afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #499 from wazuh/feature-release-4.0.1

Browse Source 
wazuh-ansible release v4.0.1
This commit is contained in:
Manuel J. Bernal 2020-11-16 18:05:01 +01:00 committed by GitHub
commit 6e72daa737
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
74 changed files with 3931 additions and 1136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
.ansible-lint Normal file
View File

@ -0,0 +1,15 @@
---
use_default_rules: true
parseable: true
quiet: true
verbosity: 1
# State that naming for now should be a warning
# 106: ansible role name does not conform to pattern [a-z][a-z0-9_]+$
warn_list:
- '106'
# This is for false positives
# 504: Do not use 'local_action', use 'delegate_to: localhost'
skip_list:
- '504'

7
.github/actions/default/Dockerfile vendored
View File

@ -1,7 +0,0 @@
FROM quay.io/ansible/molecule:2.20
VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock" ]
COPY ./entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

6
.github/actions/default/action.yml vendored
View File

@ -1,6 +0,0 @@
name: molecule-test
description: Molecule tests for Wazuh Ansible
runs:
using: docker
image: 'Dockerfile'

3
.github/actions/default/entrypoint.sh vendored
View File

@ -1,3 +0,0 @@
#!/bin/sh -eu
molecule test

130
.github/workflows/main.yml vendored
View File

@ -1,13 +1,127 @@
---
name: Molecule tests for Wazuh Ansible
on: [push]
on: [pull_request, workflow_dispatch, release]
jobs:
default:
scenario-default:
name: Default scenario (smoke)
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v2
- name: Default scenario
uses: './.github/actions/default'
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
# Hack to get setup-python to work on act
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s default
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
scenario-distributed-wazuh-elk:
name: Distributed ELK + Wazuh
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s distributed-wazuh-elk
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
scenario-distributed-wazuh-elk-xpack:
name: Distributed ELK + XPack + Wazuh
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s distributed-wazuh-elk-xpack
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
scenario-distributed-wazuh-odfe:
name: Distributed ODFE + Wazuh
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install poetry
run: pip3 install poetry
- name: Install dependencies
run: poetry install
- name: Run Molecule tests.
run: poetry run molecule test -s distributed-wazuh-odfe
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'

3
.gitignore vendored
View File

@ -6,5 +6,8 @@ wazuh-elastic.yml
wazuh-kibana.yml
wazuh-manager.yml
*.pyc
.mypy_cache
Pipfile.lock
*.swp
molecule/**/es_certs/
molecule/**/opendistro/

29
.yamllint
View File

@ -1,3 +1,5 @@
---
# Based on ansible-lint config
extends: default
rules:
@ -7,10 +9,25 @@ rules:
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
# NOTE(retr0h): Templates no longer fail this lint rule.
# Uncomment if running old Molecule templates.
# truthy: disable
ignore: |
.travis.yml
config.yml
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable

31
CHANGELOG.md
View File

@ -1,20 +1,45 @@
# Change Log
All notable changes to this project will be documented in this file.
## [v4.0.1]
### Added
- Update to Wazuh v4.0.1
- Allow installing fixed Filebeat-oss version ([@Zenidd](https://github.com/Zenidd)) [PR#486](https://github.com/wazuh/wazuh-ansible/pull/486)
- Feature adapt molecule tests ([@neonmei](https://github.com/neonmei)) [PR#477](https://github.com/wazuh/wazuh-ansible/pull/477)
### Fixed
- Roles/elastic-stack: update jvm.options template per upstream updates ([@neonmei](https://github.com/neonmei)) [PR#501](https://github.com/wazuh/wazuh-ansible/pull/501)
- Improve linting history ([@neonmei](https://github.com/neonmei))
- Fix lint opendistro kibana [PR#497](https://github.com/wazuh/wazuh-ansible/pull/497)
- Feature lint roles configurations [PR#496](https://github.com/wazuh/wazuh-ansible/pull/496)
- Feature lint role wazuh agent [PR#495](https://github.com/wazuh/wazuh-ansible/pull/495)
- Feature lint role filebeat oss [PR#494](https://github.com/wazuh/wazuh-ansible/pull/494)
- Lint role wazuh-manager [PR#493](https://github.com/wazuh/wazuh-ansible/pull/493)
- Feature lint role elasticsearch [PR#492](https://github.com/wazuh/wazuh-ansible/pull/492)
- Feature lint role opendistro-elasticsearch [PR#491](https://github.com/wazuh/wazuh-ansible/pull/491)
- Feature lint remove unused variables [PR#487](https://github.com/wazuh/wazuh-ansible/pull/487)
- Feature agent default vars depth reduction [PR#485](https://github.com/wazuh/wazuh-ansible/pull/485)
- Remove unnecesary nodejs dependency ([@neonmei](https://github.com/neonmei)) [PR#482](https://github.com/wazuh/wazuh-ansible/pull/482)
- Feature manager configuration unnest ([@neonmei](https://github.com/neonmei)) [PR#481](https://github.com/wazuh/wazuh-ansible/pull/481)
- Elastic API check fix ([@Zenidd](https://github.com/Zenidd)) [PR#480](https://github.com/wazuh/wazuh-ansible/pull/480)
- Improve handling of run_once at opendistro-elasticsearch role ([@neonmei](https://github.com/neonmei)) [PR#478](https://github.com/wazuh/wazuh-ansible/pull/478)
## [v4.0.0]
### Added
- Update to Wazuh v4.0.0
- New example playbooks on README ([@Zenidd](https://github.com/Zenidd)) [PR#468](https://github.com/wazuh/wazuh-ansible/pull/468)
### Fixed
- Ensure recursive /usr/share/kibana permissions before installing WUI ([@Zenidd](https://github.com/Zenidd)) [PR#471](https://github.com/wazuh/wazuh-ansible/pull/471)
- Remove vuls integration ([@manuasir](https://github.com/manuasir)) [PR#469](https://github.com/wazuh/wazuh-ansible/pull/469)
### Added
- New example playbooks on README ([@Zenidd](https://github.com/Zenidd)) [PR#468](https://github.com/wazuh/wazuh-ansible/pull/468)
## [v3.13.2]

2
README.md
View File

@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
| Wazuh version | Elastic | ODFE |
|---------------|---------|--------|
| v4.0.0 | 7.9.2 | 1.10.1 |
| v4.0.1 | 7.9.3 | 1.11.0 |
## Documentation

14
molecule/default/Dockerfile.j2
View File

@ -1,14 +0,0 @@
# Molecule managed
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi

17
molecule/default/converge.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: Converge
hosts: all
roles:
- role: ../../roles/wazuh/ansible-wazuh-manager
vars:
- { role: ../../roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: "elasticsearch_centos7:9200" }
vars:
pre_tasks:
- name: (converge) fix missing packages in cloud images
apt:
name:
- unzip
- gpg-agent
state: present
update_cache: yes
when: ansible_distribution == "Ubuntu"

52
molecule/default/molecule.yml
View File

@ -1,34 +1,53 @@
---
# Smoke test: basic manager run
dependency:
name: galaxy
driver:
name: docker
lint:
name: yamllint
enabled: false
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
- name: manager_centos7
image: milcom/centos7-systemd
- name: wazuh_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
ulimits:
- nofile:262144:262144
privileged: true
memory_reservation: 2048m
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: ubuntu20
image: jrei/systemd-ubuntu:20.04
privileged: true
- name: debian9
image: jrei/systemd-debian:9
- name: wazuh_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
config_options:
defaults:
hash_behaviour: merge
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
@ -43,11 +62,8 @@ scenario:
- prepare
- converge
#- idempotence
- verify
#- verify
- cleanup
- destroy
verifier:
name: testinfra
lint:
name: flake8
enabled: false

7
molecule/default/playbook.yml
View File

@ -1,7 +0,0 @@
---
- name: Converge
hosts: all
roles:
- role: ../../roles/wazuh/ansible-wazuh-manager
vars:
- { role: ../../roles/wazuh/ansible-filebeat, filebeat_output_elasticsearch_hosts: "elasticsearch_centos7:9200" }

