afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'feature-126-delegate-registration' into 126-agent-registration

Browse Source
This commit is contained in:
Manuel J. Bernal 2020-05-12 21:47:29 +02:00 committed by GitHub
commit 8b278f316b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
115 changed files with 7782 additions and 2678 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -4,5 +4,7 @@ wazuh-elastic_stack-distributed.yml
wazuh-elastic_stack-single.yml wazuh-elastic_stack-single.yml
wazuh-elastic.yml wazuh-elastic.yml
wazuh-kibana.yml wazuh-kibana.yml
wazuh-logstash.yml
wazuh-manager.yml wazuh-manager.yml
*.pyc
Pipfile.lock
*.swp

16
.yamllint Normal file
View File

@ -0,0 +1,16 @@
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
# NOTE(retr0h): Templates no longer fail this lint rule.
# Uncomment if running old Molecule templates.
# truthy: disable
ignore: |
.travis.yml
config.yml

299
CHANGELOG.md Normal file → Executable file
View File

@ -1,6 +1,303 @@
# Change Log # Change Log
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
## [v3.12.3_7.6.2]
### Added
- Update to Wazuh v3.12.2
- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413)
### Changed
- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412)
- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410)
## [v3.12.2_7.6.2]
### Added
- Update to Wazuh v3.12.2
### Fixed
- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404)
- Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401)
- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400)
## [v3.12.0_7.6.1]
### Added
- Update to Wazuh v3.12.0
- Added registration address variable to wazuh-agent playbook ([@Zenidd](https://github.com/Zenidd)) [PR#392](https://github.com/wazuh/wazuh-ansible/pull/392)
### Changed
- Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386)
- Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383)
- Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393)
- Add the option to create agent groups and add an agent to 1 or more group. ([@rshad](https://github.com/rshad)) [PR#361](https://github.com/wazuh/wazuh-ansible/pull/361)
### Fixed
- Removed bad formed XML comments. ([@manuasir](https://github.com/manuasir)) [PR#391](https://github.com/wazuh/wazuh-ansible/pull/391)
- NodeJS node_options variable and Kibana plugin optimization fix. ([@Zenidd](https://github.com/Zenidd)) [PR#385](https://github.com/wazuh/wazuh-ansible/pull/385)
- Restrictive permissions for certificate files. ([@Zenidd](https://github.com/Zenidd)) [PR#382](https://github.com/wazuh/wazuh-ansible/pull/382)
## [v3.11.4_7.6.1]
### Added
- Update to Wazuh v3.11.4
- Support for RHEL/CentOS 8 ([@jm404](https://github.com/jm404)) [PR#377](https://github.com/wazuh/wazuh-ansible/pull/377)
### Changed
- Disabled shared configuration by default ([@jm404](https://github.com/jm404)) [PR#369](https://github.com/wazuh/wazuh-ansible/pull/369)
- Add chdir argument to Wazuh Kibana Plugin installation tasks ([@jm404](https://github.com/jm404)) [PR#375](https://github.com/wazuh/wazuh-ansible/pull/375)
- Adjustments for systems without (direct) internet connection ([@joschneid](https://github.com/joschneid)) [PR#348](https://github.com/wazuh/wazuh-ansible/pull/348)
### Fixed
- Avoid to install Wazuh API in worker nodes ([@manuasir](https://github.com/manuasir)) [PR#371](https://github.com/wazuh/wazuh-ansible/pull/371)
- Conditionals of custom Wazuh packages installation tasks ([@rshad](https://github.com/rshad)) [PR#372](https://github.com/wazuh/wazuh-ansible/pull/372)
- Fix Ansible elastic_stack-distributed template ([@francobep](https://github.com/francobep)) [PR#352](https://github.com/wazuh/wazuh-ansible/pull/352)
- Fix manager API verification ([@Zenidd](https://github.com/Zenidd)) [PR#360](https://github.com/wazuh/wazuh-ansible/pull/360)
## [v3.11.3_7.5.2]
### Added
- Update to Wazuh v3.11.3
### Fixed
- Fix Wazuh Agent configuration file for RHEL 8 ([@xr09](https://github.com/xr09)) [PR#354](https://github.com/wazuh/wazuh-ansible/pull/354)
- Fix default port used in Wazuh Agent playbook ([@jm404](https://github.com/jm404)) [PR#347](https://github.com/wazuh/wazuh-ansible/pull/347)
## [v3.11.2_7.5.1]
### Added
- Update to Wazuh v3.11.2
### Changed
- Update templates for Python 3 compatibility ([@xr09](https://github.com/xr09)) [PR#344](https://github.com/wazuh/wazuh-ansible/pull/344)
## [v3.11.1_7.5.1]
### Added
- Update to Wazuh v3.11.1
## [v3.11.0_7.5.1]
### Added
- Update to Wazuh v3.11.0
- Implemented changes to configure Wazuh API using the `wazuh.yml` file ([@xr09](https://github.com/xr09)) [PR#342](https://github.com/wazuh/wazuh-ansible/pull/342)
- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302)
- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252)
- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261)
- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270)
- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260)
- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281)
- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292)
### Changed
- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285)
- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286)
- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288)
- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304)
- Agent installation task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310)
- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320)
- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330)
- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329)
### Fixed
- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251)
- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298)
- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299)
- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
## [v3.11.0_7.3.2]
### Added
- Update to Wazuh v3.11.0
### Changed
- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b)
- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246)
### Fixed
- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36)
## [v3.10.0_7.3.2]
### Added
- Update to Wazuh v3.10.0
### Changed
- Updated Kibana [@jm404](https://github.com/jm404) [#237](https://github.com/wazuh/wazuh-ansible/pull/237)
- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222)
- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files)
- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455)
### Fixed
- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227)
- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229)
- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)
### Fixed
- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265)
## [v3.9.5_7.2.1]
### Added
- Update to Wazuh v3.9.5
- Update to Elastic Stack to v7.2.1
## [v3.9.4_7.2.0]
### Added
- Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208)
### Changed
- Default protocol to TCP [@ionphractal](https://github.com/ionphractal) [#204](https://github.com/wazuh/wazuh-ansible/pull/204).
### Fixed
- Fixed network.host is not localhost [@rshad](https://github.com/rshad) [#204](https://github.com/wazuh/wazuh-ansible/pull/212).
## [v3.9.3_7.2.0]
### Added
- Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Wazuh components installations' related issues. Such issues were related to determined OS distributions such as `Ubuntu Trusty` and `CetOS 6`. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Created Ansible playbook and role in order to automate the uninstallation of already installed Wazuh components. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
## [v3.9.2_7.1.1]
### Added
- Update to Wazuh v3.9.2
- Support for Elastic 7
- Ability to deploy an Elasticsearch cluster [#6b95e3](https://github.com/wazuh/wazuh-ansible/commit/6b95e304b6ac4dfec08df5cd0fe29be9cc7dc22c)
## [v3.9.2_6.8.0]
### Added
- Update to Wazuh v3.9.2
## [v3.9.1]
### Added
- Update to Wazuh v3.9.1
- Support for ELK v6.8.0
## [v3.9.0]
### Added
- Update to Wazuh Wazuh v3.9.0 ([manuasir](https://github.com/manuasir) [#177](https://github.com/wazuh/wazuh-ansible/pull/177)).
- Support for Elasticsearch v6.7.1 ([LuisGi91](https://github.com/LuisGi91) [#168](https://github.com/wazuh/wazuh-ansible/pull/168)).
- Added Molecule testing suit ([JJediny](https://github.com/JJediny) [#151](https://github.com/wazuh/wazuh-ansible/pull/151)).
- Added Molecule tests for Wazuh Manager ([dj-wasabi](https://github.com/dj-wasabi) [#169](https://github.com/wazuh/wazuh-ansible/pull/169)).
- Added Molecule tests for Wazuh Agent ([dj-wasabi](https://github.com/dj-wasabi) [#174](https://github.com/wazuh/wazuh-ansible/pull/174)).
### Changed
- Updated network commands ([kravietz](https://github.com/kravietz) [#159](https://github.com/wazuh/wazuh-ansible/pull/159)).
- Enable active response section ([kravietz](https://github.com/kravietz) [#155](https://github.com/wazuh/wazuh-ansible/pull/155)).
### Fixed
- Fix default active response ([LuisGi93](https://github.com/LuisGi93) [#164](https://github.com/wazuh/wazuh-ansible/pull/164)).
- Changing from Oracle Java to OpenJDK ([LuisGi93](https://github.com/LuisGi93) [#173](https://github.com/wazuh/wazuh-ansible/pull/173)).
- Adding alias to agent config file template ([LuisGi93](https://github.com/LuisGi93) [#163](https://github.com/wazuh/wazuh-ansible/pull/163)).
## [v3.8.2]
### Changed
- Update to Wazuh version v3.8.2. ([#150](https://github.com/wazuh/wazuh-ansible/pull/150))
## [v3.8.1]
### Changed
- Update to Wazuh version v3.8.1. ([#148](https://github.com/wazuh/wazuh-ansible/pull/148))
## [v3.8.0]
### Added
- Added custom name for single agent registration ([#117](https://github.com/wazuh/wazuh-ansible/pull/117))
- Adapt ossec.conf file for windows agents ([#118](https://github.com/wazuh/wazuh-ansible/pull/118))
- Added labels to ossec.conf ([#135](https://github.com/wazuh/wazuh-ansible/pull/135))
### Changed
- Changed Windows installation directory ([#116](https://github.com/wazuh/wazuh-ansible/pull/116))
- move redundant tags to the outer block ([#133](https://github.com/wazuh/wazuh-ansible/pull/133))
- Adapt new version (3.8.0-6.5.4) ([#144](https://github.com/wazuh/wazuh-ansible/pull/144))
### Fixed
- Fixed a couple linting issues with yamllint and ansible-review ([#111](https://github.com/wazuh/wazuh-ansible/pull/111))
- Fixes typos: The word credentials doesn't have two consecutive e's ([#130](https://github.com/wazuh/wazuh-ansible/pull/130))
- Fixed multiple remote connection ([#120](https://github.com/wazuh/wazuh-ansible/pull/120))
- Fixed null value for wazuh_manager_fqdn ([#132](https://github.com/wazuh/wazuh-ansible/pull/132))
- Erasing extra spaces in playbooks ([#131](https://github.com/wazuh/wazuh-ansible/pull/131))
- Fixed oracle java cookies ([#143](https://github.com/wazuh/wazuh-ansible/pull/143))
### Removed
- delete useless files from wazuh-manager role ([#137](https://github.com/wazuh/wazuh-ansible/pull/137))
## [v3.7.2] ## [v3.7.2]
### Changed ### Changed
@ -59,10 +356,8 @@ Ansible starting point.
Roles: Roles:
- Elastic Stack: - Elastic Stack:
- ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it. - ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it.
- ansible-logstash: This role involves the installation of logstash on the host that runs it.
- ansible-kibana: Using this role we will install Kibana on the host that runs it. - ansible-kibana: Using this role we will install Kibana on the host that runs it.
- Wazuh: - Wazuh:
- ansible-filebeat: This role is prepared to install filebeat on the host that runs it. - ansible-filebeat: This role is prepared to install filebeat on the host that runs it.
- ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it. - ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it.
- ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it. - ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it.

27
README.md
View File

@ -1,6 +1,6 @@
# Wazuh-Ansible # Wazuh-Ansible
[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12) [![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh) [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com) [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com) [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
@ -18,7 +18,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
│ ├── roles │ ├── roles
│ │ ├── elastic-stack │ │ ├── elastic-stack
│ │ │ ├── ansible-elasticsearch │ │ │ ├── ansible-elasticsearch
│ │ │ ├── ansible-logstash
│ │ │ ├── ansible-kibana │ │ │ ├── ansible-kibana
│ │ │ │
│ │ ├── wazuh │ │ ├── wazuh
@ -35,7 +34,6 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
│ │ ├── wazuh-elastic_stack-distributed.yml │ │ ├── wazuh-elastic_stack-distributed.yml
│ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-elastic_stack-single.yml
│ │ ├── wazuh-kibana.yml │ │ ├── wazuh-kibana.yml
│ │ ├── wazuh-logstash.yml
│ │ ├── wazuh-manager.yml │ │ ├── wazuh-manager.yml
│ ├── README.md │ ├── README.md
@ -48,6 +46,29 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
* `stable` branch on correspond to the last Wazuh-Ansible stable version. * `stable` branch on correspond to the last Wazuh-Ansible stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch. * `master` branch contains the latest code, be aware of possible bugs on this branch.
## Testing
1. Get the `wazuh-ansible` folder from the `wazuh-qa` [repository](https://github.com/wazuh/wazuh-qa/tree/master/ansible/wazuh-ansible).
```
git clone https://github.com/wazuh/wazuh-qa
```
2. Copy the `Pipfile` and the `molecule` folder into the root wazuh-ansible directory:
```
cp wazuh-qa/ansible/wazuh-ansible/* . -R
```
3. Follow these steps for launching the tests. Check the Pipfile for running different scenarios:
```
pip install pipenv
sudo pipenv install
pipenv run test
pipenv run agent
```
## Contribute ## Contribute
If you want to contribute to our repository, please fork our Github repository and submit a pull request. If you want to contribute to our repository, please fork our Github repository and submit a pull request.

4
VERSION
View File

@ -1,2 +1,2 @@
WAZUH-ANSIBLE_VERSION="v3.7.2" WAZUH-ANSIBLE_VERSION="v4"
REVISION="3712" REVISION="31220"

4
playbooks/wazuh-agent.yml
View File

@ -1,6 +1,7 @@
---
- hosts: <your wazuh agents hosts> - hosts: <your wazuh agents hosts>
roles: roles:
- /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-agent - ../roles/wazuh/ansible-wazuh-agent
vars: vars:
wazuh_managers: wazuh_managers:
- address: <your manager IP> - address: <your manager IP>
@ -10,6 +11,7 @@
api_proto: 'http' api_proto: 'http'
api_user: ansible api_user: ansible
wazuh_agent_authd: wazuh_agent_authd:
registration_address: <registration IP>
enable: true enable: true
port: 1515 port: 1515
ssl_agent_ca: null ssl_agent_ca: null

6
playbooks/wazuh-elastic.yml
View File

@ -1,3 +1,5 @@
- hosts: <your elasticsearch host> ---
- hosts: <YOUR_ELASTICSEARCH_IP>
roles: roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'your elasticsearch IP' } - role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: '<YOUR_ELASTICSEARCH_IP>'

96
playbooks/wazuh-elastic_stack-distributed.yml
View File

@ -1,9 +1,91 @@
- hosts: <your wazuh server host> ---
- hosts: <node-1 IP>
roles: roles:
- role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - role: ../roles/elastic-stack/ansible-elasticsearch
- { role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your elastic stack server IP' } elasticsearch_network_host: <node-1 IP>
- hosts: <your elastic stack server host> elasticsearch_node_name: node-1
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
elasticsearch_xpack_security: true
node_certs_generator: true
elasticsearch_xpack_security_password: elastic_pass
single_node: false
vars:
instances:
node1:
name: node-1 # Important: must be equal to elasticsearch_node_name.
ip: <node-1 IP> # When unzipping, the node will search for its node name folder to get the cert.
node2:
name: node-2
ip: <node-2 IP>
node3:
name: node-3
ip: <node-3 IP>
- hosts: <node-2 IP>
roles: roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost' } - role: ../roles/elastic-stack/ansible-elasticsearch
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost' } elasticsearch_network_host: <node-2 IP>
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } elasticsearch_node_name: node-2
single_node: false
elasticsearch_xpack_security: true
elasticsearch_master_candidate: true
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
- hosts: <node-3 IP>
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: <node-3 IP>
elasticsearch_node_name: node-3
single_node: false
elasticsearch_xpack_security: true
elasticsearch_master_candidate: true
elasticsearch_discovery_nodes:
- <node-1 IP>
- <node-2 IP>
- <node-3 IP>
# - hosts: 172.16.0.162
# roles:
# - role: ../roles/wazuh/ansible-wazuh-manager
# - role: ../roles/wazuh/ansible-filebeat
# filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
# filebeat_xpack_security: true
# filebeat_node_name: node-2
# node_certs_generator: false
# elasticsearch_xpack_security_password: elastic_pass
# - role: ../roles/elastic-stack/ansible-elasticsearch
# elasticsearch_network_host: 172.16.0.162
# node_name: node-2
# elasticsearch_bootstrap_node: false
# elasticsearch_master_candidate: true
# elasticsearch_discovery_nodes:
# - 172.16.0.161
# - 172.16.0.162
# elasticsearch_xpack_security: true
# node_certs_generator: false
# - hosts: 172.16.0.163
# roles:
# - role: ../roles/elastic-stack/ansible-kibana
# kibana_xpack_security: true
# kibana_node_name: node-3
# elasticsearch_network_host: 172.16.0.161
# node_certs_generator: false
# elasticsearch_xpack_security_password: elastic_pass

12
playbooks/wazuh-elastic_stack-single.yml
View File

@ -1,6 +1,8 @@
- hosts: <your single server host> ---
- hosts: <your server host>
roles: roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager } - {role: ../roles/wazuh/ansible-wazuh-manager}
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost' } - role: ../roles/wazuh/ansible-filebeat
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: 'localhost' } filebeat_output_elasticsearch_hosts: localhost:9200
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' } - {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
- { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: '0.0.0.0', elasticsearch_reachable_host: 'localhost' }

7
playbooks/wazuh-kibana.yml
View File

@ -1,3 +1,6 @@
- hosts: <your kibana host> ---
- hosts: <KIBANA_HOST>
roles: roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'your elasticsearch IP' } - role: ../roles/elastic-stack/ansible-kibana
elasticsearch_network_host: <YOUR_ELASTICSEARCH_IP>

3
playbooks/wazuh-logstash.yml
View File

@ -1,3 +0,0 @@
- hosts: <your logstash host>
roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-logstash, elasticsearch_network_host: ["localhost"] }

10
playbooks/wazuh-manager.yml
View File

@ -1,4 +1,8 @@
- hosts: <your wazuh server host> ---
- hosts: <WAZUH_MANAGER_HOST>
roles: roles:
- role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-wazuh-manager
- { role: /etc/ansible/roles/wazuh-ansible/roles/wazuh/ansible-filebeat, filebeat_output_logstash_hosts: 'your logstash IP' } - role: ../roles/wazuh/ansible-filebeat
filebeat_output_elasticsearch_hosts: <YOUR_ELASTICSEARCH_IP>:9200

4
playbooks/wazuh-opendistro.yml Normal file
View File

@ -0,0 +1,4 @@
---
- hosts: es-cluster
roles:
- role: ../roles/opendistro/opendistro-elasticsearch

97
roles/elastic-stack/ansible-elasticsearch/README.md
View File

@ -13,6 +13,8 @@ This role will work on:
* Debian * Debian
* Ubuntu * Ubuntu
For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master.
Role Variables Role Variables
-------------- --------------
@ -30,12 +32,105 @@ Defaults variables are listed below, along with its values (see `defaults/main.y
Example Playbook Example Playbook
---------------- ----------------
- Single-node
``` ```
- hosts: elasticsearch - hosts: elasticsearch
roles: roles:
- { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182', single_host: true }
``` ```
- Three nodes Elasticsearch cluster
```
---
- hosts: 172.16.0.161
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.161', elasticsearch_bootstrap_node: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- hosts: 172.16.0.162
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- hosts: 172.16.0.163
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
```
- Three nodes Elasticsearch cluster with XPack security
```
---
- hosts: elastic-1
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.111
elasticsearch_node_name: node-1
single_node: false
elasticsearch_node_master: true
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_xpack_security: true
node_certs_generator: true
node_certs_generator_ip: 172.16.0.111
vars:
instances:
node-1:
name: node-1
ip: 172.16.0.111
node-2:
name: node-2
ip: 172.16.0.112
node-3:
name: node-3
ip: 172.16.0.113
- hosts: elastic-2
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.112
elasticsearch_node_name: node-2
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
- hosts: elastic-3
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.113
elasticsearch_node_name: node-3
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
vars:
elasticsearch_xpack_users:
anne:
password: 'PasswordHere'
roles: '["kibana_user", "monitoring_user"]'
jack:
password: 'PasswordHere'
roles: '["superuser"]'
```
It is possible to define users directly on the playbook, these must be defined on a variable `elasticsearch_xpack_users` on the last node of the cluster as in the example.
License and copyright License and copyright
--------------------- ---------------------

45
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -1,10 +1,43 @@
--- ---
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200 elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1 elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null elasticsearch_jvm_xms: null
elastic_stack_version: 6.5.4 elastic_stack_version: 7.6.2
elasticsearch_shards: 5 elasticsearch_lower_disk_requirements: false
elasticsearch_replicas: 1
elasticsearch_install_java: yes elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
# Cluster Settings
single_node: true
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_bootstrap_node: false
elasticsearch_node_master: false
elasticsearch_cluster_nodes:
- 127.0.0.1
elasticsearch_discovery_nodes:
- 127.0.0.1
elasticsearch_node_data: true
elasticsearch_node_ingest: true
# X-Pack Security
elasticsearch_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/elasticsearch/certs
# CA generation
master_certs_path: /es_certs
generate_CA: true
ca_key_name: ""
ca_cert_name: ""
ca_password: ""

50
roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
View File

@ -1,50 +1,42 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
- when: elasticsearch_install_java
block:
- name: Debian/Ubuntu | Setting webupd8 repository
apt_repository:
repo: 'ppa:webupd8team/java'
codename: 'xenial'
update_cache: yes
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present state: present
cache_valid_time: 3600 register: elasticsearch_ca_packages_installed
tags: install until: elasticsearch_ca_packages_installed is succeeded
- name: Update and upgrade apt packages
become: true
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Add Elasticsearch GPG key. - name: Debian/Ubuntu | Add Elasticsearch GPG key.
apt_key: apt_key:
url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" url: "{{ elasticrepo.gpg }}"
id: "{{ elasticrepo.key_id }}"
state: present state: present
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' repo: "deb {{ elasticrepo.apt }} stable main"
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo_7'
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Install Elasticsarch - name: Debian/Ubuntu | Install Elasticsarch
apt: apt:
name: "elasticsearch={{ elastic_stack_version }}" name: "elasticsearch={{ elastic_stack_version }}"
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
register: elasticsearch_main_packages_installed
until: elasticsearch_main_packages_installed is succeeded
tags: install tags: install

3
roles/elastic-stack/ansible-elasticsearch/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Removing Elasticsearch repository - name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: "deb {{ elasticrepo.apt }} stable main"
state: absent state: absent
changed_when: false

3
roles/elastic-stack/ansible-elasticsearch/tasks/RMRedHat.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
state: absent state: absent
changed_when: false

26
roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
View File

@ -1,28 +1,14 @@
--- ---
- when: elasticsearch_install_java
block:
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: https://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jre-8u191-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when: oracle_java_task_rpm_download is defined
register: oracle_java_task_rpm_installed
tags: install
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
description: Elastic repository for 6.x packages description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: "{{ elasticrepo.yum }}"
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: "{{ elasticrepo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install Elasticsarch - name: RedHat/CentOS/Fedora | Install Elasticsarch
package: name=elasticsearch-{{ elastic_stack_version }} state=present package: name=elasticsearch-{{ elastic_stack_version }} state=present
when: not elasticsearch_install_java or oracle_java_task_rpm_installed is defined
tags: install tags: install

113
roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
View File

@ -48,16 +48,6 @@
- ansible_service_mgr != "systemd" - ansible_service_mgr != "systemd"
- ansible_os_family == "RedHat" - ansible_os_family == "RedHat"
- name: Configure Elasticsearch.
template:
src: elasticsearch.yml.j2
dest: /etc/elasticsearch/elasticsearch.yml
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
- name: Configure Elasticsearch JVM memmory. - name: Configure Elasticsearch JVM memmory.
template: template:
src: jvm.options.j2 src: jvm.options.j2
@ -68,46 +58,95 @@
notify: restart elasticsearch notify: restart elasticsearch
tags: configure tags: configure
- name: Reload systemd # fix in new PR (ignore_errors)
systemd: daemon_reload=yes
ignore_errors: yes - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- import_tasks: "xpack_security.yml"
when: when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - elasticsearch_xpack_security
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - name: Configure Elasticsearch.
template:
src: elasticsearch.yml.j2
dest: /etc/elasticsearch/elasticsearch.yml
owner: root
group: elasticsearch
mode: 0660
notify: restart elasticsearch
tags: configure
- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf
lineinfile:
path: /etc/security/limits.conf
line: elasticsearch - memlock unlimited
create: yes
become: true
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
changed_when: false
- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf
lineinfile:
path: /etc/security/limits.d/elasticsearch.conf
line: elasticsearch - memlock unlimited
create: yes
become: true
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Ensure Elasticsearch started and enabled - name: Ensure Elasticsearch started and enabled
service: service:
name: elasticsearch name: elasticsearch
enabled: yes enabled: true
state: started state: started
- name: Make sure Elasticsearch is running before proceeding
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: tags:
- configure - configure
- init - init
- name: Check for Wazuh Alerts template - name: Make sure Elasticsearch is running before proceeding
uri: wait_for: host={{ elasticsearch_reachable_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" tags:
method: GET - configure
status_code: 200, 404 - init
register: wazuh_alerts_template_exits
tags: init
- name: Installing Wazuh Alerts template
uri:
url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh"
method: PUT
status_code: 200
body_format: json
body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}"
when: wazuh_alerts_template_exits.status != 200
tags: init
- import_tasks: "RMRedHat.yml" - import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml" - import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Wait for Elasticsearch API
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_cluster/health/"
user: "elastic" # Default Elasticsearch user is always "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
when:
- elasticsearch_xpack_users is defined
- name: Create elasticsearch users
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}"
method: POST
body_format: json
user: "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }'
validate_certs: no
loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}"
register: http_response
failed_when: http_response.status != 200
when:
- elasticsearch_xpack_users is defined

197
roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml Normal file
View File

@ -0,0 +1,197 @@
- name: Check if certificate exists locally
stat:
path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
register: certificate_file_exists
- name: Write the instances.yml file in the selected node (force = no)
template:
src: instances.yml.j2
dest: "{{ node_certs_source }}/instances.yml"
force: no
register: instances_file_exists
tags:
- config
- xpack-security
when:
- node_certs_generator
- not certificate_file_exists.stat.exists
- name: Update instances.yml status after generation
stat:
path: "{{ node_certs_source }}/instances.yml"
register: instances_file_exists
when:
- node_certs_generator
- name: Check if the certificates ZIP file exists
stat:
path: "{{ node_certs_source }}/certs.zip"
register: xpack_certs_zip
when:
- node_certs_generator
- name: Importing custom CA key
copy:
src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
dest: "{{ node_certs_source }}/{{ ca_key_name }}"
mode: 0440
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Importing custom CA cert
copy:
src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
mode: 0440
when:
- not generate_CA
- node_certs_generator
tags: xpack-security
- name: Generating certificates for Elasticsearch security (generating CA)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
--in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml
--out {{ node_certs_source }}/certs.zip
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length == 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
command: >-
/usr/share/elasticsearch/bin/elasticsearch-certutil cert
--ca-key {{ node_certs_source }}/{{ ca_key_name }}
--ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
--pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
--ca-pass {{ ca_password }}
when:
- node_certs_generator
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length > 0
tags:
- xpack-security
- molecule-idempotence-notest
- name: Verify the Elastic certificates directory
file:
path: "{{ master_certs_path }}"
state: directory
mode: 0700
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Verify the Certificates Authority directory
file:
path: "{{ master_certs_path }}/ca/"
state: directory
mode: 0700
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Copying certificates to Ansible master
fetch:
src: "{{ node_certs_source }}/certs.zip"
dest: "{{ master_certs_path }}/"
flat: yes
mode: 0700
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Delete certs.zip in Generator node
file:
state: absent
path: "{{ node_certs_source }}/certs.zip"
when:
- node_certs_generator
tags: molecule-idempotence-notest
- name: Unzip generated certs.zip
unarchive:
src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/"
delegate_to: "127.0.0.1"
when:
- node_certs_generator
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
- "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
tags:
- xpack-security
- molecule-idempotence-notest
- name: Ensuring folder permissions
file:
path: "{{ node_certs_destination }}/"
mode: 0774
state: directory
recurse: yes
when:
- elasticsearch_xpack_security
- generate_CA
tags: xpack-security
- name: Set elasticsearch bootstrap password
shell: |
set -o pipefail
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
args:
executable: /bin/bash
when:
- node_certs_generator
tags: molecule-idempotence-notest

139
roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
View File

@ -1,89 +1,64 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: {{ elasticsearch_cluster_name }} cluster.name: {{ elasticsearch_cluster_name }}
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: {{ elasticsearch_node_name }} node.name: {{ elasticsearch_node_name }}
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: {{ elasticsearch_network_host }} network.host: {{ elasticsearch_network_host }}
#
# Set a custom port for HTTP: {% if single_node %}
# discovery.type: single-node
#http.port: 9200 {% elif elasticsearch_bootstrap_node %}
# node.master: true
# For more information, consult the network module documentation. cluster.initial_master_nodes:
# {% for item in elasticsearch_cluster_nodes %}
# --------------------------------- Discovery ---------------------------------- - {{ item }}
# {% endfor %}
# Pass an initial list of hosts to perform discovery when new node is started: discovery.seed_hosts:
# The default list of hosts is ["127.0.0.1", "[::1]"] {% for item in elasticsearch_discovery_nodes %}
# - {{ item }}
#discovery.zen.ping.unicast.hosts: ["host1", "host2"] {% endfor %}
# {% else %}
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): node.master: {{ elasticsearch_node_master|lower }}
# {% if elasticsearch_node_data|lower == 'false' %}
#discovery.zen.minimum_master_nodes: 3 node.data: false
# {% endif %}
# For more information, consult the zen discovery module documentation. {% if elasticsearch_node_ingest|lower == 'false' %}
# node.ingest: false
# ---------------------------------- Gateway ----------------------------------- {% endif %}
# discovery.seed_hosts:
# Block initial recovery after a full cluster restart until N nodes are started: {% for item in elasticsearch_discovery_nodes %}
# - {{ item }}
#gateway.recover_after_nodes: 3 {% endfor %}
# {% endif %}
# For more information, consult the gateway module documentation.
# {% if elasticsearch_lower_disk_requirements %}
# ---------------------------------- Various ----------------------------------- cluster.routing.allocation.disk.threshold_enabled: true
# cluster.routing.allocation.disk.watermark.flood_stage: 200mb
# Require explicit names when deleting indices: cluster.routing.allocation.disk.watermark.low: 500mb
# cluster.routing.allocation.disk.watermark.high: 300mb
#action.destructive_requires_name: true {% endif %}
{% if elasticsearch_xpack_security %}
# XPACK Security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key
xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt
{% if generate_CA == true %}
xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
{% elif generate_CA == false %}
xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ]
{% endif %}
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key
xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt
{% if generate_CA == true %}
xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ]
{% elif generate_CA == false %}
xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ]
{% endif %}
{% endif %}

17
roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 Normal file
View File

@ -0,0 +1,17 @@
# {{ ansible_managed }}
# TO-DO
{% if node_certs_generator %}
instances:
{% for (key,value) in instances.items() %}
- name: "{{ value.name }}"
{% if value.ip is defined and value.ip | length > 0 %}
ip:
- "{{ value.ip }}"
{% elif value.dns is defined and value.dns | length > 0 %}
dns:
- "{{ value.dns }}"
{% endif %}
{% endfor %}
{% endif %}

621
roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2
View File

@ -1,621 +0,0 @@
{
"order": 0,
"template": "wazuh-alerts-3.x-*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"cluster": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
},
"gdpr": {
"type": "keyword",
"doc_values": "true"
},
"gpg13": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"data": {
"properties": {
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"srcport": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
}

1679
roles/elastic-stack/ansible-elasticsearch/templates/wazuh-elastic7-template-alerts.json.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

49
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -1,8 +1,53 @@
--- ---
kibana_node_name: node-1
elasticsearch_http_port: "9200" elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1" elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0" kibana_server_host: "0.0.0.0"
kibana_server_port: "5601" kibana_server_port: "5601"
elastic_stack_version: 6.5.4 elastic_stack_version: 7.6.2
wazuh_version: 3.7.2 wazuh_version: 3.12.3
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "http://localhost"
port: 55000
user: "foo"
password: "bar"
# Xpack Security
kibana_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/kibana/certs
# CA Generation
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.12-7.6
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

20
roles/elastic-stack/ansible-kibana/tasks/Debian.yml
View File

@ -1,28 +1,32 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
state: present
register: kibana_installing_ca_package
until: kibana_installing_ca_package is succeeded
- name: Debian/Ubuntu | Add Elasticsearch GPG key - name: Debian/Ubuntu | Add Elasticsearch GPG key
apt_key: apt_key:
url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch" url: "{{ elasticrepo.gpg }}"
id: "{{ elasticrepo.key_id }}"
state: present state: present
- name: Debian/Ubuntu | Install Elastic repo - name: Debian/Ubuntu | Install Elastic repo
apt_repository: apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' repo: "deb {{ elasticrepo.apt }} stable main"
state: present state: present
filename: 'elastic_repo' filename: 'elastic_repo_7'
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Install Kibana - name: Debian/Ubuntu | Install Kibana
apt: apt:
name: "kibana={{ elastic_stack_version }}" name: "kibana={{ elastic_stack_version }}"
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
register: installing_kibana_package
until: installing_kibana_package is succeeded
tags: install tags: install

3
roles/elastic-stack/ansible-kibana/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Removing Elasticsearch repository - name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: "deb {{ elasticrepo.apt }} stable main"
state: absent state: absent
changed_when: false

3
roles/elastic-stack/ansible-kibana/tasks/RMRedHat.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Remove Elasticsearch repository (and clean up left-over metadata) - name: Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
state: absent state: absent
changed_when: false

13
roles/elastic-stack/ansible-kibana/tasks/RedHat.yml
View File

@ -1,12 +1,15 @@
--- ---
- name: RedHat/CentOS/Fedora | Install Elastic repo - name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
description: Elastic repository for 6.x packages description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: "{{ elasticrepo.yum }}"
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: "{{ elasticrepo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install Kibana - name: RedHat/CentOS/Fedora | Install Kibana
package: name=kibana-{{ elastic_stack_version }} state=present package: name=kibana-{{ elastic_stack_version }} state=present
register: installing_kibana_package
until: installing_kibana_package is succeeded
tags: install tags: install

76
roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml Normal file
View File

