afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added support for Filebeat-oss and several improvements

Browse Source
This commit is contained in:
Manuel J. Bernal 2020-06-04 21:17:33 +02:00
parent f21a7e9c1c
commit 79d58c3917
41 changed files with 340 additions and 417 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
playbooks/wazuh-manager-oss.yml
View File

@ -1,8 +1,9 @@
--- ---
- hosts: <WAZUH_MANAGER_HOST> - hosts: managers
roles: roles:
- role: ../roles/wazuh/ansible-wazuh-manager # - role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/filebeat-oss - role: ../roles/wazuh/ansible-filebeat-oss
filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 filebeat_output_elasticsearch_hosts:
- "172.16.0.161:9200"
- "172.16.0.162:9200"
- "172.16.0.163:9200"

2
playbooks/wazuh-opendistro.yml
View File

@ -1,4 +1,4 @@
--- ---
- hosts: es-cluster - hosts: es_cluster
roles: roles:
- role: ../roles/opendistro/opendistro-elasticsearch - role: ../roles/opendistro/opendistro-elasticsearch

2
roles/elastic-stack/ansible-elasticsearch/README.md
View File

@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

2
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -4,7 +4,7 @@ elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 7.6.2 elastic_stack_version: 7.7.0
elasticsearch_lower_disk_requirements: false elasticsearch_lower_disk_requirements: false
elasticrepo: elasticrepo:

2
roles/elastic-stack/ansible-kibana/README.md
View File

@ -37,7 +37,7 @@ Example Playbook
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

2
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -5,7 +5,7 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 7.6.2 elastic_stack_version: 7.7.0
wazuh_version: 3.12.3 wazuh_version: 3.12.3
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp

49
roles/opendistro/hosts
View File

@ -1,49 +0,0 @@
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
#[elasticsearch_first
es1 ansible_host=172.16.0.161 ansible_user=vagrant ip=172.16.0.161
es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162
es3 ansible_host=172.16.0.163 ansible_user=vagrant ip=172.16.0.163
manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250
[managers]
manager1
[es-cluster]
es1
es2
es3
manager1
[kibana]
es1
[single-host]
172.16.1.15 ansible_ssh_user=vagrant
[elastic-cluster]
172.16.0.161 ansible_ssh_user=vagrant
172.16.0.162 ansible_ssh_user=vagrant
172.16.0.163 ansible_ssh_user=vagrant
[agents]
172.16.0.131 ansible_ssh_user=vagrant
172.16.0.132 ansible_ssh_user=vagrant
# If you have multiple hosts following a pattern you can specify
# them like this:

4
roles/opendistro/opendistro-elasticsearch/defaults/main.yml
View File

@ -1,6 +1,6 @@
--- ---
# The OpenDistro version # The OpenDistro version
opendistro_version: 1.6.0 opendistro_version: 1.8.0
elasticsearch_cluster_name: wazuh-cluster elasticsearch_cluster_name: wazuh-cluster
# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
@ -28,7 +28,7 @@ opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_sec
opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
opendistro_conf_path: /etc/elasticsearch/ opendistro_conf_path: /etc/elasticsearch/
es_nodes: |- es_nodes: |-
{% for item in groups['es-cluster'] -%} {% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %} {%- endfor %}

