From 7cce8e9490421b7ddfd3144915659111a6490b89 Mon Sep 17 00:00:00 2001 From: singuliere Date: Tue, 8 Jan 2019 13:58:41 +0100 Subject: [PATCH 01/57] make agent registration delegate_to configurable Registering to the API requires the port 55000 of the wazuh manager is open. Depending on the firewall policy, it may be true from the ansible controller, reason why it was delegated to localhost in the original implementation at 6cb6d3bda84c65508881e293e3403dae94ff24cc The role should be more flexible and allow for the API call to be made from the ansible controller or the host. Implementation note: although it would be more elegant to use omit instead of inventory_hostname, it is not possible because of an ansible bug at this time https://github.com/ansible/ansible/issues/26009 Fixes: https://github.com/wazuh/wazuh-ansible/issues/126 Signed-off-by: singuliere --- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 1 + roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 56580b75..dd56cb42 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -6,6 +6,7 @@ wazuh_managers: api_port: 55000 api_proto: 'http' api_user: null +wazuh_api_reachable_from_agent: false wazuh_profile: null wazuh_auto_restart: 'yes' wazuh_agent_authd: diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 2d17fb16..f16e5997 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
@@ -95,11 +95,12 @@ user: "{{ wazuh_managers.0.api_user }}" password: "{{ api_pass }}" register: newagent_api + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" + become: no changed_when: newagent_api.json.error == 0 when: - check_keys.stat.exists == false or check_keys.stat.size == 0 - wazuh_managers.0.address is not none - become: no tags: - config - api @@ -117,7 +118,7 @@ - wazuh_managers.0.address is not none - newagent_api.json.error == 0 register: newagentdata_api - delegate_to: localhost + delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" become: no tags: - config From dbeb8b31fb18d802f23780df5f8070f946caddf9 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Tue, 7 Apr 2020 18:54:12 +0200 Subject: [PATCH 02/57] First OpenDistro default installation --- playbooks/wazuh-opendistro.yml | 4 + .../defaults/main.yml | 19 +++ .../handlers/main.yml | 3 + .../opendistro-elasticsearch/meta/main.yml | 24 ++++ .../tasks/RMRedHat.yml | 6 + .../opendistro-elasticsearch/tasks/RedHat.yml | 36 ++++++ .../opendistro-elasticsearch/tasks/main.yml | 58 +++++++++ .../templates/jvm.options.j2 | 117 ++++++++++++++++++ 8 files changed, 267 insertions(+) create mode 100644 playbooks/wazuh-opendistro.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/defaults/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/handlers/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/meta/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/main.yml create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml new file mode 100644 index 00000000..d146ee3c --- /dev/null 
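Review bot: The new `delegate_to` expression is repeated verbatim in both hunks of Linux.yml (the agent-registration task and the retrieve-agent-data task), so if the two ever drift the registration call and the lookup will run from different hosts. Define it once in the role, e.g. `wazuh_api_delegate_host: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"` in defaults, and use `delegate_to: "{{ wazuh_api_delegate_host }}"` in both tasks. The enclosing task block starts before the first hunk.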
+++ b/playbooks/wazuh-opendistro.yml @@ -0,0 +1,4 @@ +--- +- hosts: 172.16.0.161 + roles: + - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml new file mode 100644 index 00000000..f6dd905b --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -0,0 +1,19 @@ +--- +# The OpenDistro version +opendistro_version: 1.6.0 + +# The OpenDistro package repository +package_repos: + yum: + opendistro: + baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' + gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' + elasticsearch_oss: + baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + +# Security password +opendistro_security_password: admin + +# Set JVM memory limits +elasticsearch_jvm_xms: null \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml new file mode 100644 index 00000000..a4c1162a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart elasticsearch + service: name=elasticsearch state=restarted diff --git a/roles/opendistro/opendistro-elasticsearch/meta/main.yml b/roles/opendistro/opendistro-elasticsearch/meta/main.yml new file mode 100644 index 00000000..e09933c7 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/meta/main.yml @@ -0,0 +1,24 @@ +--- +galaxy_info: + author: Wazuh + description: Installing and maintaining Opendistro server. + company: wazuh.com + license: license (GPLv3) + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - all + - name: Ubuntu + versions: + - all + - name: Debian + versions: + - all + - name: Fedora + versions: + - all + galaxy_tags: + - web + - system + - monitoring 
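Review bot: `hosts: 172.16.0.161` pins the playbook to one hard-coded address, so it cannot be reused against another inventory and leaks an environment detail into the repository. Target an inventory group instead, e.g. `- hosts: es-cluster`, and let the inventory supply addresses.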
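Review bot: `opendistro_security_password: admin` ships a usable default credential for the cluster's admin account, so any deployment that forgets to override it runs with a well-known password. A safer default is to leave the variable undefined and fail early, e.g. `assert: { that: opendistro_security_password is defined and opendistro_security_password | length > 0 }` at the top of tasks/main.yml, with the real value supplied from vault. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.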
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml new file mode 100644 index 00000000..46989361 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml @@ -0,0 +1,6 @@ +--- +- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) + yum_repository: + name: elastic_repo_7 + state: absent + changed_when: false diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml new file mode 100644 index 00000000..c212b007 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -0,0 +1,36 @@ +--- + +- name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false + +- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false + +- name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present + +- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + +- name: RedHat/CentOS/Fedora | Install OpenDistro + package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + tags: install diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml new file mode 100644 index 00000000..b58afe7a --- /dev/null 
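Review bot: Both `yum_repository` tasks carry `changed_when: false`, which hides a real change on the node (a new repo file) and makes the task list report "ok" even on a first run; drop the override and let the module report its own state. `package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present` pins the OpenDistro package, but nothing pins what is pulled from the `elasticsearch_oss_repo` added above, so the Elasticsearch version actually installed presumably depends on repository contents at run time. The `yum: name=java-11-openjdk-devel state=present` and `package:` lines use key=value shorthand while the rest of the file uses block YAML; the block form is more consistent and lint-friendly.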
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -0,0 +1,58 @@ +--- +- import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- import_tasks: Debian.yml + when: ansible_os_family == "Debian" + +- name: Configure OpenDistro Elasticsearch JVM memmory. + template: + src: jvm.options.j2 + dest: /etc/elasticsearch/jvm.options + owner: root + group: elasticsearch + mode: 0660 + notify: restart elasticsearch + tags: configure + +# fix in new PR (ignore_errors) + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + +- name: Ensure Elasticsearch started and enabled + service: + name: elasticsearch + enabled: true + state: started + tags: + - configure + - init + +- name: Make sure Elasticsearch is running before proceeding + wait_for: host=localhost port=9200 delay=3 timeout=400 + tags: + - configure + - init + +- import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- import_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" + +- name: Wait for Elasticsearch API + uri: + url: "https://localhost:9200/_cluster/health/" + user: "admin" # Default Elasticsearch user is always "elastic" + password: "{{ opendistro_security_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 new file mode 100644 index 00000000..c43ce401 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 
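Review bot: The `Wait for Elasticsearch API` task sends the admin password over HTTPS with `validate_certs: no`, so the credential is handed to whatever answers on localhost:9200 without any certificate check; once the role has its own root CA on the node, validate against it instead of disabling verification. The inline comment `# Default Elasticsearch user is always "elastic"` contradicts the `user: "admin"` it annotates (OpenDistro's bundled admin account is `admin`) and should be corrected or removed. `RMRedHat.yml` is imported twice in this file (before the service task and again after `wait_for`), so the repository removal runs twice, and the stray `# fix in new PR (ignore_errors)` note should become an issue reference or go. Accepting `status_code: 200,401` means an authentication failure does not fail the request; combined with `until: ... _result.json.status == "green"` it just retries until the timeout with a misleading error.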
@@ -0,0 +1,117 @@ +#jinja2: trim_blocks:False +# {{ ansible_managed }} +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space +{% if elasticsearch_jvm_xms is not none %} +{% if elasticsearch_jvm_xms < 32000 %} +-Xms{{ elasticsearch_jvm_xms }}m +-Xmx{{ elasticsearch_jvm_xms }}m +{% else %} +-Xms32000m +-Xmx32000m +{% endif %} +{% else %} +-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +{% endif %} + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. 
Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +-XX:+UseConcMarkSweepGC +-XX:CMSInitiatingOccupancyFraction=75 +-XX:+UseCMSInitiatingOccupancyOnly + +## optimizations + +# pre-touch memory pages used by the JVM during initialization +-XX:+AlwaysPreTouch + +## basic + +# force the server VM +-server + +# explicitly set the stack size +-Xss1m + +# set to headless, just in case +-Djava.awt.headless=true + +# ensure UTF-8 encoding by default (e.g. filenames) +-Dfile.encoding=UTF-8 + +# use our provided JNA always versus the system one +-Djna.nosys=true + +# turn off a JDK optimization that throws away stack traces for common +# exceptions because stack traces are important for debugging +-XX:-OmitStackTraceInFastThrow + +# flags to configure Netty +-Dio.netty.noUnsafe=true +-Dio.netty.noKeySetOptimization=true +-Dio.netty.recycler.maxCapacityPerThread=0 + +# log4j 2 +-Dlog4j.shutdownHookEnabled=false +-Dlog4j2.disable.jmx=true + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps +# ensure the directory exists and has sufficient space +-XX:HeapDumpPath=/var/lib/elasticsearch + +## GC logging + +#-XX:+PrintGCDetails +#-XX:+PrintGCTimeStamps +#-XX:+PrintGCDateStamps +#-XX:+PrintClassHistogram +#-XX:+PrintTenuringDistribution +#-XX:+PrintGCApplicationStoppedTime + +# log GC status to a file with time stamps +# ensure the directory exists +#-Xloggc:${loggc} + +# By default, the GC log file will not rotate. +# By uncommenting the lines below, the GC log file +# will be rotated every 128MB at most 32 times. +#-XX:+UseGCLogFileRotation +#-XX:NumberOfGCLogFiles=32 +#-XX:GCLogFileSize=128M From 9fc2b1e3c493ecc33cf34a708b7b1362d989bb4c Mon Sep 17 00:00:00 2001 
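Review bot: `{% if elasticsearch_jvm_xms < 32000 %}` compares the variable with an integer without casting, so when the value is supplied as a string (for example via `-e`) Jinja2 on Python 3 raises a TypeError and the template task fails. Cast it first, `{% if elasticsearch_jvm_xms|int < 32000 %}`, and render `-Xms{{ elasticsearch_jvm_xms|int }}m` so a stray suffix cannot reach the JVM flags. The `# Xms represents ... / # Xmx represents ...` comment pair appears twice back to back; one copy is enough. `-XX:+UseConcMarkSweepGC` is carried over from older templates: CMS is deprecated on the OpenJDK 11 this role installs and only warns there, but a comment saying so would make sure it is revisited before a JDK bump.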
From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 17:38:44 +0200 Subject: [PATCH 03/57] Added opendistro tasks and templates --- .../defaults/main.yml | 69 ++++++++++- .../opendistro-elasticsearch/tasks/RedHat.yml | 115 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 21 +--- .../templates/elasticsearch.yml.j2 | 22 ++++ .../templates/tlsconfig.yml.j2 | 47 +++++++ 5 files changed, 257 insertions(+), 17 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f6dd905b..f1bff651 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -2,6 +2,19 @@ # The OpenDistro version opendistro_version: 1.6.0 +elasticsearch_cluster_name: wazuh-cluster + +# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +minimum_master_nodes: 2 + +# Elasticsearch version +es_version: "7.3.2" +es_major_version: "7.x" + +# Configure hostnames for Elasticsearch nodes +# Example es1.example.com, es2.example.com +domain_name: example.com + # The OpenDistro package repository package_repos: yum: 
@@ -12,8 +25,60 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' +populate_inventory_to_hosts_file: true + +es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin +es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools + +es_nodes: |- + {% for item in groups['es-cluster'] -%} + {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} + {%- endfor %} + # Security password opendistro_security_password: admin - # Set JVM memory limits -elasticsearch_jvm_xms: null \ No newline at end of file +opendistro_jvm_xms: null + +opendistro_http_port: 9200 +opendistro_network_host: 127.0.0.1 +opendistro_reachable_host: 127.0.0.1 +opendistro_jvm_xms: null +elastic_stack_version: 7.6.1 +opendistro_lower_disk_requirements: false + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# Cluster Settings +single_node: true +opendistro_cluster_name: wazuh +opendistro_node_name: node-1 +opendistro_bootstrap_node: false +opendistro_node_master: false +opendistro_cluster_nodes: + - 127.0.0.1 +opendistro_discovery_nodes: + - 127.0.0.1 +opendistro_node_data: true +opendistro_node_ingest: true + +# X-Pack Security +opendistro_xpack_security: false +opendistro_xpack_security_user: elastic +opendistro_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/elasticsearch/certs + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" 
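Review bot: `opendistro_jvm_xms: null` is declared twice in this hunk (under `# Set JVM memory limits` and again after `opendistro_reachable_host`); yamllint rejects duplicate keys and Ansible keeps only the last value with a warning, so one of them should go. The file now carries several overlapping version variables, `es_version: "7.3.2"` and `es_major_version: "7.x"` in the first hunk and an unquoted `elastic_stack_version: 7.6.1` here, with nothing saying which one drives the install; pick one and quote it. `opendistro_xpack_security_password: elastic_pass` adds another plain-text default credential next to `opendistro_security_password: admin`; defaults should not ship usable passwords. `elasticrepo.gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'` looks like an Elastic host paired with an OpenDistro key name, so please verify that URL before it is used for `gpgcheck`. The `es_nodes` block scalar embeds literal `","` separators so a template can splice it inside `["…"]`; rendering the list in the template with `{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list | to_json }}` is less fragile than quote-juggling in a string.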
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
index 64b48b7f..642e7f41 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
@@ -34,3 +34,118 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present tags: install + +## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer +## Using searchguard offline TLS tool to create node & root certificates +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: tlsconfig.yml + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" 
+ dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ conf_dir }}/elasticsearch.yml" + backup: yes + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file + command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + when: install.changed + +- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template + template: + src: internal_users.yml + dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ es_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Initialize the 
opendistro security index in elasticsearch + shell: > + sh {{ es_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ conf_dir }}/root-ca.pem + -cert {{ conf_dir }}/admin.pem + -key {{ conf_dir }}/admin.key + -cd {{ es_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index b58afe7a..9f4c438c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -11,7 +11,8 @@ dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch - mode: 0660 + mode: 0644 + force: yes notify: restart elasticsearch tags: configure @@ -20,6 +21,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" +- name: Copy Configuration File + template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + register: system_change + notify: restart elasticsearch - name: Ensure Elasticsearch started and enabled service: @@ -42,17 +47,3 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" -- name: Wait for Elasticsearch API - uri: - url: "https://localhost:9200/_cluster/health/" - user: "admin" # Default Elasticsearch user is always "elastic" - password: "{{ opendistro_security_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 new file mode 100644 index 00000000..6b025674 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
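Review bot: `root-ca.key` is copied to every cluster node into `/etc/elasticsearch/` with `mode: 0644`, together with the node, `_http` and `admin.key` private keys, so the CA signing key and all private keys end up world-readable on every host; drop `root-ca.key` from the `with_items` list (it is only needed where certificates are signed) and copy the keys in a separate task with `mode: "0640"` and `group: elasticsearch`, leaving `0644` for the `.pem` certificates. The `Set the Admin user password` and `Set the kibanaserver user pasword` tasks interpolate the plain passwords unquoted into a `sed` expression and onto the `hash.sh -p` command line, where they show in the process list and in Ansible's task output, and any `,`, `'` or `&` in a password breaks the substitution; add `no_log: true`, pass the values through `| quote`, and prefer the tool's environment-variable input if it offers one. Every new task is gated on `when: install.changed`, but the `Install OpenDistro` task above (`tags: install`, visible as context) never registers `install`, so the first gated task fails on an undefined variable. The `get_url` of the Search Guard TLS tool has no `checksum:` argument, so the binary that mints the cluster CA is trusted purely on the download; pin it with `checksum: "sha256:<tool digest>"`. `securityadmin.sh` is invoked with `-nhnv`, which disables hostname verification for the admin connection; since the certificates are generated with the node's `dns:`/`ip:` entries it should be possible to drop it.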
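Review bot: `template: src=elasticsearch.yml ...` in the new `Copy Configuration File` task names a template `elasticsearch.yml`, while the file this commit adds is `templates/elasticsearch.yml.j2`, so the task cannot find its source; use `src: elasticsearch.yml.j2`. The same line uses `{{conf_dir}}`, which is not defined in any defaults seen in this series, so it needs a default (`/etc/elasticsearch`, judging by the other tasks) or the role fails on an undefined variable. The task is written as a one-line key=value string while its neighbours use block YAML, and `backup=yes` should be `backup: true`. Removing the `Wait for Elasticsearch API` task drops the only check that the cluster came up healthy after the restart; keeping a health check that validates against the role's own CA would catch a broken security configuration before the play reports success.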
@@ -0,0 +1,22 @@ +cluster.name: "{{ elasticsearch_cluster_name }}" + +node.name: "{{ inventory_hostname }}" + +path.data: /var/lib/elasticsearch + +path.logs: /var/log/elasticsearch + +network.host: "{{ hostvars[inventory_hostname]['ip'] }}" + +http.port: "{{ opendistro_http_port }}" + +discovery.seed_hosts: ["{{ es_nodes }}"] + +cluster.initial_master_nodes: ["{{ es_nodes }}"] + +discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" +opendistro_security.allow_default_init_securityindex: true +opendistro_security.audit.type: internal_elasticsearch +opendistro_security.enable_snapshot_restore_privilege: true +opendistro_security.check_snapshot_restore_write_privileges: true +opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 new file mode 100644 index 00000000..85792a6a --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 
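Review bot: `discovery.zen.minimum_master_nodes` is a 6.x setting that Elasticsearch 7 ignores with a deprecation warning; with `cluster.initial_master_nodes` already set it should be dropped rather than carried into a 7.x configuration. `http.port: "{{ opendistro_http_port }}"` renders the port as a quoted string, unlike the other values in the file; plain `http.port: {{ opendistro_http_port }}` is clearer. `discovery.seed_hosts: ["{{ es_nodes }}"]` and `cluster.initial_master_nodes` depend on `es_nodes` containing literal `","` separators; rendering `{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list | to_json }}` here removes that coupling.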
@@ -0,0 +1,47 @@ +ca: + root: + dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + keysize: 2048 + validityDays: 730 + pkPassword: none + file: root-ca.pem + +### Default values and global settings +defaults: + validityDays: 730 + pkPassword: none + # Set this to true in order to generate config and certificates for + # the HTTP interface of nodes + httpsEnabled: true + reuseTransportCertificatesForHttp: false + verifyHostnames: false + resolveHostnames: false + + +### +### Nodes +### +# +# Specify the nodes of your ES cluster here +# +nodes: +{% for item in groups['es-cluster'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} + +### +### Clients +### +# +# Specify the clients that shall access your ES cluster with certificate authentication here +# +# At least one client must be an admin user (i.e., a super-user). Admin users can +# be specified with the attribute admin: true +# +clients: + - name: admin + dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + admin: true From f6e020631e639d7f69a04b9f407f393a81ad74ca Mon Sep 17 00:00:00 2001 
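Review bot: `pkPassword: none` under both `ca.root` and `defaults` makes the TLS tool write the CA and node private keys unencrypted, and the role then moves those files through `/tmp` on the controller and onto every node; at least the CA key should get a password from vault. `verifyHostnames: false` and `resolveHostnames: false` presumably land in the generated config snippet and switch off transport-layer hostname checks; if that is intended it deserves a comment explaining why, otherwise the template should default to `true`. `validityDays: 730` on `ca.root` equals the node certificate lifetime, so the first renewal forces a CA rotation; the CA is usually given a longer validity than the nodes. `O={{ domain_name }}\, Inc.` renders as `O=example.com\, Inc.` with the default `domain_name`, which is probably not the intended organisation; a separate variable for the organisation name would be clearer.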
From: Christos Pollalis Date: Sat, 11 Apr 2020 02:15:42 +0300 Subject: [PATCH 04/57] Make agent registration via the rest API idempotent Check whether an error was returned by the HTTP POST to the `agents/` endpoint before invoking `/var/ossec/bin/manage_agents` in order to register a new agent. It seems like that if an agent has already been registered under the given name, the HTTP POST will return an error that'll cause the next task, which is meant to retrieve the agent information, to be skipped. That'll cause the agent registration task to fail in return. Instead, this change will cause the aforementioned task to be skipped, too. So, if an agent has already been successfully registered and the playbook is re-run, it'll run all the way to the end. If anything goes wrong (during the registration process) and the agent fails to start, the `restart wazuh-agent` handler will still fail. --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index 9528aa33..a84e4020 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -124,7 +124,6 @@ password: "{{ api_pass }}" register: newagent_api notify: restart wazuh-agent - # changed_when: newagent_api.json.error == 0 vars: agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}" when: @@ -133,7 +132,7 @@ become: false ignore_errors: true - - name: Linux | Retieve new agent data via rest-API + - name: Linux | Retrieve new agent data via rest-API uri: url: >- "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address 
@@ -164,7 +163,7 @@ when: - not check_keys.stat.exists or check_keys.stat.size == 0 - wazuh_agent_authd.registration_address is not none - - newagent_api.changed + - newagent_api.json.error == 0 notify: restart wazuh-agent when: From ae40cb45827cb1c3590651a6771c12ee72343c63 Mon Sep 17 00:00:00 2001 From: Christos Pollalis Date: Sat, 11 Apr 2020 18:26:13 +0300 Subject: [PATCH 05/57] Split "Copy CA, SSL key and cert for authd" task of the wazuh-agent playbook to allow one to perform either manager or agent verification, or both. --- roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index a84e4020..7fa0cc03 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml @@ -50,17 +50,25 @@ - name: Retrieving authd Credentials include_vars: authd_pass.yml - - name: Copy CA, SSL key and cert for authd + - name: Copy CA root certificate to verify authd + copy: + src: "{{ wazuh_agent_authd.ssl_agent_ca }}" + dest: "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + mode: 0644 + when: + - wazuh_agent_authd.ssl_agent_ca is not none + + - name: Copy TLS/SSL certificate for agent verification copy: src: "{{ item }}" dest: "/var/ossec/etc/{{ item | basename }}" mode: 0644 with_items: - - "{{ wazuh_agent_authd.ssl_agent_ca }}" - "{{ wazuh_agent_authd.ssl_agent_cert }}" - "{{ wazuh_agent_authd.ssl_agent_key }}" when: - - wazuh_agent_authd.ssl_agent_ca is not none + - wazuh_agent_authd.ssl_agent_cert is not none + - wazuh_agent_authd.ssl_agent_key is not none - name: Linux | Register agent (via authd) shell: > From 7bed850905a8c89caa6c90615c6f77693b6b33b9 Mon Sep 17 00:00:00 2001 
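Review bot: `- newagent_api.json.error == 0` is evaluated even when the registration request produced no JSON body (connection refused, timeout, a non-JSON error page), because the registering task has `ignore_errors: true` and records whatever the `uri` module returned; in that case `newagent_api.json` is undefined and the conditional itself errors instead of skipping the task. Guard it, `- newagent_api.json is defined and newagent_api.json.error == 0`, wherever the same condition gates the follow-up tasks. The enclosing block starts before the hunk.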
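Review bot: The split `Copy TLS/SSL certificate for agent verification` task still installs `{{ wazuh_agent_authd.ssl_agent_key }}` with `mode: 0644`, so the agent's private key is world-readable under `/var/ossec/etc`; copying the key in its own task with `mode: "0640"` (cert and CA can stay at 0644) would make the split consistent with what it was introduced for. Plain `0644` is read as octal by YAML 1.1 loaders but is safer quoted, `mode: "0644"`. The task list continues before and after the hunk.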
From: "Manuel J. Bernal" Date: Fri, 24 Apr 2020 18:07:37 +0200 Subject: [PATCH 06/57] Changes tasks --- playbooks/wazuh-opendistro.yml | 2 +- .../opendistro-elasticsearch/defaults/main.yml | 2 +- .../opendistro-elasticsearch/tasks/RedHat.yml | 12 +++--------- .../opendistro-elasticsearch/tasks/main.yml | 9 +-------- 4 files changed, 6 insertions(+), 19 deletions(-) diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index d146ee3c..ede8ca93 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -1,4 +1,4 @@ --- -- hosts: 172.16.0.161 +- hosts: es-cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f1bff651..8c791a04 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -13,7 +13,7 @@ es_major_version: "7.x" # Configure hostnames for Elasticsearch nodes # Example es1.example.com, es2.example.com -domain_name: example.com +domain_name: wazuh.com # The OpenDistro package repository package_repos: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 64b48b7f..642e7f41 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -43,20 +43,17 @@ path: /tmp/opendistro-nodecerts state: directory run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Download certificates generation tool local_action: module: get_url url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: true - when: install.changed + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: @@ -64,21 +61,18 @@ dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh mode: a+x run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: tlsconfig.yml + src: ../templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ run_once: true - when: install.changed - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 9f4c438c..f8727637 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
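Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` in the `Download certificates generation tool` task is a paste error; `run_once` takes a boolean, and depending on the Ansible version the path is either rejected as an invalid boolean or silently treated as true, so it should read `run_once: true`. Removing `when: install.changed` from the certificate tasks in both hunks means a new root CA and node certificates are generated on every play run, which breaks trust with any node not re-provisioned in the same run; gate them on a `stat` of `/tmp/opendistro-nodecerts/config/root-ca.pem` (or `creates:` where the module supports it) instead of dropping the condition. The switch from `tar` to `unzip` is right for a `.zip`, but the `unzip` package this role installs goes onto the nodes while this command runs on the controller, so the controller needs it too.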
@@ -2,9 +2,6 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: Debian.yml - when: ansible_os_family == "Debian" - - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: jvm.options.j2 @@ -42,8 +39,4 @@ - init - import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- import_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" - + when: ansible_os_family == "RedHat" \ No newline at end of file From b91ea1c6aa05e27bede9c6afbdd912aeccd61fd7 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 14:00:49 +0200 Subject: [PATCH 07/57] Fixed register install --- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 642e7f41..9558094a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -33,7 +33,7 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - tags: install + register: install ## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer ## Using searchguard offline TLS tool to create node & root certificates @@ -65,7 +65,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: ../templates/tlsconfig.yml + src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true From 53ad5c62ccb9b09f80f7c0b1743610346a5fc93d Mon Sep 17 00:00:00 2001 
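Review bot: `register: install` brings back the variable that the `when: install.changed` guards in this file used to depend on, but patch 06 removed those guards from the certificate-generation tasks, so after this patch certificate generation still runs on every play; if skipping it on reruns is the intent, the guards should be restored now that the variable exists. `src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml` appears to be resolved relative to the playbook directory rather than the role, which presumably only works when the playbook is run from the repository root — a path relative to the role's own `templates/` directory is more portable.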
From: "Manuel J. Bernal" Date: Mon, 27 Apr 2020 15:26:13 +0200 Subject: [PATCH 08/57] Fixed unzip task and added templates --- .../opendistro-elasticsearch/tasks/RedHat.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 9558094a..dca70b8d 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -52,8 +52,10 @@ run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: command chdir=/tmp/opendistro-nodecerts unzip search-guard-tlstool.zip - run_once: true + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + dest: /tmp/opendistro-nodecerts/ - name: RedHat/CentOS/Fedora | Add the execution bit to the binary local_action: @@ -65,7 +67,7 @@ - name: RedHat/CentOS/Fedora | Prepare the certificates generation template file local_action: module: template - src: opendistro/opendistro-elasticsearch/templates/tlsconfig.yml + src: "templates/tlsconfig.yml.j2" dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true @@ -112,7 +114,7 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: - src: internal_users.yml + src: "templates/internal_users.yml.j2" dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true From ae160cf6c33d50b0658e6071886988ee8cfbe9d8 Mon Sep 17 00:00:00 2001 
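Review bot: The `unarchive` task that replaces the `unzip` command lost the `run_once: true` the old task had, so the archive is unpacked on the controller once per host in the play; harmless, but slower and inconsistent with the neighbouring local actions. Further down, the rendered internal_users.yml is written with `mode: 0644`; it carries the bcrypt hashes of the admin and kibanaserver accounts and is presumably read only by the Elasticsearch process, so `mode: "0640"` with `group: elasticsearch` (or `"0600"` owned by the service user) is the safer default. Quoting the mode as a string also avoids the YAML octal-literal pitfall.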
From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 15:54:29 +0200 Subject: [PATCH 09/57] Decoupled local actions and updated SearchGuard certificate generator binary --- .../tasks/LocalActions.yml | 40 +++++++++++++++++++ .../opendistro-elasticsearch/tasks/RedHat.yml | 40 ------------------- .../opendistro-elasticsearch/tasks/main.yml | 11 ++++- 3 files changed, 49 insertions(+), 42 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml new file mode 100644 index 00000000..e33ce7e5 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
@@ -0,0 +1,40 @@ +--- + +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f + run_once: true \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index dca70b8d..d396960b 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
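Review bot: The temporary directory is created with default permissions, and the last task writes the cluster's root CA private key and every node key into it, so on a shared controller `/tmp/opendistro-nodecerts/config/root-ca.key` is readable by other local users; `mode: "0700"` on the `file` task (or the `tempfile` module) keeps the key material private. The generate task passes `-f` with no guard, so if that flag forces overwriting, each play regenerates the CA and node certificates, and a rerun against a deployed cluster invalidates the certificates already installed on the nodes; a `stat` on the existing root CA, or an explicit rotation variable, should gate it. The extract task is the only one without `run_once: true`, and the download task still carries `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` instead of a boolean. Task names keep the `RedHat/CentOS/Fedora |` prefix although these tasks now run on the controller regardless of the target OS family.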
@@ -35,46 +35,6 @@ package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install -## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer -## Using searchguard offline TLS tool to create node & root certificates -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true - -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool.zip - dest: /tmp/opendistro-nodecerts/ - -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true - -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true - -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ - run_once: true - name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster copy: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index f8727637..728f4970 100644 
--- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,10 +1,12 @@ --- +- import_tasks: LocalActions.yml + - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' - name: Configure OpenDistro Elasticsearch JVM memmory. template: - src: jvm.options.j2 + src: "templates/jvm.options.j2" dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch @@ -19,7 +21,12 @@ when: ansible_os_family == "RedHat" - name: Copy Configuration File - template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + template: + src: "templates/elasticsearch.ym.j2" + dest: "{{conf_dir}}/elasticsearch.yml" + group: elasticsearch + mode: 0644 + backup: yes register: system_change notify: restart elasticsearch From 7e47b561e0b1f235b54230b47d11c35409250737 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 16:51:49 +0200 Subject: [PATCH 10/57] Added internal_users template --- .../templates/internal_users.yml.j2 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 new file mode 100644 index 00000000..7bb089f3 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -0,0 +1,21 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +admin: + hash: "{{ admin_password }}" + reserved: true + backend_roles: + - "admin" + description: "admin user" + +kibanaserver: + hash: "{{ kibanaserver_password }}" + reserved: true + description: "kibanaserver user" 
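Review bot: `src: "templates/elasticsearch.ym.j2"` in the Copy Configuration File task is missing the `l` of `.yml`, so the template lookup fails on the first run with this patch applied; it should read `src: "templates/elasticsearch.yml.j2"`. The same task writes the file with `mode: 0644` although the same elasticsearch.yml later receives the security configuration block; `mode: "0640"` with `group: elasticsearch` is a safer choice for a config file only the service needs. The `backup: yes` value is a YAML 1.1 boolean that Ansible accepts, but `true` keeps the file consistent with yamllint's `truthy` rule.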
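Review bot: `hash: "{{ admin_password }}"` and `hash: "{{ kibanaserver_password }}"` place the plaintext passwords in the `hash` field, relying on the later `sed`/`hash.sh` tasks to swap them for bcrypt hashes; until that task runs, the rendered file on the node holds both passwords in clear, and if the sed pattern fails to match (a password containing `,` or regex metacharacters) the plaintext silently stays in place and the login presumably just fails. Rendering the hash in the template instead — `hash: "{{ admin_password | password_hash('bcrypt') }}"`, given passlib on the controller and a bcrypt variant the plugin accepts — removes the plaintext round-trip and the shell tasks entirely. The header comment `# The hash value is a bcrypt hash ...` would then be accurate at render time rather than only after post-processing.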
From 34920f5fe560fcc479581efcfb2e4c88df744960 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 17:27:34 +0200 Subject: [PATCH 11/57] Added task to check if root ca already exist --- .../opendistro-elasticsearch/tasks/LocalActions.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index e33ce7e5..432a4423 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -34,7 +34,14 @@ dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml run_once: true +- name: RedHat/CentOS/Fedora | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file + - name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f - run_once: true \ No newline at end of file + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False \ No newline at end of file From 7269b15041d6417cfc5d7a2a221bbd4d421d7cf0 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 29 Apr 2020 18:01:11 +0200 Subject: [PATCH 12/57] Modified several variables --- .../defaults/main.yml | 31 +++---------------- .../opendistro-elasticsearch/tasks/RedHat.yml | 24 +++++++------- .../opendistro-elasticsearch/tasks/main.yml | 4 +-- .../templates/elasticsearch.yml.j2 | 2 +- .../templates/jvm.options.j2 | 8 ++--- 5 files changed, 23 insertions(+), 46 deletions(-) 
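Review bot: Gating the generate task on `root_ca_file.stat.exists == False` means that once a CA exists no certificates are ever generated again, so a node added to the cluster later gets no `<hostname>.key`/`.pem` and the per-host copy task presumably fails for it; the check should look for the per-host certificate, or the CA and node certificates should be gated separately. `when: not root_ca_file.stat.exists` is the idiomatic spelling of the condition. The new `stat` task has no `run_once: true` while the task it guards does, which is harmless but inconsistent with the rest of the file. If `-o` is the tool's overwrite switch, with this guard in place it only matters after a deliberately removed CA, which deserves a comment such as `# -o: overwrite stale output when the CA has been removed on purpose — confirm`.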
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 8c791a04..bca544e6 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,7 +1,6 @@ --- # The OpenDistro version opendistro_version: 1.6.0 - elasticsearch_cluster_name: wazuh-cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster @@ -25,12 +24,9 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' -populate_inventory_to_hosts_file: true - -es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin -es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools - +opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools +opendistro_conf_path: /etc/elasticsearch/ es_nodes: |- {% for item in groups['es-cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} @@ -42,11 +38,6 @@ opendistro_security_password: admin opendistro_jvm_xms: null opendistro_http_port: 9200 -opendistro_network_host: 127.0.0.1 -opendistro_reachable_host: 127.0.0.1 -opendistro_jvm_xms: null -elastic_stack_version: 7.6.1 -opendistro_lower_disk_requirements: false elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' @@ -54,6 +45,7 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' +opendistro_admin_password: Test@123 # Cluster Settings single_node: true opendistro_cluster_name: wazuh 
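Review bot: `opendistro_admin_password: Test@123` ships a working password as a role default, so any deployment that forgets to override it comes up with a credential that is public in this repository (patch 16 only changes it to `changeme`, which has the same problem). Role defaults for secrets are better left empty or set to an obvious placeholder and enforced with an `assert` at the top of the role that fails while the placeholder is still in use. `opendistro_conf_path: /etc/elasticsearch/` keeps a trailing slash while every consumer appends `/elasticsearch.yml`, producing `//` in paths; dropping the slash here avoids the doubled separator. The context line `opendistro_security_password: admin` looks like a leftover from the same family of defaults and may deserve the same treatment.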
@@ -67,18 +59,3 @@ opendistro_discovery_nodes: opendistro_node_data: true opendistro_node_ingest: true -# X-Pack Security -opendistro_xpack_security: false -opendistro_xpack_security_user: elastic -opendistro_xpack_security_password: elastic_pass - -node_certs_generator: false -node_certs_source: /usr/share/elasticsearch -node_certs_destination: /etc/elasticsearch/certs - -# CA generation -master_certs_path: /es_certs -generate_CA: true -ca_key_name: "" -ca_cert_name: "" -ca_password: "" diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index d396960b..b2170af1 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -56,14 +56,14 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ conf_dir }}/elasticsearch.yml" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" backup: yes insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" when: install.changed - name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml + command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml when: install.changed - name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration 
@@ -75,32 +75,32 @@ - name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template template: src: "templates/internal_users.yml.j2" - dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ es_sec_plugin_conf_path }}/internal_users.yml + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed - name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch shell: > - sh {{ es_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ conf_dir }}/root-ca.pem - -cert {{ conf_dir }}/admin.pem - -key {{ conf_dir }}/admin.key - -cd {{ es_sec_plugin_conf_path }}/ + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true 
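Review bot: The rewritten `sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','` lines interpolate the password unescaped into a sed expression and hand it to `hash.sh` as a command-line argument, so it is visible in the process list on the node and, with verbose output, in Ansible's task result; at minimum the two shell tasks and the securityadmin task need `no_log: true`. A password containing `,`, `&`, `'` or a regex metacharacter corrupts the sed expression and leaves the plaintext in internal_users.yml, a silent failure because the task still reports changed. The same construction recurs in the moved copies in patches 14, 15 and 16 (main.yml). `sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh ... -nhnv -icl` disables hostname verification and cluster-name checking for the bootstrap call; acceptable for first initialization, but a one-line comment saying why (`# -nhnv/-icl: bootstrap call before hostname checks can succeed — confirm`) would help the next reader.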
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 728f4970..bdfb6be8 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -22,8 +22,8 @@ - name: Copy Configuration File template: - src: "templates/elasticsearch.ym.j2" - dest: "{{conf_dir}}/elasticsearch.yml" + src: "templates/elasticsearch.yml.j2" + dest: "{{opendistro_conf_path}}/elasticsearch.yml" group: elasticsearch mode: 0644 backup: yes diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 6b025674..58a8ece2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,4 +1,4 @@ -cluster.name: "{{ elasticsearch_cluster_name }}" +cluster.name: "{{ opendistro_cluster_name }}" node.name: "{{ inventory_hostname }}" diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 index c43ce401..de69125c 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 @@ -23,10 +23,10 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space -{% if elasticsearch_jvm_xms is not none %} -{% if elasticsearch_jvm_xms < 32000 %} --Xms{{ elasticsearch_jvm_xms }}m --Xmx{{ elasticsearch_jvm_xms }}m +{% if opendistro_jvm_xms is not none %} +{% if opendistro_jvm_xms < 32000 %} +-Xms{{ opendistro_jvm_xms }}m +-Xmx{{ opendistro_jvm_xms }}m {% else %} -Xms32000m -Xmx32000m From c99d554e2f2fd0dd3ecfb8d55156e120ef56379e Mon Sep 17 00:00:00 2001 
From: Jose M Date: Thu, 30 Apr 2020 17:57:01 +0200 Subject: [PATCH 13/57] Delete alert_new_files references in jinja templates --- .../templates/var-ossec-etc-ossec-server.conf.j2 | 1 - .../templates/var-ossec-etc-shared-agent.conf.j2 | 1 - 2 files changed, 2 deletions(-) diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index e7ca872e..53565007 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 @@ -294,7 +294,6 @@ {{ wazuh_manager_config.syscheck.disable }} - {{ wazuh_manager_config.syscheck.alert_new_files }} {{ wazuh_manager_config.syscheck.frequency }} {{ wazuh_manager_config.syscheck.scan_on_start }} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index f300f22a..78893385 100644 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -7,7 +7,6 @@ {% if agent_config.syscheck.auto_ignore is defined %} {{ agent_config.syscheck.auto_ignore }} {% endif %} - {{ agent_config.syscheck.alert_new_files }} {{ agent_config.syscheck.frequency }} {{ agent_config.syscheck.scan_on_start }} From e899b1c6020efd1d87291e1294ced56f9ca34cf4 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 6 May 2020 17:33:53 +0200 Subject: [PATCH 14/57] WIP: Testing first secured cluster deployment --- .../opendistro-elasticsearch/tasks/RedHat.yml | 75 ----------- .../opendistro-elasticsearch/tasks/main.yml | 125 +++++++++++++++--- 2 files changed, 107 insertions(+), 93 deletions(-) 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b2170af1..b3318193 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
@@ -30,78 +30,3 @@ packages: - wget - unzip - -- name: RedHat/CentOS/Fedora | Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present - register: install - - -- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - backup: yes - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file - command: sed -i 's/searchguard/opendistro_security/g' {{ opendistro_conf_path }}/elasticsearch.yml - when: install.changed - -- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the Admin user password - shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' - {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword - shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bdfb6be8..bf7c6e06 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -4,6 +4,110 @@ - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' +- name: Install OpenDistro + package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + register: install + +- name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + +- name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + +- name: Remove elasticsearch configuration file + file: + path: "{{opendistro_conf_path}}/elasticsearch.yml" + state: absent + when: install.changed + +- name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + create: true + group: elasticsearch + mode: 0640 + marker: "## {mark} Opendistro general settings ##" + when: install.changed + +- name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + +- name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 
'opendistro_security' + tags: local + when: install.changed + +- name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + +- name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + +- name: Set the Admin user password + shell: > + sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + +- name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + - name: Configure OpenDistro Elasticsearch JVM memmory. template: src: "templates/jvm.options.j2" 
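Review bot: The certificate copy task ships `root-ca.key` to every node in the cluster with `mode: 0644`, alongside the node and admin private keys at the same mode; the CA private key is only needed where certificates are issued (the controller here), and distributing it world-readable to every Elasticsearch host means any local account on any node can mint certificates the cluster trusts. Drop `root-ca.key` from the `with_items` list, and give the `.key` files `mode: "0640"` with `owner: root` / `group: elasticsearch` (or split the loop so only the public `.pem` files stay 0644). The three shell tasks carry the password-on-command-line issue already noted on patch 12 and still lack `no_log: true`. `tags: local` on the `replace` task looks like a leftover debugging tag and would exclude that step from a `--tags opendistro` run while everything around it runs. `Remove demo certs` and `Remove elasticsearch configuration file` run only `when: install.changed`, so a node where the package was already installed keeps the demo `kirk`/`esnode` material — worth a comment or a broader condition.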
@@ -13,22 +117,7 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: configure - -# fix in new PR (ignore_errors) - -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- name: Copy Configuration File - template: - src: "templates/elasticsearch.yml.j2" - dest: "{{opendistro_conf_path}}/elasticsearch.yml" - group: elasticsearch - mode: 0644 - backup: yes - register: system_change - notify: restart elasticsearch + tags: opendistro - name: Ensure Elasticsearch started and enabled service: @@ -36,13 +125,13 @@ enabled: true state: started tags: - - configure + - opendistro - init - name: Make sure Elasticsearch is running before proceeding wait_for: host=localhost port=9200 delay=3 timeout=400 tags: - - configure + - opendistro - init - import_tasks: "RMRedHat.yml" From 5fd4988a888e207dc25320019ef0b37d57e5e0f3 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:40:58 +0200 Subject: [PATCH 15/57] Fixed typo --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index bf7c6e06..88ad8711 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -84,7 +84,7 @@ - name: Set the Admin user password shell: > - sed -i 's,{{ admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)',' + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed 
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index 7bb089f3..f39bbf50 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -9,7 +9,7 @@ _meta: # Define your internal users here admin: - hash: "{{ admin_password }}" + hash: "{{ opendistro_admin_password }}" reserved: true backend_roles: - "admin" From 77c30c3bf0e496138bb29024de8bf41765fc7adb Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 14:50:01 +0200 Subject: [PATCH 16/57] Added Kibana admin password --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- .../opendistro-elasticsearch/templates/internal_users.yml.j2 | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index bca544e6..b71b67de 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -45,7 +45,8 @@ elasticrepo: gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' -opendistro_admin_password: Test@123 +opendistro_admin_password: changeme +opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 88ad8711..7174a27f 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -91,7 +91,7 @@ - name: Set the kibanaserver user pasword shell: > - sed -i 's,{{ kibanaserver_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)',' + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 index f39bbf50..471a5c28 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 @@ -16,6 +16,6 @@ admin: description: "admin user" kibanaserver: - hash: "{{ kibanaserver_password }}" + hash: "{{ opendistro_kibana_password }}" reserved: true description: "kibanaserver user" From 0c04b22b0f8b49a36e6af4be2d7c6cec3ac1e864 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 19:12:43 +0200 Subject: [PATCH 17/57] Checking API status --- .../opendistro-elasticsearch/tasks/main.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7174a27f..ea56183e 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
@@ -128,11 +128,20 @@ - opendistro - init -- name: Make sure Elasticsearch is running before proceeding - wait_for: host=localhost port=9200 delay=3 timeout=400 - tags: - - opendistro - - init +- name: Wait for Elasticsearch API + uri: + url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" \ No newline at end of file From e83c6f8d86cf1d34701bd16ab6bbd2a99bf0bd88 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 7 May 2020 20:03:39 +0200 Subject: [PATCH 18/57] Refactor of production ready actions --- .../tasks/LocalActions.yml | 82 ++++++++-------- .../opendistro-elasticsearch/tasks/RedHat.yml | 58 ++++++------ .../tasks/SecurityActions.yml | 88 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 93 ++----------------- 4 files changed, 168 insertions(+), 153 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 432a4423..8ff56b64 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
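Review bot: `validate_certs: no` on the new `Wait for Elasticsearch API` task sends the admin basic-auth credentials to whatever answers on `https://…:9200` without checking its certificate, although the role mints its own CA and `securityadmin.sh` in the same role already trusts `{{ opendistro_conf_path }}/root-ca.pem` on the node. Replace the line with `validate_certs: yes` and `ca_path: "{{ opendistro_conf_path }}/root-ca.pem"` so the readiness probe only talks to a node presenting a certificate from that CA. `tags: debug` replaces the removed `opendistro`/`init` tags and looks like a leftover from testing, and the `es_nodes.split(',')[0].split('\"')[0]` expression deserves a comment stating what shape `es_nodes` is expected to have.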
@@ -1,47 +1,51 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation - local_action: - module: file - path: /tmp/opendistro-nodecerts - state: directory - run_once: true + - name: Local action | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + + - name: Local action | Download certificates generation tool + local_action: + module: get_url + url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip -- name: RedHat/CentOS/Fedora | Download certificates generation tool - local_action: - module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + - name: Local action | Extract the certificates generation tool + local_action: + module: unarchive + src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip + dest: /tmp/opendistro-nodecerts/ -- name: RedHat/CentOS/Fedora | Extract the certificates generation tool - local_action: - module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + - name: Local action | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true -- name: RedHat/CentOS/Fedora | Add the execution bit to the binary - local_action: - module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh - mode: a+x - run_once: true + - name: Local action | Prepare the certificates generation template file + local_action: + module: template + src: "templates/tlsconfig.yml.j2" + dest: 
/tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true -- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file - local_action: - module: template - src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml - run_once: true + - name: Local action | Check if root CA file exists + local_action: + module: stat + path: /tmp/opendistro-nodecerts/config/root-ca.key + register: root_ca_file -- name: RedHat/CentOS/Fedora | Check if root CA file exists - local_action: - module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key - register: root_ca_file + - name: Local action | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + run_once: true + when: root_ca_file.stat.exists == False -- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local - local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False \ No newline at end of file + tags: + - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index b3318193..68459544 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
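Review bot: `run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip` on the `Download certificates generation tool` task is a path where a boolean belongs and should read `run_once: true` like the sibling tasks. That same get_url fetches the tool that will mint the cluster root CA and every node and admin certificate with no integrity check; adding `checksum: "sha256:<digest from the vendor release, placeholder>"` makes a swapped or truncated archive fail the download instead of silently signing the cluster. The generated `root-ca.key` is then left at a fixed path under the controller's `/tmp`, which is normally shared with every local account; a directory under the playbook tree created with a restrictive `mode` on the `file` task is a safer home for a CA private key.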
@@ -1,32 +1,36 @@ --- +- block: -- name: RedHat/CentOS/Fedora | Add OpenDistro repo - yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo - yum_repository: - file: opendistro - name: elasticsearch_oss_repo - description: Elasticsearch-oss yum repository - baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" - gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" - gpgcheck: true - changed_when: false + - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + changed_when: false -- name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + - name: RedHat/CentOS/Fedora | Install OpenJDK 11 + yum: name=java-11-openjdk-devel state=present -- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip + - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + tags: + - install \ No newline at end of file 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml new file mode 100644 index 00000000..c6323fde --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
@@ -0,0 +1,88 @@ +- block: + + - name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{opendistro_conf_path}}/kirk.pem" + - "{{opendistro_conf_path}}/kirk-key.pem" + - "{{opendistro_conf_path}}/esnode.pem" + - "{{opendistro_conf_path}}/esnode-key.pem" + when: install.changed + + - name: Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" + dest: /etc/elasticsearch/ + mode: 0644 + with_items: + - root-ca.pem + - root-ca.key + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - admin.key + - admin.pem + when: install.changed + + - name: Copy the opendistro security configuration file to cluster + blockinfile: + block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + insertafter: EOF + marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" + when: install.changed + + - name: Prepare the opendistro security configuration file + replace: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + regexp: 'searchguard' + replace: 'opendistro_security' + tags: local + when: install.changed + + - name: Restart elasticsearch with security configuration + systemd: + name: elasticsearch + state: restarted + when: install.changed + + - name: Copy the opendistro security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + when: install.changed + + - name: Set the Admin user password + shell: > + sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' + {{ 
opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Set the kibanaserver user pasword + shell: > + sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' + {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + run_once: true + when: install.changed + + - name: Initialize the opendistro security index in elasticsearch + shell: > + sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ opendistro_conf_path }}/root-ca.pem + -cert {{ opendistro_conf_path }}/admin.pem + -key {{ opendistro_conf_path }}/admin.key + -cd {{ opendistro_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed + + tags: + - production_ready diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index ea56183e..94f4ab91 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,4 +1,5 @@ --- + - import_tasks: LocalActions.yml - import_tasks: RedHat.yml 
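Review bot: The `Copy the node & admin certificates` task ships `root-ca.key` to every Elasticsearch node and applies `mode: 0644` to it, to `admin.key` and to the node keys. Nothing on the new side consumes the CA private key on the node — `securityadmin.sh` is given only `-cacert root-ca.pem`, `-cert admin.pem` and `-key admin.key` — so remove `root-ca.key` from `with_items` and keep it on the controller, and give the remaining key files `mode: "0600"` with `owner`/`group` set to the account Elasticsearch runs as (a second copy task for the `.key` items is the simplest way to leave the `.pem` files at 0644). `tags: local` on the `Prepare the opendistro security configuration file` task inside a block tagged `production_ready` looks like a leftover. `-h {{ hostvars[inventory_hostname]['ip'] }}` requires an `ip` inventory variable that none of the hunks on this page define; a default such as `ansible_default_ipv4.address` would make the role usable out of the box.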
@@ -7,40 +8,14 @@ - name: Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present register: install - -- name: Copy the node & admin certificates to Elasticsearch cluster - copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" - dest: /etc/elasticsearch/ - mode: 0644 - with_items: - - root-ca.pem - - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - - admin.key - - admin.pem - when: install.changed - -- name: Remove demo certs - file: - path: "{{ item }}" - state: absent - with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" - when: install.changed + tags: install - name: Remove elasticsearch configuration file file: path: "{{opendistro_conf_path}}/elasticsearch.yml" state: absent when: install.changed + tags: install - name: Copy Configuration File blockinfile: 
@@ -51,62 +26,9 @@ mode: 0640 marker: "## {mark} Opendistro general settings ##" when: install.changed + tags: install -- name: Copy the opendistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - -- name: Prepare the opendistro security configuration file - replace: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - regexp: 'searchguard' - replace: 'opendistro_security' - tags: local - when: install.changed - -- name: Restart elasticsearch with security configuration - systemd: - name: elasticsearch - state: restarted - when: install.changed - -- name: Copy the opendistro security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - when: install.changed - -- name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Set the kibanaserver user pasword - shell: > - sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml - run_once: true - when: install.changed - -- name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ 
opendistro_sec_plugin_conf_path }}/ - -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} - run_once: true - when: install.changed +- import_tasks: SecurityActions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: @@ -117,16 +39,13 @@ mode: 0644 force: yes notify: restart elasticsearch - tags: opendistro + tags: install - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started - tags: - - opendistro - - init - name: Wait for Elasticsearch API uri: From 3c6e08c7cf0ecf5890555cf6bde5fc07a0c24bfd Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 14:43:30 +0200 Subject: [PATCH 19/57] Modified task, from shell to command module --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index c6323fde..765285aa 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -73,8 +73,8 @@ when: install.changed - name: Initialize the opendistro security index in elasticsearch - shell: > - sh {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh + command: > + {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem -cert {{ opendistro_conf_path }}/admin.pem -key {{ opendistro_conf_path }}/admin.key From d7be137e6e2f3791d0a18d968348c690897f995b Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:54:23 +0200 Subject: [PATCH 20/57] Ansible linting compliant variables --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 8 ++++---- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) 
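Review bot: `Ensure Elasticsearch started and enabled` loses its `opendistro`/`init` tags while the neighbouring tasks gain `tags: install`, so a run limited to `--tags install` installs the package and writes jvm.options but never starts the service. Give it `tags: install` as well; the `Wait for Elasticsearch API` task that follows is cut off by the hunk and, from PATCH 17 above, presumably still carries `tags: debug`, which deserves the same treatment.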
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 765285aa..390df69c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -5,10 +5,10 @@ path: "{{ item }}" state: absent with_items: - - "{{opendistro_conf_path}}/kirk.pem" - - "{{opendistro_conf_path}}/kirk-key.pem" - - "{{opendistro_conf_path}}/esnode.pem" - - "{{opendistro_conf_path}}/esnode-key.pem" + - "{{ opendistro_conf_path }}/kirk.pem" + - "{{ opendistro_conf_path }}/kirk-key.pem" + - "{{ opendistro_conf_path }}/esnode.pem" + - "{{ opendistro_conf_path }}/esnode-key.pem" when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 94f4ab91..6547b03a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -12,7 +12,7 @@ - name: Remove elasticsearch configuration file file: - path: "{{opendistro_conf_path}}/elasticsearch.yml" + path: "{{ opendistro_conf_path }}/elasticsearch.yml" state: absent when: install.changed tags: install From 8fd684927581a0bb7c969a3728fa7b7ce0d9f0ad Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:55:13 +0200 Subject: [PATCH 21/57] Tasks in YAML format --- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index a4c1162a..c2836edc 100644 
--- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,3 +1,4 @@ --- - name: restart elasticsearch - service: name=elasticsearch state=restarted + service: name=elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 68459544..3511c7c4 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,7 +22,8 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel state=present + yum: name=java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 6547b03a..fbc9dea6 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,7 +6,8 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present + package: name=opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9152d07ac1b7780f96bff074b91d5822f0f0125e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 15:56:00 +0200 Subject: [PATCH 22/57] When statement at block level --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 390df69c..8572d864 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
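Review bot: `service: name=elasticsearch` followed by `state: restarted` at the same indentation makes `state` a task-level key rather than a module argument, which Ansible rejects as an invalid attribute for a task; the same half-converted form is applied to `yum:` in RedHat.yml and `package:` in main.yml in this patch. PATCH 25 on this page rewrites all three into full YAML form (`service:` / `name: elasticsearch` / `state: restarted`), so the tip is fine, but squashing that fix into this commit would keep the intermediate revisions runnable.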
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -9,7 +9,6 @@ - "{{ opendistro_conf_path }}/kirk-key.pem" - "{{ opendistro_conf_path }}/esnode.pem" - "{{ opendistro_conf_path }}/esnode-key.pem" - when: install.changed - name: Copy the node & admin certificates to Elasticsearch cluster copy: @@ -26,7 +25,6 @@ - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" - admin.key - admin.pem - when: install.changed - name: Copy the opendistro security configuration file to cluster blockinfile: @@ -34,7 +32,6 @@ dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - when: install.changed - name: Prepare the opendistro security configuration file replace: @@ -42,13 +39,11 @@ regexp: 'searchguard' replace: 'opendistro_security' tags: local - when: install.changed - name: Restart elasticsearch with security configuration systemd: name: elasticsearch state: restarted - when: install.changed - name: Copy the opendistro security internal users template template: @@ -56,21 +51,18 @@ dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true - when: install.changed - name: Set the Admin user password shell: > sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Set the kibanaserver user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - when: install.changed - name: Initialize the opendistro security index in elasticsearch command: 
> @@ -82,7 +74,7 @@ -nhnv -icl -h {{ hostvars[inventory_hostname]['ip'] }} run_once: true - when: install.changed tags: - production_ready + when: install.changed \ No newline at end of file From a2fe75775e3cab2ef2d4bd246f8379245f066a3e Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 18:43:01 +0200 Subject: [PATCH 23/57] Added new variables --- .../defaults/main.yml | 13 ++++-------- .../tasks/LocalActions.yml | 20 +++++++++---------- .../tasks/SecurityActions.yml | 4 ++-- 3 files changed, 16 insertions(+), 21 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index b71b67de..9103b4ad 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -39,6 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +# Url of Search Guard certificates generator tool +certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip + elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' yum: 'https://artifacts.elastic.co/packages/7.x/yum' @@ -50,13 +53,5 @@ opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh -opendistro_node_name: node-1 -opendistro_bootstrap_node: false -opendistro_node_master: false -opendistro_cluster_nodes: - - 127.0.0.1 -opendistro_discovery_nodes: - - 127.0.0.1 -opendistro_node_data: true -opendistro_node_ingest: true +local_certs_path: /tmp/opendistro-nodecerts \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 8ff56b64..50d4016c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml 
@@ -4,27 +4,27 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: /tmp/opendistro-nodecerts + path: {{ local_certs_path }} state: directory run_once: true - name: Local action | Download certificates generation tool local_action: module: get_url - url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - run_once: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + url: "{{ certs_gen_tool_url }}" + dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" - name: Local action | Extract the certificates generation tool local_action: module: unarchive - src: /tmp/opendistro-nodecerts/search-guard-tlstool-1.7.zip - dest: /tmp/opendistro-nodecerts/ + src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" + dest: "{{ local_certs_path }}/" - name: Local action | Add the execution bit to the binary local_action: module: file - dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x run_once: true 
@@ -32,18 +32,18 @@ local_action: module: template src: "templates/tlsconfig.yml.j2" - dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + dest: "{{ local_certs_path }}/config/tlsconfig.yml" run_once: true - name: Local action | Check if root CA file exists local_action: module: stat - path: /tmp/opendistro-nodecerts/config/root-ca.key + path: "{{ local_certs_path }}/config/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local local_action: - module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ -f -o + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o run_once: true when: root_ca_file.stat.exists == False diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 8572d864..3c8293f5 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml @@ -12,7 +12,7 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: - src: "/tmp/opendistro-nodecerts/config/{{ item }}" + src: "{{ local_certs_path }}/config/{{ item }}" dest: /etc/elasticsearch/ mode: 0644 with_items: @@ -28,7 +28,7 @@ - name: Copy the opendistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" 
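Review bot: `lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml')` nests `{{ }}` inside an expression that is already being templated and relies on the lookup machinery re-templating its terms, which ansible-lint flags and which should not be depended on. Build the path as a Jinja expression instead: `block: "{{ lookup('file', local_certs_path ~ '/config/' ~ inventory_hostname ~ '_elasticsearch_config_snippet.yml') }}"`.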
From 459ac4631034c75a4e3f9c9963d9bb742edd6c92 Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 8 May 2020 20:05:28 +0200 Subject: [PATCH 24/57] Fix API from sources installation conditional --- .../ansible-wazuh-manager/tasks/installation_from_sources.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml index e019d2f9..2fa00fe7 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml @@ -123,7 +123,7 @@ path: /var/ossec/api/app.js register: wazuh_api when: - - wazuh_manager_config.cluster.node_type == "master" + - wazuh_manager_config.cluster.node_type == "master" or wazuh_manager_config.cluster.node_type == "worker" - name: Install Wazuh API from sources block: From cf14f400ba417965a8fdf98f71faaa1c9072f88c Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Fri, 8 May 2020 20:44:30 +0200 Subject: [PATCH 25/57] Linting and improving variables --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 3 ++- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 5 +++-- .../opendistro-elasticsearch/tasks/LocalActions.yml | 6 +++--- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 5 +++-- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 5 +++-- 5 files changed, 14 insertions(+), 10 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 9103b4ad..0c8f8f1f 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -39,8 +39,9 @@ opendistro_jvm_xms: null opendistro_http_port: 9200 +certs_gen_tool_version: 1.7 # Url of Search Guard certificates generator tool -certs_gen_tool_url: https://releases.floragunn.com/search-guard-tlstool/1.7/search-guard-tlstool-1.7.zip +certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" elasticrepo: apt: 'https://artifacts.elastic.co/packages/7.x/apt' diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index c2836edc..95f5868b 100644 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,4 +1,5 @@ --- - name: restart elasticsearch - service: name=elasticsearch - state: restarted + service: + name: elasticsearch + state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml index 50d4016c..60379616 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml @@ -4,7 +4,7 @@ - name: Local action | Create local temporary directory for certificates generation local_action: module: file - path: {{ local_certs_path }} + path: "{{ local_certs_path }}" state: directory run_once: true @@ -12,8 +12,8 @@ local_action: module: get_url url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" - run_once: "{{ local_certs_path }}/search-guard-tlstool.zip" + dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + run_once: true - name: Local action | Extract the certificates generation tool local_action: 
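Review bot: `certs_gen_tool_version: 1.7` is an unquoted float, so a future `1.10` would be read as `1.1` and `certs_gen_tool_url`, which interpolates it, would point at a nonexistent release; write it as `certs_gen_tool_version: "1.7"`. A version pin alone does not protect the download, so a `checksum` on the get_url task (raised on the earlier local-actions hunk) remains worthwhile.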
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 3511c7c4..1a2eed56 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -22,8 +22,9 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: name=java-11-openjdk-devel - state: present + yum: + name: java-11-openjdk-devel + state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index fbc9dea6..d8f51f81 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -6,8 +6,9 @@ when: ansible_os_family == 'RedHat' - name: Install OpenDistro - package: name=opendistroforelasticsearch-{{ opendistro_version }} - state: present + package: + name: opendistroforelasticsearch-{{ opendistro_version }} + state: present register: install tags: install From 9742c4984cb929d99733ffe8cee77ebae90933b5 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Mon, 11 May 2020 13:56:03 +0200 Subject: [PATCH 26/57] Changed task description --- .../opendistro-elasticsearch/tasks/SecurityActions.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml index 3c8293f5..056af1e4 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
@@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the opendistro security configuration file to cluster + - name: Copy the OpenDistrosecurity configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the opendistro security configuration file + - name: Prepare the OpenDistrosecurity configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the opendistro security internal users template + - name: Copy the OpenDistrosecurity internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" @@ -58,13 +58,13 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Set the kibanaserver user pasword + - name: Set the kibanaserver role/user pasword shell: > sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the opendistro security index in elasticsearch + - name: Initialize the OpenDistrosecurity index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem From eb9925a901a70f70da61aec99b0309fac4348658 Mon Sep 17 00:00:00 2001 
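Review bot: The renamed task in the `@@ -58,13 +58,13 @@` hunk still reads `Set the kibanaserver role/user pasword`; since this commit only changes wording, fix the spelling here: `- name: Set the kibanaserver role/user password`. The `shell:` body under it interpolates `opendistro_kibana_password` twice into a command line and the task carries no `no_log: true`, so the password appears in verbose task output and in the host's process list while `hash.sh` runs; adding `no_log: true` to this task and to the internal-users tasks above it is a cheap fix. The `sed -i 's,…,…,'` expression also breaks for a password containing `,` or `'`, which is worth a comment on the task if that limitation is accepted.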
From: "Manuel J. Bernal" Date: Mon, 11 May 2020 15:18:11 +0200 Subject: [PATCH 27/57] Fixed variables and renamed files --- .../tasks/{LocalActions.yml => local_actions.yml} | 0 roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- .../tasks/{SecurityActions.yml => security_actions.yml} | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) rename roles/opendistro/opendistro-elasticsearch/tasks/{LocalActions.yml => local_actions.yml} (100%) rename roles/opendistro/opendistro-elasticsearch/tasks/{SecurityActions.yml => security_actions.yml} (89%) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/tasks/LocalActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index d8f51f81..c8941208 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -1,6 +1,6 @@ --- -- import_tasks: LocalActions.yml +- import_tasks: local_actions.yml - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' @@ -30,7 +30,7 @@ when: install.changed tags: install -- import_tasks: SecurityActions.yml +- import_tasks: security_actions.yml - name: Configure OpenDistro Elasticsearch JVM memmory. template: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml similarity index 89% rename from roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml rename to roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 056af1e4..1fee6fef 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/SecurityActions.yml 
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -26,14 +26,14 @@ - admin.key - admin.pem - - name: Copy the OpenDistrosecurity configuration file to cluster + - name: Copy the OpenDistro security configuration file to cluster blockinfile: block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - - name: Prepare the OpenDistrosecurity configuration file + - name: Prepare the OpenDistro security configuration file replace: path: "{{ opendistro_conf_path }}/elasticsearch.yml" regexp: 'searchguard' @@ -45,7 +45,7 @@ name: elasticsearch state: restarted - - name: Copy the OpenDistrosecurity internal users template + - name: Copy the OpenDistro security internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" @@ -64,7 +64,7 @@ {{ opendistro_sec_plugin_conf_path }}/internal_users.yml run_once: true - - name: Initialize the OpenDistrosecurity index in elasticsearch + - name: Initialize the OpenDistro security index in elasticsearch command: > {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh -cacert {{ opendistro_conf_path }}/root-ca.pem From 3d74c3a3c393a4bf224aface32e06dbe5064e440 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Wed, 13 May 2020 13:44:40 +0200 Subject: [PATCH 28/57] fix override of var filebeat_module_folder --- roles/wazuh/ansible-filebeat/tasks/main.yml | 32 +++++++++++---------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c252..496a7687 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -67,25 +67,26 @@ - name: Checking if Filebeat Module folder file exists stat: path: "{{ filebeat_module_folder }}" - register: filebeat_module_folder + register: filebeat_module_folder_info +- name: Download, uncompress and apply permissions for Filebeat + block: -- name: Download Filebeat module package - get_url: - url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_package_path }}" - when: not filebeat_module_folder.stat.exists + - name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" -- name: Unpakcing Filebeat module package - unarchive: - src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_destination }}" - remote_src: yes - when: not filebeat_module_folder.stat.exists + - name: Unpacking Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes -- name: Setting 0755 permission for Filebeat module folder - file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes - when: not filebeat_module_folder.stat.exists + - name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + + when: not filebeat_module_folder_info.stat.exists - name: Checking if Filebeat Module package file exists stat: @@ -99,6 +100,7 @@ path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" when: filebeat_module_package.stat.exists +- meta: end_play - import_tasks: config.yml when: filebeat_create_config notify: restart filebeat From e7bcd54a91a8d8d5f834a87c77ca2837d2a42be7 Mon Sep 17 00:00:00 2001 
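Review bot: The `get_url` moved into the new block downloads `{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}` and the next task unpacks it with `remote_src: yes`, but no `checksum:` is set, so the module archive is extracted onto the host without any integrity check. Add `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder) under `dest:`, preferably through a `filebeat_module_package_checksum` variable next to the existing URL and name variables. The rename to `filebeat_module_folder_info` correctly stops the `stat` result from shadowing the path variable that `file:` then reads, which is the bug this commit fixes.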
From: Pablo Escobar Date: Wed, 13 May 2020 14:32:09 +0200 Subject: [PATCH 29/57] remove leftover debug line --- roles/wazuh/ansible-filebeat/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 496a7687..33eec3c3 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -100,7 +100,6 @@ path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" when: filebeat_module_package.stat.exists -- meta: end_play - import_tasks: config.yml when: filebeat_create_config notify: restart filebeat From 607387383790047d60e9ac5d63a309ccd73d0b2a Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Wed, 13 May 2020 15:53:43 +0200 Subject: [PATCH 30/57] apply permissions 0755 --- roles/wazuh/ansible-filebeat/tasks/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 33eec3c3..34f74f42 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -84,7 +84,10 @@ remote_src: yes - name: Setting 0755 permission for Filebeat module folder - file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + file: + path: "{{ filebeat_module_folder }}" + mode: 0755 + recurse: yes when: not filebeat_module_folder_info.stat.exists From fdc3b0f55cd1f774523232b517aef462207e7d0a Mon Sep 17 00:00:00 2001 
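Review bot: In the `@@ -84,7 +84,10 @@` hunk, `mode: 0755` combined with `recurse: yes` sets the execute bit on every regular file under `filebeat_module_folder`, whereas the replaced symbolic form `u=rwX,g=rwX,o=rwX` only added `x` to directories and already-executable files. If the intent is just to make the folder traversable and drop the world-writable bits, keep the symbolic style with narrower groups, `mode: u=rwX,g=rX,o=rX`, which also avoids the leading-zero octal that ansible-lint reports as `risky-octal`; if a recursive executable bit is really wanted, quote it as `mode: "0755"`. The task name `Setting 0755 permission for Filebeat module folder` should then be updated to match whichever form is chosen.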
From: "Manuel J. Bernal" Date: Thu, 14 May 2020 18:13:53 +0200 Subject: [PATCH 31/57] Lint changes --- roles/opendistro/opendistro-elasticsearch/handlers/main.yml | 2 +- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 2 +- .../opendistro-elasticsearch/tasks/local_actions.yml | 6 +++--- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/tasks/main.yml | 1 - roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml | 2 +- 6 files changed, 8 insertions(+), 9 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml index 95f5868b..3cfaa6b0 100644 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart elasticsearch - service: + service: name: elasticsearch state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 1a2eed56..f018c9f7 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -23,7 +23,7 @@ - name: RedHat/CentOS/Fedora | Install OpenJDK 11 yum: - name: java-11-openjdk-devel + name: java-11-openjdk-devel state: present - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index 60379616..d4857046 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -7,7 +7,7 @@ path: "{{ local_certs_path }}" state: directory run_once: true - + - name: Local action | Download certificates generation tool local_action: module: get_url 
@@ -37,7 +37,7 @@ - name: Local action | Check if root CA file exists local_action: - module: stat + module: stat path: "{{ local_certs_path }}/config/root-ca.key" register: root_ca_file @@ -45,7 +45,7 @@ local_action: module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o run_once: true - when: root_ca_file.stat.exists == False + when: not root_ca_file.stat.exists tags: - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index c8941208..9df1e01c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -7,7 +7,7 @@ - name: Install OpenDistro package: - name: opendistroforelasticsearch-{{ opendistro_version }} + name: opendistroforelasticsearch-{{ opendistro_version }} state: present register: install tags: install @@ -18,7 +18,7 @@ state: absent when: install.changed tags: install - + - name: Copy Configuration File blockinfile: block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c252..4dcd8da5 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -69,7 +69,6 @@ path: "{{ filebeat_module_folder }}" register: filebeat_module_folder - - name: Download Filebeat module package get_url: url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml index e9342860..2c4e2f5e 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
@@ -127,7 +127,7 @@ become: no changed_when: newagent_api.json.error == 0 when: - - check_keys.stat.exists == false or check_keys.stat.size == 0 + - not check_keys.stat.exists or check_keys.stat.size == 0 - wazuh_managers.0.address is not none tags: - config From 930125cc86b84914dc3ccf36f2f6371053be9a79 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Thu, 21 May 2020 22:32:36 +0200 Subject: [PATCH 32/57] WIP: First Kibana working approach --- playbooks/wazuh-opendistro-kibana.yml | 4 + .../defaults/main.yml | 4 +- .../tasks/RMRedHat.yml | 2 +- .../templates/tlsconfig.yml.j2 | 9 +- .../opendistro-kibana/defaults/main.yml | 60 ++++++++ .../opendistro-kibana/handlers/main.yml | 3 + .../opendistro-kibana/tasks/RMRedHat.yml | 6 + .../opendistro-kibana/tasks/RedHat.yml | 23 +++ .../tasks/build_wazuh_plugin.yml | 76 ++++++++++ .../opendistro-kibana/tasks/main.yml | 62 ++++++++ .../tasks/security_actions.yml | 13 ++ .../templates/opendistro_kibana.yml.j2 | 36 +++++ .../opendistro-kibana/templates/wazuh.yml.j2 | 134 ++++++++++++++++++ 13 files changed, 428 insertions(+), 4 deletions(-) create mode 100644 playbooks/wazuh-opendistro-kibana.yml create mode 100644 roles/opendistro/opendistro-kibana/defaults/main.yml create mode 100644 roles/opendistro/opendistro-kibana/handlers/main.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/RedHat.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/main.yml create mode 100644 roles/opendistro/opendistro-kibana/tasks/security_actions.yml create mode 100644 roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 create mode 100644 roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 diff --git a/playbooks/wazuh-opendistro-kibana.yml b/playbooks/wazuh-opendistro-kibana.yml new file mode 100644 index 00000000..fa3600c1 --- /dev/null 
+++ b/playbooks/wazuh-opendistro-kibana.yml @@ -0,0 +1,4 @@ +--- +- hosts: es1 + roles: + - role: ../roles/opendistro/opendistro-kibana diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 0c8f8f1f..23140123 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -16,8 +16,8 @@ domain_name: wazuh.com # The OpenDistro package repository package_repos: - yum: - opendistro: + yum: + opendistro: baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' elasticsearch_oss: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml index 46989361..31f0416a 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) yum_repository: - name: elastic_repo_7 + name: opendistro_repo state: absent changed_when: false diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index 85792a6a..f5ee89bc 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 
@@ -31,7 +31,14 @@ nodes: dns: {{ item }}.{{ domain_name }} ip: {{ hostvars[item]['ip'] }} {% endfor %} - +{% if groups['kibana'] is defined and groups['kibana']|length > 0 %} +{% for item in groups['kibana'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} +{% endif %} ### ### Clients ### diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml new file mode 100644 index 00000000..6bbf5015 --- /dev/null +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml 
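Review bot: The added loop places every host in `groups['kibana']` under the `nodes:` section of the TLS tool config, so each Kibana host receives a node certificate with the same `OU=Ops,O=…,DC=…` DN shape as the Elasticsearch nodes rather than a client certificate from the `### Clients ###` section that follows. If the cluster's `nodes_dn` setting matches on that DN pattern, the Kibana host's key would also be accepted on the transport layer as a cluster node — presumably only the `_http` certificate is wanted for the Kibana listener; confirm and, if so, add a comment above the loop such as `{# Kibana hosts are listed as nodes only to obtain <host>_http.pem/.key for the HTTPS listener #}`. The loop also relies on each Kibana host defining an `ip` host variable, which should be documented in the role defaults.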
@@ -0,0 +1,60 @@ +--- + +elasticsearch_http_port: "9200" +elasticsearch_network_host: |- + {% for item in groups['kibana'] -%} + {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} + {%- endfor %} + +kibana_conf_path: /etc/kibana +kibana_server_host: "0.0.0.0" +kibana_server_port: "5601" +kibana_server_name: "kibana" +kibana_max_payload_bytes: 1048576 +opendistro_version: 7.6.1 +wazuh_version: 3.12.3 +wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp + +# The OpenDistro package repository +package_repos: + yum: + opendistro: + baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/' + gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch' + elasticsearch_oss: + baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + + +# API credentials +wazuh_api_credentials: + - id: "default" + url: "http://localhost" + port: 55000 + user: "foo" + password: "bar" + +# opendistro Security +kibana_opendistro_security: true +kibana_newsfeed_enabled: "false" +kibana_telemetry_optin: "false" +kibana_telemetry_enabled: "false" + +opendistro_security_user: elastic +opendistro_kibana_user: kibanaserver +opendistro_kibana_password: changeme +local_certs_path: /tmp/opendistro-nodecerts + +# Nodejs +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + +# Build from sources +build_from_sources: false +wazuh_plugin_branch: 3.12-7.6 + +#Nodejs NODE_OPTIONS +node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-kibana/handlers/main.yml b/roles/opendistro/opendistro-kibana/handlers/main.yml new file mode 100644 index 00000000..55ea3d3c --- /dev/null +++ b/roles/opendistro/opendistro-kibana/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart kibana + service: name=kibana state=restarted 
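Review bot: `elasticsearch_network_host` is built by iterating `groups['kibana']`, so the `elasticsearch.hosts` value rendered from it points Kibana at the Kibana hosts' own IPs rather than at the Elasticsearch nodes; presumably the Elasticsearch inventory group was intended — confirm against the inventory layout used by the `wazuh-opendistro-kibana.yml` playbook. The defaults also ship working credentials (`opendistro_kibana_password: changeme`, and `user: "foo"` / `password: "bar"` under `wazuh_api_credentials`) that the role's templates write into `kibana.yml` and `wazuh.yml`; a comment such as `# Placeholder only — override from inventory or vault before deploying` above each would make the expectation explicit. `kibana_newsfeed_enabled: "false"` and the two telemetry flags are strings, which is fine for rendering but worth a comment so nobody "fixes" them into booleans.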
diff --git a/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml b/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml new file mode 100644 index 00000000..959c70e9 --- /dev/null +++ b/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml @@ -0,0 +1,6 @@ +--- +- name: Remove Elasticsearch repository (and clean up left-over metadata) + yum_repository: + name: opendistro_repo + state: absent + changed_when: false diff --git a/roles/opendistro/opendistro-kibana/tasks/RedHat.yml b/roles/opendistro/opendistro-kibana/tasks/RedHat.yml new file mode 100644 index 00000000..d2dbc4ec --- /dev/null +++ b/roles/opendistro/opendistro-kibana/tasks/RedHat.yml @@ -0,0 +1,23 @@ +--- +- block: + + - name: RedHat/CentOS/Fedora | Add OpenDistro repo + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + + - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo + yum_repository: + file: opendistro + name: elasticsearch_oss_repo + description: Elasticsearch-oss yum repository + baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}" + gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}" + gpgcheck: true + + tags: + - install \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml b/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml new file mode 100644 index 00000000..b7ceb87f --- /dev/null +++ b/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml 
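Review bot: `RMRedHat.yml` removes only `name: opendistro_repo`, while `RedHat.yml` adds two entries, `opendistro_repo` and `elasticsearch_oss_repo`, both into `file: opendistro`, so the Elasticsearch OSS repository is left enabled after the role's cleanup step. Either add a second `yum_repository` task with `name: elasticsearch_oss_repo` and `state: absent`, or loop the removal over both names. The task name `Remove Elasticsearch repository (and clean up left-over metadata)` also no longer describes what the task removes. `gpgcheck: true` on both repositories is the right setting and should stay.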
@@ -0,0 +1,76 @@ +--- + - name: Ensure the Git package is present + package: + name: git + state: present + + - name: Modify repo url if host is in Debian family + set_fact: + node_js_repo_type: deb + when: + - ansible_os_family | lower == "debian" + + - name: Download script to install Nodejs repository + get_url: + url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" + dest: "/tmp/setup_nodejs_repo.sh" + mode: 0700 + + - name: Execute downloaded script to install Nodejs repo + command: /tmp/setup_nodejs_repo.sh + register: node_repo_installation_result + changed_when: false + + - name: Install Nodejs + package: + name: nodejs + state: present + + - name: Install yarn dependency to build the Wazuh Kibana Plugin + # Using shell due to errors when evaluating text between @ with command + shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305 + register: install_yarn_result + changed_when: install_yarn_result == 0 + + - name: Remove old wazuh-kibana-app git directory + file: + path: /tmp/app + state: absent + changed_when: false + + - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth + command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303 + register: clone_app_repo_result + changed_when: false + args: + chdir: "/tmp" + + - name: Executing yarn to build the package + command: "{{ item }}" + with_items: + - "yarn" + - "yarn build" + register: yarn_execution_result + changed_when: false + args: + chdir: "/tmp/app/" + + - name: Obtain name of generated package + shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'" + register: wazuhapp_package_name + changed_when: false + args: + chdir: "/tmp/app/build" + + - name: Install Wazuh Plugin (can take a while) + shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ 
wazuhapp_package_name.stdout }} + args: + executable: /bin/bash + creates: /usr/share/kibana/plugins/wazuh/package.json + chdir: /usr/share/kibana + become: yes + become_user: kibana + notify: restart kibana + tags: + - install + - skip_ansible_lint diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml new file mode 100644 index 00000000..c68200cc --- /dev/null +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml 
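Review bot: `changed_when: install_yarn_result == 0` compares the whole registered result dictionary with an integer, so it is always false and the `npm install -g yarn@1.10.1` task can never report a change; `changed_when: install_yarn_result.rc == 0` is presumably what was meant, or `changed_when: false` as on the neighbouring tasks. The nodesource setup script is fetched with `get_url` into `/tmp/setup_nodejs_repo.sh` and then executed with the play's privileges without any `checksum:`; pinning `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder) would stop a modified script from being run, and writing it under a per-run temporary directory rather than a fixed `/tmp` path avoids clobbering an existing file. `node_js_repo_type: deb` set by the Debian `set_fact` is never read — the URL uses `nodejs['repo_dict'][ansible_os_family|lower]` — so that task can be dropped. The `git clone` task's `changed_when: false` is fine since the preceding task removes `/tmp/app` every run.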
@@ -0,0 +1,62 @@ +--- + +- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible + fail: + msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" + when: + - build_from_sources + - ansible_distribution == "Debian" + - ansible_distribution_major_version == "10" + +- import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- name: Reload systemd + systemd: + daemon_reload: true + ignore_errors: true + when: + - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)") + - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) + - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) + +- name: Install Kibana + package: + name: opendistroforelasticsearch-kibana + state: present + register: install + tags: install + + +- name: Remove Kibana configuration file + file: + path: "{{ kibana_conf_path }}/kibana.yml" + state: absent + when: install.changed + tags: install + +- import_tasks: security_actions.yml + +- name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}" + dest: "{{ kibana_conf_path }}/kibana.yml" + create: true + group: root + mode: 0640 + marker: "## {mark} Kibana general settings ##" + notify: restart kibana + + tags: + - install + - configure + +- name: Ensure Kibana started and enabled + service: + name: kibana + enabled: true + state: started + +- import_tasks: RMRedHat.yml + when: ansible_os_family == 'RedHat' diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml new file mode 100644 index 00000000..96b787c9 --- /dev/null +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml 
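Review bot: The `Copy Configuration File` task creates `{{ kibana_conf_path }}/kibana.yml` with `group: root`, `mode: 0640` and no `owner:`, so on a fresh install — after the preceding task has deleted the file — it is recreated owned by the connecting user with group root, and a Kibana service running as the `kibana` user (the user `build_wazuh_plugin.yml` uses for `become_user`) cannot read its own configuration. Because the template writes `elasticsearch.password` into this file, `0640` is the right mode; pair it with `owner: kibana` and `group: kibana` (or `root:kibana`) so the service can read it while other accounts cannot. `ignore_errors: true` on the `systemd` daemon-reload masks real failures even on the distributions the `when:` list already filters; consider removing it or registering the result and failing on anything other than the known unsupported cases.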
@@ -0,0 +1,13 @@ +- block: + + - name: Copy the certificates from local to the Kibana instance + copy: + src: "{{ local_certs_path }}/config/{{ item }}" + dest: /usr/share/kibana + mode: 0644 + with_items: + - "{{ inventory_hostname }}_http.key" + - "{{ inventory_hostname }}_http.pem" + tags: + - production_ready + when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 new file mode 100644 index 00000000..c526fcda --- /dev/null +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 
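Review bot: The `copy` task installs `{{ inventory_hostname }}_http.key` — the private key for Kibana's HTTPS listener — into `/usr/share/kibana` with `mode: 0644`, so any local account on the host can read it. Use `mode: 0640` with `owner: kibana` and `group: kibana` for the loop (the `.pem` can stay world-readable in a separate task if anything else needs it), matching the `root:<service>` / `0440` pattern the elastic-stack roles in this series apply to their certificates. The file also lacks the leading `---` document marker and the trailing newline that the other new task files in this commit have.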
@@ -0,0 +1,36 @@ +# {{ ansible_managed }} +# Description: +# Default Kibana configuration for Open Distro. +server.port: {{ kibana_server_port }} + +#server.basePath: "" +server.maxPayloadBytes: {{ kibana_max_payload_bytes }} +server.name: {{ kibana_server_name }} +server.host: {{ kibana_server_host }} +{% if kibana_opendistro_security %} +elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +{% else %} +elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +{% endif %} + +elasticsearch.username: {{ opendistro_kibana_user }} +elasticsearch.password: {{ opendistro_kibana_password }} +elasticsearch.ssl.verificationMode: none + +elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opendistro_security.multitenancy.enabled: true +opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] +opendistro_security.readonly_mode.roles: ["kibana_read_only"] + +# OpenDistro Security +{% if kibana_opendistro_security %} +server.ssl.enabled: true +server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem" +server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key" +{% endif %} + +newsfeed.enabled: {{ kibana_newsfeed_enabled }} +telemetry.optIn: {{ kibana_telemetry_optin }} +telemetry.enabled: {{ kibana_telemetry_enabled }} + + diff --git a/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 b/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 new file mode 100644 index 00000000..1cbc9e2d --- /dev/null +++ b/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 
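Review bot: `elasticsearch.ssl.verificationMode: none` disables certificate validation on the Kibana→Elasticsearch connection even in the `kibana_opendistro_security` branch, although the role's own tooling generates a root CA (the `root-ca.pem` that the elasticsearch role's `security_actions.yml` passes to `securityadmin.sh`). Copy that CA to the Kibana host and set `elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]` with `elasticsearch.ssl.verificationMode: full`; with `none`, an impersonated Elasticsearch endpoint would be handed the `kibanaserver` credentials. `server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"` has a doubled slash that the `.pem` line above does not. `elasticsearch.password: {{ opendistro_kibana_password }}` is rendered as a plain scalar, so a password that looks like a number or boolean, or contains `: ` or ` #`, is retyped or breaks the file — wrap it in double quotes.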
@@ -0,0 +1,134 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2015-2019 Wazuh, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-kibana-app +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-3.x-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. +# It will be ignored if it is bellow 1500. 
+# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# ------------------------------ Advanced indices ------------------------------ +# +# Configure .wazuh indices shards and replicas. +#wazuh.shards : 1 +#wazuh.replicas : 0 +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-3.x-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-3.x-* indices custom creation interval. +# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-3.x-* +# +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. 
+# Default value: info +# Allowed values: info, debug +#logs.level: info +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. +# +#hosts: +# - : +# url: http(s):// +# port: +# user: +# password: + +hosts: +{% for api in wazuh_api_credentials %} + - {{ api['id'] }}: + url: {{ api['url'] }} + port: {{ api['port'] }} + user: {{ api['user'] }} + password: {{ api['password'] }} +{% endfor %} From f43b885dc81b8cc278094c5c5692a3ec6cafab31 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Fri, 22 May 2020 19:28:05 +0200 Subject: [PATCH 33/57] fix permission override and broken idempotence --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47438f98..1233fde4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -180,7 +180,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - elasticsearch_xpack_security - generate_CA diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c252..29732104 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -59,7 +59,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - filebeat_xpack_security tags: xpack-security From be973340addc998c8eba9720ca35827b3b73e4d3 Mon Sep 17 00:00:00 2001 
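Review bot: The `hosts:` block at the end of the template renders `url`, `user` and `password` from `wazuh_api_credentials` as plain scalars, so a password such as `NO`, `0123`, or one containing `: ` or ` #` is retyped or breaks the YAML; quote the three values, e.g. `password: "{{ api['password'] }}"`. Nothing in this commit's `tasks/main.yml` templates `wazuh.yml.j2` onto the host, so as committed the file is unused — presumably a follow-up task is still to come, and since the file holds API credentials it should be written with a restrictive `mode` and `owner: kibana` like the other secrets in this role. A short comment above the loop, such as `# Rendered from wazuh_api_credentials; one entry per Wazuh API`, would tie the template to its defaults.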
From: Pablo Escobar Date: Sat, 23 May 2020 00:18:10 +0200 Subject: [PATCH 34/57] allow elasticsearch to readh the ca file --- .../ansible-elasticsearch/tasks/xpack_security.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 1233fde4..47063c4e 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -149,6 +149,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -164,6 +166,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -178,6 +182,8 @@ - name: Ensuring folder permissions file: path: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0774 state: directory recurse: no From 18d69f8b67ed5d35f007d7aa33dcf2a25baee97b Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 00:48:38 +0200 Subject: [PATCH 35/57] fix for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 220230c8..122b6488 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,7 +56,7 @@ file: path: "{{ node_certs_destination }}/" state: directory - recurse: yes + recurse: no owner: kibana group: kibana when: 
@@ -67,7 +67,7 @@ file: path: "{{ node_certs_destination }}/" mode: 0770 - recurse: yes + recurse: no when: - kibana_xpack_security notify: restart kibana From 57c2a9bb760da8c12eddcd836eec1b993155af48 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 01:23:25 +0200 Subject: [PATCH 36/57] fix permissions for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 122b6488..b9dde1fe 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -28,6 +28,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" @@ -42,6 +44,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" From c11cdfcf05966ce94dc9bb7c9cd8a4e5b747b371 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 01:40:26 +0200 Subject: [PATCH 37/57] only execute kibana optimization during initial installation --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 220230c8..093aafa6 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -139,6 +139,7 @@ shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize args: executable: /bin/bash + creates: /usr/share/kibana/optimize/wazuh/ become: yes become_user: kibana changed_when: false From d9f7e79b7dc9d61b9002b8c05b52ad4215c98235 Mon Sep 17 00:00:00 2001 
From: Pablo Escobar Date: Sat, 23 May 2020 13:20:19 +0200 Subject: [PATCH 38/57] always use 0770 for the certs folder --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/tasks/main.yml | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47063c4e..0d9740d4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -184,7 +184,7 @@ path: "{{ node_certs_destination }}/" owner: root group: elasticsearch - mode: 0774 + mode: 0770 state: directory recurse: no when: diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index b9dde1fe..cb7f3c55 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,13 +56,14 @@ - not generate_CA tags: xpack-security -- name: Ensuring certificates folder owner +- name: Ensuring certificates folder owner and permissions file: path: "{{ node_certs_destination }}/" state: directory recurse: no owner: kibana group: kibana + mode: 0770 when: - kibana_xpack_security tags: xpack-security @@ -70,7 +71,6 @@ - name: Ensuring certificates folder owner file: path: "{{ node_certs_destination }}/" - mode: 0770 recurse: no when: - kibana_xpack_security diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 29732104..5a15926d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -30,6 +30,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -44,6 +46,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -57,7 +61,7 @@ - name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: 0774 + mode: 0770 state: directory recurse: no when: From 5d211c3b41bc50fcbef3f0d8d13dfe46d13acfc3 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:22:00 +0200 Subject: [PATCH 39/57] apply kibana certs permissions in a single task --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index cb7f3c55..e4f8b733 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -66,14 +66,6 @@ mode: 0770 when: - kibana_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - recurse: no - when: - - kibana_xpack_security notify: restart kibana tags: xpack-security From 3d94c5d159dfd9483e7e526d417df7d530dc145b Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:46:49 +0200 Subject: [PATCH 40/57] remove unneded option changed_when --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 093aafa6..321e2268 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -142,7 +142,6 @@ creates: /usr/share/kibana/optimize/wazuh/ become: yes become_user: kibana - changed_when: false tags: - skip_ansible_lint From 44ca014cc1db8a618214002c12985e8a2bc96e35 Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Tue, 26 May 2020 16:10:41 +0200 Subject: [PATCH 41/57] Trim spaces --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index c8941208..9df1e01c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -7,7 +7,7 @@ - name: Install OpenDistro package: - name: opendistroforelasticsearch-{{ opendistro_version }} + name: opendistroforelasticsearch-{{ opendistro_version }} state: present register: install tags: install @@ -18,7 +18,7 @@ state: absent when: install.changed tags: install - + - name: Copy Configuration File blockinfile: block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" From f21a7e9c1c231094be70b4b7fb354bb78b4fda4f Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal" Date: Tue, 26 May 2020 21:06:16 +0200 Subject: [PATCH 42/57] - Refactoring security local actions - Added Filebeat OSS repositories --- playbooks/wazuh-manager-oss.yml | 8 + roles/opendistro/hosts | 49 + .../tasks/local_actions.yml | 28 +- .../opendistro-kibana/tasks/main.yml | 3 +- roles/wazuh/filebeat-oss/defaults/main.yml | 57 + roles/wazuh/filebeat-oss/handlers/main.yml | 3 + roles/wazuh/filebeat-oss/meta/main.yml | 29 + roles/wazuh/filebeat-oss/tasks/Debian.yml | 22 + roles/wazuh/filebeat-oss/tasks/RMDebian.yml | 6 + roles/wazuh/filebeat-oss/tasks/RMRedHat.yml | 6 + roles/wazuh/filebeat-oss/tasks/RedHat.yml | 9 + roles/wazuh/filebeat-oss/tasks/config.yml | 39 + roles/wazuh/filebeat-oss/tasks/main.yml | 125 ++ .../filebeat-oss/tasks/security_actions.yml | 11 + .../templates/elasticsearch.yml.j2 | 1800 +++++++++++++++++ .../filebeat-oss/templates/filebeat.yml.j2 | 39 + .../wazuh/filebeat-oss/tests/requirements.yml | 3 + roles/wazuh/filebeat-oss/tests/test.yml | 20 + 18 files changed, 2246 insertions(+), 11 deletions(-) create mode 100644 playbooks/wazuh-manager-oss.yml create mode 100644 roles/opendistro/hosts create mode 100644 roles/wazuh/filebeat-oss/defaults/main.yml create mode 100644 roles/wazuh/filebeat-oss/handlers/main.yml create mode 100644 roles/wazuh/filebeat-oss/meta/main.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/Debian.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RMDebian.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RMRedHat.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/RedHat.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/config.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/main.yml create mode 100644 roles/wazuh/filebeat-oss/tasks/security_actions.yml create mode 100644 roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 create mode 100644 roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 create mode 100644 roles/wazuh/filebeat-oss/tests/requirements.yml create 
mode 100644 roles/wazuh/filebeat-oss/tests/test.yml diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml new file mode 100644 index 00000000..5cb9b4bd --- /dev/null +++ b/playbooks/wazuh-manager-oss.yml @@ -0,0 +1,8 @@ +--- +- hosts: + roles: + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/filebeat-oss + filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 + + diff --git a/roles/opendistro/hosts b/roles/opendistro/hosts new file mode 100644 index 00000000..bd3b73e7 --- /dev/null +++ b/roles/opendistro/hosts @@ -0,0 +1,49 @@ +# This is the default ansible 'hosts' file. +# +# It should live in /etc/ansible/hosts +# +# - Comments begin with the '#' character +# - Blank lines are ignored +# - Groups of hosts are delimited by [header] elements +# - You can enter hostnames or ip addresses +# - A hostname/ip can be a member of multiple groups + +# Ex 1: Ungrouped hosts, specify before any group headers. + +## green.example.com +## blue.example.com +## 192.168.100.1 +## 192.168.100.10 + +# Ex 2: A collection of hosts belonging to the 'webservers' group +#[elasticsearch_first + + +es1 ansible_host=172.16.0.161 ansible_user=vagrant ip=172.16.0.161 +es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162 +es3 ansible_host=172.16.0.163 ansible_user=vagrant ip=172.16.0.163 +manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250 + +[managers] +manager1 + +[es-cluster] +es1 +es2 +es3 +manager1 + +[kibana] +es1 + +[single-host] +172.16.1.15 ansible_ssh_user=vagrant +[elastic-cluster] +172.16.0.161 ansible_ssh_user=vagrant +172.16.0.162 ansible_ssh_user=vagrant +172.16.0.163 ansible_ssh_user=vagrant +[agents] +172.16.0.131 ansible_ssh_user=vagrant +172.16.0.132 ansible_ssh_user=vagrant +# If you have multiple hosts following a pattern you can specify +# them like this: 
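Review bot: `- hosts:` in playbooks/wazuh-manager-oss.yml has no value, so YAML loads it as null and Ansible rejects the play before any role runs; it needs a host pattern, e.g. `- hosts: managers` (a group the committed inventory defines). The role default for `filebeat_output_elasticsearch_hosts` in this same commit is a list (`- "localhost:9200"`) while the playbook passes the bare string `172.16.0.161:9200`; if filebeat.yml.j2 iterates the value, a string will not render as intended, so pass it as a one-element list. A fixed private address also does not belong in a shipped playbook; leave it to inventory or group_vars.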
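Review bot: roles/opendistro/hosts is an environment-specific inventory (fixed 172.16.x addresses, `ansible_user=vagrant`, a mix of `ansible_user` and the deprecated `ansible_ssh_user`) checked in under a role directory where Ansible never looks for it; it reads as a developer's local test inventory and belongs outside the roles tree, as a documented example at most. The commented group header `#[elasticsearch_first` is also unterminated and the file ends mid-comment (`# them like this:`).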
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
index 60379616..b6995e5c 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
@@ -6,14 +6,12 @@
 module: file
 path: "{{ local_certs_path }}"
 state: directory
- run_once: true
-
+
 - name: Local action | Download certificates generation tool
 local_action:
 module: get_url
 url: "{{ certs_gen_tool_url }}"
 dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
- run_once: true
 
 - name: Local action | Extract the certificates generation tool
 local_action:
@@ -26,26 +24,36 @@ module: file dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x - run_once: true - name: Local action | Prepare the certificates generation template file local_action: module: template src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" - run_once: true + + + - name: Create a directory if it does not exist + file: + path: "{{ local_certs_path }}/certs/" + state: directory + mode: '0755' + delegate_to: localhost - name: Local action | Check if root CA file exists local_action: - module: stat - path: "{{ local_certs_path }}/config/root-ca.key" + module: stat + path: "{{ local_certs_path }}/certs/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o - run_once: true - when: root_ca_file.stat.exists == False + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o + when: not root_ca_file.stat.exists + - name: Local action | Generate the node & admin certificates using an existing root CA + local_action: + module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f + when: root_ca_file.stat.exists + run_once: true tags: - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index c68200cc..2d29e0cb 100644 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml 
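Review bot: `mode: '0755'` on `{{ local_certs_path }}/certs/` leaves the controller directory that will hold `root-ca.key` and every node key listable and traversable by any local user; `mode: '0700'` is the appropriate value for a key store, and since the files sgtlstool writes into it get whatever permissions the tool chooses (not visible here), a follow-up `file` task tightening them is worth considering. Dropping `run_once: true` from the directory, download and template tasks (this hunk and the preceding one) makes every host in the play repeat those local steps, and the generation task is now also run per host: under the default linear strategy each host evaluates `root_ca_file.stat.exists` before any generation has happened, so with several hosts the `-ca -f -o` invocation presumably regenerates the root CA once per host and only the last result survives; keeping `run_once: true` on that task, as the new "existing root CA" task does, avoids it. The file also still ends without a trailing newline.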
@@ -43,7 +43,8 @@
 block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
 dest: "{{ kibana_conf_path }}/kibana.yml"
 create: true
- group: root
+ group: kibana
+ owner: kibana
 mode: 0640
 marker: "## {mark} Kibana general settings ##"
 notify: restart kibana
diff --git a/roles/wazuh/filebeat-oss/defaults/main.yml b/roles/wazuh/filebeat-oss/defaults/main.yml
new file mode 100644
index 00000000..4ed76156
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/defaults/main.yml
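Review bot: `owner: kibana` on kibana.yml gives the Kibana service account write access to its own configuration file, which is more than it needs in order to read it; `owner: root` with `group: kibana` and the existing `mode: 0640` keeps the service read-only on its config and matches the root:elasticsearch pattern used for the Elasticsearch certificates in 34/57. If Kibana itself rewrites kibana.yml in this setup (not visible here), that would be the reason to keep the owner, and a comment saying so would help the next reader.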
@@ -0,0 +1,57 @@
+---
+filebeat_version: 7.6.2
+
+filebeat_create_config: true
+
+filebeat_prospectors:
+ - input_type: log
+ paths:
+ - "/var/ossec/logs/alerts/alerts.json"
+ document_type: json
+ json.message_key: log
+ json.keys_under_root: true
+ json.overwrite_keys: true
+
+filebeat_node_name: node-1
+
+filebeat_output_elasticsearch_enabled: false
+filebeat_output_elasticsearch_hosts:
+ - "localhost:9200"
+
+filebeat_enable_logging: true
+filebeat_log_level: debug
+filebeat_log_dir: /var/log/mybeat
+filebeat_log_filename: mybeat.log
+
+filebeat_ssl_dir: /etc/pki/filebeat
+filebeat_ssl_certificate_file: ""
+filebeat_ssl_key_file: ""
+filebeat_ssl_insecure: "false"
+
+filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
+filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
+filebeat_module_package_path: /tmp/
+filebeat_module_destination: /usr/share/filebeat/module
+filebeat_module_folder: /usr/share/filebeat/module/wazuh
+
+# Opendistro Security
+filebeat_opendistro_security: false
+
+elasticsearch_opendistro_security_user: elastic
+elasticsearch_opendistro_security_password: elastic_pass
+
+node_certs_generator : false
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/filebeat/certs
+
+
+# CA Generation
+master_certs_path: /es_certs
+generate_CA: true
+ca_cert_name: ""
+
+elasticrepo:
+ apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
+ yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
+ gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+ key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
diff --git a/roles/wazuh/filebeat-oss/handlers/main.yml b/roles/wazuh/filebeat-oss/handlers/main.yml
new file mode 100644
index 00000000..96e15a22
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart filebeat
+ service: name=filebeat state=restarted
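Review bot: `elasticsearch_opendistro_security_password: elastic_pass` ships a working default credential in role defaults, so a deployment that forgets to override it authenticates with a password that is public in this repository; leave it undefined (or `null`) so the play fails loudly, and document that it must be supplied from a vault. `filebeat_ssl_insecure: "false"` is a quoted string, which is truthy if filebeat.yml.j2 tests it in an `{% if %}` — make it a real boolean (`filebeat_ssl_insecure: false`) unless the template only prints it verbatim, which is not visible here. `node_certs_generator : false` has a space before the colon (yamllint `colons`), and `filebeat_log_level: debug` is a noisy default for production.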
diff --git a/roles/wazuh/filebeat-oss/meta/main.yml b/roles/wazuh/filebeat-oss/meta/main.yml
new file mode 100644
index 00000000..240b2d08
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/meta/main.yml
@@ -0,0 +1,29 @@
+---
+dependencies: []
+
+galaxy_info:
+ author: Wazuh
+ description: Installing and maintaining filebeat server.
+ company: wazuh.com
+ license: license (GPLv3)
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - 6
+ - 7
+ - name: Fedora
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - jessie
+ - name: Ubuntu
+ versions:
+ - precise
+ - trusty
+ - xenial
+ galaxy_tags:
+ - web
+ - system
+ - monitoring
diff --git a/roles/wazuh/filebeat-oss/tasks/Debian.yml b/roles/wazuh/filebeat-oss/tasks/Debian.yml
new file mode 100644
index 00000000..a87bb2bf
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/Debian.yml
@@ -0,0 +1,22 @@
+---
+- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
+ apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ state: present
+ register: filebeat_ca_packages_install
+ until: filebeat_ca_packages_install is succeeded
+
+- name: Debian/Ubuntu | Add Elasticsearch apt key.
+ apt_key:
+ url: "{{ elasticrepo.gpg }}"
+ id: "{{ elasticrepo.key_id }}"
+ state: present
+
+- name: Debian/Ubuntu | Add Filebeat repository.
+ apt_repository:
+ repo: "deb {{ elasticrepo.apt }} stable main"
+ state: present
+ update_cache: true
+ changed_when: false
diff --git a/roles/wazuh/filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/filebeat-oss/tasks/RMDebian.yml
new file mode 100644
index 00000000..25a33909
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/RMDebian.yml
@@ -0,0 +1,6 @@
+---
+- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
+ apt_repository:
+ repo: "deb {{ elasticrepo.apt }} stable main"
+ state: absent
+ changed_when: false
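Review bot: `changed_when: false` on the `apt_repository` task in Debian.yml (and on the repository tasks in RMDebian.yml, RMRedHat.yml and RedHat.yml) hides a real state change, so `--check`/`--diff` runs and any handler can never see that a repository was added or removed; drop it and let the module report its own status. The `until: filebeat_ca_packages_install is succeeded` loop sets no `retries`/`delay`, so it silently uses Ansible's defaults (3 retries, 5 s) — state them explicitly if retrying is intended. Pinning `apt_key` to `elasticrepo.key_id` is good; on the yum side `gpgkey` is fetched by URL with no fingerprint check, which is a weaker guarantee and worth a comment.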
diff --git a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml
new file mode 100644
index 00000000..1cf84081
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
+ yum_repository:
+ name: elastic_repo_7
+ state: absent
+ changed_when: false
diff --git a/roles/wazuh/filebeat-oss/tasks/RedHat.yml b/roles/wazuh/filebeat-oss/tasks/RedHat.yml
new file mode 100644
index 00000000..23948b37
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/RedHat.yml
@@ -0,0 +1,9 @@
+---
+- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
+ yum_repository:
+ name: elastic_repo_7
+ description: Elastic repository for 7.x packages
+ baseurl: "{{ elasticrepo.yum }}"
+ gpgkey: "{{ elasticrepo.gpg }}"
+ gpgcheck: true
+ changed_when: false
diff --git a/roles/wazuh/filebeat-oss/tasks/config.yml b/roles/wazuh/filebeat-oss/tasks/config.yml
new file mode 100644
index 00000000..d45b06e8
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/config.yml
@@ -0,0 +1,39 @@
+---
+- name: Copy Filebeat configuration.
+ template:
+ src: filebeat.yml.j2
+ dest: "/etc/filebeat/filebeat.yml"
+ owner: root
+ group: root
+ mode: 0400
+ notify: restart filebeat
+ tags: configure
+
+- name: Copy Elasticsearch template.
+ template:
+ src: elasticsearch.yml.j2
+ dest: "/etc/filebeat/wazuh-template.json"
+ owner: root
+ group: root
+ mode: 0400
+ notify: restart filebeat
+ tags: configure
+
+- name: Ensure Filebeat SSL key pair directory exists.
+ file:
+ path: "{{ filebeat_ssl_dir }}"
+ state: directory
+ when: filebeat_ssl_key_file
+ tags: configure
+
+- name: Copy SSL key and cert for filebeat.
+ copy:
+ src: "{{ item }}"
+ dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
+ mode: 0400
+ with_items:
+ - "{{ filebeat_ssl_key_file }}"
+ - "{{ filebeat_ssl_certificate_file }}"
+ notify: restart filebeat
+ when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
+ tags: configure
diff --git a/roles/wazuh/filebeat-oss/tasks/main.yml b/roles/wazuh/filebeat-oss/tasks/main.yml
new file mode 100644
index 00000000..df3a428b
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/main.yml
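Review bot: "Ensure Filebeat SSL key pair directory exists." creates `{{ filebeat_ssl_dir }}` with no `mode` or `owner`, so the directory gets the remote umask while the key copied into it by the next task is 0400; add `mode: '0700'` and `owner: root` to the `file` task so the key store is not listable by other local users. The template named `elasticsearch.yml.j2` renders to `wazuh-template.json`; if the file contains no Jinja expressions (the hunk does not show its contents), `copy` with a `.json` source would be clearer than `template`, and a rename would stop readers expecting an Elasticsearch configuration file.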
@@ -0,0 +1,125 @@ +--- +- include_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: CentOS/RedHat | Install Filebeat. + package: name=filebeat-{{ filebeat_version }} state=present + register: filebeat_installing_package + until: filebeat_installing_package is succeeded + when: + - ansible_distribution in ['CentOS','RedHat', 'Amazon'] + tags: + - install + +- name: Debian/Ubuntu | Install Filebeat. + apt: + name: filebeat={{ filebeat_version }} + state: present + cache_valid_time: 3600 + register: filebeat_installing_package_debian + until: filebeat_installing_package_debian is succeeded + when: + - not (ansible_distribution in ['CentOS','RedHat', 'Amazon']) + tags: + - init + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + - filebeat_opendistro_security + tags: opendistro-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: 0440 + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + - filebeat_opendistro_security + tags: opendistro-security + +- name: Ensuring folder & certs permissions + file: + path: "{{ node_certs_destination }}/" + mode: 0774 + state: directory + recurse: yes + when: + - filebeat_xpack_security + tags: xpack-security + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: 
filebeat_module_folder + + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpakcing Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + when: filebeat_module_package.stat.exists + +- import_tasks: config.yml + when: filebeat_create_config + notify: restart filebeat + +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: true + when: + - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") + - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) + - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) + - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) + +- name: Ensure Filebeat is started and enabled at boot. + service: + name: filebeat + state: started + enabled: true + +- include_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" 
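Review bot: "Ensuring folder & certs permissions" is gated on `filebeat_xpack_security`, a variable this role never defines (defaults/main.yml in this commit defines `filebeat_opendistro_security`), so the `when:` fails with an undefined-variable error as soon as it is evaluated, and its `mode: 0774` with `recurse: yes` would make the key files in `node_certs_destination` world-readable — the problem 38/57 fixed in the xpack roles; use `when: - filebeat_opendistro_security`, `mode: 0770` and `recurse: no`. "Setting 0755 permission for Filebeat module folder" actually applies `u=rwX,g=rwX,o=rwX`, i.e. 0777, leaving the Wazuh module definitions writable by every local user; `mode=u=rwX,g=rX,o=rX` is what the task name promises. The module tarball is downloaded with `get_url` and unpacked with no `checksum:`, so a tampered or truncated download is installed unverified; `checksum: "sha256:<expected-digest>"` (placeholder) closes that. The `when: filebeat_module_package is not defined` guard on the second stat task is always true on its first evaluation and can be dropped.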
diff --git a/roles/wazuh/filebeat-oss/tasks/security_actions.yml b/roles/wazuh/filebeat-oss/tasks/security_actions.yml
new file mode 100644
index 00000000..6b11bc9a
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tasks/security_actions.yml
@@ -0,0 +1,11 @@
+- block:
+
+ - name: Copy certificates and root-ca to Filebeat
+ copy:
+ src: "{{ local_certs_path }}/config/{{ item }}"
+ dest: /etc/filebeat/
+ mode: 0644
+ with_items:
+ - root-ca.pem
+ - "{{ inventory_hostname }}.key"
+ - "{{ inventory_hostname }}.pem"
\ No newline at end of file
diff --git a/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 b/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2
new file mode 100644
index 00000000..88d50c3f
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2
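Review bot: this task copies `{{ inventory_hostname }}.key` into `/etc/filebeat/` with `mode: 0644`, which makes the node's TLS private key world-readable on the Filebeat host; the role already installs filebeat.yml as root:root 0400 (config.yml in this commit), so Filebeat is evidently expected to run as root and `mode: 0400` with `owner: root` is sufficient, consistent with the 0440 used for the other certificate copies in this series. The source path `{{ local_certs_path }}/config/{{ item }}` also no longer matches where local_actions.yml now writes certificates (`{{ local_certs_path }}/certs/` in this same commit), so the copy would fail with a missing-source error. The `- block:` wrapper contains one task and nothing (`when`, `rescue`, `tags`) that needs it, the file has no `---` header or trailing newline, and nothing visible in this commit includes security_actions.yml, so it appears to be dead until wired into main.yml.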
@@ -0,0 +1,1800 @@ +{ + "order": 0, + "index_patterns": [ + "wazuh-alerts-3.x-*", + "wazuh-archives-3.x-*" + ], + "settings": { + "index.refresh_interval": "5s", + "index.number_of_shards": "3", + "index.number_of_replicas": "0", + "index.auto_expand_replicas": "0-1", + "index.mapping.total_fields.limit": 10000, + "index.query.default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + 
"data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + 
"data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + 
"data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + 
"data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.advisories", + "data.vulnerability.bugzilla_reference", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + 
"data.vulnerability.cvss.cvss3.vector.user_interaction", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.reference", + "data.vulnerability.severity", + "data.vulnerability.state", + "data.vulnerability.title", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + 
"data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "@version": { + "type": "text" + }, + "agent": { + "properties": { + "ip": { + "type": "keyword" + }, + "id": { + 
"type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "previous_log": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "host": { + "type": "keyword" + }, + "syscheck": { + "properties": { + "path": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": 
"keyword" + }, + "size_before": { + "type": "long" + }, + "size_after": { + "type": "long" + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "rule": { + "properties": { + "description": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "frequency": { + "type": "long" + }, + "firedtimes": { + "type": "long" + }, + "cis": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "mail": { + "type": "boolean" + } + } + }, + "predecoder": { + "properties": { + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + }, + "hostname": { + "type": "keyword" + } + } + }, + "decoder": { + "properties": { + "parent": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ftscomment": { + "type": 
"keyword" + }, + "fts": { + "type": "long" + }, + "accumulate": { + "type": "long" + } + } + }, + "data": { + "properties": { + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } 
+ } + }, + "protocol": { + "type": "keyword" + }, + "action": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "dstip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "type": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "name": { + "type": "keyword" + }, + "mac": { + "type": "keyword" + }, + "adapter": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "tx_bytes": { + "type": "long" + }, + "rx_bytes": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "tx_packets": { + "type": "long" + 
}, + "rx_packets": { + "type": "long" + }, + "ipv4": { + "properties": { + "gateway": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "address": { + "type": "keyword" + }, + "netmask": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "metric": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "gateway": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "address": { + "type": "keyword" + }, + "netmask": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "metric": { + "type": "long" + } + } + } + } + } + } + }, + "os": { + "properties": { + "hostname": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "protocol": { + "type": "keyword" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "tx_queue": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "inode": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "serial": { + "type": "keyword" + }, + "cpu_name": { + "type": "keyword" + }, + "cpu_cores": { + "type": "long" + }, + "cpu_mhz": { + "type": "double" + }, + "ram_total": { + "type": "long" + }, + "ram_free": { + "type": "long" + }, + "ram_usage": { + "type": "long" + } + } + }, + "program": { + "properties": { + "format": { + "type": "keyword" + }, + "name": { + "type": 
"keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "version": { + "type": "keyword" + }, + "architecture": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "location": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "ppid": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "stime": { + "type": "long" + }, + "cmd": { + "type": "keyword" + }, + "args": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "suser": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "sgroup": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "rgroup": { + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "nice": { + "type": "long" + }, + "size": { + "type": "long" + }, + "vm_size": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "share": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "session": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "processor": { + "type": "long" + } + } + }, + "sca": { + "properties": { + "type": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "policy": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "failed": { + "type": "integer" + }, + "score": { + "type": "long" + }, + "check": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + 
"type": "keyword" + }, + "description": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + } + } + }, + "references": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "status": { + "type": "keyword" + } + } + }, + "invalid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "total_checks": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "advisories": { + "type": "keyword" + }, + "bugzilla_reference": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": 
{ + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "updated": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "bytes": { + "type": "long" + }, + "dstaddr": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "start": { + "type": "date" + }, + 
"source_ip_address": { + "type": "ip" + }, + "service": { + "properties": { + "count": { + "type": "long" + }, + "action.networkConnectionAction.remoteIpDetails": { + "properties": { + "ipAddressV4": { + "type": "ip" + }, + "geoLocation": { + "type": "geo_point" + } + } + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "createdAt": { + "type": "date" + }, + "updatedAt": { + "type": "date" + }, + "resource.instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + } + } + }, + "program_name": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "type": { + "type": "text" + }, + "title": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "previous_output": { + "type": "keyword" + } + } + }, + "version": 1 +} diff --git a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 new file mode 100644 index 00000000..747d2da6 --- /dev/null +++ b/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 
@@ -0,0 +1,39 @@
+# Wazuh - Filebeat configuration file
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+ hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
+
+{% if filebeat_opendistro_security %}
+ username: {{ elasticsearch_opendistro_security_user }}
+ password: {{ elasticsearch_opendistro_security_password }}
+ protocol: https
+{% if generate_CA == true %}
+ ssl.certificate_authorities:
+ - {{node_certs_destination}}/ca.crt
+{% elif generate_CA == false %}
+ ssl.certificate_authorities:
+ - {{node_certs_destination}}/{{ca_cert_name}}
+{% endif %}
+
+ ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
+ ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
+{% endif %}
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
\ No newline at end of file
diff --git a/roles/wazuh/filebeat-oss/tests/requirements.yml b/roles/wazuh/filebeat-oss/tests/requirements.yml
new file mode 100644
index 00000000..63d857e2
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tests/requirements.yml
@@ -0,0 +1,3 @@
+---
+- src: geerlingguy.java
+- src: geerlingguy.elasticsearch
diff --git a/roles/wazuh/filebeat-oss/tests/test.yml b/roles/wazuh/filebeat-oss/tests/test.yml
new file mode 100644
index 00000000..3a4c8f21
--- /dev/null
+++ b/roles/wazuh/filebeat-oss/tests/test.yml
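Review bot: `username:` and `password:` inside the `{% if filebeat_opendistro_security %}` block are rendered as bare scalars, so the resulting filebeat.yml is only valid if the credential happens to be YAML-safe: a value containing `: ` or ` #`, or starting with a quote or another indicator, breaks or silently retypes the document, and an empty variable renders as `null`. Emit both through the same filter the `hosts:` line already uses, `username: {{ elasticsearch_opendistro_security_user | to_json }}` and `password: {{ elasticsearch_opendistro_security_password | to_json }}`, which yields a correctly escaped string for any content. Since the rendered file carries a plaintext credential, the template task that writes it (not part of this hunk) should keep a mode that makes it unreadable to other local users. The `# Wazuh - Filebeat configuration file` header is also present twice at the top of the file; one copy is enough.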
@@ -0,0 +1,20 @@
+---
+- hosts: all
+
+ pre_tasks:
+ - name: Update apt cache.
+ apt:
+ cache_valid_time: 600
+ when: ansible_os_family == 'Debian'
+
+ - name: Install test dependencies (RedHat).
+ package: name=which state=present
+ when: ansible_os_family == 'RedHat'
+
+ - name: Install test dependencies.
+ package: name=curl state=present
+
+ roles:
+ - geerlingguy.java
+ - geerlingguy.elasticsearch
+ - role_under_test
From 668eaacf96359c6d7760b68d1b711cb475568a62 Mon Sep 17 00:00:00 2001
From: Zenidd
Date: Fri, 29 May 2020 12:25:18 +0200
Subject: [PATCH 43/57] Replacing root owner with ossec for local decoders/rules
---
 roles/wazuh/ansible-wazuh-manager/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
index eaabdb77..71914578 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml
@@ -106,7 +106,7 @@
 - name: Installing the local_rules.xml (default local_rules.xml)
 template: src=var-ossec-rules-local_rules.xml.j2
 dest=/var/ossec/etc/rules/local_rules.xml
- owner=root
+ owner=ossec
 group=ossec
 mode=0640
 notify: restart wazuh-manager
@@ -118,7 +118,7 @@
 - name: Adding local rules files
 copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
 dest=/var/ossec/etc/rules/
- owner=root
+ owner=ossec
 group=ossec
 mode=0640
 notify: restart wazuh-manager
@@ -130,7 +130,7 @@
 - name: Installing the local_decoder.xml
 template: src=var-ossec-rules-local_decoder.xml.j2
 dest=/var/ossec/etc/decoders/local_decoder.xml
- owner=root
+ owner=ossec
 group=ossec
 mode=0640
 notify: restart wazuh-manager
@@ -142,7 +142,7 @@
 - name: Adding local decoders files
 copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
 dest=/var/ossec/etc/decoders/
- owner=root
+ owner=ossec
 group=ossec
 mode=0640
 notify: restart wazuh-manager
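Review bot: The two `package:` tasks in the test playbook use the `key=value` shorthand (`package: name=which state=present`, `package: name=curl state=present`) while the `apt:` task above them uses block YAML; the role's own style elsewhere on this page is block YAML as well. Writing them as `package:` / `  name: which` / `  state: present` keeps the file consistent and lets a linter check the module arguments.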
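Review bot: Changing `owner=root` to `owner=ossec` on local_rules.xml in the first hunk (and identically in the three hunks that follow for the rules directory, local_decoder.xml and the decoders directory) gives the unprivileged `ossec` account write access to the detection logic, because `mode=0640` grants the owner write permission; before this change only root could alter these files. If that is required because a manager component running as `ossec` (presumably the API) has to edit local rules, say so on the tasks, e.g. `# owned by ossec so the manager's own processes can manage local rules and decoders`, so the widened write surface is visible to whoever audits the role; otherwise `root:ossec 0640` was the tighter choice. Either way these four paths are good candidates for the manager's own file integrity monitoring, since a change to them alters what gets detected. Each task continues past its hunk, so any `when:` or `tags:` it carries is not visible here.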
From 79d58c39172ec0eb89c6f193155d4e7e04dfff47 Mon Sep 17 00:00:00 2001 
From: "Manuel J. Bernal"
Date: Thu, 4 Jun 2020 21:17:33 +0200
Subject: [PATCH 44/57] Added support for Filebeat-oss and several improvements
---
 playbooks/wazuh-manager-oss.yml | 13 +-
 playbooks/wazuh-opendistro.yml | 2 +-
 .../ansible-elasticsearch/README.md | 2 +-
 .../ansible-elasticsearch/defaults/main.yml | 2 +-
 roles/elastic-stack/ansible-kibana/README.md | 2 +-
 .../ansible-kibana/defaults/main.yml | 2 +-
 roles/opendistro/hosts | 49 -------
 .../defaults/main.yml | 4 +-
 .../tasks/local_actions.yml | 43 +++---
 .../tasks/security_actions.yml | 7 +-
 .../templates/tlsconfig.yml.j2 | 11 +-
 .../opendistro-kibana/defaults/main.yml | 10 +-
 .../opendistro-kibana/tasks/main.yml | 76 ++++++++++-
 .../tasks/security_actions.yml | 4 +-
 .../templates/opendistro_kibana.yml.j2 | 4 +-
 roles/wazuh/ansible-filebeat-oss/README.md | 39 ++++++
 .../ansible-filebeat-oss/defaults/main.yml | 30 +++++
 .../handlers/main.yml | 0
 .../meta/main.yml | 2 +-
 .../tasks/Debian.yml | 2 +-
 .../tasks/RMDebian.yml | 0
 .../tasks/RMRedHat.yml | 2 +-
 .../tasks/RedHat.yml | 2 +-
 .../ansible-filebeat-oss/tasks/config.yml | 22 +++
 .../wazuh/ansible-filebeat-oss/tasks/main.yml | 70 ++++++++++
 .../tasks/security_actions.yml | 29 ++++
 .../templates/elasticsearch.yml.j2 | 0
 .../templates/filebeat.yml.j2 | 19 +--
 roles/wazuh/ansible-filebeat/README.md | 2 +-
 .../wazuh/ansible-filebeat/defaults/main.yml | 4 +-
 roles/wazuh/ansible-filebeat/tasks/config.yml | 21 +--
 roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +-
 .../ansible-filebeat/tests/requirements.yml | 3 -
 roles/wazuh/ansible-filebeat/tests/test.yml | 20 ---
 roles/wazuh/ansible-wazuh-manager/README.md | 2 +-
 roles/wazuh/filebeat-oss/defaults/main.yml | 57 --------
 roles/wazuh/filebeat-oss/tasks/config.yml | 39 ------
 roles/wazuh/filebeat-oss/tasks/main.yml | 125 ------------------
 .../filebeat-oss/tasks/security_actions.yml | 11 --
 .../wazuh/filebeat-oss/tests/requirements.yml | 3 -
 roles/wazuh/filebeat-oss/tests/test.yml | 20 ---
 41 files changed, 340 insertions(+), 417 deletions(-)
 delete mode 100644 roles/opendistro/hosts
 create mode 100644 roles/wazuh/ansible-filebeat-oss/README.md
 create mode 100644 roles/wazuh/ansible-filebeat-oss/defaults/main.yml
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/handlers/main.yml (100%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/meta/main.yml (88%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/Debian.yml (91%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RMDebian.yml (100%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RMRedHat.yml (84%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/tasks/RedHat.yml (89%)
 create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/config.yml
 create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/main.yml
 create mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/templates/elasticsearch.yml.j2 (100%)
 rename roles/wazuh/{filebeat-oss => ansible-filebeat-oss}/templates/filebeat.yml.j2 (52%)
 delete mode 100644 roles/wazuh/ansible-filebeat/tests/requirements.yml
 delete mode 100644 roles/wazuh/ansible-filebeat/tests/test.yml
 delete mode 100644 roles/wazuh/filebeat-oss/defaults/main.yml
 delete mode 100644 roles/wazuh/filebeat-oss/tasks/config.yml
 delete mode 100644 roles/wazuh/filebeat-oss/tasks/main.yml
 delete mode 100644 roles/wazuh/filebeat-oss/tasks/security_actions.yml
 delete mode 100644 roles/wazuh/filebeat-oss/tests/requirements.yml
 delete mode 100644 roles/wazuh/filebeat-oss/tests/test.yml
diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml
index 5cb9b4bd..3dc6346d 100644
--- a/playbooks/wazuh-manager-oss.yml
+++ b/playbooks/wazuh-manager-oss.yml
@@ -1,8 +1,9 @@ --- -- hosts: +- hosts: managers roles: - - role: ../roles/wazuh/ansible-wazuh-manager - - role: ../roles/wazuh/filebeat-oss - filebeat_output_elasticsearch_hosts: 172.16.0.161:9200 - - +# - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + filebeat_output_elasticsearch_hosts: + - "172.16.0.161:9200" + - "172.16.0.162:9200" + - "172.16.0.163:9200" \ No newline at end of file diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index ede8ca93..271dfa5b 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -1,4 +1,4 @@ --- -- hosts: es-cluster +- hosts: es_cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch diff --git a/roles/elastic-stack/ansible-elasticsearch/README.md b/roles/elastic-stack/ansible-elasticsearch/README.md index c574aa9f..f37d3cec 100644 --- a/roles/elastic-stack/ansible-elasticsearch/README.md +++ b/roles/elastic-stack/ansible-elasticsearch/README.md @@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 6f2528c3..019179fc 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.6.2 +elastic_stack_version: 7.7.0 elasticsearch_lower_disk_requirements: false elasticrepo: 
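Review bot: The `ansible-wazuh-manager` role is left commented out in `playbooks/wazuh-manager-oss.yml` (`# - role: ../roles/wazuh/ansible-wazuh-manager`), so the play targeting `managers` now installs only Filebeat-oss; if that is a debugging leftover it should be restored, and if it is intentional the playbook name and a comment should say so. The three Elasticsearch endpoints are lab addresses hard-coded into a shipped example and belong in inventory or group_vars. Because the new role's defaults set `filebeat_security: true`, these hosts are contacted over HTTPS with a client certificate named after `inventory_hostname`, which deserves a one-line comment next to the list, e.g. `# reached over https using <inventory_hostname>.pem from local_certs_path when filebeat_security is true`.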
diff --git a/roles/elastic-stack/ansible-kibana/README.md b/roles/elastic-stack/ansible-kibana/README.md index 593cf319..28978761 100644 --- a/roles/elastic-stack/ansible-kibana/README.md +++ b/roles/elastic-stack/ansible-kibana/README.md @@ -37,7 +37,7 @@ Example Playbook License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index d1ddb8e1..b4bf0c88 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,7 +5,7 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.6.2 +elastic_stack_version: 7.7.0 wazuh_version: 3.12.3 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp diff --git a/roles/opendistro/hosts b/roles/opendistro/hosts deleted file mode 100644 index bd3b73e7..00000000 --- a/roles/opendistro/hosts +++ /dev/null 
@@ -1,49 +0,0 @@ -# This is the default ansible 'hosts' file. -# -# It should live in /etc/ansible/hosts -# -# - Comments begin with the '#' character -# - Blank lines are ignored -# - Groups of hosts are delimited by [header] elements -# - You can enter hostnames or ip addresses -# - A hostname/ip can be a member of multiple groups - -# Ex 1: Ungrouped hosts, specify before any group headers. - -## green.example.com -## blue.example.com -## 192.168.100.1 -## 192.168.100.10 - -# Ex 2: A collection of hosts belonging to the 'webservers' group -#[elasticsearch_first - - -es1 ansible_host=172.16.0.161 ansible_user=vagrant ip=172.16.0.161 -es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162 -es3 ansible_host=172.16.0.163 ansible_user=vagrant ip=172.16.0.163 -manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250 - -[managers] -manager1 - -[es-cluster] -es1 -es2 -es3 -manager1 - -[kibana] -es1 - -[single-host] -172.16.1.15 ansible_ssh_user=vagrant -[elastic-cluster] -172.16.0.161 ansible_ssh_user=vagrant -172.16.0.162 ansible_ssh_user=vagrant -172.16.0.163 ansible_ssh_user=vagrant -[agents] -172.16.0.131 ansible_ssh_user=vagrant -172.16.0.132 ansible_ssh_user=vagrant -# If you have multiple hosts following a pattern you can specify -# them like this: diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 23140123..aa683033 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,6 +1,6 @@ --- # The OpenDistro version -opendistro_version: 1.6.0 +opendistro_version: 1.8.0 elasticsearch_cluster_name: wazuh-cluster # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster 
@@ -28,7 +28,7 @@ opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_sec opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools opendistro_conf_path: /etc/elasticsearch/ es_nodes: |- - {% for item in groups['es-cluster'] -%} + {% for item in groups['es_cluster'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index b6995e5c..edaf9ef8 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml 
@@ -2,36 +2,36 @@ - block: - name: Local action | Create local temporary directory for certificates generation - local_action: - module: file + file: path: "{{ local_certs_path }}" state: directory + - name: Local action | Check that the generation tool exists + stat: + path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + register: tool_package + - name: Local action | Download certificates generation tool - local_action: - module: get_url + get_url: url: "{{ certs_gen_tool_url }}" dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + when: not tool_package.stat.exists - name: Local action | Extract the certificates generation tool - local_action: - module: unarchive + unarchive: src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip" dest: "{{ local_certs_path }}/" - name: Local action | Add the execution bit to the binary - local_action: - module: file + file: dest: "{{ local_certs_path }}/tools/sgtlstool.sh" mode: a+x - name: Local action | Prepare the certificates generation template file - local_action: - module: template + template: src: "templates/tlsconfig.yml.j2" dest: "{{ local_certs_path }}/config/tlsconfig.yml" - - name: Create a directory if it does not exist file: path: "{{ local_certs_path }}/certs/" 
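Review bot: The `get_url` for the certificate tool (`search-guard-tlstool-{{ certs_gen_tool_version }}.zip`) has no `checksum:`, yet that archive is what mints the cluster root CA and every node/admin key, so a tampered or truncated download silently becomes the trust anchor of the whole cluster; add `checksum: "sha256:{{ certs_gen_tool_checksum }}"` (a new default) so the file is verified on fetch and re-fetched when it does not match. The new `when: not tool_package.stat.exists` guard makes this worse, since a partially written zip from an earlier failed run is now reused instead of re-downloaded. The `unarchive` step still hard-codes `search-guard-tlstool-1.7.zip` while the download writes `search-guard-tlstool-{{ certs_gen_tool_version }}.zip`; use `src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"` so a version bump does not fail at extraction. The enclosing `block` continues into the next hunk.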
@@ -40,20 +40,29 @@ delegate_to: localhost - name: Local action | Check if root CA file exists - local_action: - module: stat + stat: path: "{{ local_certs_path }}/certs/root-ca.key" register: root_ca_file - name: Local action | Generate the node & admin certificates in local - local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o + command: >- + {{ local_certs_path }}/tools/sgtlstool.sh + -c {{ local_certs_path }}/config/tlsconfig.yml + -ca -crt + -t {{ local_certs_path }}/certs/ + -f -o when: not root_ca_file.stat.exists - name: Local action | Generate the node & admin certificates using an existing root CA - local_action: - module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f + command: >- + {{ local_certs_path }}/tools/sgtlstool.sh + -c {{ local_certs_path }}/config/tlsconfig.yml + -crt + -t {{ local_certs_path }}/certs/ + -f when: root_ca_file.stat.exists + run_once: true + delegate_to: localhost tags: - generate-certs \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 1fee6fef..ea48874e 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -1,5 +1,4 @@ - block: - - name: Remove demo certs file: path: "{{ item }}" @@ -12,7 +11,7 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: - src: "{{ local_certs_path }}/config/{{ item }}" + src: "{{ local_certs_path }}/certs/{{ item }}" dest: /etc/elasticsearch/ mode: 0644 with_items: 
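Review bot: The generator run (`sgtlstool.sh ... -ca -crt ... -f -o`) writes `root-ca.key` and every node/admin private key into `{{ local_certs_path }}/certs/`, but the `file` task creating that directory (context at the top of this hunk) sets no `mode:`, so on the controller the keys are created under whatever umask the operator has; the Kibana and Filebeat roles in this patch default `local_certs_path` to `/tmp/opendistro-nodecerts` (presumably this role too, its default is not in view), a world-traversable location. Add `mode: "0700"` to that directory task and tighten `certs/*.key` to `0600` (or default `local_certs_path` outside `/tmp`) before the keys are copied out. Putting `run_once: true` and `delegate_to: localhost` on the block is the right call for a CA that must be generated exactly once; a comment above the block, e.g. `# runs once on the controller: the root CA key never leaves local_certs_path`, would keep a later contributor from delegating it per host. The `block` itself starts in the previous hunk.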
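Review bot: The `copy` in "Copy the node & admin certificates to Elasticsearch cluster" now reads from `{{ local_certs_path }}/certs/` with a single `mode: 0644`; the `with_items` list is cut off by the hunk, but the Kibana and Filebeat counterparts in this same patch copy `<host>_http.key` / `<host>.key`, so if this list likewise carries `.key` files the node and admin private keys land world-readable in `/etc/elasticsearch`. Use a per-item mode, `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"`, with `owner: elasticsearch` and `group: elasticsearch`, so the service reads its own key without every local user being able to. The `block` this task belongs to starts before the hunk.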
@@ -28,7 +27,7 @@ - name: Copy the OpenDistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" @@ -76,5 +75,5 @@ run_once: true tags: - - production_ready + - security when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index f5ee89bc..0f7671e2 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 @@ -17,7 +17,6 @@ defaults: verifyHostnames: false resolveHostnames: false - ### ### Nodes ### @@ -25,7 +24,7 @@ defaults: # Specify the nodes of your ES cluster here # nodes: -{% for item in groups['es-cluster'] %} +{% for item in groups['es_cluster'] %} - name: {{ item }} dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} dns: {{ item }}.{{ domain_name }} @@ -39,6 +38,14 @@ nodes: ip: {{ hostvars[item]['ip'] }} {% endfor %} {% endif %} +{% if groups['managers'] is defined and groups['managers']|length > 0 %} +{% for item in groups['managers'] %} + - name: {{ item }} + dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ item }}.{{ domain_name }} + ip: {{ hostvars[item]['ip'] }} +{% endfor %} +{% endif %} ### ### Clients ### diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 6bbf5015..611eabdd 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml 
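Review bot: The new `managers` loop issues the Wazuh manager a certificate from the `nodes:` section with the same `OU=Ops` DN pattern as the Elasticsearch nodes, and the Filebeat-oss role in this patch ships exactly that `{{ inventory_hostname }}.pem`/`.key` as Filebeat's client certificate. In Open Distro the DNs listed under `nodes_dn` are trusted for inter-node transport, so if the generated config snippet adds these DNs there (sgtlstool derives the snippet from this file; not verifiable from the hunk), a compromised manager holds a credential the cluster treats as a peer node rather than a client. Moving the managers under the `### Clients ###` section that follows should keep the `<name>.pem`/`<name>.key` file names the Filebeat role expects while issuing a plain client certificate; a comment such as `# managers are Filebeat clients, not cluster nodes: keep them out of nodes_dn` would record the intent.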
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -1,17 +1,18 @@ --- -elasticsearch_http_port: "9200" -elasticsearch_network_host: |- +elasticsearch_http_port: 9200 +elasticsearch_nodes: |- {% for item in groups['kibana'] -%} {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} {%- endfor %} - +elasticsearch_network_host: 172.16.0.161 +elastic_api_protocol: https kibana_conf_path: /etc/kibana kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -opendistro_version: 7.6.1 +elastic_stack_version: 7.7.0 wazuh_version: 3.12.3 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp @@ -41,6 +42,7 @@ kibana_telemetry_optin: "false" kibana_telemetry_enabled: "false" opendistro_security_user: elastic +opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme local_certs_path: /tmp/opendistro-nodecerts diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index 2d29e0cb..94a646f8 100644 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml @@ -28,7 +28,6 @@ register: install tags: install - - name: Remove Kibana configuration file file: path: "{{ kibana_conf_path }}/kibana.yml" 
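Review bot: `opendistro_admin_password: changeme` becomes a working default for the `admin` account that `tasks/main.yml` uses against the Elasticsearch API, so a deployment that forgets to override it runs with a publicly known superuser password; ship `opendistro_admin_password: null` and let the consuming task fail on the undefined value, or add an `assert` that it was overridden. `elasticsearch_network_host: 172.16.0.161` promotes a lab address to a role default that everyone who does not set it will talk to; `127.0.0.1` or a required variable is safer. `elastic_api_protocol: https` is overwritten unconditionally by the `set_fact` in `tasks/main.yml`, so this default is dead code and one of the two should go.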
@@ -48,11 +47,82 @@ mode: 0640 marker: "## {mark} Kibana general settings ##" notify: restart kibana - tags: - install - configure +- name: Build and Install Wazuh Kibana Plugin from sources + import_tasks: build_wazuh_plugin.yml + when: + - build_from_sources is defined + - build_from_sources + +- name: Install Wazuh Plugin (can take a while) + shell: >- + NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install + {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip + args: + executable: /bin/bash + creates: /usr/share/kibana/plugins/wazuh/package.json + chdir: /usr/share/kibana + become: yes + become_user: kibana + notify: restart kibana + tags: + - install + - skip_ansible_lint + when: + - not build_from_sources + +- name: Kibana optimization (can take a while) + shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize + args: + executable: /bin/bash + become: yes + become_user: kibana + changed_when: false + tags: + - skip_ansible_lint + +- name: Wait for Elasticsearch port + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} + +- name: Select correct API protocol + set_fact: + elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}" + +- name: Attempting to delete legacy Wazuh index if exists + uri: + url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh" + method: DELETE + user: "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200, 404 + +- name: Create wazuh plugin config directory + file: + path: /usr/share/kibana/optimize/wazuh/config/ + state: directory + recurse: yes + owner: kibana + group: kibana + mode: 0751 + changed_when: False + +- name: Configure Wazuh Kibana Plugin + template: + src: wazuh.yml.j2 + dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml + owner: kibana + group: kibana + mode: 0751 + changed_when: False + 
+- name: Reload systemd configuration + systemd: + daemon_reload: true + - name: Ensure Kibana started and enabled service: name: kibana @@ -60,4 +130,4 @@ state: started - import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat' + when: ansible_os_family == 'RedHat' \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml index 96b787c9..be63c9ea 100644 --- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml @@ -2,12 +2,12 @@ - name: Copy the certificates from local to the Kibana instance copy: - src: "{{ local_certs_path }}/config/{{ item }}" + src: "{{ local_certs_path }}/certs/{{ item }}" dest: /usr/share/kibana mode: 0644 with_items: - "{{ inventory_hostname }}_http.key" - "{{ inventory_hostname }}_http.pem" tags: - - production_ready + - security when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index c526fcda..702de5e2 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 @@ -8,9 +8,9 @@ server.maxPayloadBytes: {{ kibana_max_payload_bytes }} server.name: {{ kibana_server_name }} server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} -elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}" {% else %} -elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}" {% endif %} elasticsearch.username: {{ opendistro_kibana_user }} 
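Review bot: The `uri` DELETE of the legacy `.wazuh` index sends the `admin` password with `validate_certs: no`, so the superuser credential goes to whatever answers at `{{ elasticsearch_network_host }}:9200`, including an on-path attacker or a mistyped host; this role generates the cluster CA itself, so it can validate: copy `root-ca.pem` next to the http certificate and use `validate_certs: yes` with `ca_path: /usr/share/kibana/root-ca.pem` (on Ansible versions whose `uri` lacks `ca_path`, install the CA into the host trust store instead). The `set_fact` that picks `elastic_api_protocol` reads `kibana_xpack_security`, while the Kibana template in this same patch keys on `kibana_opendistro_security`; with the former undefined the play fails, and if both exist they can disagree, so use `kibana_opendistro_security` here too. `wazuh.yml` is written with `mode: 0751`, which puts execute bits on a configuration file that typically holds Wazuh API credentials; `0640` owned by `kibana` is enough. These tasks sit at play level, so there is no enclosing block cut by the hunk.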
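Review bot: `{{ inventory_hostname }}_http.key` is copied into `/usr/share/kibana` with `mode: 0644`, leaving Kibana's TLS private key readable by every local user; use a per-item mode, `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"`, with `owner: kibana` and `group: kibana` so the service can still read it. The `when: install.changed` gate (context below the hunk) delivers the files only on the run that installs the package, so a regenerated or rotated certificate never reaches the host on later runs; `copy` is idempotent, so gating on `kibana_opendistro_security` alone is safer.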
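Review bot: `elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"` renders correctly only for a single host: `elasticsearch_nodes` (defaults in this patch) joins the `ip` of each host in `groups['kibana']` with `","`, so with two hosts the line becomes `"https://a","b:9200"`, where only the first host carries the scheme and only the last the port, and Kibana will fail to parse or connect. It also iterates the `kibana` group rather than `es_cluster`, so the Kibana node's own address, not the cluster's, ends up here. Rendering a proper YAML list per Elasticsearch node keeps both the secured and plain branches correct:
```yaml
elasticsearch.hosts:
{% for item in groups['es_cluster'] %}
  - "{{ 'https' if kibana_opendistro_security else 'http' }}://{{ hostvars[item]['ip'] }}:{{ elasticsearch_http_port }}"
{% endfor %}
# … unchanged: elasticsearch.username and the rest of the file …
```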
diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md new file mode 100644 index 00000000..bed47531 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/README.md @@ -0,0 +1,39 @@ +Ansible Role: Filebeat for Elastic Stack +------------------------------------ + +An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server). + +Requirements +------------ + +This role will work on: + * Red Hat + * CentOS + * Fedora + * Debian + * Ubuntu + +Role Variables +-------------- + +Available variables are listed below, along with default values (see `defaults/main.yml`): + +``` + filebeat_output_elasticsearch_enabled: false + filebeat_output_elasticsearch_hosts: + - "localhost:9200" + +``` + +License and copyright +--------------------- + +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) + +### Based on previous work from geerlingguy + + - https://github.com/geerlingguy/ansible-role-filebeat + +### Modified by Wazuh + +The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml new file mode 100644 index 00000000..7603fd51 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml 
@@ -0,0 +1,30 @@ +--- +filebeat_version: 7.7.0 + +filebeat_create_config: true + +filebeat_output_elasticsearch_enabled: false +filebeat_output_elasticsearch_hosts: + - "localhost:9200" + +filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh +elasticsearch_security_user: admin +elasticsearch_security_password: changeme +# Security plugin +filebeat_security: true +filebeat_security_user: admin +filebeat_security_password: changeme +filebeat_ssl_dir: /etc/pki/filebeat + +# Local path to store the generated certificates (OpenDistro security plugin) +local_certs_path: /tmp/opendistro-nodecerts + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' + yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/filebeat-oss/handlers/main.yml b/roles/wazuh/ansible-filebeat-oss/handlers/main.yml similarity index 100% rename from roles/wazuh/filebeat-oss/handlers/main.yml rename to roles/wazuh/ansible-filebeat-oss/handlers/main.yml diff --git a/roles/wazuh/filebeat-oss/meta/main.yml b/roles/wazuh/ansible-filebeat-oss/meta/main.yml similarity index 88% rename from roles/wazuh/filebeat-oss/meta/main.yml rename to roles/wazuh/ansible-filebeat-oss/meta/main.yml index 240b2d08..4fd7e900 100644 --- a/roles/wazuh/filebeat-oss/meta/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/meta/main.yml @@ -3,7 +3,7 @@ dependencies: [] galaxy_info: author: Wazuh - description: Installing and maintaining filebeat server. + description: Installing and maintaining Filebeat-oss. company: wazuh.com license: license (GPLv3) min_ansible_version: 2.0 
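Review bot: The defaults introduce two credential pairs, `elasticsearch_security_user`/`elasticsearch_security_password` and `filebeat_security_user`/`filebeat_security_password`, but the `filebeat.yml.j2` in this patch renders only the `elasticsearch_*` pair, so an operator who overrides the pair named after the role keeps shipping `admin`/`changeme` to Elasticsearch. Keep one pair and, because `filebeat_security: true` is on by default, default the password to `null` so a forgotten override fails the template instead of authenticating with a public password; a comment like `# must be set by the operator; no working default is shipped` makes the contract visible. `filebeat_version: 7.7.0` is declared here but the install task in `tasks/main.yml` does not use it, so the repo's newest 7.x package is installed regardless.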
diff --git a/roles/wazuh/filebeat-oss/tasks/Debian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml similarity index 91% rename from roles/wazuh/filebeat-oss/tasks/Debian.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml index a87bb2bf..33c94cf6 100644 --- a/roles/wazuh/filebeat-oss/tasks/Debian.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml @@ -14,7 +14,7 @@ id: "{{ elasticrepo.key_id }}" state: present -- name: Debian/Ubuntu | Add Filebeat repository. +- name: Debian/Ubuntu | Add Filebeat-oss repository. apt_repository: repo: "deb {{ elasticrepo.apt }} stable main" state: present diff --git a/roles/wazuh/filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml similarity index 100% rename from roles/wazuh/filebeat-oss/tasks/RMDebian.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml diff --git a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml similarity index 84% rename from roles/wazuh/filebeat-oss/tasks/RMRedHat.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml index 1cf84081..8565894e 100644 --- a/roles/wazuh/filebeat-oss/tasks/RMRedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) yum_repository: - name: elastic_repo_7 + name: elastic_oss-repo_7 state: absent changed_when: false diff --git a/roles/wazuh/filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml similarity index 89% rename from roles/wazuh/filebeat-oss/tasks/RedHat.yml rename to roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml index 23948b37..74873aca 100644 --- a/roles/wazuh/filebeat-oss/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml 
@@ -1,7 +1,7 @@ --- - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo yum_repository: - name: elastic_repo_7 + name: elastic_oss-repo_7 description: Elastic repository for 7.x packages baseurl: "{{ elasticrepo.yum }}" gpgkey: "{{ elasticrepo.gpg }}" diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml new file mode 100644 index 00000000..f64c8ceb --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml @@ -0,0 +1,22 @@ +--- +- block: + - name: Copy Filebeat configuration. + template: + src: filebeat.yml.j2 + dest: "/etc/filebeat/filebeat.yml" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + - name: Copy Elasticsearch template. + template: + src: elasticsearch.yml.j2 + dest: "/etc/filebeat/wazuh-template.json" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + tags: + - configure \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml new file mode 100644 index 00000000..e9c3ead6 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml 
@@ -0,0 +1,70 @@ +--- +- include_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Filebeat + package: + name: filebeat + state: present + register: install + tags: + - install + - init + +- include_tasks: security_actions.yml + when: ansible_os_family == 'RedHat' + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: filebeat_module_folder + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpack Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + when: filebeat_module_package.stat.exists + +- import_tasks: config.yml + notify: restart filebeat + +- include_tasks: security_actions.yml + when: filebeat_security + +- name: Ensure Filebeat is started and enabled at boot. + service: + name: filebeat + state: started + enabled: true + +- include_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" 
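Review bot: "Setting 0755 permission for Filebeat module folder" actually applies `mode=u=rwX,g=rwX,o=rwX`, i.e. 0777 recursively on `/usr/share/filebeat/module/wazuh`, so any local user can rewrite the ingest pipeline and input definitions that Filebeat, running as root, loads; change it to block form with `mode: "u=rwX,g=rX,o=rX"`, matching the task name. The install task uses `package: name: filebeat` and ignores `filebeat_version`, so the version is whatever the OSS repo currently serves; pin it per family (`filebeat-{{ filebeat_version }}` / `filebeat={{ filebeat_version }}`), as the deleted role did. `security_actions.yml` is included twice, once unconditionally on RedHat before the module download and again `when: filebeat_security`, so on RedHat the certificate copy runs twice and the first include looks like a leftover. The module tarball fetched from `packages.wazuh.com` has no `checksum:` either, so a pinned hash there closes the same supply-chain gap as for the packages.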
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml new file mode 100644 index 00000000..1af67c84 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -0,0 +1,29 @@ +- block: + + - name: Ensure Filebeat SSL key pair directory exists. + file: + path: "{{ filebeat_ssl_dir }}" + state: directory + + - name: Copy the certificates from local to the Manager instance + copy: + src: "{{ local_certs_path }}/certs/{{ item }}" + dest: "{{ filebeat_ssl_dir }}" + mode: 0644 + with_items: + - "{{ inventory_hostname }}.key" + - "{{ inventory_hostname }}.pem" + - "root-ca.pem" + + - name: Ensuring folder & certs permissions + file: + path: "{{ filebeat_ssl_dir }}/" + mode: 0774 + state: directory + recurse: yes + + tags: + - security + when: + - filebeat_security + - install.changed \ No newline at end of file diff --git a/roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 similarity index 100% rename from roles/wazuh/filebeat-oss/templates/elasticsearch.yml.j2 rename to roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 diff --git a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 similarity index 52% rename from roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 rename to roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 747d2da6..67a99347 100644 --- a/roles/wazuh/filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 
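Review bot: `{{ inventory_hostname }}.key` is copied with `mode: 0644` and the directory is then recursed to `0774`, so Filebeat's client private key ends up world-readable and group-writable under `/etc/pki/filebeat`; Filebeat runs as root here, so `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"` on the copy and a non-recursive `mode: "0750"` on the directory keep it usable without exposing it. The `install.changed` condition on the block delivers the certificates only on the run that installs the package, so rotating or regenerating them on the controller never reaches the manager; `copy` is idempotent, so gating on `filebeat_security` alone is enough. The source is the controller-side `local_certs_path`, the `/tmp/opendistro-nodecerts` default shared with the other roles, which is worth stating: `# source is the controller directory written by opendistro-elasticsearch/local_actions.yml`.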
@@ -14,25 +14,18 @@ setup.template.json.name: 'wazuh' setup.template.overwrite: true setup.ilm.enabled: false - # Send events directly to Elasticsearch output.elasticsearch: hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} -{% if filebeat_opendistro_security %} - username: {{ elasticsearch_opendistro_security_user }} - password: {{ elasticsearch_opendistro_security_password }} +{% if filebeat_security %} + username: {{ elasticsearch_security_user }} + password: {{ elasticsearch_security_password }} protocol: https -{% if generate_CA == true %} - ssl.certificate_authorities: - - {{node_certs_destination}}/ca.crt -{% elif generate_CA == false %} ssl.certificate_authorities: - - {{node_certs_destination}}/{{ca_cert_name}} -{% endif %} - - ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" - ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" + - {{ filebeat_ssl_dir }}/root-ca.pem + ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem" + ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch diff --git a/roles/wazuh/ansible-filebeat/README.md b/roles/wazuh/ansible-filebeat/README.md index ad588e64..416f7da0 100644 --- a/roles/wazuh/ansible-filebeat/README.md +++ b/roles/wazuh/ansible-filebeat/README.md @@ -28,7 +28,7 @@ Available variables are listed below, along with default values (see `defaults/m License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from geerlingguy diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index cc7de7bf..0f9c0021 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
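Review bot: The `output.elasticsearch` block renders `elasticsearch_security_user` / `elasticsearch_security_password`, while the role's new defaults also define `filebeat_security_user` / `filebeat_security_password` that nothing consumes; overriding the role-named pair silently leaves the default `admin`/`changeme` in `filebeat.yml`, so the template and defaults must agree on one name. The password lands in cleartext in `/etc/filebeat/filebeat.yml` (root, `0400` per `config.yml`, which is acceptable), but Filebeat's keystore lets this read `password: "${ES_PASSWORD}"` so the secret never reaches a rendered file or Ansible's diff output. `ssl.verification_mode` is not set, which correctly leaves Filebeat's default of `full`; a comment `# ssl.verification_mode intentionally left at the default (full): the client cert does not replace verifying the server` keeps a later "fix" from setting it to `none`.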
@@ -1,5 +1,5 @@ --- -filebeat_version: 7.6.2 +filebeat_version: 7.7.0 filebeat_create_config: true @@ -22,10 +22,8 @@ filebeat_enable_logging: true filebeat_log_level: debug filebeat_log_dir: /var/log/mybeat filebeat_log_filename: mybeat.log - filebeat_ssl_dir: /etc/pki/filebeat filebeat_ssl_certificate_file: "" -filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index d45b06e8..2b0b7eda 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -17,23 +17,4 @@ group: root mode: 0400 notify: restart filebeat - tags: configure - -- name: Ensure Filebeat SSL key pair directory exists. - file: - path: "{{ filebeat_ssl_dir }}" - state: directory - when: filebeat_ssl_key_file - tags: configure - -- name: Copy SSL key and cert for filebeat. - copy: - src: "{{ item }}" - dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" - mode: 0400 - with_items: - - "{{ filebeat_ssl_key_file }}" - - "{{ filebeat_ssl_certificate_file }}" - notify: restart filebeat - when: filebeat_ssl_key_file and filebeat_ssl_certificate_file - tags: configure + tags: configure \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c252..3e47db37 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -76,7 +76,7 @@ dest: "{{ filebeat_module_package_path }}" when: not filebeat_module_folder.stat.exists -- name: Unpakcing Filebeat module package +- name: Unpack Filebeat module package unarchive: src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" dest: "{{ filebeat_module_destination }}" 
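Review bot: Removing `filebeat_ssl_key_file` while keeping `filebeat_ssl_dir`, `filebeat_ssl_certificate_file` and `filebeat_ssl_insecure` leaves half a feature behind in the non-OSS role: the companion change to `tasks/config.yml` deletes the only tasks that used these variables, and whether the role's own `filebeat.yml.j2` still references `filebeat_ssl_key_file` is not visible here — if it does, rendering fails on an undefined variable. Either remove the remaining three variables as well or keep all four and restore the copy tasks; at minimum a comment such as `# TLS material is no longer copied by this role; use ansible-filebeat-oss for the OpenDistro flow` should tell operators which path to use.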
diff --git a/roles/wazuh/ansible-filebeat/tests/requirements.yml b/roles/wazuh/ansible-filebeat/tests/requirements.yml deleted file mode 100644 index 63d857e2..00000000 --- a/roles/wazuh/ansible-filebeat/tests/requirements.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- src: geerlingguy.java -- src: geerlingguy.elasticsearch diff --git a/roles/wazuh/ansible-filebeat/tests/test.yml b/roles/wazuh/ansible-filebeat/tests/test.yml deleted file mode 100644 index 3a4c8f21..00000000 --- a/roles/wazuh/ansible-filebeat/tests/test.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- hosts: all - - pre_tasks: - - name: Update apt cache. - apt: - cache_valid_time: 600 - when: ansible_os_family == 'Debian' - - - name: Install test dependencies (RedHat). - package: name=which state=present - when: ansible_os_family == 'RedHat' - - - name: Install test dependencies. - package: name=curl state=present - - roles: - - geerlingguy.java - - geerlingguy.elasticsearch - - role_under_test diff --git a/roles/wazuh/ansible-wazuh-manager/README.md b/roles/wazuh/ansible-wazuh-manager/README.md index 199e7810..ac52363d 100644 --- a/roles/wazuh/ansible-wazuh-manager/README.md +++ b/roles/wazuh/ansible-wazuh-manager/README.md @@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe License and copyright --------------------- -WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3) +WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3) ### Based on previous work from dj-wasabi diff --git a/roles/wazuh/filebeat-oss/defaults/main.yml b/roles/wazuh/filebeat-oss/defaults/main.yml deleted file mode 100644 index 4ed76156..00000000 --- a/roles/wazuh/filebeat-oss/defaults/main.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -filebeat_version: 7.6.2 - -filebeat_create_config: true - -filebeat_prospectors: - - input_type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - document_type: json - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true - -filebeat_node_name: node-1 - -filebeat_output_elasticsearch_enabled: false -filebeat_output_elasticsearch_hosts: - - "localhost:9200" - -filebeat_enable_logging: true -filebeat_log_level: debug -filebeat_log_dir: /var/log/mybeat -filebeat_log_filename: mybeat.log - -filebeat_ssl_dir: /etc/pki/filebeat -filebeat_ssl_certificate_file: "" -filebeat_ssl_key_file: "" -filebeat_ssl_insecure: "false" - -filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat -filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz -filebeat_module_package_path: /tmp/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh - -# Opendistro Security -filebeat_opendistro_security: false - -elasticsearch_opendistro_security_user: elastic -elasticsearch_opendistro_security_password: elastic_pass - -node_certs_generator : false -node_certs_source: /usr/share/elasticsearch -node_certs_destination: /etc/filebeat/certs - - -# CA Generation -master_certs_path: /es_certs -generate_CA: true -ca_cert_name: "" - -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' - yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/filebeat-oss/tasks/config.yml b/roles/wazuh/filebeat-oss/tasks/config.yml deleted file mode 100644 index d45b06e8..00000000 --- a/roles/wazuh/filebeat-oss/tasks/config.yml +++ /dev/null 
@@ -1,39 +0,0 @@
----
-- name: Copy Filebeat configuration.
-  template:
-    src: filebeat.yml.j2
-    dest: "/etc/filebeat/filebeat.yml"
-    owner: root
-    group: root
-    mode: 0400
-  notify: restart filebeat
-  tags: configure
-
-- name: Copy Elasticsearch template.
-  template:
-    src: elasticsearch.yml.j2
-    dest: "/etc/filebeat/wazuh-template.json"
-    owner: root
-    group: root
-    mode: 0400
-  notify: restart filebeat
-  tags: configure
-
-- name: Ensure Filebeat SSL key pair directory exists.
-  file:
-    path: "{{ filebeat_ssl_dir }}"
-    state: directory
-  when: filebeat_ssl_key_file
-  tags: configure
-
-- name: Copy SSL key and cert for filebeat.
-  copy:
-    src: "{{ item }}"
-    dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
-    mode: 0400
-  with_items:
-    - "{{ filebeat_ssl_key_file }}"
-    - "{{ filebeat_ssl_certificate_file }}"
-  notify: restart filebeat
-  when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
-  tags: configure
diff --git a/roles/wazuh/filebeat-oss/tasks/main.yml b/roles/wazuh/filebeat-oss/tasks/main.yml
deleted file mode 100644
index df3a428b..00000000
--- a/roles/wazuh/filebeat-oss/tasks/main.yml
+++ /dev/null
@@ -1,125 +0,0 @@ ---- -- include_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- include_tasks: Debian.yml - when: ansible_os_family == 'Debian' - -- name: CentOS/RedHat | Install Filebeat. - package: name=filebeat-{{ filebeat_version }} state=present - register: filebeat_installing_package - until: filebeat_installing_package is succeeded - when: - - ansible_distribution in ['CentOS','RedHat', 'Amazon'] - tags: - - install - -- name: Debian/Ubuntu | Install Filebeat. - apt: - name: filebeat={{ filebeat_version }} - state: present - cache_valid_time: 3600 - register: filebeat_installing_package_debian - until: filebeat_installing_package_debian is succeeded - when: - - not (ansible_distribution in ['CentOS','RedHat', 'Amazon']) - tags: - - init - -- name: Copying node's certificate from master - copy: - src: "{{ item }}" - dest: "{{ node_certs_destination }}/" - mode: 0440 - with_items: - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - - "{{ master_certs_path }}/ca/ca.crt" - when: - - generate_CA - - filebeat_opendistro_security - tags: opendistro-security - -- name: Copying node's certificate from master (Custom CA) - copy: - src: "{{ item }}" - dest: "{{ node_certs_destination }}/" - mode: 0440 - with_items: - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" - - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" - - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" - when: - - not generate_CA - - filebeat_opendistro_security - tags: opendistro-security - -- name: Ensuring folder & certs permissions - file: - path: "{{ node_certs_destination }}/" - mode: 0774 - state: directory - recurse: yes - when: - - filebeat_xpack_security - tags: xpack-security - -- name: Checking if Filebeat Module folder file exists - stat: - path: "{{ filebeat_module_folder }}" - register: 
filebeat_module_folder - - -- name: Download Filebeat module package - get_url: - url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_package_path }}" - when: not filebeat_module_folder.stat.exists - -- name: Unpakcing Filebeat module package - unarchive: - src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_destination }}" - remote_src: yes - when: not filebeat_module_folder.stat.exists - -- name: Setting 0755 permission for Filebeat module folder - file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes - when: not filebeat_module_folder.stat.exists - -- name: Checking if Filebeat Module package file exists - stat: - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - register: filebeat_module_package - when: filebeat_module_package is not defined - -- name: Delete Filebeat module package file - file: - state: absent - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - when: filebeat_module_package.stat.exists - -- import_tasks: config.yml - when: filebeat_create_config - notify: restart filebeat - -- name: Reload systemd - systemd: daemon_reload=yes - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - -- name: Ensure Filebeat is started and enabled at boot. - service: - name: filebeat - state: started - enabled: true - -- include_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- include_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" 
diff --git a/roles/wazuh/filebeat-oss/tasks/security_actions.yml b/roles/wazuh/filebeat-oss/tasks/security_actions.yml
deleted file mode 100644
index 6b11bc9a..00000000
--- a/roles/wazuh/filebeat-oss/tasks/security_actions.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- block:
-
-  - name: Copy certificates and root-ca to Filebeat
-    copy:
-      src: "{{ local_certs_path }}/config/{{ item }}"
-      dest: /etc/filebeat/
-      mode: 0644
-    with_items:
-      - root-ca.pem
-      - "{{ inventory_hostname }}.key"
-      - "{{ inventory_hostname }}.pem"
\ No newline at end of file
diff --git a/roles/wazuh/filebeat-oss/tests/requirements.yml b/roles/wazuh/filebeat-oss/tests/requirements.yml
deleted file mode 100644
index 63d857e2..00000000
--- a/roles/wazuh/filebeat-oss/tests/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- src: geerlingguy.java
-- src: geerlingguy.elasticsearch
diff --git a/roles/wazuh/filebeat-oss/tests/test.yml b/roles/wazuh/filebeat-oss/tests/test.yml
deleted file mode 100644
index 3a4c8f21..00000000
--- a/roles/wazuh/filebeat-oss/tests/test.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-- hosts: all
-
-  pre_tasks:
-    - name: Update apt cache.
-      apt:
-        cache_valid_time: 600
-      when: ansible_os_family == 'Debian'
-
-    - name: Install test dependencies (RedHat).
-      package: name=which state=present
-      when: ansible_os_family == 'RedHat'
-
-    - name: Install test dependencies.
-      package: name=curl state=present
-
-  roles:
-    - geerlingguy.java
-    - geerlingguy.elasticsearch
-    - role_under_test
From 1062cddf06e4212df464e86d57db820c240814e5 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Wed, 10 Jun 2020 19:01:09 +0200
Subject: [PATCH 45/57] Use variable kibana_opendistro_security
---
 roles/opendistro/opendistro-kibana/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml
index 94a646f8..013648db 100644
--- a/roles/opendistro/opendistro-kibana/tasks/main.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/main.yml
@@ -89,7 +89,7 @@
 
 - name: Select correct API protocol
   set_fact:
-    elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}"
+    elastic_api_protocol: "{% if kibana_opendistro_security is defined and kibana_opendistro_security %}https{% else %}http{% endif %}"
 
 - name: Attempting to delete legacy Wazuh index if exists
   uri:
From 1a5f74eec0e7df4f14cbc210cda73ee4b3e29f01 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Wed, 10 Jun 2020 19:01:33 +0200
Subject: [PATCH 46/57] Use group es_cluster
---
 roles/opendistro/opendistro-kibana/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml
index 611eabdd..428880ee 100644
--- a/roles/opendistro/opendistro-kibana/defaults/main.yml
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml
@@ -2,7 +2,7 @@
 elasticsearch_http_port: 9200
 
 elasticsearch_nodes: |-
-  {% for item in groups['kibana'] -%}
+  {% for item in groups['es_cluster'] -%}
     {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
   {%- endfor %}
 elasticsearch_network_host: 172.16.0.161
From 473decb3fd9cb948cb40c64af9ed911eda44d933 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Thu, 11 Jun 2020 19:02:40 +0200
Subject: [PATCH 47/57] Use elasticsearch_network_host
---
 .../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
index 702de5e2..0a1f37cb 100644
--- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
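Review bot: The `set_fact` on the `+` line falls back to plain `http` whenever `kibana_opendistro_security` is undefined, so a misspelled or missing variable silently downgrades the Kibana-to-Elasticsearch API calls to cleartext instead of surfacing the misconfiguration. The `is defined` guard is what hides it: defining `kibana_opendistro_security` in the role defaults and dropping the guard keeps the behaviour for configured inventories while making an undefined flag a visible templating error, and the expression can then be written as `elastic_api_protocol: "{{ 'https' if kibana_opendistro_security else 'http' }}"`. If the flag is meant to be optional, an explicit `assert` task stating the expected type is clearer than the inline guard. The task list continues outside the hunk.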
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
@@ -7,10 +7,12 @@ server.port: {{ kibana_server_port }}
 server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
 server.name: {{ kibana_server_name }}
 server.host: {{ kibana_server_host }}
+
+
 {% if kibana_opendistro_security %}
-elasticsearch.hosts: "https://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
+elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
 {% else %}
-elasticsearch.hosts: "http://{{ elasticsearch_nodes }}:{{ elasticsearch_http_port }}"
+elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
 {% endif %}
 elasticsearch.username: {{ opendistro_kibana_user }}
 
From be21ad434ec4a84e94901dc7fcae0ad96fa33736 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 13:20:23 +0200
Subject: [PATCH 48/57] Disable multitenancy until 3.13 fix
---
 .../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
index 0a1f37cb..40dd9d6c 100644
--- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
@@ -20,7 +20,7 @@ elasticsearch.password: {{ opendistro_kibana_password }}
 
 elasticsearch.ssl.verificationMode: none
 elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
-opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13
 opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
 opendistro_security.readonly_mode.roles: ["kibana_read_only"]
 
From bbbc656985534404605b6ee2c1bd5cb9df8d08f5 Mon Sep 17 00:00:00 2001
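Review bot: The two `+` blank lines inserted after `server.host` add nothing but whitespace to the rendered kibana.yml and should be dropped. Switching `elasticsearch.hosts` from `elasticsearch_nodes` to `elasticsearch_network_host` also points Kibana at a single node, which appears to leave the `elasticsearch_nodes` default (still being maintained in the preceding patch of this series) unused by this template; if multi-node access is intended, `elasticsearch.hosts` should be rendered as a YAML list built from that variable instead, which is worth confirming against the rest of the role. The template continues outside the hunk.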
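Review bot: The changed line sits directly below `elasticsearch.ssl.verificationMode: none`, so the `https` URL this template emits when `kibana_opendistro_security` is set is not actually verified: Kibana accepts any certificate on the Elasticsearch connection, which defeats the purpose of the TLS setup the series adds. Since the series generates its own root CA on the controller (`local_actions.yml`), the template can trust it explicitly, `elasticsearch.ssl.certificateAuthorities: ["<PATH_TO_ROOT_CA_PEM>"]` with `elasticsearch.ssl.verificationMode: full`, where the placeholder is the path the role copies the CA to on the Kibana host. The new trailing `# FIXME` would also read better on its own line above the key, and that comment is a natural place to track the verification gap as well. The template continues outside the hunk.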
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 17:36:18 +0200
Subject: [PATCH 49/57] Make cert generation idempotent
---
 .../opendistro-elasticsearch/tasks/local_actions.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
index edaf9ef8..6885276d 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
@@ -31,13 +31,13 @@
   template:
     src: "templates/tlsconfig.yml.j2"
     dest: "{{ local_certs_path }}/config/tlsconfig.yml"
+  register: tlsconfig_template
 
 - name: Create a directory if it does not exist
   file:
     path: "{{ local_certs_path }}/certs/"
     state: directory
     mode: '0755'
-  delegate_to: localhost
 
 - name: Local action | Check if root CA file exists
   stat:
@@ -51,7 +51,9 @@ -ca -crt -t {{ local_certs_path }}/certs/ -f -o
-  when: not root_ca_file.stat.exists
+  when:
+    - not root_ca_file.stat.exists
+    - tlsconfig_template.changed
 
 - name: Local action | Generate the node & admin certificates using an existing root CA
   command: >-
@@ -60,7 +62,9 @@
     -crt
     -t {{ local_certs_path }}/certs/
     -f
-  when: root_ca_file.stat.exists
+  when:
+    - root_ca_file.stat.exists
+    - tlsconfig_template.changed
   run_once: true
   delegate_to: localhost
 
From 68cfc2fb10ef71721c4690334c978795c3306692 Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 17:37:02 +0200
Subject: [PATCH 50/57] Remove extra include_tasks
---
 roles/wazuh/ansible-filebeat-oss/tasks/main.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml
index e9c3ead6..2c5d3de1 100644
--- a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml
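Review bot: The `tlsconfig_template.changed` conjunct added to the root-CA task in the second hunk is redundant when the CA file is missing and harmful otherwise: a run where `tlsconfig.yml` is already up to date but `{{ local_certs_path }}/certs/` holds no root CA (a cleaned directory, or an earlier run that templated the config and then failed) now skips generation forever, so that task should keep the original single condition, `when: not root_ca_file.stat.exists`. The same conjunct in the third hunk means node certificates that were removed are not regenerated while the template is unchanged; a `stat` of a node certificate or-ed into that condition would cover it. In the first hunk, dropping `delegate_to: localhost` from the "Create a directory" task makes that directory get created on each managed host, while the generation task at the end of the third hunk still runs delegated to localhost, so unless this file is included with a delegation of its own, the controller-side `certs/` directory is no longer guaranteed to exist when the tool writes into it. The enclosing tasks begin and end outside the hunks.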
@@ -14,9 +14,6 @@
     - install
     - init
 
-- include_tasks: security_actions.yml
-  when: ansible_os_family == 'RedHat'
-
 - name: Checking if Filebeat Module folder file exists
   stat:
     path: "{{ filebeat_module_folder }}"
From 0b456a25f0d2217af8785091e904c0c2ef93c2ac Mon Sep 17 00:00:00 2001
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com>
Date: Fri, 12 Jun 2020 17:38:17 +0200
Subject: [PATCH 51/57] Remove flag to allow exec on deleted cert
---
 roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
index 1af67c84..dfea91ee 100644
--- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
@@ -26,4 +26,3 @@
     - security
   when:
     - filebeat_security
-    - install.changed
\ No newline at end of file
From 7a7def1626c069e63539dac9d491376662d6303c Mon Sep 17 00:00:00 2001
From: Jani Heikkine
Date: Thu, 18 Jun 2020 17:14:06 +0200
Subject: [PATCH 52/57] add support to configure path.repo option required for backups/snapshots
---
 roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 1 +
 .../ansible-elasticsearch/templates/elasticsearch.yml.j2 | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
index 279283c2..cc0f8150 100644
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
+++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
@@ -6,6 +6,7 @@ elasticsearch_reachable_host: 127.0.0.1
 elasticsearch_jvm_xms: null
 elastic_stack_version: 7.6.2
 elasticsearch_lower_disk_requirements: false
+elasticsearch_path_repo: []
 
 elasticrepo:
   apt: 'https://artifacts.elastic.co/packages/7.x/apt'
diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
index 0d6887f5..184bc4b4 100644
--- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
@@ -6,6 +6,12 @@ path.data: /var/lib/elasticsearch
 path.logs: /var/log/elasticsearch
 bootstrap.memory_lock: true
 network.host: {{ elasticsearch_network_host }}
+{% if elasticsearch_path_repo | length>0 %}
+path.repo:
+{% for item in elasticsearch_path_repo %}
+  - {{ item }}
+{% endfor %}
+{% endif %}
 
 {% if single_node %}
 discovery.type: single-node
From d907793953f597c8ab0ecc49507433ca4ce9f9c5 Mon Sep 17 00:00:00 2001
From: Zenidd
Date: Tue, 23 Jun 2020 16:51:53 +0200
Subject: [PATCH 53/57] Bump to version v3.13.0_7.7.1
---
 CHANGELOG.md | 14 +
 .../wazuh-elastic7-template-alerts.json.j2 | 1679 ---------------
 .../ansible-kibana/defaults/main.yml | 6 +-
 .../opendistro-kibana/defaults/main.yml | 6 +-
 roles/wazuh/ansible-filebeat/tasks/config.yml | 8 +-
 .../templates/elasticsearch.yml.j2 | 1800 -----------------
 .../ansible-wazuh-agent/defaults/main.yml | 12 +-
 .../var-ossec-etc-ossec-agent.conf.j2 | 2 +-
 .../ansible-wazuh-manager/defaults/main.yml | 8 +-
 9 files changed, 35 insertions(+), 3500 deletions(-)
 delete mode 100644 roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2
 delete mode 100644 roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9b8803d..06255568 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
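Review bot: The `- {{ item }}` line renders each repository path as a plain unquoted YAML scalar, so a path containing `: `, ` #` or a leading indicator character would corrupt the generated elasticsearch.yml; quote it, `  - "{{ item }}"`. The guard `elasticsearch_path_repo | length>0` is also true for a non-empty string, in which case the `for` loop emits one entry per character, so either tighten it to `{% if elasticsearch_path_repo is not string and elasticsearch_path_repo | length > 0 %}` or state in `defaults/main.yml` that the variable must be a list. Nothing in this commit creates the repository directories or sets their ownership for the Elasticsearch service user, so that remains a prerequisite worth a line in the role README. The template continues outside the hunk.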
@@ -1,6 +1,20 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v3.13.0_7.7.1]
+
+### Added
+
+- Update to Wazuh v3.13.0
+- Open Distro-Kibana and Filebeat-oss roles ([@manuasir](https://github.com/manuasir)) [PR#424](https://github.com/wazuh/wazuh-ansible/pull/424)
+
+### Changed
+
+- Fetch ES template from wazuh/wazuh repository ([@Zenidd](https://github.com/Zenidd)) [PR#435](https://github.com/wazuh/wazuh-ansible/pull/435)
+
+### Fixed
+
+- Use local path while generating xpack certificates ([@xr09](https://github.com/xr09)) [PR#432](https://github.com/wazuh/wazuh-ansible/pull/432)
 
 ## [v3.12.3_7.6.2]
 
diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2
deleted file mode 100644
index 0b153fd4..00000000
--- a/roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2
+++ /dev/null
@@ -1,1679 +0,0 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-alerts-3.x-*", - "wazuh-archives-3.x-*" - ], - "settings": { - "index.refresh_interval": "5s", - "index.number_of_shards": "3", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - 
"data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - 
"data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - 
"data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - 
"data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.advisories", - "data.vulnerability.bugzilla_reference", - "data.vulnerability.cve", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.condition", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.state", - "data.vulnerability.title", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - 
"data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.pci_dss", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", 
- "type" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": 
"keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - 
"type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": "keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": 
"keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" 
- }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - 
"process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - 
"sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "status": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - 
"file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "advisories": { - "type": "keyword" - }, - "bugzilla_reference": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss3_score": { - "type": "keyword" - }, - "cvss_score": { - "type": "keyword" - }, - "cvss_scoring_vector": { - "type": "keyword" - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "condition": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - "source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": 
"keyword"
- },
- "input": {
- "properties": {
- "type": {
- "type": "keyword"
- }
- }
- },
- "previous_output": {
- "type": "keyword"
- }
- }
- },
- "version": 1
-}
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml
index fd392334..3faf5de3 100644
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml
+++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml
@@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
-elastic_stack_version: 7.7.0
-wazuh_version: 3.12.3
+elastic_stack_version: 7.7.1
+wazuh_version: 3.13.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
elasticrepo:
@@ -47,7 +47,7 @@ nodejs:
# Build from sources
build_from_sources: false
-wazuh_plugin_branch: 3.12-7.6
+wazuh_plugin_branch: 3.13-7.7
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml
index 428880ee..98c70a2d 100644
--- a/roles/opendistro/opendistro-kibana/defaults/main.yml
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml
@@ -12,8 +12,8 @@ kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
-elastic_stack_version: 7.7.0
-wazuh_version: 3.12.3
+elastic_stack_version: 7.7.1
+wazuh_version: 3.13.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
# The OpenDistro package repository
@@ -56,7 +56,7 @@ nodejs:
# Build from sources
build_from_sources: false
-wazuh_plugin_branch: 3.12-7.6
+wazuh_plugin_branch: 3.13-7.7
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml
index 2b0b7eda..34f519af 100644
--- a/roles/wazuh/ansible-filebeat/tasks/config.yml
+++ b/roles/wazuh/ansible-filebeat/tasks/config.yml
@@ -9,12 +9,12 @@
notify: restart filebeat
tags: configure
-- name: Copy Elasticsearch template.
- template:
- src: elasticsearch.yml.j2
+- name: Fetch latest Wazuh alerts template
+ get_url:
+ url: https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
- tags: configure
\ No newline at end of file
+ tags: configure
diff --git a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
deleted file mode 100644
index 88d50c3f..00000000
--- a/roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2
+++ /dev/null
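Review bot: The new `get_url` task pulls the index template from the unpinned `master` branch with no `checksum:`, so what lands in /etc/filebeat/wazuh-template.json is whatever upstream holds at run time rather than content reviewed with this role — it can drift from the `wazuh_version: 3.13.0` pinned elsewhere in this commit, and any upstream change (including an unwanted one) is applied to every host on the next run and triggers `restart filebeat`. Pin the reference to the release the role targets and verify the download, e.g. `url: "https://raw.githubusercontent.com/wazuh/wazuh/v{{ wazuh_version }}/extensions/elasticsearch/7.x/wazuh-template.json"` together with `checksum: "sha256:<digest-of-the-pinned-template>"` (the filebeat role's defaults are not in this diff, so `wazuh_version` may need to be defined there rather than only in the kibana roles). The managed host now also needs outbound HTTPS to raw.githubusercontent.com, which the replaced `template:` approach never required; hosts with restricted egress will fail at this task, so that requirement belongs in the role documentation, or the vendored file should stay available as a fallback.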
@@ -1,1800 +0,0 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-alerts-3.x-*", - "wazuh-archives-3.x-*" - ], - "settings": { - "index.refresh_interval": "5s", - "index.number_of_shards": "3", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - 
"data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - 
"data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - 
"data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - 
"data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.advisories", - "data.vulnerability.bugzilla_reference", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - 
"data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.state", - "data.vulnerability.title", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - 
"data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - 
"type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": 
"keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": 
"keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } 
- } - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" - }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - 
}, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": 
"keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - "sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - 
"type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "status": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "advisories": { - "type": "keyword" - }, - "bugzilla_reference": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": 
{ - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "updated": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - 
"source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "previous_output": { - "type": "keyword" - } - } - }, - "version": 1 -} diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index bac623e7..180d546d 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.12.3-1 +wazuh_agent_version: 3.13.0-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.12.3" + branch: "v3.13.0" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -21,7 +21,7 @@ wazuh_agent_sources_installation: user_enable_active_response: "y" user_enable_syscheck: "y" user_enable_rootcheck: "y" - user_enable_openscap: "y" + user_enable_openscap: "n" user_enable_sca: "y" user_enable_authd: "y" user_generate_authd_cert: "n" 
@@ -64,9 +64,9 @@ wazuh_winagent_config: # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True - md5: 4ae4e930d3ae9d572b07cd9e7207d783 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi -wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi + md5: d0f13c0c417c74ccbad7b45f66518513 +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.0-1.msi +wazuh_winagent_package_name: wazuh-agent-3.13.0-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index 2ee7f97d..d8522158 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -69,7 +69,7 @@ {% endif %} - {% if ansible_system == "Linux" %} + {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %} {{ wazuh_agent_config.openscap.disable }} {{ wazuh_agent_config.openscap.timeout }} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index a046addf..7bd4846a 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.12.3-1 +wazuh_manager_version: 3.13.0-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.12.3" + branch: "v3.13.0" user_language: "en" user_no_stop: "y" user_install_type: "server" 
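Review bot: The new guard `wazuh_agent_config.openscap.disable == 'no'` is a plain string comparison, so the open-scap block is silently dropped whenever the value arrives as a YAML boolean (an unquoted `no` in group_vars or an `-e` override parses as `false`) or as `No`/`NO`; the defaults file that sets `openscap.disable` is not in this hunk, so confirm it is a quoted string there, and make the test tolerant anyway: `{% if ansible_system == "Linux" and not (wazuh_agent_config.openscap.disable | bool) %}`. Since the sources defaults in this same series flip `user_enable_openscap` to `"n"`, a one-line template comment above the guard would save the next reader a search, e.g. `{# open-scap wodle is rendered only when openscap.disable is 'no'; the section is omitted entirely otherwise #}`. The block's closing `{% endif %}` lies outside the hunk, and the element lines after the guard appear here with their XML tags stripped, so the rendered output should be checked rather than this view.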
@@ -24,7 +24,7 @@ wazuh_manager_sources_installation: user_enable_active_response: null user_enable_syscheck: "y" user_enable_rootcheck: "y" - user_enable_openscap: "y" + user_enable_openscap: "n" user_enable_authd: "y" user_generate_authd_cert: null user_update: "y" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.12.3" + branch: "v3.13.0" update: "y" remove: "y" directory: null From 4c0289cdf88487e6f4c7780c0cf0f195eed0cd1d Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 23 Jun 2020 16:59:30 +0200 Subject: [PATCH 54/57] Removing comment and using placeholders --- playbooks/wazuh-manager-oss.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml index 3dc6346d..ba7b9444 100644 --- a/playbooks/wazuh-manager-oss.yml +++ b/playbooks/wazuh-manager-oss.yml @@ -1,9 +1,9 @@ --- - hosts: managers roles: -# - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss filebeat_output_elasticsearch_hosts: - - "172.16.0.161:9200" - - "172.16.0.162:9200" - - "172.16.0.163:9200" \ No newline at end of file + - ":9200" + - ":9200" + - ":9200" From eb276a1f731515bd114334f6e4041f36068e0558 Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 23 Jun 2020 17:01:32 +0200 Subject: [PATCH 55/57] Handlers refactor --- roles/elastic-stack/ansible-kibana/handlers/main.yml | 4 +++- roles/wazuh/ansible-filebeat/handlers/main.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/handlers/main.yml b/roles/elastic-stack/ansible-kibana/handlers/main.yml index 55ea3d3c..a1afb7cf 100644 --- a/roles/elastic-stack/ansible-kibana/handlers/main.yml +++ b/roles/elastic-stack/ansible-kibana/handlers/main.yml 
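Review bot: The three entries under `filebeat_output_elasticsearch_hosts` are now literal placeholders (rendered here as `- ":9200"`, the host part apparently stripped in this view), and the manager role is uncommented in the same hunk, so running the playbook unedited now deploys a manager whose Filebeat output points at an empty host and fails only at ship time. Prefer deriving the list from inventory so there is nothing to forget, e.g. `filebeat_output_elasticsearch_hosts: "{{ groups['elasticsearch'] | map('regex_replace', '$', ':9200') | list }}"` if such a group exists, or add a `pre_tasks` `assert` that fails when any entry still begins with `:`. Failing that, a comment above the list, `# replace with the addresses of your Elasticsearch nodes before running this play`, makes the placeholder intent explicit.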
@@ -1,3 +1,5 @@ --- - name: restart kibana - service: name=kibana state=restarted + service: + name: kibana + state: restarted diff --git a/roles/wazuh/ansible-filebeat/handlers/main.yml b/roles/wazuh/ansible-filebeat/handlers/main.yml index 96e15a22..6c7742dc 100644 --- a/roles/wazuh/ansible-filebeat/handlers/main.yml +++ b/roles/wazuh/ansible-filebeat/handlers/main.yml @@ -1,3 +1,5 @@ --- - name: restart filebeat - service: name=filebeat state=restarted + service: + name: filebeat + state: restarted From 600dd40896cdec05c9211731e45b7987537f1c4a Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 23 Jun 2020 17:03:33 +0200 Subject: [PATCH 56/57] Adding dynamic template fetch to filebeat-oss --- .../ansible-filebeat-oss/tasks/config.yml | 8 +- .../templates/elasticsearch.yml.j2 | 1800 ----------------- 2 files changed, 4 insertions(+), 1804 deletions(-) delete mode 100644 roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml index f64c8ceb..3b543d96 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml @@ -9,9 +9,9 @@ mode: 0400 notify: restart filebeat - - name: Copy Elasticsearch template. - template: - src: elasticsearch.yml.j2 + - name: Fetch latest Wazuh alerts template + get_url: + url: https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json dest: "/etc/filebeat/wazuh-template.json" owner: root group: root @@ -19,4 +19,4 @@ notify: restart filebeat tags: - - configure \ No newline at end of file + - configure diff --git a/roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 deleted file mode 100644 index 88d50c3f..00000000 --- a/roles/wazuh/ansible-filebeat-oss/templates/elasticsearch.yml.j2 +++ /dev/null 
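Review bot: The new `get_url` task pulls the template from the mutable `master` branch of wazuh/wazuh with no `checksum`, so every fresh deployment depends on GitHub being reachable from the target host and silently takes whatever that branch contains at that moment, which is neither reproducible nor verifiable and lets a changed or compromised upstream file land in `/etc/filebeat/wazuh-template.json` as root. Pin the fetch to the release the play installs and verify it, for example with a role default `filebeat_wazuh_template_version: 'v3.13.0'` (the manager defaults in this series move to 3.13.0-1), `url: "https://raw.githubusercontent.com/wazuh/wazuh/{{ filebeat_wazuh_template_version }}/extensions/elasticsearch/7.x/wazuh-template.json"` and `checksum: "sha256:{{ filebeat_wazuh_template_sha256 }}"`. Note also that `get_url` does not re-download when `dest` already exists unless `force: yes` or a differing `checksum` is given, so the task name "Fetch latest Wazuh alerts template" overstates what later runs do; with a pinned version the name should say which one. The `mode` of the written file is outside this hunk; confirm it stays as restrictive as the `0400` on the preceding task.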
@@ -1,1800 +0,0 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-alerts-3.x-*", - "wazuh-archives-3.x-*" - ], - "settings": { - "index.refresh_interval": "5s", - "index.number_of_shards": "3", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - 
"data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - 
"data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - 
"data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - 
"data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.advisories", - "data.vulnerability.bugzilla_reference", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - 
"data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.state", - "data.vulnerability.title", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - 
"data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - 
"type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": 
"keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": 
"keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } 
- } - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" - }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - 
}, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": 
"keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - "sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - 
"type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "status": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "advisories": { - "type": "keyword" - }, - "bugzilla_reference": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": 
{ - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "updated": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - 
"source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "previous_output": { - "type": "keyword" - } - } - }, - "version": 1 -} From d82d1b51d149ee4f1d9f9f66b2566e37ae9800de Mon Sep 17 00:00:00 2001 From: Zenidd Date: Tue, 23 Jun 2020 17:19:37 +0200 Subject: [PATCH 57/57] Adding variable to parametrize elastic template URL --- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 ++ roles/wazuh/ansible-filebeat-oss/tasks/config.yml | 2 +- roles/wazuh/ansible-filebeat/defaults/main.yml | 2 ++ roles/wazuh/ansible-filebeat/tasks/config.yml | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 7603fd51..4159dc9a 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -1,6 +1,8 @@ --- filebeat_version: 7.7.0 +wazuh_template_branch: v3.13.0 + filebeat_create_config: true filebeat_output_elasticsearch_enabled: false 
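Review bot: The new `wazuh_template_branch: v3.13.0` default is undocumented, and nothing tells the reader that the value is spliced into a raw.githubusercontent.com path, so a branch name, tag or commit SHA all work but only a tag or SHA gives a reproducible template on every run. A comment above the line would make that explicit: `# Git ref (tag, branch or commit) of wazuh/wazuh used to fetch extensions/elasticsearch/7.x/wazuh-template.json; keep it pinned to a tag or SHA so the installed index mapping is reproducible.` The same default is added in roles/wazuh/ansible-filebeat/defaults/main.yml and would take the same comment. The plain scalar is safe as written since it starts with a letter, so no quoting is needed here.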
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml index 3b543d96..c6dcbe94 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml @@ -11,7 +11,7 @@ - name: Fetch latest Wazuh alerts template get_url: - url: https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json + url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json dest: "/etc/filebeat/wazuh-template.json" owner: root group: root diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 12e62dce..c105205e 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,6 +1,8 @@ --- filebeat_version: 7.7.0 +wazuh_template_branch: v3.13.0 + filebeat_create_config: true filebeat_prospectors: diff --git a/roles/wazuh/ansible-filebeat/tasks/config.yml b/roles/wazuh/ansible-filebeat/tasks/config.yml index 34f519af..417e1e13 100644 --- a/roles/wazuh/ansible-filebeat/tasks/config.yml +++ b/roles/wazuh/ansible-filebeat/tasks/config.yml @@ -11,7 +11,7 @@ - name: Fetch latest Wazuh alerts template get_url: - url: https://raw.githubusercontent.com/wazuh/wazuh/master/extensions/elasticsearch/7.x/wazuh-template.json + url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json dest: "/etc/filebeat/wazuh-template.json" owner: root group: root
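Review bot: The template is still downloaded at run time with no integrity check: the `get_url` task now takes a caller-controlled ref in `url` but has no `checksum`, so a branch name in `wazuh_template_branch` (or a moved tag) silently changes the index mapping installed on each run. With the ref variable, add `checksum: "sha256:<TEMPLATE_SHA256>"` (placeholder, paired with the ref it was computed for) next to `url`, or at minimum state in a task comment that only tags or commit SHAs should be passed. The task name `Fetch latest Wazuh alerts template` no longer describes a pinned fetch; `Fetch Wazuh alerts template ({{ wazuh_template_branch }})` reads correctly. Quoting the templated value, `url: "https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json"`, would also match the quoted `dest` line below it; the task's remaining parameters may run past the end of the hunk. The identical hunk in roles/wazuh/ansible-filebeat/tasks/config.yml needs the same treatment.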