3
molecule/default/tests/test_default.py
View File

@ -1,7 +1,6 @@
import os
import pytest
import testinfra.utils.ansible_runner
import re
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
@ -9,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.0.0"
return "4.0.1"
def test_wazuh_packages_are_installed(host):

16
molecule/distributed-wazuh-elk-xpack/INSTALL.rst Normal file
View File

@ -0,0 +1,16 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py

94
molecule/distributed-wazuh-elk-xpack/converge.yml Normal file
View File

@ -0,0 +1,94 @@
---
- name: Generate certificates prior to converging
hosts: all
become: true
become_user: root
vars:
endpoints_hostvars: '{{ managers_hostvars | union(elastic_hostvars) | union(kibana_hostvars) }}'
roles:
- role: ../../roles/elastic-stack/ansible-elasticsearch
vars:
node_certs_generator: true
instances: '{{ elk_endpoint_list }}'
when:
- inventory_hostname in groups['elastic']
- ansible_hostname == 'wazuh-es01'
pre_tasks:
- name: (converge) build instances list dynamically for cert generator consumption
set_fact:
elk_endpoint_list: "{{ elk_endpoint_list | default({}) | combine({ instance_hostname: instance_item }) }}"
vars:
instance_hostname: '{{ item.ansible_facts.hostname }}'
instance_item:
name: '{{ item.private_ip}}'
ip: '{{ item.private_ip }}'
loop: '{{ endpoints_hostvars }}'
no_log: true
- name: overview of cert configuration
debug:
var: elk_endpoint_list
- name: Converge
hosts: all
become: true
become_user: root
vars:
endpoints_hostvars: '{{ managers_hostvars | union(elastic_hostvars) | union(kibana_hostvars) }}'
# arguments common to all managers
wazuh_managers_common:
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: ansible
max_retries: 5
retry_interval: 5
roles:
# 1. Elasticsearch
- role: ../../roles/elastic-stack/ansible-elasticsearch
vars:
instances: '{{ elk_endpoint_list }}'
when: inventory_hostname in groups['elastic']
# 2. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
when: inventory_hostname in groups['managers']
- role: ../../roles/wazuh/ansible-filebeat
when: inventory_hostname in groups['managers']
# 3. Kibana
- role: ../../roles/elastic-stack/ansible-kibana
when: inventory_hostname in groups['kibana']
# 4. Agents:
- role: ../../roles/wazuh/ansible-wazuh-agent
vars:
wazuh_managers: '{{ wazuh_managers_list }}'
when: inventory_hostname in groups['agents']
pre_tasks:
- name: (converge) build wazuh_managers list dynamically for agents to consume
set_fact:
wazuh_managers_list: '{{ wazuh_managers_list | default([]) | union([manager_item]) }}'
vars:
manager_item: '{{ wazuh_managers_common | combine({"address": item}) }}'
loop: '{{ manager_addresses }}'
- name: (converge) build instances list dynamically for cert generator consumption
set_fact:
elk_endpoint_list: "{{ elk_endpoint_list | default({}) | combine({ instance_hostname: instance_item }) }}"
vars:
instance_hostname: '{{ item.ansible_facts.hostname }}'
instance_item:
name: '{{ item.private_ip}}'
ip: '{{ item.private_ip }}'
loop: '{{ endpoints_hostvars }}'
no_log: true
- name: (converge) fix ubuntu repository key task in thin images where gpg-agent is missing
apt:
name: gpg-agent
state: present
update_cache: yes
when:
- ansible_distribution == "Ubuntu"
- inventory_hostname in groups['agents']

25
molecule/distributed-wazuh-elk-xpack/group_vars/agents.yml Normal file
View File

@ -0,0 +1,25 @@
---
wazuh_agent_config:
enrollment:
enabled: 'yes'
#manager_address: ''
#port: 1515
agent_name: '{{ ansible_hostname }}'
#groups: ''
#agent_address: ''
#ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
#server_ca_path: ''
#agent_certificate_path: ''
#agent_key_path: ''
#authorization_pass_path : /var/ossec/etc/authd.pass
#auto_method: 'no'
#delay_after_enrollment: 20
#use_source_ip: 'no'
wazuh_agent_authd:
registration_address: '{{ manager_addresses | random }}'
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'

27
molecule/distributed-wazuh-elk-xpack/group_vars/all.yml Normal file
View File

@ -0,0 +1,27 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
kibana_hostvars: "{{ groups['kibana'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
########################################################
# General ELK stack variables
# Xpack Security: autogenerate CA
generate_CA: true
filebeat_xpack_security: true
kibana_xpack_security: true
elasticsearch_xpack_security: true
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
elastic_stack_version: 7.9.3
filebeat_version: 7.9.3

17
molecule/distributed-wazuh-elk-xpack/group_vars/elastic.yml Normal file
View File

@ -0,0 +1,17 @@
---
single_node: false
elasticsearch_node_master: true
minimum_master_nodes: 1
elasticsearch_network_host: '{{ private_ip }}'
elasticsearch_node_name: '{{ private_ip }}'
elasticsearch_reachable_host: '{{ private_ip }}'
elasticsearch_http_port: 9200
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes: '{{ elastic_addresses }}'
elasticsearch_discovery_nodes: '{{ elastic_addresses }}'
elasticsearch_jvm_xms: 1024

19
molecule/distributed-wazuh-elk-xpack/group_vars/kibana.yml Normal file
View File

@ -0,0 +1,19 @@
---
kibana_server_name: '{{ ansible_hostname }}'
kibana_node_name: '{{ private_ip }}'
elasticsearch_network_host: "{{ elastic_addresses[0] }}"
#elasticsearch_http_port: 9200
elasticsearch_node_master: false
elasticsearch_node_ingest: false
elasticsearch_node_data: false
wazuh_api_credentials:
- id: default
url: 'https://{{ manager_addresses[0] }}'
port: 55000
#port: 1514
username: wazuh
password: wazuh

21
molecule/distributed-wazuh-elk-xpack/group_vars/managers.yml Normal file
View File

@ -0,0 +1,21 @@
---
wazuh_manager_fqdn: '{{ ansible_hostname }}'
filebeat_node_name: '{{ private_ip }}'
filebeat_output_elasticsearch_hosts: '{{ elastic_addresses }}'
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: '{{ ansible_hostname }}'
node_type: "{{ 'master' if ansible_hostname == 'wazuh-mgr01' else 'worker' }}"
nodes: '{{ manager_addresses }}'
hidden: 'no'

162
molecule/distributed-wazuh-elk-xpack/molecule.yml Normal file
View File

@ -0,0 +1,162 @@
---
# Distributed scenario: clustered manager scenario + connected agents
# 2-core CPU
# 7 GB of RAM memory
# 14 GB of SSD disk space
#
# Source: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners
dependency:
name: galaxy
driver:
name: docker
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
################################################
# Wazuh Managers
################################################
- name: molecule_xpack_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_xpack_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Elastic Cluster
################################################
- name: molecule_xpack_elasticsearch_centos7
hostname: wazuh-es01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_xpack_elasticsearch_debian9
hostname: wazuh-es02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh Agents
################################################
- name: molecule_xpack_agent_centos7
hostname: wazuh-agent01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_xpack_agent_debian9
hostname: wazuh-agent02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Kibana
################################################
- name: molecule_xpack_kibana_centos7
hostname: wazuh-kib01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 2048m
memory_reservation: 512m
groups:
- kibana
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
inventory:
links:
group_vars: group_vars
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
config_options:
defaults:
hash_behaviour: merge
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
name: ansible-lint
enabled: false
scenario:
name: distributed-wazuh-elk-xpack
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
#- idempotence
#- verify
- cleanup
- destroy
verifier:
name: testinfra

64
molecule/distributed-wazuh-elk-xpack/tests/test_default.py Normal file
View File

@ -0,0 +1,64 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.0.1"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "ossec", "ossec", 0o640),
("/var/ossec/etc/lists/audit-keys", "ossec", "ossec", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.9.3')

16
molecule/distributed-wazuh-elk/INSTALL.rst Normal file
View File

@ -0,0 +1,16 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py

60
molecule/distributed-wazuh-elk/converge.yml Normal file
View File

@ -0,0 +1,60 @@
---
- name: Converge
hosts: all
become: true
become_user: root
vars:
# arguments common to all managers
wazuh_managers_common:
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: ansible
max_retries: 5
retry_interval: 5
roles:
# 1. Elasticsearch
- role: ../../roles/elastic-stack/ansible-elasticsearch
when: inventory_hostname in groups['elastic']
# 2. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
when: inventory_hostname in groups['managers']
- role: ../../roles/wazuh/ansible-filebeat
when: inventory_hostname in groups['managers']
# 3. Kibana
- role: ../../roles/elastic-stack/ansible-kibana
when: inventory_hostname in groups['kibana']
# 4. Agents:
- role: ../../roles/wazuh/ansible-wazuh-agent
vars:
wazuh_managers: '{{ wazuh_managers_list }}'
when: inventory_hostname in groups['agents']
pre_tasks:
- name: (converge) build wazuh_managers list dynamically for agents to consume
set_fact:
wazuh_managers_list: '{{ wazuh_managers_list | default([]) | union([merged_dict]) }}'
vars:
merged_dict: '{{ wazuh_managers_common | combine({"address": item}) }}'
loop: '{{ manager_addresses }}'
- name: (converge) fix ubuntu repository key task in thin images where gpg-agent is missing
apt:
name: gpg-agent
state: present
update_cache: yes
when:
- ansible_distribution == "Ubuntu"
- inventory_hostname in groups['agents']
- debug:
msg: |
-----------------------------------------
managers: {{ managers_hostvars | length }}
addresses: {{ manager_addresses }}
-----------------------------------------
elastic: {{ elastic_hostvars | length }}
addresses: {{ elastic_addresses }}
-----------------------------------------

18
molecule/distributed-wazuh-elk/group_vars/agents.yml Normal file
View File

@ -0,0 +1,18 @@
---
wazuh_agent_config:
enrollment:
enabled: 'yes'
#manager_address: ''
#port: 1515
agent_name: '{{ ansible_hostname }}'
#groups: ''
#agent_address: ''
#ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
#server_ca_path: ''
#agent_certificate_path: ''
#agent_key_path: ''
#authorization_pass_path : /var/ossec/etc/authd.pass
#auto_method: 'no'
#delay_after_enrollment: 20
#use_source_ip: 'no'

13
molecule/distributed-wazuh-elk/group_vars/all.yml Normal file
View File

@ -0,0 +1,13 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
elastic_stack_version: 7.9.3

21
molecule/distributed-wazuh-elk/group_vars/elastic.yml Normal file
View File

@ -0,0 +1,21 @@
---
single_node: false
elasticsearch_node_master: true
minimum_master_nodes: 1
elasticsearch_network_host: '{{ private_ip }}'
elasticsearch_node_name: '{{ ansible_hostname }}'
elasticsearch_reachable_host: '{{ private_ip }}'
elasticsearch_http_port: 9200
# This scenario runs without xpack-security
elasticsearch_xpack_security: false
node_certs_generator: false
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes: '{{ elastic_addresses }}'
elasticsearch_discovery_nodes: '{{ elastic_addresses }}'
elasticsearch_jvm_xms: 1024

19
molecule/distributed-wazuh-elk/group_vars/kibana.yml Normal file
View File

@ -0,0 +1,19 @@
---
kibana_node_name: '{{ ansible_hostname }}'
kibana_server_name: '{{ ansible_hostname }}'
elasticsearch_network_host: "{{ elastic_addresses | random }}"
#elasticsearch_http_port: 9200
elasticsearch_node_master: false
elasticsearch_node_ingest: false
elasticsearch_node_data: false
wazuh_api_credentials:
- id: default
url: 'https://{{ manager_addresses[0] }}'
port: 55000
#port: 1514
username: wazuh
password: wazuh

20
molecule/distributed-wazuh-elk/group_vars/managers.yml Normal file
View File

@ -0,0 +1,20 @@
---
wazuh_manager_fqdn: '{{ ansible_hostname }}'
filebeat_node_name: '{{ ansible_hostname }}'
filebeat_output_elasticsearch_hosts: '{{ elastic_addresses }}'
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: '{{ ansible_hostname }}'
node_type: "{{ 'master' if ansible_hostname == 'wazuh-mgr01' else 'worker' }}"
nodes: '{{ manager_addresses }}'
hidden: 'no'

7
molecule/distributed-wazuh-elk/host_vars/wazuh_agent_centos7.yml Normal file
View File

@ -0,0 +1,7 @@
---
wazuh_agent_authd:
registration_address: '{{ manager_addresses | random }}'
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'

163
molecule/distributed-wazuh-elk/molecule.yml Normal file
View File

@ -0,0 +1,163 @@
---
# Distributed scenario: clustered manager scenario + connected agents
# 2-core CPU
# 7 GB of RAM memory
# 14 GB of SSD disk space
#
# Source: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners
dependency:
name: galaxy
driver:
name: docker
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
################################################
# Wazuh Managers
################################################
- name: wazuh_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: wazuh_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Elastic Cluster
################################################
- name: wazuh_elasticsearch_centos7
hostname: wazuh-es01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: wazuh_elasticsearch_debian9
hostname: wazuh-es02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh Agents
################################################
- name: wazuh_agent_centos7
hostname: wazuh-agent01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: wazuh_agent_debian9
hostname: wazuh-agent01
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Kibana
################################################
- name: wazuh_kibana_centos7
hostname: wazuh-kib01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 2048m
memory_reservation: 512m
groups:
- kibana
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
inventory:
links:
group_vars: group_vars
host_vars: host_vars
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
config_options:
defaults:
hash_behaviour: merge
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
name: ansible-lint
enabled: false
scenario:
name: distributed-wazuh-elk
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
#- idempotence
#- verify
- cleanup
- destroy
verifier:
name: testinfra

64
molecule/distributed-wazuh-elk/tests/test_default.py Normal file
View File

@ -0,0 +1,64 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.0.1"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "ossec", "ossec", 0o640),
("/var/ossec/etc/lists/audit-keys", "ossec", "ossec", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.9.3')

16
molecule/distributed-wazuh-odfe/INSTALL.rst Normal file
View File

@ -0,0 +1,16 @@
*******
Install
*******
Requirements
============
* Docker Engine
* docker-py
Install
=======
.. code-block:: bash
$ sudo pip install docker-py

75
molecule/distributed-wazuh-odfe/converge.yml Normal file
View File

@ -0,0 +1,75 @@
---
- name: Build Facts
hosts: all
become: true
become_user: root
vars:
endpoints_hostvars: '{{ managers_hostvars | union(elastic_hostvars) | union(kibana_hostvars) }}'
wazuh_managers_common:
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: ansible
max_retries: 5
retry_interval: 5
pre_tasks:
- name: (converge) build instances list dynamically for cert generator consumption
set_fact:
odfe_endpoint_list: "{{ odfe_endpoint_list | default({}) | combine({ instance_hostname: instance_item }) }}"
vars:
instance_hostname: '{{ item.ansible_facts.hostname }}'
instance_item:
name: '{{ instance_hostname }}'
ip: '{{ item.private_ip }}'
loop: '{{ endpoints_hostvars }}'
no_log: true
- name: (converge) build wazuh_managers list dynamically for agents to consume
set_fact:
wazuh_managers_list: '{{ wazuh_managers_list | default([]) | union([manager_item]) }}'
vars:
manager_item: '{{ wazuh_managers_common | combine({"address": item}) }}'
loop: '{{ manager_addresses }}'
- name: overview of cert configuration
debug:
var: odfe_endpoint_list
- name: Generate certificates prior to converging
hosts: molecule_odfe_elasticsearch_centos7
become: true
become_user: root
roles:
- role: ../../roles/opendistro/opendistro-elasticsearch
vars:
generate_certs: true
perform_installation: false
instances: '{{ odfe_endpoint_list }}'
pre_tasks:
- name: overview of cert configuration
debug:
var: odfe_endpoint_list
- name: Converge
hosts: all
become: true
become_user: root
roles:
# 1. Elasticsearch
- role: ../../roles/opendistro/opendistro-elasticsearch
when: inventory_hostname in groups['elastic']
# 2. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
when: inventory_hostname in groups['managers']
- role: ../../roles/wazuh/ansible-filebeat-oss
when: inventory_hostname in groups['managers']
# 3. Kibana
- role: ../../roles/opendistro/opendistro-kibana
when: inventory_hostname in groups['kibana']
# 4. Agents:
- role: ../../roles/wazuh/ansible-wazuh-agent
vars:
wazuh_managers: '{{ wazuh_managers_list }}'
when: inventory_hostname in groups['agents']

25
molecule/distributed-wazuh-odfe/group_vars/agents.yml Normal file
View File

@ -0,0 +1,25 @@
---
wazuh_agent_config:
enrollment:
enabled: 'yes'
#manager_address: ''
#port: 1515
agent_name: '{{ ansible_hostname }}'
#groups: ''
#agent_address: ''
#ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
#server_ca_path: ''
#agent_certificate_path: ''
#agent_key_path: ''
#authorization_pass_path : /var/ossec/etc/authd.pass
#auto_method: 'no'
#delay_after_enrollment: 20
#use_source_ip: 'no'
wazuh_agent_authd:
registration_address: '{{ manager_addresses[0] }}'
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'

37
molecule/distributed-wazuh-odfe/group_vars/all.yml Normal file
View File

@ -0,0 +1,37 @@
---
########################################################
# Helper variables
private_ip: '{{ ansible_default_ipv4.address }}'
managers_hostvars: "{{ groups['managers'] | map('extract', hostvars) | list }}"
elastic_hostvars: "{{ groups['elastic'] | map('extract', hostvars) | list }}"
kibana_hostvars: "{{ groups['kibana'] | map('extract', hostvars) | list }}"
manager_addresses: "{{ managers_hostvars | map(attribute='private_ip') | list }}"
elastic_addresses: "{{ elastic_hostvars | map(attribute='private_ip') | list }}"
kibana_addresses: "{{ kibana_hostvars | map(attribute='private_ip') | list }}"
########################################################
# General ELK stack variables
# Cluster Settings
#es_version: "7.9.1"
#es_major_version: "7.x"
#opendistro_version: 1.10.1
filebeat_version: 7.9.1
# OpenDistro
kibana_opendistro_security: true
opendistro_kibana_user: kibanaserver
opendistro_security_user: elastic
opendistro_kibana_password: changeme
opendistro_security_password: admin
opendistro_admin_password: changeme
# All nodes are called by IP name
elasticsearch_node_name: '{{ ansible_hostname }}'
kibana_node_name: '{{ ansible_hostname }}'
filebeat_node_name: '{{ ansible_hostname }}'

16
molecule/distributed-wazuh-odfe/group_vars/elastic.yml Normal file
View File

@ -0,0 +1,16 @@
---
single_node: false
elasticsearch_node_master: true
minimum_master_nodes: 1
elasticsearch_network_host: '{{ private_ip }}'
elasticsearch_reachable_host: '{{ private_ip }}'
elasticsearch_http_port: 9200
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes: '{{ elastic_addresses }}'
elasticsearch_discovery_nodes: '{{ elastic_addresses }}'
opendistro_jvm_xms: 1024

17
molecule/distributed-wazuh-odfe/group_vars/kibana.yml Normal file
View File

@ -0,0 +1,17 @@
---
kibana_server_name: '{{ ansible_hostname }}'
elasticsearch_network_host: "{{ elastic_addresses[0] }}"
#elasticsearch_http_port: 9200
elasticsearch_node_master: false
elasticsearch_node_ingest: false
elasticsearch_node_data: false
wazuh_api_credentials:
- id: default
url: 'https://{{ manager_addresses[0] }}'
port: 55000
#port: 1514
username: wazuh
password: wazuh

19
molecule/distributed-wazuh-odfe/group_vars/managers.yml Normal file
View File

@ -0,0 +1,19 @@
---
wazuh_manager_fqdn: '{{ ansible_hostname }}'
filebeat_output_elasticsearch_hosts: '{{ elastic_addresses }}'
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: '{{ ansible_hostname }}'
node_type: "{{ 'master' if ansible_hostname == 'wazuh-mgr01' else 'worker' }}"
nodes: '{{ manager_addresses }}'
hidden: 'no'

162
molecule/distributed-wazuh-odfe/molecule.yml Normal file
View File

@ -0,0 +1,162 @@
---
# Distributed scenario: clustered manager scenario + connected agents
# 2-core CPU
# 7 GB of RAM memory
# 14 GB of SSD disk space
#
# Source: https://docs.github.com/en/free-pro-team@latest/actions/reference/specifications-for-github-hosted-runners
dependency:
name: galaxy
driver:
name: docker
lint: |
yamllint .
ansible-lint roles
flake8 molecule
platforms:
################################################
# Wazuh Managers
################################################
- name: molecule_odfe_manager_centos7
hostname: wazuh-mgr01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_odfe_manager_debian9
hostname: wazuh-mgr02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory_reservation: 512m
memory: 1024m
groups:
- managers
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Elastic Cluster
################################################
- name: molecule_odfe_elasticsearch_centos7
hostname: wazuh-es01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_odfe_elasticsearch_centos7_2
hostname: wazuh-es02
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 4096m
memory_reservation: 2048m
groups:
- elastic
ulimits:
- nofile:262144:262144
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Wazuh Agents
################################################
- name: molecule_odfe_agent_centos7
hostname: wazuh-agent01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- name: molecule_odfe_agent_debian9
hostname: wazuh-agent02
image: geerlingguy/docker-debian9-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 1024m
memory_reservation: 512m
groups:
- agents
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
################################################
# Kibana
################################################
- name: molecule_odfe_kibana_centos7
hostname: wazuh-kib01
image: geerlingguy/docker-centos7-ansible
command: /sbin/init
pre_build_image: true
privileged: true
memory: 2048m
memory_reservation: 512m
groups:
- kibana
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
provisioner:
name: ansible
ansible_args:
- -vv
inventory:
links:
group_vars: group_vars
playbooks:
create: create.yml
converge: converge.yml
#destroy: destroy.yml
config_options:
defaults:
hash_behaviour: merge
env:
ANSIBLE_ROLES_PATH: ./roles
lint:
name: ansible-lint
enabled: false
scenario:
name: distributed-wazuh-odfe
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
#- idempotence
#- verify
- cleanup
- destroy
verifier:
name: testinfra

