diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index ecea6dfc..4bf534f0 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml @@ -4,21 +4,14 @@ indexer_http_port: 9700 indexer_api_protocol: https dashboard_conf_path: /etc/wazuh-dashboard/ -## 732 check the path dashboard_node_name: node-1 dashboard_server_host: "0.0.0.0" dashboard_server_port: "5601" dashboard_server_name: "dashboard" -#kibana_max_payload_bytes: 1048576 -#elastic_stack_version: 4.3.0 -## 732 check if it is the right version wazuh_version: 4.3.0 -#wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana -## 732 check if it is needed. -# The OpenDistro package repository -dashboard_version: "4.3.0" # Version includes the - for RedHat family compatibility, replace with = for Debian hosts -## 732 check if it is the right version +# The Wazuh dashboard package repository +dashboard_version: "4.3.0" package_repos: yum: @@ -42,28 +35,9 @@ wazuh_api_credentials: username: "wazuh" password: "wazuh" -# opendistro Security +# Dashboard Security dashboard_security: true -#kibana_newsfeed_enabled: "false" -#kibana_telemetry_optin: "false" -#kibana_telemetry_enabled: "false" - indexer_admin_password: changeme dashboard_user: kibanaserver dashboard_password: changeme local_certs_path: "{{ playbook_dir }}/indexer/certificates" - -# Nodejs -nodejs: - repo_dict: - debian: "deb" - redhat: "rpm" - repo_url_ext: "nodesource.com/setup_10.x" - -# Build from sources -build_from_sources: false -#wazuh_plugin_branch: 4.1-7.10 -## 732 check if it is the right version and if it is needed - -#Nodejs NODE_OPTIONS -node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opensearch/wazuh-dashboard/handlers/main.yml b/roles/opensearch/wazuh-dashboard/handlers/main.yml index ac7f23e7..45f71935 100644 
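Review bot: The defaults kept by the second hunk of roles/opensearch/wazuh-dashboard/defaults/main.yml still ship fixed credentials (`indexer_admin_password: changeme`, `dashboard_password: changeme` and the `wazuh`/`wazuh` API pair), and the first hunk keeps `dashboard_server_host: "0.0.0.0"`. A host deployed without overrides would therefore listen on every interface with publicly known passwords. The same `changeme` values remain in roles/opensearch/wazuh-indexer/defaults/main.yml. Since the commit is already tidying these files, consider a pre-flight `assert` task in each role with `that: indexer_admin_password != 'changeme'` and `that: dashboard_password != 'changeme'`. A comment above the variables, such as `# Placeholder only: override from an encrypted vars file before deploying`, would also help.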
--- a/roles/opensearch/wazuh-dashboard/handlers/main.yml +++ b/roles/opensearch/wazuh-dashboard/handlers/main.yml @@ -1,4 +1,3 @@ --- - name: restart wazuh-dashboard service: name=wazuh-dashboard state=restarted -## 732 service name should be updated \ No newline at end of file diff --git a/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml b/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml deleted file mode 100644 index 5f11ae00..00000000 --- a/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -## 732 will not be needed - - name: Ensure the Git package is present - package: - name: git - state: present - - - name: Modify repo url if host is in Debian family - set_fact: - node_js_repo_type: deb - when: - - ansible_os_family | lower == "debian" - - - name: Download script to install Nodejs repository - get_url: - url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" - dest: "/tmp/setup_nodejs_repo.sh" - mode: 0700 - - - name: Execute downloaded script to install Nodejs repo - command: /tmp/setup_nodejs_repo.sh - register: node_repo_installation_result - changed_when: false - - - name: Install Nodejs - package: - name: nodejs - state: present - - - name: Install yarn dependency to build the Wazuh Kibana Plugin - # Using shell due to errors when evaluating text between @ with command - shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305 - register: install_yarn_result - changed_when: install_yarn_result == 0 - - - name: Remove old wazuh-kibana-app git directory -## 732 check if it is needed - file: - path: /tmp/app - state: absent - changed_when: false - - - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth -## 732 will not be needed - command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303 - register: clone_app_repo_result - changed_when: false - args: - chdir: "/tmp" - - - name: Executing yarn to build the package - command: "{{ item }}" - with_items: - - "yarn" - - "yarn build" - register: yarn_execution_result - changed_when: false - args: - chdir: "/tmp/app/" - - - name: Obtain name of generated package - shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'" - register: wazuhapp_package_name - changed_when: false - args: - chdir: "/tmp/app/build" - - - name: Install Wazuh Plugin (can take a while) - shell: NODE_OPTIONS="{{ node_options }}" 
/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }} - args: - executable: /bin/bash - creates: /usr/share/kibana/plugins/wazuh/package.json - chdir: /usr/share/kibana - become: yes - become_user: kibana - notify: restart kibana - tags: - - install - - skip_ansible_lint diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index f80e9347..7daf7b1e 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -1,13 +1,5 @@ --- -- name: Stopping early, trying to compile Wazuh Dashboard Plugin on Debian 10 is not possible - fail: - msg: "It's not possible to compile the Wazuh Dashboard plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" - when: - - build_from_sources - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' 
@@ -45,39 +37,6 @@ group: wazuh-dashboard recurse: yes -#- name: Build and Install Wazuh Kibana Plugin from sources -# import_tasks: build_wazuh_plugin.yml -# when: -# - build_from_sources is defined -# - build_from_sources - -#- name: Install Wazuh Plugin (can take a while) -# shell: >- -# NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install -# {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}-1.zip -# args: -# executable: /bin/bash -# creates: /usr/share/kibana/plugins/wazuh/package.json -# chdir: /usr/share/kibana -# become: yes -# become_user: kibana -# notify: restart kibana -# tags: -# - install -# - skip_ansible_lint -# when: -# - not build_from_sources - -#- name: Kibana optimization (can take a while) -# shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ dashboard_conf_path }}/kibana.yml -# args: -# executable: /bin/bash -# become: yes -# become_user: kibana -# changed_when: false -# tags: -# - skip_ansible_lint - - name: Wait for Wazuh-Indexer port wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} diff --git a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 deleted file mode 100644 index fb5aaf2e..00000000 --- a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 +++ /dev/null 
@@ -1,36 +0,0 @@ -# {{ ansible_managed }} -# Description: -# Default Kibana configuration for Open Distro. -server.port: {{ dashboard_server_port }} - -#server.basePath: "" -server.maxPayloadBytes: {{ kibana_max_payload_bytes }} -server.name: {{ dashboard_server_name }} -server.host: {{ kibana_server_host }} - - -{% if kibana_opendistro_security %} - -elasticsearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}" -elasticsearch.username: {{ opendistro_kibana_user }} -elasticsearch.password: {{ dashboard_password }} -server.ssl.enabled: true -server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" -server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" -elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] -elasticsearch.ssl.verificationMode: full - -{% else %} -elasticsearch.hosts: "http://{{ indexer_network_host }}:{{ indexer_http_port }}" -{% endif %} - -elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] -opendistro_security.multitenancy.enabled: true -opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] -opendistro_security.readonly_mode.roles: ["kibana_read_only"] - -newsfeed.enabled: {{ kibana_newsfeed_enabled }} -telemetry.optIn: {{ kibana_telemetry_optin }} -telemetry.enabled: {{ kibana_telemetry_enabled }} - -server.defaultRoute: /app/wazuh?security_tenant=global diff --git a/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 index ee70c2ad..268c3023 100644 --- a/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 @@ -16,7 +16,7 @@ # https://documentation.wazuh.com/current/installation-guide/index.html # # Also, you can check our repository: -# https://github.com/wazuh/wazuh-kibana-app +# https://github.com/wazuh/wazuh-dashboard # # ------------------------------- Index patterns ------------------------------- # 
diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml index 0c72b624..514a8b54 100644 --- a/roles/opensearch/wazuh-indexer/defaults/main.yml +++ b/roles/opensearch/wazuh-indexer/defaults/main.yml @@ -12,23 +12,21 @@ indexer_node_data: true indexer_node_ingest: true indexer_start_timeout: 90 -#elasticsearch_lower_disk_requirements: false indexer_cluster_nodes: - 127.0.0.1 indexer_discovery_nodes: - 127.0.0.1 local_certs_path: "{{ playbook_dir }}/indexer/certificates" -##check if it is the correct directory -# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster minimum_master_nodes: 2 -# Configure hostnames for Elasticsearch nodes +# Configure hostnames for Wazuh indexer nodes # Example es1.example.com, es2.example.com domain_name: wazuh.com -# The OpenDistro package repository +# The Wazuh indexer package repository package_repos: yum: indexer: @@ -58,14 +56,11 @@ indexer_custom_user_role: "admin" indexer_jvm_xms: null indexer_http_port: 9700 -## 732 this port changes to 9700 certs_gen_tool_version: 4.3 -## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. -# Url of Search Guard certificates generator tool +# Url of certificates generator tool certs_gen_tool_url: "https://packages-dev.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh" -## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. indexer_admin_password: changeme dashboard_password: changeme diff --git a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml index 270c48db..72e80082 100644 --- a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml 
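Review bot: `certs_gen_tool_url` in the second hunk of this file still points at `packages-dev.wazuh.com` under an `opendistro` path. The commit deletes both notes saying the tool ships with the package (`/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh`) without acting on them. local_actions.yml in this same commit fetches that URL with `get_url`, with no `checksum:` visible, and then runs the file with `bash`, so whatever the development host serves is executed and produces the cluster's certificates. Either switch to the packaged copy, or pin the download with `checksum: "sha256:<expected digest of the reviewed script>"` and point the URL at a release host.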
+++ b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml @@ -18,50 +18,23 @@ state: directory - name: Local action | Check that the generation tool exists - ## 732 will not be needed stat: path: "{{ local_certs_path }}/wazuh-cert-tool.sh" register: tool_package - name: Local action | Download certificates generation tool - ## 732 will not be needed get_url: url: "{{ certs_gen_tool_url }}" dest: "{{ local_certs_path }}/wazuh-cert-tool.sh" - #search-guard-tlstool-{{ certs_gen_tool_version }}.zip" when: not tool_package.stat.exists -# - name: Local action | Extract the certificates generation tool -# ## 732 will not be needed -# unarchive: -# src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" -# dest: "{{ local_certs_path }}/" - -# - name: Local action | Add the execution bit to the binary -# ## 732 will not be needed -# file: -# dest: "{{ local_certs_path }}/tools/sgtlstool.sh" -# mode: a+x - - name: Local action | Prepare the certificates generation template file -## 732 need to resolve the certificate creation (config.yml) template: src: "templates/config.yml.j2" dest: "{{ local_certs_path }}/config.yml" mode: 0644 register: tlsconfig_template -# - name: Create a directory if it does not exist -# file: -# path: "{{ local_certs_path }}/certs/" -# state: directory -# mode: '0755' - -# - name: Local action | Check if root CA file exists -# stat: -# path: "{{ local_certs_path }}/certs/root-ca.key" -# register: root_ca_file - - name: Local action | Generate the node & admin certificates in local command: >- bash {{ local_certs_path }}/wazuh-cert-tool.sh diff --git a/roles/opensearch/wazuh-indexer/tasks/main.yml b/roles/opensearch/wazuh-indexer/tasks/main.yml index 305dde73..7874fd64 100644 --- a/roles/opensearch/wazuh-indexer/tasks/main.yml +++ b/roles/opensearch/wazuh-indexer/tasks/main.yml 
@@ -11,28 +11,25 @@ - import_tasks: Debian.yml when: ansible_os_family == 'Debian' -# - name: Remove performance analyzer plugin from elasticsearch -# ## 732 will not be needed -# become: true -# command: ./elasticsearch-plugin remove opendistro-performance-analyzer -# ignore_errors: true -# args: -# chdir: /usr/share/elasticsearch/bin/ -# register: remove_elasticsearch_performance_analyzer -# failed_when: -# - remove_elasticsearch_performance_analyzer.rc != 0 -# - '"not found" not in remove_elasticsearch_performance_analyzer.stderr' -# changed_when: "remove_elasticsearch_performance_analyzer.rc == 0" + - name: Remove performance analyzer plugin from Wazuh indexer + become: true + command: ./opensearch-plugin remove opensearch-performance-analyzer + ignore_errors: true + args: + chdir: /usr/share/wazuh-indexer/bin/ + register: remove_opensearch_performance_analyzer + failed_when: + - remove_opensearch_performance_analyzer.rc != 0 + - '"not found" not in remove_opensearch_performance_analyzer.stderr' + changed_when: "remove_opensearch_performance_analyzer.rc == 0" - name: Remove Opensearch configuration file - ## 732 will not be needed file: path: "{{ indexer_conf_path }}/opensearch.yml" state: absent tags: install - name: Copy Opensearch Configuration File - ## 732 will not be needed template: src: "templates/opensearch.yml.j2" dest: "{{ indexer_conf_path }}/opensearch.yml" @@ -48,7 +45,6 @@ - name: Configure Wazuh-Indexer JVM memmory. - ## 732 will not be needed and if it is needed the path should be updated. template: src: "templates/jvm.options.j2" dest: "{{ indexer_conf_path }}/jvm.options" @@ -60,7 +56,6 @@ tags: install - name: Configure disabled log4j. - ## 732 will not be needed template: src: "templates/disabledlog4j.options.j2" dest: "{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options" 
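Review bot: In the re-enabled "Remove performance analyzer plugin from Wazuh indexer" task in the first hunk, `ignore_errors: true` cancels the `failed_when` list below it. A non-zero exit whose stderr lacks "not found" is marked failed but the play continues, so a plugin that could not be removed stays installed unnoticed. Drop `ignore_errors: true` and let `failed_when` decide the outcome. The added lines also appear to keep the leading space left over from the old `# - name:` comment form, so confirm that `- name:` lines up with the neighbouring `- import_tasks:` entries and that the file still parses.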
@@ -92,7 +87,6 @@ with_items: "{{ files_to_delete.files }}" - name: Ensure Wazuh-Indexer started and enabled - ## 732 the service name should be updated service: name: wazuh-indexer enabled: true diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index d999242b..0e995d75 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -1,13 +1,11 @@ -#- name: Remove demo certs -# ## 732 will not be needed -# file: -# path: "{{ item }}" -# state: absent -# with_items: -# - "{{ indexer_conf_path }}/kirk.pem" -# - "{{ indexer_conf_path }}/kirk-key.pem" -# - "{{ indexer_conf_path }}/esnode.pem" -# - "{{ indexer_conf_path }}/esnode-key.pem" +- name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ indexer_conf_path }}/demo-indexer-key.pem" + - "{{ indexer_conf_path }}/demo-indexer.pem" + - name: Configure IP (Private address) set_fact: 
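Review bot: The re-enabled "Remove demo certs" task in security_actions.yml lists only `demo-indexer-key.pem` and `demo-indexer.pem`, whereas the commented version it replaces covered four files, including an admin pair (`kirk.pem`, `kirk-key.pem`). Whether the wazuh-indexer package also ships a demo admin certificate or demo root CA under `indexer_conf_path` cannot be determined from this hunk. If it does, those well-known keys would stay on disk, so please confirm the package contents and extend `with_items` accordingly. A comment above the task, for example `# Demo certificates shipped with the package use publicly known keys; remove them before the generated ones are installed`, would record why it runs first.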
@@ -33,28 +31,9 @@ - root-ca.key - "{{ indexer_node_name }}-key.pem" - "{{ indexer_node_name }}.pem" - #- "{{ indexer_node_name }}_http.key" - #- "{{ indexer_node_name }}_http.pem" - #- "{{ indexer_node_name }}_elasticsearch_config_snippet.yml" - admin-key.pem - admin.pem -#- name: Copy the OpenDistro security configuration file to cluster -# blockinfile: -# block: "{{ lookup('file', snippet_path ) }}" -# dest: "{{ indexer_conf_path }}/elasticsearch.yml" -# insertafter: EOF -# marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" -# vars: -# snippet_path: '{{ local_certs_path }}/certs/{{ indexer_node_name }}_elasticsearch_config_snippet.yml' - -#- name: Prepare the OpenDistro security configuration file -# replace: -# path: "{{ indexer_conf_path }}/elasticsearch.yml" -# regexp: 'searchguard' -# replace: 'opendistro_security' -# tags: local - - name: Restart Wazuh-Indexer with security configuration systemd: name: wazuh-indexer @@ -70,7 +49,7 @@ - name: Hashing the custom admin password command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301 register: indexer_admin_password_hashed - #no_log: '{{ indexer_nolog_sensible | bool }}' + no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true - name: Set the Admin user password diff --git a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 index 918e947e..1de66900 100644 --- a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 @@ -26,7 +26,7 @@ nodes: # Kibana node kibana: -## 732 this will change to dashboards: +## 732 this will change to dashboard: {% for (key,value) in instances.items() %} {% if (value.role is defined and value.role == 'dashboard') %} name: {{ value.name }} 
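Review bot: In the "Hashing the custom admin password" task (third hunk of security_actions.yml), re-enabling `no_log` hides the password from Ansible output but not from the command line. It is still passed as `-p {{ indexer_admin_password }}`, where it is visible in the target's process list while the command runs and is split on whitespace by `command`. At minimum quote it, `hash.sh -p {{ indexer_admin_password | quote }}`, and if the bundled `hash.sh` can read the password from an environment variable or stdin, prefer that. `indexer_nolog_sensible` is not defined in any defaults hunk shown in this commit, so confirm it has a default of `true`, otherwise the task will fail on an undefined variable.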
diff --git a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 deleted file mode 100644 index ae40f4b5..00000000 --- a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 +++ /dev/null @@ -1,44 +0,0 @@ -cluster.name: {{ opendistro_cluster_name }} -node.name: {{ elasticsearch_node_name }} -path.data: /var/lib/elasticsearch -path.logs: /var/log/elasticsearch -network.host: {{ elasticsearch_network_host }} - -node.master: {{ indexer_node_master|lower }} - -{% if single_node == true %} -discovery.type: single-node -{% else %} -cluster.initial_master_nodes: -{% for item in elasticsearch_cluster_nodes %} - - {{ item }} -{% endfor %} - -discovery.seed_hosts: -{% for item in elasticsearch_discovery_nodes %} - - {{ item }} -{% endfor %} -{% endif %} - -{% if indexer_node_data|lower == 'false' %} -node.data: false -{% endif %} - -{% if indexer_node_ingest|lower == 'false' %} -node.ingest: false -{% endif %} - - -{% if elasticsearch_lower_disk_requirements %} -cluster.routing.allocation.disk.threshold_enabled: true -cluster.routing.allocation.disk.watermark.flood_stage: 200mb -cluster.routing.allocation.disk.watermark.low: 500mb -cluster.routing.allocation.disk.watermark.high: 300mb -{% endif %} - -discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" -opendistro_security.allow_default_init_securityindex: true -opendistro_security.audit.type: internal_elasticsearch -opendistro_security.enable_snapshot_restore_privilege: true -opendistro_security.check_snapshot_restore_write_privileges: true -opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 index 1d3de5b7..68119527 100644 --- a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 +++ b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 
@@ -11,8 +11,6 @@ ## -Xms4g ## -Xmx4g ## -## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html -## for more information ## ################################################################