@
{% if wazuh_agent_configs is defined %} {% if wazuh_agent_configs is defined %}
{% for agent_config in wazuh_agent_configs %} {% for agent_config in wazuh_agent_configs %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}"> <agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
{% if agent_config.syscheck is defined %}
<syscheck> <syscheck>
{% if agent_config.syscheck.auto_ignore is defined %}
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore> <auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
{% endif %}
<alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files> <alert_new_files>{{ agent_config.syscheck.alert_new_files }}</alert_new_files>
<!-- Frequency that syscheck is executed -- default every 20 hours --> <!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ agent_config.syscheck.frequency }}</frequency> <frequency>{{ agent_config.syscheck.frequency }}</frequency>
@ -40,6 +43,7 @@
{% endfor %} {% endfor %}
{% endif %} {% endif %}
</syscheck> </syscheck>
{% endif %}
{% for localfile in agent_config.localfiles %} {% for localfile in agent_config.localfiles %}
<localfile> <localfile>

20
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
View File

@ -1,6 +1,7 @@
<!-- Local rules --> <!-- Local rules -->
<!-- Modify it at your will. --> <!-- Modify it at your will. -->
<!-- Copyright (C) 2015-2019, Wazuh Inc. -->
<!-- Example --> <!-- Example -->
<group name="local,syslog,sshd,"> <group name="local,syslog,sshd,">
@ -15,21 +16,4 @@
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group> <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule> </rule>
</group> </group>
<!--
Used with active-response to restart an agent when agent.conf file
is successfully retrieved.
-->
<group name="local,ossec,">
<rule id="100002" level="1">
<if_group>syscheck</if_group>
<match>/var/ossec/etc/shared/agent.conf</match>
<description>Linux | agent.conf was modified</description>
</rule>
<rule id="100003" level="1">
<if_group>syscheck</if_group>
<match>C:\wazuh-agent/shared/agent.conf</match>
<description>Windows | agent.conf was modified</description>
</rule>
</group>

2
roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml
View File

@ -1,2 +1,2 @@
--- ---
#authd_pass: foobar # authd_pass: foobar

87
roles/wazuh/ansible-wazuh-manager/vars/cdb_lists.yml
View File

@ -1,87 +0,0 @@
---
cdb_lists:
- name: 'audit-keys'
content: |
audit-wazuh-w:write
audit-wazuh-r:read
audit-wazuh-a:attribute
audit-wazuh-x:execute
audit-wazuh-c:command
- name: 'aws-source'
content: |
ec2.amazonaws.com:
elasticloadbalancing.amazonaws.com:
iam.amazonaws.com:
signin.amazonaws.com:
kms.amazonaws.com:
s3.amazonaws.com:
- name: 'aws-eventnames'
content: |
AddUserToGroup:
AllocateAddress:
AssociateAddress:
AssociateDhcpOptions:
AssociateRouteTable:
AttachGroupPolicy:
AttachNetworkInterface:
AttachRolePolicy:
AttachUserPolicy:
AttachVolume:
AuthorizeSecurityGroupIngress:
ConsoleLogin:
CopySnapshot:
CreateAccountAlias:
CreateGroup:
CreateImage:
CreateLoadBalancer:
CreatePlacementGroup:
CreatePolicy:
CreateRole:
CreateRouteTable:
CreateSecurityGroup:
CreateSnapshot:
CreateSubnet:
CreateTags:
CreateUser:
CreateVolume:
CreateVpc:
DeleteAccountAlias:
DeleteLoadBalancer:
DeletePlacementGroup:
DeleteSecurityGroup:
DeleteSnapshot:
DeleteTags:
DeleteUser:
DeleteVolume:
DeregisterImage:
DetachGroupPolicy:
DetachNetworkInterface:
DetachRolePolicy:
DetachVolume:
DisableKey:
DisassociateAddress:
DisassociateAddress:
DisassociateRouteTable:
GetGroup:
ListAliases:
ListGroups:
ListUsers:
ModifyImageAttribute:
ModifyInstanceAttribute:
ModifyNetworkInterfaceAttribute:
ModifySnapshotAttribute:
ModifySubnetAttribute:
ModifyVolumeAttribute:
MonitorInstances:
RebootInstances:
RegisterImage:
RemoveUserFromGroup:
RevokeSecurityGroupIngress:
RunInstances:
StartInstances:
StopInstances:
TerminateInstances:
UnmonitorInstances:
UpdateAccessKey:
UpdateAccountPasswordPolicy:
UpdateInstanceAlias: