Merge pull request #437 from wazuh/wazuh-release-v3.13.0_7.7.1

Wazuh release v3.13.0_7.7.1
This commit is contained in:
Jose M. Garcia 2020-06-24 09:30:40 +02:00 committed by GitHub
commit 89aea601df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
61 changed files with 1494 additions and 3597 deletions


@ -1,6 +1,20 @@
# Change Log
All notable changes to this project will be documented in this file.
## [v3.13.0_7.7.1]
### Added
- Update to Wazuh v3.13.0
- Open Distro-Kibana and Filebeat-oss roles ([@manuasir](https://github.com/manuasir)) [PR#424](https://github.com/wazuh/wazuh-ansible/pull/424)
### Changed
- Fetch ES template from wazuh/wazuh repository ([@Zenidd](https://github.com/Zenidd)) [PR#435](https://github.com/wazuh/wazuh-ansible/pull/435)
### Fixed
- Use local path while generating xpack certificates ([@xr09](https://github.com/xr09)) [PR#432](https://github.com/wazuh/wazuh-ansible/pull/432)
## [v3.12.3_7.6.2]


@ -0,0 +1,9 @@
---
- hosts: managers
roles:
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
filebeat_output_elasticsearch_hosts:
- "<elastic-node-1>:9200"
- "<elastic-node-2>:9200"
- "<elastic-node-2>:9200"


@ -0,0 +1,4 @@
---
- hosts: es1
roles:
- role: ../roles/opendistro/opendistro-kibana


@ -0,0 +1,4 @@
---
- hosts: es_cluster
roles:
- role: ../roles/opendistro/opendistro-elasticsearch


@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy


@ -4,8 +4,9 @@ elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null
elastic_stack_version: 7.6.2
elastic_stack_version: 7.7.0
elasticsearch_lower_disk_requirements: false
elasticsearch_path_repo: []
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
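Review bot: `elastic_stack_version` is bumped to `7.7.0` here while the Kibana role's defaults in this same release set it to `7.7.1` (and the release is tagged `v3.13.0_7.7.1`), so an Elasticsearch node and a Kibana node deployed from the same inventory would run different patch versions unless the operator overrides both. Unless the 7.7.0 pin is deliberate, this line should be `elastic_stack_version: 7.7.1` to match the Kibana defaults and the opendistro-kibana defaults further down. Quoting the value (`"7.7.1"`) would also keep it a string should a two-component version such as `7.8` ever be used, which YAML would otherwise read as a float.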


@ -152,6 +152,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: elasticsearch
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@ -167,6 +169,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: elasticsearch
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
@ -181,9 +185,11 @@
- name: Ensuring folder permissions
file:
path: "{{ node_certs_destination }}/"
mode: 0774
owner: root
group: elasticsearch
mode: 0770
state: directory
recurse: yes
recurse: no
when:
- elasticsearch_xpack_security
- generate_CA
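Review bot: The octal modes added in this file (`mode: 0440` on the copied key/certificate files, `mode: 0770` on the directory) are unquoted, so a YAML 1.1 parser reads them as the integers 288 and 504 and Ansible only lands on the intended bits because 288 happens to equal 0o440; ansible-lint flags this as risky, and quoting (`mode: "0440"`, `mode: "0770"`) removes the ambiguity. The same unquoted form appears in the Kibana task file below (`0440`), the OpenDistro task files (`0640`, `0644`) and the opendistro-kibana main task (`0751`), so it is worth fixing across the release. Switching `recurse` from `yes` to `no` is consistent with the copy tasks above now setting owner, group and mode on each file themselves.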


@ -6,6 +6,12 @@ path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: {{ elasticsearch_network_host }}
{% if elasticsearch_path_repo | length>0 %}
path.repo:
{% for item in elasticsearch_path_repo %}
- {{ item }}
{% endfor %}
{% endif %}
{% if single_node %}
discovery.type: single-node
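Review bot: The `path.repo` entries are rendered as bare `- {{ item }}`, so a repository path containing `: `, ` #` or a leading YAML indicator would break the rendered elasticsearch.yml or be silently misparsed; emit them quoted, `- "{{ item }}"`. `path.repo` is the allow-list of directories Elasticsearch may write snapshots into, so its values deserve review as a security setting rather than just a path, and a one-line comment above the block saying so would help. The Jinja block is complete within the hunk; `length>0` would read better as `length > 0`.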


@ -37,7 +37,7 @@ Example Playbook
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy


@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 7.6.2
wazuh_version: 3.12.3
elastic_stack_version: 7.7.1
wazuh_version: 3.13.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
elasticrepo:
@ -47,7 +47,7 @@ nodejs:
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.12-7.6
wazuh_plugin_branch: 3.13-7.7
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536


@ -1,3 +1,5 @@
---
- name: restart kibana
service: name=kibana state=restarted
service:
name: kibana
state: restarted


@ -28,6 +28,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: kibana
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@ -42,6 +44,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: kibana
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
@ -52,22 +56,14 @@
- not generate_CA
tags: xpack-security
- name: Ensuring certificates folder owner
- name: Ensuring certificates folder owner and permissions
file:
path: "{{ node_certs_destination }}/"
state: directory
recurse: yes
recurse: no
owner: kibana
group: kibana
when:
- kibana_xpack_security
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
mode: 0770
recurse: yes
when:
- kibana_xpack_security
notify: restart kibana
@ -139,9 +135,9 @@
shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args:
executable: /bin/bash
creates: /usr/share/kibana/optimize/wazuh/
become: yes
become_user: kibana
changed_when: false
tags:
- skip_ansible_lint
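Review bot: The merged task `Ensuring certificates folder owner and permissions` sets `owner`, `group` and `recurse: no`, but the `mode: 0770` that the removed second task applied to the directory does not appear among the new lines, so unless it is set outside this hunk the certificates directory keeps whatever mode it was created with; if that is unintended, add `mode: "0770"` to the new task. The rendering does not make the old/new side of `creates: /usr/share/kibana/optimize/wazuh/` in the last hunk certain — if that line was removed, the optimize step now re-runs on every play while `changed_when: false` hides it, which is worth a comment either way.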


@ -0,0 +1,58 @@
---
# The OpenDistro version
opendistro_version: 1.8.0
elasticsearch_cluster_name: wazuh-cluster
# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
minimum_master_nodes: 2
# Elasticsearch version
es_version: "7.3.2"
es_major_version: "7.x"
# Configure hostnames for Elasticsearch nodes
# Example es1.example.com, es2.example.com
domain_name: wazuh.com
# The OpenDistro package repository
package_repos:
yum:
opendistro:
baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
elasticsearch_oss:
baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
opendistro_conf_path: /etc/elasticsearch/
es_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
# Security password
opendistro_security_password: admin
# Set JVM memory limits
opendistro_jvm_xms: null
opendistro_http_port: 9200
certs_gen_tool_version: 1.7
# Url of Search Guard certificates generator tool
certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
opendistro_admin_password: changeme
opendistro_kibana_password: changeme
# Cluster Settings
single_node: true
opendistro_cluster_name: wazuh
local_certs_path: /tmp/opendistro-nodecerts
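Review bot: `opendistro_admin_password`, `opendistro_kibana_password` and `opendistro_security_password` ship with working defaults (`changeme`, `admin`) that the tasks later hash into `internal_users.yml`, so a play run without overrides produces a cluster with publicly known credentials and nothing in the role refuses to proceed. A defensive option that keeps the interface is to leave the defaults in place and add an early `assert` in `tasks/main.yml`, e.g. `that: opendistro_admin_password != 'changeme'` with a `fail_msg` telling the operator to override it. Separately, `elasticrepo.gpg` points at `https://artifacts.elastic.co/GPG-KEY-opendistro`, which reads like a mix of the Elastic host and the OpenDistro key name — worth confirming it resolves, given the OpenDistro key URL already appears above under `package_repos.yum.opendistro.gpg`; `es_version: "7.3.2"` also predates the 7.7 series this release targets and may be stale if nothing reads it.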


@ -0,0 +1,5 @@
---
- name: restart elasticsearch
service:
name: elasticsearch
state: restarted


@ -0,0 +1,24 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Opendistro server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- web
- system
- monitoring


@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository:
name: opendistro_repo
state: absent
changed_when: false
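Review bot: This cleanup is a no-op as written: `yum_repository` with `state: absent` looks for the repo in a file named after `name` (here `opendistro_repo.repo`) unless `file:` is given, but `RedHat.yml` wrote both repos into `file: opendistro`, and the second repo it added, `elasticsearch_oss_repo`, is not removed at all. Add `file: opendistro` and loop over both names, e.g. `name: "{{ item }}"` with `loop: [opendistro_repo, elasticsearch_oss_repo]`; the opendistro-kibana role's `RMRedHat.yml` further down has the same gap. `changed_when: false` also hides whether anything was actually removed and is better dropped.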


@ -0,0 +1,38 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository:
file: opendistro
name: opendistro_repo
description: Opendistro yum repository
baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository:
file: opendistro
name: elasticsearch_oss_repo
description: Elasticsearch-oss yum repository
baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install OpenJDK 11
yum:
name: java-11-openjdk-devel
state: present
- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
yum:
name: "{{ packages }}"
vars:
packages:
- wget
- unzip
tags:
- install
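Review bot: `changed_when: false` on the two `yum_repository` tasks hides real changes: the module is idempotent on its own, so forcing "ok" only removes the signal that a repo file was (re)written, which is exactly what an operator wants to see when a `baseurl` or `gpgkey` changes. Dropping those two lines is enough; the kibana role's `RedHat.yml` below already omits them. `gpgcheck: true` on both repos is the right call and worth keeping.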


@ -0,0 +1,72 @@
---
- block:
- name: Local action | Create local temporary directory for certificates generation
file:
path: "{{ local_certs_path }}"
state: directory
- name: Local action | Check that the generation tool exists
stat:
path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
register: tool_package
- name: Local action | Download certificates generation tool
get_url:
url: "{{ certs_gen_tool_url }}"
dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
when: not tool_package.stat.exists
- name: Local action | Extract the certificates generation tool
unarchive:
src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip"
dest: "{{ local_certs_path }}/"
- name: Local action | Add the execution bit to the binary
file:
dest: "{{ local_certs_path }}/tools/sgtlstool.sh"
mode: a+x
- name: Local action | Prepare the certificates generation template file
template:
src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml"
register: tlsconfig_template
- name: Create a directory if it does not exist
file:
path: "{{ local_certs_path }}/certs/"
state: directory
mode: '0755'
- name: Local action | Check if root CA file exists
stat:
path: "{{ local_certs_path }}/certs/root-ca.key"
register: root_ca_file
- name: Local action | Generate the node & admin certificates in local
command: >-
{{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-ca -crt
-t {{ local_certs_path }}/certs/
-f -o
when:
- not root_ca_file.stat.exists
- tlsconfig_template.changed
- name: Local action | Generate the node & admin certificates using an existing root CA
command: >-
{{ local_certs_path }}/tools/sgtlstool.sh
-c {{ local_certs_path }}/config/tlsconfig.yml
-crt
-t {{ local_certs_path }}/certs/
-f
when:
- root_ca_file.stat.exists
- tlsconfig_template.changed
run_once: true
delegate_to: localhost
tags:
- generate-certs
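Review bot: The unarchive step hardcodes `search-guard-tlstool-1.7.zip` while the stat and get_url steps use `{{ certs_gen_tool_version }}`, so changing `certs_gen_tool_version` downloads one version and extracts another (or fails on a missing file); use `src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"`. The tool is fetched from a third-party host and then executed with `-ca` to mint the cluster's root CA, so `get_url` should also pin `checksum: "sha256:<expected-digest>"` (placeholder for the published digest) — without it, whatever the mirror serves at run time becomes the code that creates the trust root. Because generation is gated on `tlsconfig_template.changed`, a re-run after a partial failure (root-ca.key present, template unchanged) will not regenerate node certificates; that trade-off deserves a comment above the two generation tasks.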


@ -0,0 +1,68 @@
---
- import_tasks: local_actions.yml
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Install OpenDistro
package:
name: opendistroforelasticsearch-{{ opendistro_version }}
state: present
register: install
tags: install
- name: Remove elasticsearch configuration file
file:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
state: absent
when: install.changed
tags: install
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
tags: install
- import_tasks: security_actions.yml
- name: Configure OpenDistro Elasticsearch JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options
owner: root
group: elasticsearch
mode: 0644
force: yes
notify: restart elasticsearch
tags: install
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
enabled: true
state: started
- name: Wait for Elasticsearch API
uri:
url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
tags: debug
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"


@ -0,0 +1,79 @@
- block:
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ opendistro_conf_path }}/kirk.pem"
- "{{ opendistro_conf_path }}/kirk-key.pem"
- "{{ opendistro_conf_path }}/esnode.pem"
- "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
- name: Copy the OpenDistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
- name: Prepare the OpenDistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
- name: Copy the OpenDistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Set the Admin user password
shell: >
sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Set the kibanaserver role/user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Initialize the OpenDistro security index in elasticsearch
command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
tags:
- security
when: install.changed
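Review bot: The certificate copy task installs private keys — including `root-ca.key` and `admin.key` — into `/etc/elasticsearch/` with `mode: 0644`, so every local account on each node can read the node key, the admin client key and the CA signing key; the `securityadmin.sh` command below only references `root-ca.pem`, so `root-ca.key` should be dropped from the list and the remaining `.key` files copied with `mode: "0640"`, `owner: root`, `group: elasticsearch` (a separate task for keys is the simplest shape). The two `hash.sh` tasks put the passwords on the command line and their shell lines are echoed in play output, so they want `no_log: true`; a password containing `,` or `&` would also break the `sed` expression, which is worth a comment on the variable. Finally, `lookup('file', '{{ local_certs_path }}/…')` nests moustaches inside a Jinja expression, which ansible-lint flags as unsupported — build the path with `~`, e.g. `lookup('file', local_certs_path ~ '/certs/' ~ inventory_hostname ~ '_elasticsearch_config_snippet.yml')`.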


@ -0,0 +1,22 @@
cluster.name: "{{ opendistro_cluster_name }}"
node.name: "{{ inventory_hostname }}"
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
http.port: "{{ opendistro_http_port }}"
discovery.seed_hosts: ["{{ es_nodes }}"]
cluster.initial_master_nodes: ["{{ es_nodes }}"]
discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
opendistro_security.allow_default_init_securityindex: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
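Review bot: `discovery.zen.minimum_master_nodes` is ignored by Elasticsearch 7.x (bootstrapping is governed by `cluster.initial_master_nodes`), so the `minimum_master_nodes` variable this template consumes has no effect; the line can go, or the variable's comment in `defaults/main.yml` should say it is legacy. `cluster.initial_master_nodes` and `discovery.seed_hosts` are filled with publish IP addresses while `node.name` is `inventory_hostname`; Elasticsearch 7 accepts IPs there but documents node names as the primary form, so a comment explaining why IPs were chosen would spare the next reader a detour. The `single_node: true` default has no counterpart in this template (the x-pack role renders `discovery.type: single-node` from the same flag), which looks like an omission.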


@ -0,0 +1,21 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
admin:
hash: "{{ opendistro_admin_password }}"
reserved: true
backend_roles:
- "admin"
description: "admin user"
kibanaserver:
hash: "{{ opendistro_kibana_password }}"
reserved: true
description: "kibanaserver user"


@ -0,0 +1,117 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if opendistro_jvm_xms is not none %}
{% if opendistro_jvm_xms < 32000 %}
-Xms{{ opendistro_jvm_xms }}m
-Xmx{{ opendistro_jvm_xms }}m
{% else %}
-Xms32000m
-Xmx32000m
{% endif %}
{% else %}
-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
{% endif %}
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
## optimizations
# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
## basic
# force the server VM
-server
# explicitly set the stack size
-Xss1m
# set to headless, just in case
-Djava.awt.headless=true
# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8
# use our provided JNA always versus the system one
-Djna.nosys=true
# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging
#-XX:+PrintGCDetails
#-XX:+PrintGCTimeStamps
#-XX:+PrintGCDateStamps
#-XX:+PrintClassHistogram
#-XX:+PrintTenuringDistribution
#-XX:+PrintGCApplicationStoppedTime
# log GC status to a file with time stamps
# ensure the directory exists
#-Xloggc:${loggc}
# By default, the GC log file will not rotate.
# By uncommenting the lines below, the GC log file
# will be rotated every 128MB at most 32 times.
#-XX:+UseGCLogFileRotation
#-XX:NumberOfGCLogFiles=32
#-XX:GCLogFileSize=128M
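Review bot: The `# Xms represents…` / `# Xmx represents…` comment pair is emitted twice in a row in the rendered file; drop one pair. The GC section hardcodes `-XX:+UseConcMarkSweepGC`, which the JDK 11 this role installs (`java-11-openjdk-devel` in `RedHat.yml`) accepts only with a deprecation warning and which later JDKs remove, so the template should either be conditional on the JDK in use or carry a comment naming that constraint. `-server` is a no-op on 64-bit JVMs and can be dropped to reduce noise.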


@ -0,0 +1,61 @@
ca:
root:
dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
keysize: 2048
validityDays: 730
pkPassword: none
file: root-ca.pem
### Default values and global settings
defaults:
validityDays: 730
pkPassword: none
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
reuseTransportCertificatesForHttp: false
verifyHostnames: false
resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
{% for item in groups['es_cluster'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% if groups['kibana'] is defined and groups['kibana']|length > 0 %}
{% for item in groups['kibana'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% endif %}
{% if groups['managers'] is defined and groups['managers']|length > 0 %}
{% for item in groups['managers'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
{% endif %}
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: admin
dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
admin: true
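Review bot: `pkPassword: none` under `ca.root` generates the root CA signing key unencrypted, and `security_actions.yml` then copies `root-ca.key` onto every cluster node, so a compromise of any single node exposes the key that signs all node and admin certificates; the root key is only needed on the control host where the tool runs, so it should stay there and be left out of the copy list. `verifyHostnames: false` and `resolveHostnames: false` in `defaults` disable hostname checking between nodes, which means a certificate taken from one node is accepted as any other; every node entry already carries `dns:` and `ip:` SANs, so `verifyHostnames: true` should work and is the safer default. `validityDays: 730` appears under both `ca.root` and `defaults`; a comment saying which one governs node certificates would help.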


@ -0,0 +1,62 @@
---
elasticsearch_http_port: 9200
elasticsearch_nodes: |-
{% for item in groups['es_cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
elasticsearch_network_host: 172.16.0.161
elastic_api_protocol: https
kibana_conf_path: /etc/kibana
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
elastic_stack_version: 7.7.1
wazuh_version: 3.13.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
# The OpenDistro package repository
package_repos:
yum:
opendistro:
baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
elasticsearch_oss:
baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "http://localhost"
port: 55000
user: "foo"
password: "bar"
# opendistro Security
kibana_opendistro_security: true
kibana_newsfeed_enabled: "false"
kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false"
opendistro_security_user: elastic
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme
local_certs_path: /tmp/opendistro-nodecerts
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.13-7.7
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
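Review bot: `elasticsearch_network_host: 172.16.0.161` bakes a site-specific address into the role defaults, unlike the other roles that default to `127.0.0.1` or a placeholder, so an operator who forgets to override it points Kibana at an unrelated host; either derive it from the inventory (the `elasticsearch_nodes` block above already computes the cluster IPs) or default to `127.0.0.1`. `wazuh_api_credentials` defaults to `user: "foo"` / `password: "bar"` and the two `opendistro_*_password` values to `changeme`; these are written into configuration files on the host by the tasks, so the role should at least document them as mandatory overrides. `kibana_newsfeed_enabled: "false"` and its siblings are deliberately strings for the template, which is worth a one-line comment since `kibana_opendistro_security: true` a few lines earlier is a real boolean.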


@ -0,0 +1,3 @@
---
- name: restart kibana
service: name=kibana state=restarted


@ -0,0 +1,6 @@
---
- name: Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository:
name: opendistro_repo
state: absent
changed_when: false


@ -0,0 +1,23 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository:
file: opendistro
name: opendistro_repo
description: Opendistro yum repository
baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
gpgcheck: true
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository:
file: opendistro
name: elasticsearch_oss_repo
description: Elasticsearch-oss yum repository
baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
gpgcheck: true
tags:
- install


@ -0,0 +1,76 @@
---
- name: Ensure the Git package is present
package:
name: git
state: present
- name: Modify repo url if host is in Debian family
set_fact:
node_js_repo_type: deb
when:
- ansible_os_family | lower == "debian"
- name: Download script to install Nodejs repository
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh"
mode: 0700
- name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh
register: node_repo_installation_result
changed_when: false
- name: Install Nodejs
package:
name: nodejs
state: present
- name: Install yarn dependency to build the Wazuh Kibana Plugin
# Using shell due to errors when evaluating text between @ with command
shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
register: install_yarn_result
changed_when: install_yarn_result == 0
- name: Remove old wazuh-kibana-app git directory
file:
path: /tmp/app
state: absent
changed_when: false
- name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
register: clone_app_repo_result
changed_when: false
args:
chdir: "/tmp"
- name: Executing yarn to build the package
command: "{{ item }}"
with_items:
- "yarn"
- "yarn build"
register: yarn_execution_result
changed_when: false
args:
chdir: "/tmp/app/"
- name: Obtain name of generated package
shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
register: wazuhapp_package_name
changed_when: false
args:
chdir: "/tmp/app/build"
- name: Install Wazuh Plugin (can take a while)
shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint
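Review bot: The NodeSource setup script is fetched and then executed as root without any integrity check, so the build path's trust reduces to whatever that URL serves at run time; `get_url` should carry `checksum: "sha256:<expected-digest>"` (placeholder), or Node.js should come from a pinned repository definition instead of a downloaded installer. `changed_when: install_yarn_result == 0` compares the whole registered dict to `0` and is therefore always false; if the intent was to report on success it would be `install_yarn_result.rc == 0`, though that marks the task changed on every run, so dropping the line may be the honest choice. The `node_js_repo_type` fact set by the second task is not read anywhere in this file and looks like dead code, and all git/yarn work happens under the shared `/tmp`, which is acceptable on a dedicated build host but should be a `tempfile`-created directory on multi-user machines.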


@ -0,0 +1,133 @@
---
- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
fail:
msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
when:
- build_from_sources
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Reload systemd
systemd:
daemon_reload: true
ignore_errors: true
when:
- not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Install Kibana
package:
name: opendistroforelasticsearch-kibana
state: present
register: install
tags: install
- name: Remove Kibana configuration file
file:
path: "{{ kibana_conf_path }}/kibana.yml"
state: absent
when: install.changed
tags: install
- import_tasks: security_actions.yml
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
dest: "{{ kibana_conf_path }}/kibana.yml"
create: true
group: kibana
owner: kibana
mode: 0640
marker: "## {mark} Kibana general settings ##"
notify: restart kibana
tags:
- install
- configure
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: >-
NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install
{{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Kibana optimization (can take a while)
shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args:
executable: /bin/bash
become: yes
become_user: kibana
changed_when: false
tags:
- skip_ansible_lint
- name: Wait for Elasticsearch port
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
- name: Select correct API protocol
set_fact:
elastic_api_protocol: "{% if kibana_opendistro_security is defined and kibana_opendistro_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh"
method: DELETE
user: "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200, 404
- name: Create wazuh plugin config directory
file:
path: /usr/share/kibana/optimize/wazuh/config/
state: directory
recurse: yes
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Configure Wazuh Kibana Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Reload systemd configuration
systemd:
daemon_reload: true
- name: Ensure Kibana started and enabled
service:
name: kibana
enabled: true
state: started
- import_tasks: RMRedHat.yml
when: ansible_os_family == 'RedHat'
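Review bot: `wazuh.yml` is written with `mode: 0751`, which puts execute bits on a plain configuration file that — presumably, from `wazuh_api_credentials` in the defaults — carries the Wazuh API username and password; `mode: "0640"` with `owner: kibana` is the usual shape, and the directory task above it can keep `0751`. The `Attempting to delete legacy Wazuh index` task uses `validate_certs: no` with the admin password although this role already ships the node's own certificates; if `root-ca.pem` is added to the Kibana copy list the request can verify, and the task should in any case be `no_log: true`. `Kibana optimization` has no `creates:` guard and `changed_when: false`, so the slow optimize step re-runs on every play; a `creates:` on an artefact the optimize step itself produces would restore idempotence.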


@ -0,0 +1,13 @@
- block:
- name: Copy the certificates from local to the Kibana instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: /usr/share/kibana
mode: 0644
with_items:
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
tags:
- security
when: install.changed
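Review bot: `{{ inventory_hostname }}_http.key` is installed into `/usr/share/kibana` with `mode: 0644`, so the Kibana server's TLS private key is readable by every local account; copy the key with `mode: "0600"` (or `"0640"` with `group: kibana`) and `owner: kibana`, leaving `0644` for the `.pem` only. With no `owner:` set the files belong to the become user, so tightening the mode without also setting the owner would leave the `kibana` service unable to read its own key — change both together. The enclosing block is complete within the hunk.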


@ -0,0 +1,38 @@
# {{ ansible_managed }}
# Description:
# Default Kibana configuration for Open Distro.
server.port: {{ kibana_server_port }}
#server.basePath: ""
server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
server.name: {{ kibana_server_name }}
server.host: {{ kibana_server_host }}
{% if kibana_opendistro_security %}
elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% else %}
elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% endif %}
elasticsearch.username: {{ opendistro_kibana_user }}
elasticsearch.password: {{ opendistro_kibana_password }}
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
# OpenDistro Security
{% if kibana_opendistro_security %}
server.ssl.enabled: true
server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem"
server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"
{% endif %}
newsfeed.enabled: {{ kibana_newsfeed_enabled }}
telemetry.optIn: {{ kibana_telemetry_optin }}
telemetry.enabled: {{ kibana_telemetry_enabled }}
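Review bot: `elasticsearch.ssl.verificationMode: none` turns off certificate checking on the Kibana→Elasticsearch link even though the playbook generates a CA for the cluster; shipping `root-ca.pem` to the Kibana host (the `security_actions.yml` copy list is the place) and setting `elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]` with `verificationMode: full` closes that gap. `elasticsearch.password: {{ opendistro_kibana_password }}` is rendered unquoted, so a password such as `no` or `1e3`, or one containing `#` or `: `, changes type or breaks the file — render it as `elasticsearch.password: "{{ opendistro_kibana_password }}"`, and the same for `elasticsearch.username`. `server.ssl.key` has a doubled slash (`/usr/share/kibana//`), harmless but worth fixing alongside.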


@ -0,0 +1,134 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2019 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-3.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-3.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-3.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-3.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
user: {{ api['user'] }}
password: {{ api['password'] }}
{% endfor %}
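Review bot: The API entries rendered at the bottom of the template (`url`, `user`, `password` and the `id` key) are emitted as plain scalars, so a credential that starts with `*`, `&`, `#`, `[` or `{`, or that contains `: ` or ` #`, either breaks the rendered YAML or is silently retyped. Passing each value through `to_json` makes the scalar safe whatever it contains, e.g. `password: {{ api['password'] | to_json }}`, and the same treatment suits `url`, `user` and `port`. The `hosts:` key is also written unconditionally, so an empty `wazuh_api_credentials` renders `hosts:` with a null value rather than the list the commented example above shows; emitting `hosts: []` in a `{% else %}` branch keeps the type stable.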


@ -0,0 +1,39 @@
Ansible Role: Filebeat for Elastic Stack
------------------------------------
An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
```
License and copyright
---------------------
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-filebeat
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -0,0 +1,32 @@
---
filebeat_version: 7.7.0
wazuh_template_branch: v3.13.0
filebeat_create_config: true
filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
elasticsearch_security_user: admin
elasticsearch_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_security_user: admin
filebeat_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (OpenDistro security plugin)
local_certs_path: /tmp/opendistro-nodecerts
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
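Review bot: The defaults ship two overlapping credential pairs, `elasticsearch_security_user`/`elasticsearch_security_password` and `filebeat_security_user`/`filebeat_security_password`, both defaulting to `admin`/`changeme`, and only the first pair is consumed by `filebeat.yml.j2` in this commit; the second pair appears unused in the files shown here. Either drop the unused pair or document which one the template reads, so an operator who overrides `filebeat_security_password` does not believe the output credentials were changed. A comment above the pair that is used, `# Credentials Filebeat uses to write to Elasticsearch; override in inventory or a vault`, plus a README line stating that `changeme` is a placeholder, would make the expectation explicit. `filebeat_module_package_path: /tmp/` also deserves a comment, since `main.yml` unpacks the archive from that directory as root.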


@ -0,0 +1,3 @@
---
- name: restart filebeat
service: name=filebeat state=restarted
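Review bot: `service: name=filebeat state=restarted` uses the key=value shorthand, while the sibling handler in the filebeat role is converted to block YAML in this same commit; the new role should start out in the same form, with `service:` holding the nested keys `name: filebeat` and `state: restarted`.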


@ -0,0 +1,29 @@
---
dependencies: []
galaxy_info:
author: Wazuh
description: Installing and maintaining Filebeat-oss.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- all
- name: Debian
versions:
- jessie
- name: Ubuntu
versions:
- precise
- trusty
- xenial
galaxy_tags:
- web
- system
- monitoring
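Review bot: `min_ansible_version: 2.0` is parsed as a float, so the version reaches Galaxy as a number rather than a version string; quote it as `min_ansible_version: "2.0"`, and the numeric platform versions `- 6` and `- 7` are worth quoting for the same reason. The platform list (EL 6/7, Debian jessie, Ubuntu precise–xenial) is also narrower and older than the README's support list and omits Amazon Linux, which `RedHat.yml` names in its task title; aligning the two avoids advertising support that differs from what the tasks target.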


@ -0,0 +1,22 @@
---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt:
name:
- apt-transport-https
- ca-certificates
state: present
register: filebeat_ca_packages_install
until: filebeat_ca_packages_install is succeeded
- name: Debian/Ubuntu | Add Elasticsearch apt key.
apt_key:
url: "{{ elasticrepo.gpg }}"
id: "{{ elasticrepo.key_id }}"
state: present
- name: Debian/Ubuntu | Add Filebeat-oss repository.
apt_repository:
repo: "deb {{ elasticrepo.apt }} stable main"
state: present
update_cache: true
changed_when: false
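Review bot: `changed_when: false` on the `apt_repository` task (and on the repository tasks in `RedHat.yml`, `RMDebian.yml` and `RMRedHat.yml` added by this commit) hides a real configuration change, adding or removing a package source, from play output and check mode, so an unexpected repository change on a host never shows up as changed. Drop the override and let the module report normally; if the intent was only to silence the `update_cache` refresh, a separate `apt: update_cache: true` task with `changed_when: false` achieves that without masking the repository itself. The `apt_key` task also lacks the `register`/`until` retry that the package install has, although the key fetch is the more network-dependent step.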


@ -0,0 +1,6 @@
---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository:
repo: "deb {{ elasticrepo.apt }} stable main"
state: absent
changed_when: false


@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository:
name: elastic_oss-repo_7
state: absent
changed_when: false


@ -0,0 +1,9 @@
---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository:
name: elastic_oss-repo_7
description: Elastic repository for 7.x packages
baseurl: "{{ elasticrepo.yum }}"
gpgkey: "{{ elasticrepo.gpg }}"
gpgcheck: true
changed_when: false


@ -0,0 +1,22 @@
---
- block:
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
- name: Fetch latest Wazuh alerts template
get_url:
url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags:
- configure
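Review bot: The `get_url` that fetches `wazuh-template.json` from `raw.githubusercontent.com` has no `checksum:`, so the index template Filebeat loads (`setup.template.json.path` in `filebeat.yml.j2`) is trusted from the network on every run with TLS as the only protection; the equivalent task added to the filebeat role's `config.yml` later in this commit has the same gap. Pinning it with `checksum: sha256:<TEMPLATE_SHA256_PLACEHOLDER>` for the shipped `wazuh_template_branch`, or vendoring the file with the role as the removed `elasticsearch.yml.j2` template did, removes the run-time dependency on GitHub and keeps the task idempotent offline. Both `mode: 0400` values are unquoted octals; Ansible accepts them, but `mode: "0400"` is the documented form and avoids the leading-zero trap when someone later writes `400`.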


@ -0,0 +1,67 @@
---
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat
package:
name: filebeat
state: present
register: install
tags:
- install
- init
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpack Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
notify: restart filebeat
- include_tasks: security_actions.yml
when: filebeat_security
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"
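Review bot: `register: filebeat_module_folder` on the stat task replaces the role default of the same name with the stat result, so the later `file: dest={{ filebeat_module_folder }}` renders the result dictionary instead of the module path; the filebeat role's `main.yml` hunk in this same commit renames its register to `filebeat_module_folder_info` for exactly this reason, but the new role keeps the collision. That same task sets `mode=u=rwX,g=rwX,o=rwX`, which makes `/usr/share/filebeat/module/wazuh` and the pipeline definitions under it world-writable although the task name says 0755, so any local account could alter what root-run Filebeat loads. The `get_url` download has no `checksum:` and, with `filebeat_module_package_path` defaulting to `/tmp/`, the archive is unpacked as root out of a world-writable directory. Renaming the register, using `mode: "0755"` and adding a checksum addresses all three; the repository removal at the end (`RMRedHat.yml`/`RMDebian.yml`) also means Filebeat receives no further package updates, which deserves a comment stating that it is intentional.
```yaml
- name: Checking if Filebeat Module folder file exists
  stat:
    path: "{{ filebeat_module_folder }}"
  register: filebeat_module_folder_info
- name: Download Filebeat module package
  get_url:
    url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
    dest: "{{ filebeat_module_package_path }}"
    checksum: "sha256:<MODULE_SHA256_PLACEHOLDER>"
  when: not filebeat_module_folder_info.stat.exists
# … unarchive task unchanged except its `when` now tests filebeat_module_folder_info …
- name: Setting 0755 permission for Filebeat module folder
  file:
    path: "{{ filebeat_module_folder }}"
    mode: "0755"
    recurse: true
  when: not filebeat_module_folder_info.stat.exists
# … unchanged: package cleanup, config import, security tasks, service, repo removal …
```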


@ -0,0 +1,28 @@
- block:
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
mode: 0644
with_items:
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "root-ca.pem"
- name: Ensuring folder & certs permissions
file:
path: "{{ filebeat_ssl_dir }}/"
mode: 0774
state: directory
recurse: yes
tags:
- security
when:
- filebeat_security
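Review bot: The copy task installs `{{ inventory_hostname }}.key`, Filebeat's private TLS key, with `mode: 0644`, and the following task then applies `mode: 0774` with `recurse: yes` to everything under `filebeat_ssl_dir`, so the key ends up world-readable and group-writable. The copies set no `owner`, so the files presumably belong to root; `mode: "0600"` on the key (a separate copy task, or a per-item mode with the certificates at `"0644"`) and a non-recursive `mode: "0750"` on the directory keeps the key private, and the filebeat role's `main.yml` hunk in this commit already moves to `mode: 0770` with `recurse: no` for the same reason. The file also lacks the `---` document start the other task files in this role use.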


@ -0,0 +1,32 @@
# Wazuh - Filebeat configuration file
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
{% if filebeat_security %}
username: {{ elasticsearch_security_user }}
password: {{ elasticsearch_security_password }}
protocol: https
ssl.certificate_authorities:
- {{ filebeat_ssl_dir }}/root-ca.pem
ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem"
ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key"
{% endif %}
# Optional. Send events to Logstash instead of Elasticsearch
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
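Review bot: `username: {{ elasticsearch_security_user }}` and `password: {{ elasticsearch_security_password }}` are rendered as plain scalars, so a password with a leading `*`, `&`, `#` or `[`, an embedded `: ` or ` #`, or one that looks like a number or boolean is broken or retyped by Filebeat's YAML loader; `password: {{ elasticsearch_security_password | to_json }}` (and the same for `username`) makes the rendered value safe, as `hosts:` already does. The `ssl.certificate_authorities` entry should be quoted the same way as `ssl.certificate` and `ssl.key` beneath it. The header comment `# Wazuh - Filebeat configuration file` is duplicated on the first two lines.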


@ -28,7 +28,7 @@ Available variables are listed below, along with default values (see `defaults/m
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy


@ -1,5 +1,7 @@
---
filebeat_version: 7.6.2
filebeat_version: 7.7.0
wazuh_template_branch: v3.13.0
filebeat_create_config: true
@ -22,10 +24,8 @@ filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
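Review bot: The second hunk drops `filebeat_ssl_dir`, `filebeat_ssl_certificate_file`, `filebeat_ssl_key_file` and `filebeat_ssl_insecure` from the defaults without a deprecation path, so an inventory that still sets them is silently ignored and the role falls back to whatever `filebeat_xpack_security` configures. Since the CHANGELOG only mentions the template fetch and the X-Pack certificate path fix, a line there and in the role README naming the removed variables and their replacement (presumably `node_certs_destination`, which the `main.yml` hunks below copy into) would prevent surprises after upgrade.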


@ -1,3 +1,5 @@
---
- name: restart filebeat
service: name=filebeat state=restarted
service:
name: filebeat
state: restarted


@ -9,31 +9,12 @@
notify: restart filebeat
tags: configure
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
- name: Fetch latest Wazuh alerts template
get_url:
url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags: configure
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
when: filebeat_ssl_key_file
tags: configure
- name: Copy SSL key and cert for filebeat.
copy:
src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0400
with_items:
- "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}"
notify: restart filebeat
when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
tags: configure


@ -30,6 +30,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: root
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
@ -44,6 +46,8 @@
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
owner: root
group: root
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
@ -57,9 +61,9 @@
- name: Ensuring folder & certs permissions
file:
path: "{{ node_certs_destination }}/"
mode: 0774
mode: 0770
state: directory
recurse: yes
recurse: no
when:
- filebeat_xpack_security
tags: xpack-security
@ -67,25 +71,29 @@
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
register: filebeat_module_folder_info
- name: Download, uncompress and apply permissions for Filebeat
block:
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
- name: Unpakcing Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Unpacking Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file:
path: "{{ filebeat_module_folder }}"
mode: 0755
recurse: yes
when: not filebeat_module_folder_info.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
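Review bot: `mode: 0755` with `recurse: yes` in the permissions task sets 0755 on every file under the module folder as well as on the directories, so the pipeline JSON and YAML files gain the execute bit; the symbolic form `mode: "u=rwX,go=rX"` gives 0755 to directories and 0644 to files, which is what the task name intends. The block-level `when: not filebeat_module_folder_info.stat.exists` is the right guard, and the hunk ends on the `stat:` of the following task, whose body continues outside the hunk. `0755`, `0770` and `0440` are all unquoted octals in this section; Ansible handles them, but the quoted form is the documented one.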



@ -1,3 +0,0 @@
---
- src: geerlingguy.java
- src: geerlingguy.elasticsearch


@ -1,20 +0,0 @@
---
- hosts: all
pre_tasks:
- name: Update apt cache.
apt:
cache_valid_time: 600
when: ansible_os_family == 'Debian'
- name: Install test dependencies (RedHat).
package: name=which state=present
when: ansible_os_family == 'RedHat'
- name: Install test dependencies.
package: name=curl state=present
roles:
- geerlingguy.java
- geerlingguy.elasticsearch
- role_under_test


@ -1,5 +1,5 @@
---
wazuh_agent_version: 3.12.3-1
wazuh_agent_version: 3.13.0-1
# Custom packages installation
@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
wazuh_agent_sources_installation:
enabled: false
branch: "v3.12.3"
branch: "v3.13.0"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
@ -21,7 +21,7 @@ wazuh_agent_sources_installation:
user_enable_active_response: "y"
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_openscap: "n"
user_enable_sca: "y"
user_enable_authd: "y"
user_generate_authd_cert: "n"
@ -39,6 +39,7 @@ wazuh_managers:
api_port: 55000
api_proto: 'http'
api_user: null
wazuh_api_reachable_from_agent: false
wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes'
@ -63,9 +64,9 @@ wazuh_winagent_config:
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_md5: True
md5: 4ae4e930d3ae9d572b07cd9e7207d783
wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi
wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi
md5: d0f13c0c417c74ccbad7b45f66518513
wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.0-1.msi
wazuh_winagent_package_name: wazuh-agent-3.13.0-1.msi
wazuh_agent_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
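Review bot: `wazuh_api_reachable_from_agent: false` is added without any comment, and its effect, choosing whether the API registration tasks in `Linux.yml` run on the controller (`delegate_to: localhost`) or on the agent host itself, is not obvious from the name. A comment above it such as `# true: the agent host calls the manager API directly; false: the API calls are delegated to localhost (the controller)` would help, and the variable should appear in the role README next to `wazuh_managers`. `check_md5: True` should be the lowercase `true`; and since installer integrity is pinned by MD5 alone, moving to a SHA-256 checksum where the download module supports it is a worthwhile follow-up.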


@ -50,17 +50,25 @@
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
- name: Copy CA, SSL key and cert for authd
- name: Copy CA root certificate to verify authd
copy:
src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
dest: "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
mode: 0644
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- name: Copy TLS/SSL certificate for agent verification
copy:
src: "{{ item }}"
dest: "/var/ossec/etc/{{ item | basename }}"
mode: 0644
with_items:
- "{{ wazuh_agent_authd.ssl_agent_ca }}"
- "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}"
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- wazuh_agent_authd.ssl_agent_cert is not none
- wazuh_agent_authd.ssl_agent_key is not none
- name: Linux | Register agent (via authd)
shell: >
@ -123,17 +131,17 @@
user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}"
register: newagent_api
notify: restart wazuh-agent
# changed_when: newagent_api.json.error == 0
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}"
delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
become: no
changed_when: newagent_api.json.error == 0
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
become: false
ignore_errors: true
- wazuh_managers.0.address is not none
tags:
- config
- api
- name: Linux | Retieve new agent data via rest-API
- name: Linux | Retrieve new agent data via rest-API
uri:
url: >-
"{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address
@ -148,8 +156,11 @@
- wazuh_agent_authd.registration_address is not none
- newagent_api.json.error == 0
register: newagentdata_api
delegate_to: localhost
become: false
delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
become: no
tags:
- config
- api
- name: Linux | Register agent (via rest-API)
command: /var/ossec/bin/manage_agents
@ -164,7 +175,7 @@
when:
- not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- newagent_api.changed
- newagent_api.json.error == 0
notify: restart wazuh-agent
when:
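Review bot: The new `Copy TLS/SSL certificate for agent verification` task installs the agent's private key (`wazuh_agent_authd.ssl_agent_key`) with `mode: 0644`, leaving it world-readable under `/var/ossec/etc`; only the CA and the certificate need to be broadly readable, and the key should get `mode: "0640"` with `group: ossec` (the owner/group pattern the manager role's ruleset tasks in this commit use) or `"0600"` if no non-root reader exists. Splitting the key into its own copy task keeps the `with_items` loop for the public material at 0644. In the API registration hunks, `become: no` is written where neighbouring tasks use `become: false`; pick one spelling, and consider hoisting the duplicated `delegate_to` expression into a single variable so both `uri` tasks stay in step.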


@ -69,7 +69,7 @@
{% endif %}
{% if ansible_system == "Linux" %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
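Review bot: The new guard compares `wazuh_agent_config.openscap.disable` with the literal string `'no'`, so a boolean or differently cased value (`No`, `false`) silently omits the whole `<wodle name="open-scap">` block instead of rendering it with `<disabled>` set, whereas the previous form always rendered the block and let Wazuh read the value. If the intent is to skip the wodle only when it is disabled, `wazuh_agent_config.openscap.disable | lower != 'yes'` is more tolerant, and the expected type of the variable should be documented next to its default. The matching `{% endif %}` lies outside the hunk.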


@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi


@ -1,5 +1,5 @@
---
wazuh_manager_version: 3.12.3-1
wazuh_manager_version: 3.13.0-1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.
# Sources installation
wazuh_manager_sources_installation:
enabled: false
branch: "v3.12.3"
branch: "v3.13.0"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
@ -24,7 +24,7 @@ wazuh_manager_sources_installation:
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_openscap: "n"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
@ -40,7 +40,7 @@ wazuh_manager_sources_installation:
wazuh_api_sources_installation:
enabled: false
branch: "v3.12.3"
branch: "v3.13.0"
update: "y"
remove: "y"
directory: null


@ -123,7 +123,7 @@
path: /var/ossec/api/app.js
register: wazuh_api
when:
- wazuh_manager_config.cluster.node_type == "master"
- wazuh_manager_config.cluster.node_type == "master" or wazuh_manager_config.cluster.node_type == "worker"
- name: Install Wazuh API from sources
block:
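Review bot: Widening the `when` to `master` or `worker` means the API is installed on every cluster node, which also multiplies the hosts that expose an API listener and hold API credentials; if that is intended, the condition reads better as `wazuh_manager_config.cluster.node_type in ['master', 'worker']`, and the README should state that workers now run the API too. The task's preceding lines and the following `block` continue outside the hunk.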


@ -106,7 +106,7 @@
- name: Installing the local_rules.xml (default local_rules.xml)
template: src=var-ossec-rules-local_rules.xml.j2
dest=/var/ossec/etc/rules/local_rules.xml
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
@ -118,7 +118,7 @@
- name: Adding local rules files
copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
dest=/var/ossec/etc/rules/
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
@ -130,7 +130,7 @@
- name: Installing the local_decoder.xml
template: src=var-ossec-rules-local_decoder.xml.j2
dest=/var/ossec/etc/decoders/local_decoder.xml
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
@ -142,7 +142,7 @@
- name: Adding local decoders files
copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
dest=/var/ossec/etc/decoders/
owner=root
owner=ossec
group=ossec
mode=0640
notify: restart wazuh-manager
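Review bot: Changing `owner=root` to `owner=ossec` on `local_rules.xml`, `local_decoder.xml` and the custom rules/decoders directories gives the `ossec` service account write access to its own detection logic (the files stay `mode=0640`), so a process running as `ossec` could rewrite or blank rules without root, whereas the previous `root:ossec 0640` layout let the daemons read but not modify them. If write access is required (presumably for API-driven rule editing), a short comment above the first task such as `# owner ossec so the API can manage local rules; widens what the service account can alter` records the trade-off; otherwise keep root ownership. The four tasks also spread the `key=value` shorthand across lines, which reads poorly next to the block-YAML tasks elsewhere in this commit.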