@ -0,0 +1,76 @@
---
- name: Ensure the Git package is present
package:
name: git
state: present
- name: Modify repo url if host is in Debian family
set_fact:
node_js_repo_type: deb
when:
- ansible_os_family | lower == "debian"
- name: Download script to install Nodejs repository
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh"
mode: 0700
- name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh
register: node_repo_installation_result
changed_when: false
- name: Install Nodejs
package:
name: nodejs
state: present
- name: Install yarn dependency to build the Wazuh Kibana Plugin
# Using shell due to errors when evaluating text between @ with command
shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
register: install_yarn_result
changed_when: install_yarn_result == 0
- name: Remove old wazuh-kibana-app git directory
file:
path: /tmp/app
state: absent
changed_when: false
- name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
register: clone_app_repo_result
changed_when: false
args:
chdir: "/tmp"
- name: Executing yarn to build the package
command: "{{ item }}"
with_items:
- "yarn"
- "yarn build"
register: yarn_execution_result
changed_when: false
args:
chdir: "/tmp/app/"
- name: Obtain name of generated package
shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
register: wazuhapp_package_name
changed_when: false
args:
chdir: "/tmp/app/build"
- name: Install Wazuh Plugin (can take a while)
shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint

182
roles/elastic-stack/ansible-kibana/tasks/main.yml
View File

@ -1,21 +1,77 @@
--- ---
- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
fail:
msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
when:
- build_from_sources
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- import_tasks: RedHat.yml - import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml - import_tasks: Debian.yml
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Make sure Elasticsearch is running before proceeding.
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
tags: configure
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd:
ignore_errors: yes daemon_reload: true
ignore_errors: true
when: when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
tags: xpack-security
when:
- kibana_xpack_security
- generate_CA
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key"
- "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- kibana_xpack_security
- not generate_CA
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
state: directory
recurse: yes
owner: kibana
group: kibana
when:
- kibana_xpack_security
tags: xpack-security
- name: Ensuring certificates folder owner
file:
path: "{{ node_certs_destination }}/"
mode: 0770
recurse: yes
when:
- kibana_xpack_security
notify: restart kibana
tags: xpack-security
- name: Kibana configuration - name: Kibana configuration
template: template:
@ -23,41 +79,115 @@
dest: /etc/kibana/kibana.yml dest: /etc/kibana/kibana.yml
owner: root owner: root
group: root group: root
mode: 0664 mode: 0644
notify: restart kibana notify: restart kibana
tags: configure tags: configure
- name: Checking Wazuh-APP version - name: Checking Wazuh-APP version
shell: "grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo" shell: >-
grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json
args: args:
executable: /bin/bash
removes: /usr/share/kibana/plugins/wazuh/package.json removes: /usr/share/kibana/plugins/wazuh/package.json
register: wazuh_app_verify register: wazuh_app_verify
changed_when: False changed_when: false
tags: install failed_when:
- wazuh_app_verify.rc != 0
- wazuh_app_verify.rc != 1
- name: Removing old Wazuh-APP - name: Removing old Wazuh-APP
command: /usr/share/kibana/bin/kibana-plugin remove wazuh command: /usr/share/kibana/bin/kibana-plugin --allow-root remove wazuh
when: wazuh_app_verify.stdout == "0" when: wazuh_app_verify.rc == 1
tags: install tags: install
- name: Removing bundles - name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent file:
when: wazuh_app_verify.stdout == "0" path: /usr/share/kibana/optimize/bundles
state: absent
when: wazuh_app_verify.rc == 1
tags: install tags: install
- name: Install Wazuh-APP (can take a while) - name: Explicitly starting Kibana to generate "wazuh-"
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args:
creates: /usr/share/kibana/plugins/wazuh/package.json
notify: restart kibana
tags: install
- name: Ensure Kibana started and enabled
service: service:
name: kibana name: kibana
enabled: yes state: started
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: >-
NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install
{{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
chdir: /usr/share/kibana
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Kibana optimization (can take a while)
shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
args:
executable: /bin/bash
become: yes
become_user: kibana
changed_when: false
tags:
- skip_ansible_lint
- name: Wait for Elasticsearch port
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
- name: Select correct API protocol
set_fact:
elastic_api_protocol: "{% if kibana_xpack_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh"
method: DELETE
user: "{{ elasticsearch_xpack_security_user }}"
password: "{{ elasticsearch_xpack_security_password }}"
validate_certs: no
status_code: 200, 404
- name: Create wazuh plugin config directory
file:
path: /usr/share/kibana/optimize/wazuh/config/
state: directory
recurse: yes
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Configure Wazuh Kibana Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/kibana/optimize/wazuh/config/wazuh.yml
owner: kibana
group: kibana
mode: 0751
changed_when: False
- name: Reload systemd configuration
systemd:
daemon_reload: true
- name: Ensure Kibana is started and enabled
service:
name: kibana
enabled: true
state: started state: started
- import_tasks: RMRedHat.yml - import_tasks: RMRedHat.yml

20
roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2
View File

@ -19,7 +19,11 @@ server.host: {{ kibana_server_host }}
#server.name: "your-hostname" #server.name: "your-hostname"
# The URL of the Elasticsearch instance to use for all your queries. # The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" {% if kibana_xpack_security %}
elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% else %}
elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
{% endif %}
# When this setting's value is true Kibana uses the hostname specified in the server.host # When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host # setting. When the value of this setting is false, Kibana uses the hostname of the host
@ -98,3 +102,17 @@ elasticsearch.url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_htt
# Set the interval in milliseconds to sample system and process performance # Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000. # metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000 #ops.interval: 5000
# Xpack Security
{% if kibana_xpack_security %}
elasticsearch.username: "{{ elasticsearch_xpack_security_user }}"
elasticsearch.password: "{{ elasticsearch_xpack_security_password }}"
server.ssl.enabled: true
server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key"
server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt"
{% if generate_CA == true %}
elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"]
{% elif generate_CA == false %}
elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"]
{% endif %}
{% endif %}

134
roles/elastic-stack/ansible-kibana/templates/wazuh.yml.j2 Normal file
View File

@ -0,0 +1,134 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2015-2019 Wazuh, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-3.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-3.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-3.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-3.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
user: {{ api['user'] }}
password: {{ api['password'] }}
{% endfor %}

53
roles/elastic-stack/ansible-logstash/README.md
View File

@ -1,53 +0,0 @@
Ansible Role: Logstash
----------------------
An Ansible Role that installs [Logstash](https://www.elastic.co/products/logstash)
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
```
---
logstash_create_config: true
logstash_input_beats: false
elasticsearch_network_host: "127.0.0.1"
elasticsearch_http_port: "9200"
elastic_stack_version: 5.5.0
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: ""
logstash_ssl_key_file: ""
```
Example Playbook
----------------
```
- hosts: logstash
roles:
- { role: ansible-role-logstash, elasticsearch_network_host: '192.168.33.182' }
```
License and copyright
---------------------
WAZUH Copyright (C) 2017 Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-elasticsearch
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

19
roles/elastic-stack/ansible-logstash/defaults/main.yml
View File

@ -1,19 +0,0 @@
---
logstash_create_config: true
logstash_input_beats: false
#You can introduce Multiples IPs
# elasticseacrh_network_host: ["Localhost1", "Localhost2", "Localhost3", ...]
elasticsearch_network_host: ["Localhost"]
elasticsearch_http_port: "9200"
elasticsearch_shards: 5
elasticsearch_replicas: 1
elastic_stack_version: 6.5.4
logstash_ssl: false
logstash_ssl_dir: /etc/pki/logstash
logstash_ssl_certificate_file: ""
logstash_ssl_key_file: ""
logstash_install_java: yes

3
roles/elastic-stack/ansible-logstash/handlers/main.yml
View File

@ -1,3 +0,0 @@
---
- name: restart logstash
service: name=logstash state=restarted

24
roles/elastic-stack/ansible-logstash/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Elasticsearch server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Fedora
versions:
- all
- name: Debian
versions:
- all
- name: Ubuntu
versions:
- all
galaxy_tags:
- web
- system
- monitoring

64
roles/elastic-stack/ansible-logstash/tasks/Debian.yml
View File

@ -1,64 +0,0 @@
---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt:
name: "{{ item }}"
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https
- ca-certificates
- when: logstash_install_java
block:
- name: Debian/Ubuntu | Setting webupd8 repository
apt_repository:
repo: 'ppa:webupd8team/java'
codename: 'xenial'
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: install
- name: Debian/Ubuntu | Add Elasticsearch GPG key
apt_key:
url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
state: present
- name: Debian/Ubuntu | Install Elasticsearch repo
apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main'
state: present
filename: 'elastic_repo'
- name: Debian/Ubuntu | Install Logstash
apt:
name: "logstash=1:{{ elastic_stack_version }}-1"
state: present
update_cache: yes
tags: install
- name: Debian/Ubuntu | Checking if wazuh-manager is installed
command: dpkg -l wazuh-manager
register: wazuh_manager_check_deb
when: logstash_input_beats == false
args:
warn: no
- name: Debian/Ubuntu | Add user logstash to group ossec
user:
name: logstash
groups: ossec
append: yes
when:
- logstash_input_beats == false
- wazuh_manager_check_deb.rc == 0

5
roles/elastic-stack/ansible-logstash/tasks/RMDebian.yml
View File

@ -1,5 +0,0 @@
---
- name: Debian/Ubuntu | Removing Elasticsearch repository
apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
state: absent

5
roles/elastic-stack/ansible-logstash/tasks/RMRedHat.yml
View File

@ -1,5 +0,0 @@
---
- name: RedHat/CentOS/Fedora | Remove logstash repository (and clean up left-over metadata)
yum_repository:
name: elastic_repo
state: absent

51
roles/elastic-stack/ansible-logstash/tasks/RedHat.yml
View File

@ -1,51 +0,0 @@
---
- when: logstash_install_java
block:
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: https://download.oracle.com/otn-pub/java/jdk/8u191-b12/2787e4a523244c269598db4e85c51e0c/jre-8u191-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when: oracle_java_task_rpm_download is defined
register: oracle_java_task_rpm_installed
tags: install
- name: RedHat/CentOS/Fedora | Install Logstash repo
yum_repository:
name: elastic_repo
description: Elastic repository for 6.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
gpgcheck: yes
- name: RedHat/CentOS/Fedora | Install Logstash
package: name=logstash-{{ elastic_stack_version }} state=present
when: not logstash_install_java or oracle_java_task_rpm_installed is defined
tags: install
- name: RedHat/CentOS/Fedora | Checking if wazuh-manager is installed
command: rpm -q wazuh-manager
register: wazuh_manager_check_rpm
when: logstash_input_beats == false
args:
warn: no
- name: RedHat/CentOS/Fedora | Add user logstash to group ossec
user:
name: logstash
groups: ossec
append: yes
when:
- logstash_input_beats == false
- wazuh_manager_check_rpm.rc == 0
- name: Amazon Linux change startup group
shell: sed -i 's/.*LS_GROUP=logstash.*/LS_GROUP=ossec/' /etc/logstash/startup.options
when:
- logstash_input_beats == false
- wazuh_manager_check_rpm.rc == 0
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"

27
roles/elastic-stack/ansible-logstash/tasks/config.yml
View File

@ -1,27 +0,0 @@
---
- name: Ensure Logstash SSL key pair directory exists.
file:
path: "{{ logstash_ssl_dir }}"
state: directory
when: logstash_ssl
tags: configure
- name: Copy SSL key and cert for logstash.
copy:
src: "{{ item }}"
dest: "{{ logstash_ssl_dir }}/{{ item | basename }}"
mode: 0644
with_items:
- "{{ logstash_ssl_key_file }}"
- "{{ logstash_ssl_certificate_file }}"
when: logstash_ssl
tags: configure
- name: Logstash configuration
template:
src: 01-wazuh.conf.j2
dest: /etc/logstash/conf.d/01-wazuh.conf
owner: root
group: root
notify: restart logstash
tags: configure

40
roles/elastic-stack/ansible-logstash/tasks/main.yml
View File

@ -1,40 +0,0 @@
---
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
when: ansible_os_family == "Debian"
- import_tasks: config.yml
when: logstash_create_config
- name: Reload systemd
systemd: daemon_reload=yes
ignore_errors: yes
when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- name: Amazon Linux create service
shell: /usr/share/logstash/bin/system-install /etc/logstash/startup.options
when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: Ensure Logstash started and enabled
service:
name: logstash
enabled: yes
state: started
- name: Amazon Linux start Logstash
service:
name: logstash
enabled: yes
state: started
when: ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

73
roles/elastic-stack/ansible-logstash/templates/01-wazuh.conf.j2
View File

@ -1,73 +0,0 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
# Wazuh - Logstash configuration file
{% if logstash_input_beats == true %}
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
{% if logstash_ssl == true %}
ssl => true
ssl_certificate => "{{ logstash_ssl_dir }}/{{ logstash_ssl_certificate_file | basename }}"
ssl_key => "{{ logstash_ssl_dir }}/{{ logstash_ssl_key_file | basename }}"
{% endif %}
}
}
{% else %}
## Local Wazuh Manager - JSON file input
input {
file {
type => "wazuh-alerts"
path => "/var/ossec/logs/alerts/alerts.json"
codec => "json"
}
}
{% endif %}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => {{ elasticsearch_network_host | to_json}}
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}

58
roles/opendistro/opendistro-elasticsearch/defaults/main.yml Normal file
View File

@ -0,0 +1,58 @@
---
# The OpenDistro version
opendistro_version: 1.6.0
elasticsearch_cluster_name: wazuh-cluster
# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
minimum_master_nodes: 2
# Elasticsearch version
es_version: "7.3.2"
es_major_version: "7.x"
# Configure hostnames for Elasticsearch nodes
# Example es1.example.com, es2.example.com
domain_name: wazuh.com
# The OpenDistro package repository
package_repos:
yum:
opendistro:
baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
elasticsearch_oss:
baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools
opendistro_conf_path: /etc/elasticsearch/
es_nodes: |-
{% for item in groups['es-cluster'] -%}
{{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
{%- endfor %}
# Security password
opendistro_security_password: admin
# Set JVM memory limits
opendistro_jvm_xms: null
opendistro_http_port: 9200
certs_gen_tool_version: 1.7
# Url of Search Guard certificates generator tool
certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
opendistro_admin_password: changeme
opendistro_kibana_password: changeme
# Cluster Settings
single_node: true
opendistro_cluster_name: wazuh
local_certs_path: /tmp/opendistro-nodecerts