64
molecule/distributed-wazuh-odfe/tests/test_default.py Normal file
View File

@ -0,0 +1,64 @@
import os
import pytest
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
def get_wazuh_version():
"""This return the version of Wazuh."""
return "4.0.1"
def test_wazuh_packages_are_installed(host):
"""Test the main packages are installed."""
manager = host.package("wazuh-manager")
assert manager.is_installed
assert manager.version.startswith(get_wazuh_version())
def test_wazuh_services_are_running(host):
"""Test the services are enabled and running.
When assert commands are commented, this means that the service command has
a wrong exit code: https://github.com/wazuh/wazuh-ansible/issues/107
"""
# This currently doesn't work with out current Docker base images
# manager = host.service("wazuh-manager")
# api = host.service("wazuh-api")
# assert manager.is_running
# assert api.is_running
output = host.check_output(
'ps aux | grep ossec | tr -s " " | cut -d" " -f11'
)
assert 'ossec-authd' in output
assert 'wazuh-modulesd' in output
assert 'wazuh-db' in output
assert 'ossec-execd' in output
assert 'ossec-monitord' in output
assert 'ossec-remoted' in output
assert 'ossec-logcollector' in output
assert 'ossec-analysisd' in output
assert 'ossec-syscheckd' in output
@pytest.mark.parametrize("wazuh_file, wazuh_owner, wazuh_group, wazuh_mode", [
("/var/ossec/etc/sslmanager.cert", "root", "root", 0o640),
("/var/ossec/etc/sslmanager.key", "root", "root", 0o640),
("/var/ossec/etc/rules/local_rules.xml", "ossec", "ossec", 0o640),
("/var/ossec/etc/lists/audit-keys", "ossec", "ossec", 0o660),
])
def test_wazuh_files(host, wazuh_file, wazuh_owner, wazuh_group, wazuh_mode):
"""Test Wazuh related files exist and have proper owners and mode."""
wazuh_file_host = host.file(wazuh_file)
assert wazuh_file_host.user == wazuh_owner
assert wazuh_file_host.group == wazuh_group
assert wazuh_file_host.mode == wazuh_mode
def test_filebeat_is_installed(host):
"""Test the elasticsearch package is installed."""
filebeat = host.package("filebeat")
assert filebeat.is_installed
assert filebeat.version.startswith('7.9.1')

1282
poetry.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

28
pyproject.toml Normal file
View File

@ -0,0 +1,28 @@
[tool.poetry]
name = "wazuh-ansible"
version = "4.0.1"
description = ""
authors = ["neonmei <neonmei@pm.me>"]
[tool.poetry.dependencies]
python = "^3.6"
# Pin ansible version to that currently present on awx
ansible = "==2.9.5"
jinja2 = "^2.11.2"
[tool.poetry.dev-dependencies]
pytest = "^5.2"
ansible-lint = "^4.3.5"
flake8 = "^3.8.4"
selinux = "^0.2.1"
yamllint = "^1.25.0"
# minimum version is 3.0.3, because we need docker memory limitation
# https://github.com/ansible-community/molecule/pull/2615
molecule = {extras = ["docker"], version = "==3.0.8"}
testinfra = "^5.3.1"
[build-system]
requires = ["poetry>=0.12"]
build-backend = "poetry.masonry.api"

5
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -4,7 +4,7 @@ elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null
elastic_stack_version: 7.9.1
elastic_stack_version: 7.9.3
elasticsearch_lower_disk_requirements: false
elasticsearch_path_repo: []
@ -27,9 +27,8 @@ elasticsearch_discovery_nodes:
elasticsearch_node_data: true
elasticsearch_node_ingest: true
# X-Pack Security
# X-Pack Security
elasticsearch_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false

12
roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
View File

@ -6,7 +6,12 @@
when: ansible_os_family == "Debian"
- name: Create elasticsearch.service.d folder.
file: path=/etc/systemd/system/elasticsearch.service.d/ state=directory
file:
path: /etc/systemd/system/elasticsearch.service.d
state: directory
owner: root
group: root
mode: 0755
when:
- ansible_service_mgr == "systemd"
@ -78,7 +83,7 @@
tags: configure
- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf
lineinfile:
lineinfile: # noqa 208
path: /etc/security/limits.conf
line: elasticsearch - memlock unlimited
create: yes
@ -92,6 +97,9 @@
lineinfile:
path: /etc/security/limits.d/elasticsearch.conf
line: elasticsearch - memlock unlimited
owner: root
group: root
mode: 0644
create: yes
become: true
changed_when: false

3
roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
View File

@ -8,6 +8,9 @@
template:
src: instances.yml.j2
dest: "{{ node_certs_source }}/instances.yml"
owner: root
group: root
mode: 0644
force: no
register: instances_file_exists
tags:

41
roles/elastic-stack/ansible-elasticsearch/templates/jvm.options.j2
View File

@ -47,9 +47,22 @@
################################################################
## GC configuration
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
## optimizations
@ -96,14 +109,24 @@
# ensure the directory exists and has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log
## GC logging
#-XX:+PrintGCDetails
#-XX:+PrintGCTimeStamps
#-XX:+PrintGCDateStamps
#-XX:+PrintClassHistogram
#-XX:+PrintTenuringDistribution
#-XX:+PrintGCApplicationStoppedTime
## JDK 8 GC logging
# 8:-XX:+PrintGCDetails
# 8:-XX:+PrintGCDateStamps
# 8:-XX:+PrintTenuringDistribution
# 8:-XX:+PrintGCApplicationStoppedTime
# 8:-Xloggc:/var/log/elasticsearch/gc.log
# 8:-XX:+UseGCLogFileRotation
# 8:-XX:NumberOfGCLogFiles=32
# 8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
# 9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
# log GC status to a file with time stamps
# ensure the directory exists

6
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -6,8 +6,8 @@ elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_conf_path: /etc/kibana
elastic_stack_version: 7.9.2
wazuh_version: 4.0.0
elastic_stack_version: 7.9.3
wazuh_version: 4.0.1
wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
elasticrepo:
@ -31,8 +31,6 @@ kibana_ssl_verification_mode: "full"
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/kibana/certs
# CA Generation

1
roles/elastic-stack/ansible-kibana/tasks/main.yml
View File

@ -100,6 +100,7 @@
- name: Ensuring Kibana directory owner
file:
# noqa 208
path: "/usr/share/kibana"
state: directory
owner: kibana

17
roles/opendistro/opendistro-elasticsearch/defaults/main.yml
View File

@ -1,9 +1,6 @@
---
# Cluster Settings
es_version: "7.9.1"
es_major_version: "7.x"
opendistro_version: 1.10.1
opendistro_version: 1.11.0
single_node: false
elasticsearch_node_name: node-1
@ -38,13 +35,8 @@ package_repos:
opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
opendistro_conf_path: /etc/elasticsearch/
es_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
# Security password
opendistro_security_password: admin
opendistro_custom_user: ""
opendistro_custom_user_role: "admin"
@ -58,11 +50,6 @@ certs_gen_tool_version: 1.8
# Url of Search Guard certificates generator tool
certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
opendistro_admin_password: changeme
opendistro_kibana_password: changeme
@ -70,3 +57,5 @@ opendistro_kibana_password: changeme
# Deployment settings
generate_certs: true
perform_installation: true
opendistro_nolog_sensible: true

2
roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
View File

@ -14,6 +14,7 @@
- name: Local action | Create local temporary directory for certificates generation
file:
path: "{{ local_certs_path }}"
mode: 0755
state: directory
- name: Local action | Check that the generation tool exists
@ -41,6 +42,7 @@
template:
src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml"
mode: 0644
register: tlsconfig_template
- name: Create a directory if it does not exist

160
roles/opendistro/opendistro-elasticsearch/tasks/main.yml
View File

@ -5,92 +5,94 @@
- generate_certs
- block:
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Install OpenDistro
package:
name: opendistroforelasticsearch-{{ opendistro_version }}
state: present
register: install
tags: install
- name: Remove elasticsearch configuration file
file:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
state: absent
when: install.changed
tags: install
- name: Install OpenDistro
package:
name: opendistroforelasticsearch-{{ opendistro_version }}
state: present
register: install
tags: install
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
tags: install
- name: Remove elasticsearch configuration file
file:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
state: absent
when: install.changed
tags: install
- include_tasks: security_actions.yml
tags:
- security
when: install.changed
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
tags: install
- name: Configure OpenDistro Elasticsearch JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options
owner: root
group: elasticsearch
mode: 0644
force: yes
notify: restart elasticsearch
tags: install
- import_tasks: security_actions.yml
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
enabled: true
state: started
- name: Configure OpenDistro Elasticsearch JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options
owner: root
group: elasticsearch
mode: 0644
force: yes
notify: restart elasticsearch
tags: install
- name: Wait for Elasticsearch API
uri:
url: "https://{{ inventory_hostname }}:{{ opendistro_http_port }}/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until:
- _result.json is defined
- _result.json.status == "green" or ( _result.json.status == "yellow" and single_node )
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip']
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
enabled: true
state: started
- name: Wait for Elasticsearch API
uri:
url: "https://{{ inventory_hostname }}:{{ opendistro_http_port }}/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip']
- single_node == false
- name: Wait for Elasticsearch API (Private IP)
uri:
url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:{{ opendistro_http_port }}/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip']
- single_node == false
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- name: Wait for Elasticsearch API (Private IP)
uri:
url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:{{ opendistro_http_port }}/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until:
- _result.json is defined
- _result.json.status == "green" or ( _result.json.status == "yellow" and single_node )
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip']
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
when: perform_installation

262
roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
View File

@ -1,152 +1,150 @@
- block:
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ opendistro_conf_path }}/kirk.pem"
- "{{ opendistro_conf_path }}/kirk-key.pem"
- "{{ opendistro_conf_path }}/esnode.pem"
- "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ opendistro_conf_path }}/kirk.pem"
- "{{ opendistro_conf_path }}/kirk-key.pem"
- "{{ opendistro_conf_path }}/esnode.pem"
- "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Configure node name
block:
- name: Setting node name (Elasticsearch)
set_fact:
od_node_name: "{{ elasticsearch_node_name }}"
when:
elasticsearch_node_name is defined and kibana_node_name is not defined
- name: Configure node name
block:
- name: Setting node name (Elasticsearch)
set_fact:
od_node_name: "{{ elasticsearch_node_name }}"
when:
elasticsearch_node_name is defined and kibana_node_name is not defined
- name: Setting node name (Kibana)
set_fact:
od_node_name: "{{ kibana_node_name }}"
when:
kibana_node_name is defined
- name: Setting node name (Kibana)
set_fact:
od_node_name: "{{ kibana_node_name }}"
when:
kibana_node_name is defined
- name: Setting node name (Filebeat)
set_fact:
od_node_name: "{{ kibana_node_name }}"
when:
filebeat_node_name is defined
- name: Setting node name (Filebeat)
set_fact:
od_node_name: "{{ kibana_node_name }}"
when:
filebeat_node_name is defined
- name: Configure IP (Private address)
set_fact:
target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
when:
- hostvars[inventory_hostname]['private_ip'] is defined
- name: Configure IP (Private address)
set_fact:
target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
when:
- hostvars[inventory_hostname]['private_ip'] is defined
- name: Configure IP (Public address)
set_fact:
target_address: "{{ inventory_hostname }}"
when:
- hostvars[inventory_hostname]['private_ip'] is not defined
- name: Configure IP (Public address)
set_fact:
target_address: "{{ inventory_hostname }}"
when:
- hostvars[inventory_hostname]['private_ip'] is not defined
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ od_node_name }}.key"
- "{{ od_node_name }}.pem"
- "{{ od_node_name }}_http.key"
- "{{ od_node_name }}_http.pem"
- "{{ od_node_name }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ od_node_name }}.key"
- "{{ od_node_name }}.pem"
- "{{ od_node_name }}_http.key"
- "{{ od_node_name }}_http.pem"
- "{{ od_node_name }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
- name: Copy the OpenDistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
- name: Copy the OpenDistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', snippet_path ) }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
vars:
snippet_path: '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml'
- name: Prepare the OpenDistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
- name: Prepare the OpenDistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
- name: Copy the OpenDistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Copy the OpenDistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Hashing the custom admin password
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}"
register: opendistro_admin_password_hashed
run_once: true
- name: Hashing the custom admin password
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301
register: opendistro_admin_password_hashed
no_log: '{{ opendistro_nolog_sensible | bool }}'
run_once: true
- name: Filtering hash result in case java path is not defined
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is defined
run_once: true
- name: Set the Admin user password
replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}"
run_once: true
- name: Setting admin hash result
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is not defined
run_once: true
# this can also be achieved with password_hash, but it requires dependencies on the controller
- name: Hash the kibanaserver role/user pasword
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301
register: opendistro_kibanaserver_password_hashed
no_log: '{{ opendistro_nolog_sensible | bool }}'
run_once: true
- name: Set the Admin user password
replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "\"{{ opendistro_admin_password_hashed_filtered }}\""
run_once: true
- name: Set the kibanaserver user password
replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}"
run_once: true
- name: Set the kibanaserver role/user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Initialize the OpenDistro security index in elasticsearch
command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ target_address }}
run_once: true # noqa 301
- name: Initialize the OpenDistro security index in elasticsearch
command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ target_address }}
run_once: true
- name: Create custom user
uri:
url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}"
method: PUT
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
body: |
{
"password": "{{ opendistro_admin_password }}",
"backend_roles": ["{{ opendistro_custom_user_role }}"]
}
body_format: json
validate_certs: no
status_code: 200,201,401
return_content: yes
timeout: 4
when:
- opendistro_custom_user is defined and opendistro_custom_user
- name: Create custom user
uri:
url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}"
method: PUT
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
body: |
{
"password": "{{ opendistro_admin_password }}",
"backend_roles": ["{{ opendistro_custom_user_role }}"]
}
body_format: json
validate_certs: no
status_code: 200,201,401
return_content: yes
timeout: 4
when:
- opendistro_custom_user is defined and opendistro_custom_user
tags:
- security
when: install.changed

9
roles/opendistro/opendistro-kibana/defaults/main.yml
View File

@ -2,10 +2,6 @@
# Kibana configuration
elasticsearch_http_port: 9200
elasticsearch_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
elastic_api_protocol: https
kibana_conf_path: /etc/kibana
kibana_node_name: node-1
@ -14,11 +10,11 @@ kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
elastic_stack_version: 7.9.1
wazuh_version: 4.0.0
wazuh_version: 4.0.1
wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
# The OpenDistro package repository
kibana_opendistro_version: -1.10.1-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts
kibana_opendistro_version: -1.11.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts
package_repos:
yum:
@ -44,7 +40,6 @@ kibana_newsfeed_enabled: "false"
kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false"
opendistro_security_user: elastic
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme

2
roles/opendistro/opendistro-kibana/tasks/main.yml
View File

@ -20,6 +20,7 @@
- name: Remove Kibana configuration file
file:
# noqa 503
path: "{{ kibana_conf_path }}/kibana.yml"
state: absent
when: install.changed
@ -43,6 +44,7 @@
- name: Ensuring Kibana directory owner
file:
# noqa 208
path: "/usr/share/kibana"
state: directory
owner: kibana

1
roles/wazuh/ansible-filebeat-oss/README.md
View File

@ -19,7 +19,6 @@ Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"

7
roles/wazuh/ansible-filebeat-oss/defaults/main.yml
View File

@ -1,11 +1,8 @@
---
filebeat_version: 7.9.1
wazuh_template_branch: v4.0.0
wazuh_template_branch: v4.0.1
filebeat_create_config: true
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
@ -18,8 +15,6 @@ elasticsearch_security_user: admin
elasticsearch_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_security_user: admin
filebeat_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (OpenDistro security plugin)

17
roles/wazuh/ansible-filebeat-oss/tasks/main.yml
View File

@ -5,14 +5,25 @@
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat
package:
name: filebeat
- name: Install Filebeat | Redhat
yum:
name: "filebeat-{{ filebeat_version }}"
state: present
register: install
tags:
- install
- init
when: ansible_os_family == 'RedHat'
- name: Install Filebeat | Debian
apt:
name: "filebeat={{ filebeat_version }}"
state: present
register: install
tags:
- install
- init
when: ansible_os_family == 'Debian'
- name: Checking if Filebeat Module folder file exists
stat:

12
roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
View File

@ -4,24 +4,22 @@
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
owner: root
group: root
mode: 0774
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
owner: root
group: root
mode: 0644
with_items:
- "{{ filebeat_node_name }}.key"
- "{{ filebeat_node_name }}.pem"
- "root-ca.pem"
- name: Ensuring folder & certs permissions
file:
path: "{{ filebeat_ssl_dir }}/"
mode: 0774
state: directory
recurse: yes
tags:
- security
when:

1
roles/wazuh/ansible-filebeat/README.md
View File

@ -19,7 +19,6 @@ Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"

25
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,33 +1,15 @@
---
filebeat_version: 7.9.2
filebeat_version: 7.9.3
wazuh_template_branch: v4.0.0
wazuh_template_branch: v4.0.1
filebeat_create_config: true
filebeat_prospectors:
- input_type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: ""
filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
@ -40,11 +22,8 @@ filebeat_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator : false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true

538
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
wazuh_agent_version: 4.0.0-1
wazuh_agent_version: 4.0.1-1
# Custom packages installation
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
wazuh_agent_sources_installation:
enabled: false
branch: "v4.0.0"
branch: "v4.0.1"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
@ -32,19 +32,11 @@ wazuh_agent_sources_installation:
user_agent_config_profile: null
user_ca_store: "/var/ossec/wpk_root.pem"
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: null
max_retries: 5
retry_interval: 5
wazuh_api_reachable_from_agent: false
wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes'
wazuh_agent_authd:
registration_address: 127.0.0.1
enable: false
@ -66,237 +58,297 @@ wazuh_winagent_config:
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_md5: True
md5: f9737cbd7df7104c1bee9f3e8b9ca26e
wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.0-1.msi
wazuh_winagent_package_name: wazuh-agent-4.0.0-1.msi
wazuh_agent_config:
repo:
apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes'
log_format: 'plain'
client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
win_audit_interval: 60
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
md5: f2444d89dab2c4c31bbdef454c95eb28
wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.1-1.msi
wazuh_winagent_package_name: wazuh-agent-4.0.1-1.msi
wazuh_agent_repo:
apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
cis_cat:
disable: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
labels:
enable: false
list:
- key: Env
value: Production
enrollment:
enabled: ''
manager_address: ''
port: 1515
agent_name: 'testname'
groups: ''
agent_address: ''
ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path : /var/ossec/etc/authd.pass
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
wazuh_agent_nat: false
##########################################
### Wazuh
##########################################
wazuh_agent_config_overlay: yes
## Client
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: null
max_retries: 5
retry_interval: 5
## Enrollment
wazuh_agent_enrollment:
enabled: ''
manager_address: ''
port: 1515
agent_name: 'testname'
groups: ''
agent_address: ''
ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path: /var/ossec/etc/authd.pass
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
## Client buffer
wazuh_agent_client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
## Rootcheck
wazuh_agent_rootcheck:
frequency: 43200
## Wodles
wazuh_agent_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_agent_cis_cat:
disable: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
wazuh_agent_osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
wazuh_agent_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
## SCA
wazuh_agent_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Syscheck
wazuh_agent_syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
win_audit_interval: 60
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
## Localfile
wazuh_agent_localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
## Labels
wazuh_agent_labels:
enable: false
list:
- key: Env
value: Production
## Active response
wazuh_agent_active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes'
## Logging
wazuh_agent_log_format: 'plain'
# wazuh_agent_config
wazuh_agent_config_defaults:
repo: '{{ wazuh_agent_repo }}'
active_response: '{{ wazuh_agent_active_response }}'
log_format: '{{ wazuh_agent_log_format }}'
client_buffer: '{{ wazuh_agent_client_buffer }}'
syscheck: '{{ wazuh_agent_syscheck }}'
rootcheck: '{{ wazuh_agent_rootcheck }}'
openscap: '{{ wazuh_agent_openscap }}'
osquery: '{{ wazuh_agent_osquery }}'
syscollector: '{{ wazuh_agent_syscollector }}'
sca: '{{ wazuh_agent_sca }}'
cis_cat: '{{ wazuh_agent_cis_cat }}'
localfiles: '{{ wazuh_agent_localfiles }}'
labels: '{{ wazuh_agent_labels }}'
enrollment: '{{ wazuh_agent_enrollment }}'

4
roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
View File

@ -69,7 +69,7 @@
register: agent_auth_output
notify: Windows | Restart Wazuh Agent
when:
- wazuh_agent_authd.enable == true
- wazuh_agent_authd.enable | bool
- not check_windows_key.stat.exists or check_windows_key.stat.size == 0
- wazuh_agent_authd.registration_address is not none
tags:
@ -81,7 +81,7 @@
state: directory
- name: Windows | Installing agent configuration (ossec.conf)
template:
template: # noqa 208
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_agent_win_path }}ossec.conf"
notify: Windows | Restart Wazuh Agent

1
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml
View File

@ -46,6 +46,7 @@
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
mode: 0755
state: directory
changed_when: false

8
roles/wazuh/ansible-wazuh-agent/tasks/main.yml
View File

@ -1,4 +1,12 @@
---
- name: Overlay wazuh_agent_config on top of defaults
set_fact:
wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_agent_config | default({}) }}'
when: wazuh_agent_config_overlay | bool
- include_tasks: "Windows.yml"
when: ansible_os_family == "Windows"

847
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
wazuh_manager_version: 4.0.0-1
wazuh_manager_version: 4.0.1-1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazon
# Sources installation
wazuh_manager_sources_installation:
enabled: false
branch: "v4.0.0"
branch: "v4.0.1"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
@ -35,381 +35,480 @@ wazuh_manager_sources_installation:
user_ca_store: null
threads: "2"
wazuh_manager_repo:
apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
##########################################
### Wazuh-OSSEC
##########################################
# groups to create
agent_groups: []
## Global
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_logall_json: 'no'
wazuh_manager_email_notification: 'no'
wazuh_manager_mailto:
- 'admin@example.net'
wazuh_manager_email_smtp_server: smtp.example.wazuh.com
wazuh_manager_email_from: ossecm@example.wazuh.com
wazuh_manager_email_maxperhour: 12
wazuh_manager_email_queue_size: 131072
wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12
## Logging
wazuh_manager_log_format: 'plain'
## Email alerts
wazuh_manager_extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
## Remote
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
## Reports
wazuh_manager_reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
## Woodles
wazuh_manager_rootcheck:
frequency: 43200
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
## SCA
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Vulnerability Detector
wazuh_manager_vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
## Syscheck
wazuh_manager_syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
## Command
wazuh_manager_commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh-win-2016'
executable: 'netsh-win-2016.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
## Localfile
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
## Syslog outputs
wazuh_manager_syslog_outputs:
- server: null
port: null
format: null
## Integrations
wazuh_manager_integrations:
# slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
# pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
## Labels
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
## Ruleset
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
## Auth
wazuh_manager_authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
## Cluster
wazuh_manager_cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
## Wazuh API setup
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
use_only_authd: no
drop_privileges: yes
experimental_features: no
# wazuh_api_users:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
logall_json: 'no'
log_format: 'plain'
api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
use_only_authd: no
drop_privileges: yes
experimental_features: no
cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
authd:
enable: true
port: 1515
use_source_ip: 'no'
force_insert: 'yes'
force_time: 0
purge: 'yes'
use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
email_notification: 'no'
mail_to:
- 'admin@example.net'
mail_smtp_server: smtp.example.wazuh.com
mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12
mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
rootcheck:
frequency: 43200
openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
cis_cat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vulnerability_detector:
enabled: 'no'
interval: '5m'
ignore_time: '6h'
run_on_start: 'yes'
providers:
- enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h'
name: '"canonical"'
- enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h'
name: '"debian"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
log_level: 3
email_level: 12
localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: '/var/ossec/logs/active-responses.log'
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh-win-2016'
executable: 'netsh-win-2016.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
rule_exclude:
- '0215-policy_rules.xml'
syslog_outputs:
- server: null
port: null
format: null
integrations:
#slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
#pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
labels:
enable: false
list:
- key: Env
value: Production
# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true
## Other/Wrappers
wazuh_manager_config_defaults:
repo: '{{ wazuh_manager_repo }}'
json_output: '{{ wazuh_manager_json_output }}'
alerts_log: '{{ wazuh_manager_alerts_log }}'
logall: '{{ wazuh_manager_logall }}'
logall_json: '{{ wazuh_manager_logall_json }}'
log_format: '{{ wazuh_manager_log_format }}'
api: '{{ wazuh_manager_api }}'
cluster: '{{ wazuh_manager_cluster }}'
connection: '{{ wazuh_manager_connection }}'
authd: '{{ wazuh_manager_authd }}'
email_notification: '{{ wazuh_manager_email_notification }}'
mail_to: '{{ wazuh_manager_mailto }}'
mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
mail_from: '{{ wazuh_manager_email_from }}'
mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
email_log_source: '{{ wazuh_manager_email_log_source }}'
extra_emails: '{{ wazuh_manager_extra_emails }}'
reports: '{{ wazuh_manager_reports}}'
syscheck: '{{ wazuh_manager_syscheck }}'
rootcheck: '{{ wazuh_manager_rootcheck }}'
openscap: '{{ wazuh_manager_openscap }}'
cis_cat: '{{ wazuh_manager_ciscat }}'
osquery: '{{ wazuh_manager_osquery }}'
syscollector: '{{ wazuh_manager_syscollector }}'
sca: '{{ wazuh_manager_sca }}'
vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}'
log_level: '{{ wazuh_manager_log_level }}'
email_level: '{{ wazuh_manager_email_level }}'
localfiles: '{{ wazuh_manager_localfiles }}'
globals: '{{ wazuh_manager_globals }}'
commands: '{{ wazuh_manager_commands }}'
ruleset: '{{ wazuh_manager_ruleset }}'
rule_exclude: '{{ wazuh_manager_rule_exclude }}'
syslog_outputs: '{{ wazuh_manager_syslog_outputs }}'
integrations: '{{ wazuh_manager_integrations }}'
monitor_aws: '{{ wazuh_manager_monitor_aws }}'
labels: '{{ wazuh_manager_labels }}'
# shared-agent.conf
# shared_agent_config:
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: '/var/ossec/logs/active-responses.log'
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
agent_groups: [] # groups to create
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: '/var/ossec/logs/active-responses.log'
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'

12
roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml
View File

@ -1,12 +0,0 @@
---
- name: Debian/Ubuntu | Remove Wazuh repository.
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent
changed_when: false
- name: Debian/Ubuntu | Remove Nodejs repository.
apt_repository:
repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
state: absent
changed_when: false

12
roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml
View File

@ -1,12 +0,0 @@
---
- name: RedHat/CentOS/Fedora | Remove NodeJS repository (and clean up left-over metadata)
yum_repository:
name: NodeJS
state: absent
changed_when: false
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false

3
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml
View File

@ -58,6 +58,9 @@
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
owner: root
group: root
mode: 0644
state: directory
# When downloading "v3.11.0" extracted folder name is 3.11.0.

42
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,4 +1,12 @@
---
- name: Overlay wazuh_manager_config on top of defaults
set_fact:
wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_manager_config | default({}) }}'
when: wazuh_manager_config_overlay | bool
- name: "Install dependencies"
package:
name:
@ -7,28 +15,6 @@
- tar
state: present
- name: Check if NodeJS service exists
stat:
path: /usr/bin/node
register: node_service_status
- name: Install NodeJS repository
block:
- name: Download NodeJS repository script
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: /etc/nodejs.sh
mode: 0775
changed_when: false
- name: Run NodeJS bash script
command: sh /etc/nodejs.sh
register: nodejs_script
changed_when: nodejs_script.rc == 0
when:
- not node_service_status.stat.exists
- wazuh_manager_config.cluster.node_type == "master"
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
@ -335,12 +321,6 @@
- ( agent_groups is defined) and ( agent_groups|length > 0)
tags: molecule-idempotence-notest
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
- not wazuh_manager_sources_installation.enabled
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"
- not wazuh_manager_sources_installation.enabled
- name: Run uninstall tasks
include_tasks: uninstall.yml
when: not wazuh_manager_sources_installation.enabled

15
roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Debian/Ubuntu | Remove Wazuh repository.
apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent
changed_when: false
when: ansible_os_family == "Debian"
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false
when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon"

95
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-api-configuration-config.js.j2
View File

@ -1,95 +0,0 @@
var config = {};
// Basic configuration
// Path
config.ossec_path = "/var/ossec";
// The host to bind the API to.
config.host = "{{ wazuh_manager_config.api.bind_addr }}";
// TCP Port used by the API.
config.port = "{{ wazuh_manager_config.api.port }}";
// Use HTTP protocol over TLS/SSL. Values: yes, no.
config.https = "{{ wazuh_manager_config.api.https }}";
// Use HTTP authentication. Values: yes, no.
config.basic_auth = "{{ wazuh_manager_config.api.basic_auth }}";
//In case the API run behind a proxy server, turn to "yes" this feature. Values: yes, no.
config.BehindProxyServer = "{{ wazuh_manager_config.api.behind_proxy_server }}";
// HTTPS Certificates
config.https_key = "{{ wazuh_manager_config.api.https_key }}"
config.https_cert = "{{ wazuh_manager_config.api.https_cert }}"
config.https_use_ca = "{{ wazuh_manager_config.api.https_use_ca }}"
config.https_ca = "{{ wazuh_manager_config.api.https_ca }}"
// Advanced configuration
// Values for API log: disabled, info, warning, error, debug (each level includes the previous level).
config.logs = "info";
// Cross-origin resource sharing. Values: yes, no.
config.cors = "yes";
// Cache (time in milliseconds)
config.cache_enabled = "yes";
config.cache_debug = "no";
config.cache_time = "750";
// Log path
config.log_path = config.ossec_path + "/logs/api.log";
// Python
config.python = [
// Default installation
{
bin: "python",
lib: ""
},
// Python 3
{
bin: "python3",
lib: ""
},
// Package 'python27' for CentOS 6
{
bin: "/opt/rh/python27/root/usr/bin/python",
lib: "/opt/rh/python27/root/usr/lib64"
}
];
// Shared library path
config.ld_library_path = config.ossec_path + "/framework/lib"
// Option to force the use of authd to remove and add agents
config.use_only_authd = {{ wazuh_manager_config.api.use_only_authd }};
// Option to drop privileges (run as ossec)
config.drop_privileges = {{ wazuh_manager_config.api.drop_privileges }};
// Activate features still under development
config.experimental_features = {{ wazuh_manager_config.api.experimental_features }};
/************************* SSL OPTIONS ****************************************/
// SSL protocol
// SSL protocol to use. All available secure protocols available at:
// https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
config.secureProtocol = "{{ wazuh_manager_config.api.secure_protocol }}";
try {
// Disable the use of SSLv3, TLSv1.1 and TLSv1.0. All available secureOptions at:
// https://nodejs.org/api/crypto.html#crypto_openssl_options
const crypto = require('crypto');
config.secureOptions = crypto.constants.SSL_OP_NO_SSLv3 |
crypto.constants.SSL_OP_NO_TLSv1 |
crypto.constants.SSL_OP_NO_TLSv1_1;
} catch (err) {
console.log("Could not configure NodeJS to avoid unsecure SSL/TLS protocols: " + err)
}
// SSL ciphersuit
// When choosing a cipher, use the server's preferences instead of the client
// preferences. When not set, the SSL server will always follow the clients
// preferences. More info at:
// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
config.honorCipherOrder = {{ wazuh_manager_config.api.honor_cipher_order }};
// Modify default ciphersuit. More info:
// https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite
config.ciphers = "{{ wazuh_manager_config.api.ciphers }}";
module.exports = config;

1
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -82,7 +82,6 @@
{% if agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>