43
roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
View File

@ -2,36 +2,36 @@
- block: - block:
- name: Local action | Create local temporary directory for certificates generation - name: Local action | Create local temporary directory for certificates generation
local_action: file:
module: file
path: "{{ local_certs_path }}" path: "{{ local_certs_path }}"
state: directory state: directory
- name: Local action | Check that the generation tool exists
stat:
path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
register: tool_package
- name: Local action | Download certificates generation tool - name: Local action | Download certificates generation tool
local_action: get_url:
module: get_url
url: "{{ certs_gen_tool_url }}" url: "{{ certs_gen_tool_url }}"
dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
when: not tool_package.stat.exists
- name: Local action | Extract the certificates generation tool - name: Local action | Extract the certificates generation tool
local_action: unarchive:
module: unarchive
src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip"
dest: "{{ local_certs_path }}/" dest: "{{ local_certs_path }}/"
- name: Local action | Add the execution bit to the binary - name: Local action | Add the execution bit to the binary
local_action: file:
module: file
dest: "{{ local_certs_path }}/tools/sgtlstool.sh" dest: "{{ local_certs_path }}/tools/sgtlstool.sh"
mode: a+x mode: a+x
- name: Local action | Prepare the certificates generation template file - name: Local action | Prepare the certificates generation template file
local_action: template:
module: template
src: "templates/tlsconfig.yml.j2" src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml" dest: "{{ local_certs_path }}/config/tlsconfig.yml"
- name: Create a directory if it does not exist - name: Create a directory if it does not exist
file: file:
path: "{{ local_certs_path }}/certs/" path: "{{ local_certs_path }}/certs/"
@ -40,20 +40,29 @@
delegate_to: localhost delegate_to: localhost
- name: Local action | Check if root CA file exists - name: Local action | Check if root CA file exists
local_action: stat:
module: stat
path: "{{ local_certs_path }}/certs/root-ca.key" path: "{{ local_certs_path }}/certs/root-ca.key"
register: root_ca_file register: root_ca_file
- name: Local action | Generate the node & admin certificates in local - name: Local action | Generate the node & admin certificates in local
local_action: command: >-
module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o {{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-ca -crt
-t {{ local_certs_path }}/certs/
-f -o
when: not root_ca_file.stat.exists when: not root_ca_file.stat.exists
- name: Local action | Generate the node & admin certificates using an existing root CA - name: Local action | Generate the node & admin certificates using an existing root CA
local_action: command: >-
module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f {{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-crt
-t {{ local_certs_path }}/certs/
-f
when: root_ca_file.stat.exists when: root_ca_file.stat.exists
run_once: true run_once: true
delegate_to: localhost
tags: tags:
- generate-certs - generate-certs

7
roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml
View File

@ -1,5 +1,4 @@
- block: - block:
- name: Remove demo certs - name: Remove demo certs
file: file:
path: "{{ item }}" path: "{{ item }}"
@ -12,7 +11,7 @@
- name: Copy the node & admin certificates to Elasticsearch cluster - name: Copy the node & admin certificates to Elasticsearch cluster
copy: copy:
src: "{{ local_certs_path }}/config/{{ item }}" src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/ dest: /etc/elasticsearch/
mode: 0644 mode: 0644
with_items: with_items:
@ -28,7 +27,7 @@
- name: Copy the OpenDistro security configuration file to cluster - name: Copy the OpenDistro security configuration file to cluster
blockinfile: blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml" dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
@ -76,5 +75,5 @@
run_once: true run_once: true
tags: tags:
- production_ready - security
when: install.changed when: install.changed

11
roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
View File

@ -17,7 +17,6 @@ defaults:
verifyHostnames: false verifyHostnames: false
resolveHostnames: false resolveHostnames: false
### ###
### Nodes ### Nodes
### ###
@ -25,7 +24,7 @@ defaults:
# Specify the nodes of your ES cluster here # Specify the nodes of your ES cluster here
# #
nodes: nodes:
{% for item in groups['es-cluster'] %} {% for item in groups['es_cluster'] %}
- name: {{ item }} - name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }} dns: {{ item }}.{{ domain_name }}
@ -39,6 +38,14 @@ nodes:
ip: {{ hostvars[item]['ip'] }} ip: {{ hostvars[item]['ip'] }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if groups['managers'] is defined and groups['managers']|length > 0 %}
{% for item in groups['managers'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% endif %}
### ###
### Clients ### Clients
### ###

10
roles/opendistro/opendistro-kibana/defaults/main.yml
View File

@ -1,17 +1,18 @@
--- ---
elasticsearch_http_port: "9200" elasticsearch_http_port: 9200
elasticsearch_network_host: |- elasticsearch_nodes: |-
{% for item in groups['kibana'] -%} {% for item in groups['kibana'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %} {%- endfor %}
elasticsearch_network_host: 172.16.0.161
elastic_api_protocol: https
kibana_conf_path: /etc/kibana kibana_conf_path: /etc/kibana
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
kibana_server_name: "kibana" kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576 kibana_max_payload_bytes: 1048576
opendistro_version: 7.6.1 elastic_stack_version: 7.7.0
wazuh_version: 3.12.3 wazuh_version: 3.12.3
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
@ -41,6 +42,7 @@ kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false" kibana_telemetry_enabled: "false"
opendistro_security_user: elastic opendistro_security_user: elastic
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme opendistro_kibana_password: changeme
local_certs_path: /tmp/opendistro-nodecerts local_certs_path: /tmp/opendistro-nodecerts

76
roles/opendistro/opendistro-kibana/tasks/main.yml
View File

@ -28,7 +28,6 @@
register: install register: install
tags: install tags: install
- name: Remove Kibana configuration file - name: Remove Kibana configuration file
file: file:
path: "{{ kibana_conf_path }}/kibana.yml" path: "{{ kibana_conf_path }}/kibana.yml"
@ -48,11 +47,82 @@
mode: 0640 mode: 0640
marker: "## {mark} Kibana general settings ##" marker: "## {mark} Kibana general settings ##"
notify: restart kibana notify: restart kibana
tags: tags:
- install - install
- configure - configure
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: >-
NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install
{{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Kibana optimization (can take a while)
shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args:
executable: /bin/bash
become: yes
become_user: kibana
changed_when: false
tags:
- skip_ansible_lint
- name: Wait for Elasticsearch port
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
- name: Select correct API protocol
set_fact:
elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh"
method: DELETE
user: "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200, 404
- name: Create wazuh plugin config directory
file:
path: /usr/share/kibana/optimize/wazuh/config/
state: directory
recurse: yes
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Configure Wazuh Kibana Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Reload systemd configuration
systemd:
daemon_reload: true
- name: Ensure Kibana started and enabled - name: Ensure Kibana started and enabled
service: service:
name: kibana name: kibana
@ -60,4 +130,4 @@
state: started state: started
- import_tasks: RMRedHat.yml - import_tasks: RMRedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'

4
roles/opendistro/opendistro-kibana/tasks/security_actions.yml
View File

@ -2,12 +2,12 @@
- name: Copy the certificates from local to the Kibana instance - name: Copy the certificates from local to the Kibana instance
copy: copy:
src: "{{ local_certs_path }}/config/{{ item }}" src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /usr/share/kibana dest: /usr/share/kibana
mode: 0644 mode: 0644
with_items: with_items:
- "{{ inventory_hostname }}_http.key" - "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem" - "{{ inventory_hostname }}_http.pem"
tags: tags:
- production_ready - security
when: install.changed when: install.changed

4
roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
View File

@ -8,9 +8,9 @@ server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
server.name: {{ kibana_server_name }} server.name: {{ kibana_server_name }}
server.host: {{ kibana_server_host }} server.host: {{ kibana_server_host }}
{% if kibana_opendistro_security %} {% if kibana_opendistro_security %}
elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
{% else %} {% else %}
elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" elasticsearch.hosts: "http://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
{% endif %} {% endif %}
elasticsearch.username: {{ opendistro_kibana_user }} elasticsearch.username: {{ opendistro_kibana_user }}

39
roles/wazuh/ansible-filebeat-oss/README.md Normal file
View File

@ -0,0 +1,39 @@
Ansible Role: Filebeat for Elastic Stack
------------------------------------
An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
```
License and copyright
---------------------
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-filebeat
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

30
roles/wazuh/ansible-filebeat-oss/defaults/main.yml Normal file
View File

@ -0,0 +1,30 @@
---
filebeat_version: 7.7.0
filebeat_create_config: true
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
elasticsearch_security_user: admin
elasticsearch_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_security_user: admin
filebeat_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (OpenDistro security plugin)
local_certs_path: /tmp/opendistro-nodecerts
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

0
roles/wazuh/filebeat-oss/handlers/main.yml → roles/wazuh/ansible-filebeat-oss/handlers/main.yml
View File

2
roles/wazuh/filebeat-oss/meta/main.yml → roles/wazuh/ansible-filebeat-oss/meta/main.yml
View File

@ -3,7 +3,7 @@ dependencies: []
galaxy_info: galaxy_info:
author: Wazuh author: Wazuh
description: Installing and maintaining filebeat server. description: Installing and maintaining Filebeat-oss.
company: wazuh.com company: wazuh.com
license: license (GPLv3) license: license (GPLv3)
min_ansible_version: 2.0 min_ansible_version: 2.0

2
roles/wazuh/filebeat-oss/tasks/Debian.yml → roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml
View File

@ -14,7 +14,7 @@
id: "{{ elasticrepo.key_id }}" id: "{{ elasticrepo.key_id }}"
state: present state: present
- name: Debian/Ubuntu | Add Filebeat repository. - name: Debian/Ubuntu | Add Filebeat-oss repository.
apt_repository: apt_repository:
repo: "deb {{ elasticrepo.apt }} stable main" repo: "deb {{ elasticrepo.apt }} stable main"
state: present state: present

0
roles/wazuh/filebeat-oss/tasks/RMDebian.yml → roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml
View File

2
roles/wazuh/filebeat-oss/tasks/RMRedHat.yml → roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml
View File

@ -1,6 +1,6 @@
--- ---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: elastic_repo_7 name: elastic_oss-repo_7
state: absent state: absent
changed_when: false changed_when: false

2
roles/wazuh/filebeat-oss/tasks/RedHat.yml → roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml
View File

@ -1,7 +1,7 @@
--- ---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository: yum_repository:
name: elastic_repo_7 name: elastic_oss-repo_7
description: Elastic repository for 7.x packages description: Elastic repository for 7.x packages
baseurl: "{{ elasticrepo.yum }}" baseurl: "{{ elasticrepo.yum }}"
gpgkey: "{{ elasticrepo.gpg }}" gpgkey: "{{ elasticrepo.gpg }}"

22
roles/wazuh/ansible-filebeat-oss/tasks/config.yml Normal file
View File

@ -0,0 +1,22 @@
---
- block:
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags:
- configure

70
roles/wazuh/ansible-filebeat-oss/tasks/main.yml Normal file
View File

@ -0,0 +1,70 @@
---
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat
package:
name: filebeat
state: present
register: install
tags:
- install
- init
- include_tasks: security_actions.yml
when: ansible_os_family == 'RedHat'
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpack Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
notify: restart filebeat
- include_tasks: security_actions.yml
when: filebeat_security
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

29
roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml Normal file
View File

@ -0,0 +1,29 @@
- block:
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
mode: 0644
with_items:
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "root-ca.pem"
- name: Ensuring folder & certs permissions
file:
path: "{{ filebeat_ssl_dir }}/"
mode: 0774
state: directory
recurse: yes
tags:
- security
when:
- filebeat_security
- install.changed

0
roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 → roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2
View File

19
roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 → roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
View File

@ -14,25 +14,18 @@ setup.template.json.name: 'wazuh'
setup.template.overwrite: true setup.template.overwrite: true
setup.ilm.enabled: false setup.ilm.enabled: false
# Send events directly to Elasticsearch # Send events directly to Elasticsearch
output.elasticsearch: output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
{% if filebeat_opendistro_security %} {% if filebeat_security %}
username: {{ elasticsearch_opendistro_security_user }} username: {{ elasticsearch_security_user }}
password: {{ elasticsearch_opendistro_security_password }} password: {{ elasticsearch_security_password }}
protocol: https protocol: https
{% if generate_CA == true %}
ssl.certificate_authorities:
- {{node_certs_destination}}/ca.crt
{% elif generate_CA == false %}
ssl.certificate_authorities: ssl.certificate_authorities:
- {{node_certs_destination}}/{{ca_cert_name}} - {{ filebeat_ssl_dir }}/root-ca.pem
{% endif %} ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem"
ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key"
ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
{% endif %} {% endif %}
# Optional. Send events to Logstash instead of Elasticsearch # Optional. Send events to Logstash instead of Elasticsearch

2
roles/wazuh/ansible-filebeat/README.md
View File

@ -28,7 +28,7 @@ Available variables are listed below, along with default values (see `defaults/m
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy ### Based on previous work from geerlingguy

4
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,5 +1,5 @@
--- ---
filebeat_version: 7.6.2 filebeat_version: 7.7.0
filebeat_create_config: true filebeat_create_config: true
@ -22,10 +22,8 @@ filebeat_enable_logging: true
filebeat_log_level: debug filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: "" filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false" filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat

21
roles/wazuh/ansible-filebeat/tasks/config.yml
View File

@ -17,23 +17,4 @@
group: root group: root
mode: 0400 mode: 0400
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
when: filebeat_ssl_key_file
tags: configure
- name: Copy SSL key and cert for filebeat.
copy:
src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0400
with_items:
- "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}"
notify: restart filebeat
when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
tags: configure

2
roles/wazuh/ansible-filebeat/tasks/main.yml
View File

@ -76,7 +76,7 @@
dest: "{{ filebeat_module_package_path }}" dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists when: not filebeat_module_folder.stat.exists
- name: Unpakcing Filebeat module package - name: Unpack Filebeat module package
unarchive: unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}" dest: "{{ filebeat_module_destination }}"

3
roles/wazuh/ansible-filebeat/tests/requirements.yml
View File

@ -1,3 +0,0 @@
---
- src: geerlingguy.java
- src: geerlingguy.elasticsearch

20
roles/wazuh/ansible-filebeat/tests/test.yml
View File

@ -1,20 +0,0 @@
---
- hosts: all
pre_tasks:
- name: Update apt cache.
apt:
cache_valid_time: 600
when: ansible_os_family == 'Debian'
- name: Install test dependencies (RedHat).
package: name=which state=present
when: ansible_os_family == 'RedHat'
- name: Install test dependencies.
package: name=curl state=present
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
- role_under_test

2
roles/wazuh/ansible-wazuh-manager/README.md
View File

@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe
License and copyright License and copyright
--------------------- ---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi ### Based on previous work from dj-wasabi

57
roles/wazuh/filebeat-oss/defaults/main.yml
View File

@ -1,57 +0,0 @@
---
filebeat_version: 7.6.2
filebeat_create_config: true
filebeat_prospectors:
- input_type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
# Opendistro Security
filebeat_opendistro_security: false
elasticsearch_opendistro_security_user: elastic
elasticsearch_opendistro_security_password: elastic_pass
node_certs_generator : false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

39
roles/wazuh/filebeat-oss/tasks/config.yml
View File

@ -1,39 +0,0 @@
---
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags: configure
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags: configure
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
when: filebeat_ssl_key_file
tags: configure
- name: Copy SSL key and cert for filebeat.
copy:
src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0400
with_items:
- "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}"
notify: restart filebeat
when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
tags: configure

125
roles/wazuh/filebeat-oss/tasks/main.yml
View File

@ -1,125 +0,0 @@
---
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: CentOS/RedHat | Install Filebeat.
package: name=filebeat-{{ filebeat_version }} state=present
register: filebeat_installing_package
until: filebeat_installing_package is succeeded
when:
- ansible_distribution in ['CentOS','RedHat', 'Amazon']
tags:
- install
- name: Debian/Ubuntu | Install Filebeat.
apt:
name: filebeat={{ filebeat_version }}
state: present
cache_valid_time: 3600
register: filebeat_installing_package_debian
until: filebeat_installing_package_debian is succeeded
when:
- not (ansible_distribution in ['CentOS','RedHat', 'Amazon'])
tags:
- init
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
- filebeat_opendistro_security
tags: opendistro-security
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
- filebeat_opendistro_security
tags: opendistro-security
- name: Ensuring folder & certs permissions
file:
path: "{{ node_certs_destination }}/"
mode: 0774
state: directory
recurse: yes
when:
- filebeat_xpack_security
tags: xpack-security
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpakcing Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
when: filebeat_create_config
notify: restart filebeat
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: true
when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

11
roles/wazuh/filebeat-oss/tasks/security_actions.yml
View File

@ -1,11 +0,0 @@
- block:
- name: Copy certificates and root-ca to Filebeat
copy:
src: "{{ local_certs_path }}/config/{{ item }}"
dest: /etc/filebeat/
mode: 0644
with_items:
- root-ca.pem
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"

3
roles/wazuh/filebeat-oss/tests/requirements.yml
View File

@ -1,3 +0,0 @@
---
- src: geerlingguy.java
- src: geerlingguy.elasticsearch

20
roles/wazuh/filebeat-oss/tests/test.yml
View File

@ -1,20 +0,0 @@
---
- hosts: all
pre_tasks:
- name: Update apt cache.
apt:
cache_valid_time: 600
when: ansible_os_family == 'Debian'
- name: Install test dependencies (RedHat).
package: name=which state=present
when: ansible_os_family == 'RedHat'
- name: Install test dependencies.
package: name=curl state=present
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
- role_under_test