5
roles/opendistro/opendistro-elasticsearch/handlers/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: restart elasticsearch
service:
name: elasticsearch
state: restarted

24
roles/opendistro/opendistro-elasticsearch/meta/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Opendistro server.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- web
- system
- monitoring

6
roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
yum_repository:
name: elastic_repo_7
state: absent
changed_when: false

38
roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml Normal file
View File

@ -0,0 +1,38 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add OpenDistro repo
yum_repository:
file: opendistro
name: opendistro_repo
description: Opendistro yum repository
baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
yum_repository:
file: opendistro
name: elasticsearch_oss_repo
description: Elasticsearch-oss yum repository
baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
gpgcheck: true
changed_when: false
- name: RedHat/CentOS/Fedora | Install OpenJDK 11
yum:
name: java-11-openjdk-devel
state: present
- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
yum:
name: "{{ packages }}"
vars:
packages:
- wget
- unzip
tags:
- install

51
roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml Normal file
View File

@ -0,0 +1,51 @@
---
- block:
- name: Local action | Create local temporary directory for certificates generation
local_action:
module: file
path: "{{ local_certs_path }}"
state: directory
run_once: true
- name: Local action | Download certificates generation tool
local_action:
module: get_url
url: "{{ certs_gen_tool_url }}"
dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
run_once: true
- name: Local action | Extract the certificates generation tool
local_action:
module: unarchive
src: "{{ local_certs_path }}/search-guard-tlstool-1.7.zip"
dest: "{{ local_certs_path }}/"
- name: Local action | Add the execution bit to the binary
local_action:
module: file
dest: "{{ local_certs_path }}/tools/sgtlstool.sh"
mode: a+x
run_once: true
- name: Local action | Prepare the certificates generation template file
local_action:
module: template
src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml"
run_once: true
- name: Local action | Check if root CA file exists
local_action:
module: stat
path: "{{ local_certs_path }}/config/root-ca.key"
register: root_ca_file
- name: Local action | Generate the node & admin certificates in local
local_action:
module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o
run_once: true
when: root_ca_file.stat.exists == False
tags:
- generate-certs

68
roles/opendistro/opendistro-elasticsearch/tasks/main.yml Normal file
View File

@ -0,0 +1,68 @@
---
- import_tasks: local_actions.yml
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- name: Install OpenDistro
package:
name: opendistroforelasticsearch-{{ opendistro_version }}
state: present
register: install
tags: install
- name: Remove elasticsearch configuration file
file:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
state: absent
when: install.changed
tags: install
- name: Copy Configuration File
blockinfile:
block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
create: true
group: elasticsearch
mode: 0640
marker: "## {mark} Opendistro general settings ##"
when: install.changed
tags: install
- import_tasks: security_actions.yml
- name: Configure OpenDistro Elasticsearch JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: /etc/elasticsearch/jvm.options
owner: root
group: elasticsearch
mode: 0644
force: yes
notify: restart elasticsearch
tags: install
- name: Ensure Elasticsearch started and enabled
service:
name: elasticsearch
enabled: true
state: started
- name: Wait for Elasticsearch API
uri:
url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/"
user: "admin" # Default OpenDistro user is always "admin"
password: "{{ opendistro_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
tags: debug
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"

80
roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml Normal file
View File

@ -0,0 +1,80 @@
- block:
- name: Remove demo certs
file:
path: "{{ item }}"
state: absent
with_items:
- "{{ opendistro_conf_path }}/kirk.pem"
- "{{ opendistro_conf_path }}/kirk-key.pem"
- "{{ opendistro_conf_path }}/esnode.pem"
- "{{ opendistro_conf_path }}/esnode-key.pem"
- name: Copy the node & admin certificates to Elasticsearch cluster
copy:
src: "{{ local_certs_path }}/config/{{ item }}"
dest: /etc/elasticsearch/
mode: 0644
with_items:
- root-ca.pem
- root-ca.key
- "{{ inventory_hostname }}.key"
- "{{ inventory_hostname }}.pem"
- "{{ inventory_hostname }}_http.key"
- "{{ inventory_hostname }}_http.pem"
- "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
- admin.key
- admin.pem
- name: Copy the OpenDistro security configuration file to cluster
blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
- name: Prepare the OpenDistro security configuration file
replace:
path: "{{ opendistro_conf_path }}/elasticsearch.yml"
regexp: 'searchguard'
replace: 'opendistro_security'
tags: local
- name: Restart elasticsearch with security configuration
systemd:
name: elasticsearch
state: restarted
- name: Copy the OpenDistro security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Set the Admin user password
shell: >
sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Set the kibanaserver role/user pasword
shell: >
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)','
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml
run_once: true
- name: Initialize the OpenDistro security index in elasticsearch
command: >
{{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
-cacert {{ opendistro_conf_path }}/root-ca.pem
-cert {{ opendistro_conf_path }}/admin.pem
-key {{ opendistro_conf_path }}/admin.key
-cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl
-h {{ hostvars[inventory_hostname]['ip'] }}
run_once: true
tags:
- production_ready
when: install.changed

22
roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 Normal file
View File

@ -0,0 +1,22 @@
cluster.name: "{{ opendistro_cluster_name }}"
node.name: "{{ inventory_hostname }}"
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
http.port: "{{ opendistro_http_port }}"
discovery.seed_hosts: ["{{ es_nodes }}"]
cluster.initial_master_nodes: ["{{ es_nodes }}"]
discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
opendistro_security.allow_default_init_securityindex: true
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]

21
roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 Normal file
View File

@ -0,0 +1,21 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
admin:
hash: "{{ opendistro_admin_password }}"
reserved: true
backend_roles:
- "admin"
description: "admin user"
kibanaserver:
hash: "{{ opendistro_kibana_password }}"
reserved: true
description: "kibanaserver user"

117
roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 Normal file
View File

@ -0,0 +1,117 @@
#jinja2: trim_blocks:False
# {{ ansible_managed }}
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
## for more information
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if opendistro_jvm_xms is not none %}
{% if opendistro_jvm_xms < 32000 %}
-Xms{{ opendistro_jvm_xms }}m
-Xmx{{ opendistro_jvm_xms }}m
{% else %}
-Xms32000m
-Xmx32000m
{% endif %}
{% else %}
-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
{% endif %}
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
-XX:+UseConcMarkSweepGC
-XX:CMSInitiatingOccupancyFraction=75
-XX:+UseCMSInitiatingOccupancyOnly
## optimizations
# pre-touch memory pages used by the JVM during initialization
-XX:+AlwaysPreTouch
## basic
# force the server VM
-server
# explicitly set the stack size
-Xss1m
# set to headless, just in case
-Djava.awt.headless=true
# ensure UTF-8 encoding by default (e.g. filenames)
-Dfile.encoding=UTF-8
# use our provided JNA always versus the system one
-Djna.nosys=true
# turn off a JDK optimization that throws away stack traces for common
# exceptions because stack traces are important for debugging
-XX:-OmitStackTraceInFastThrow
# flags to configure Netty
-Dio.netty.noUnsafe=true
-Dio.netty.noKeySetOptimization=true
-Dio.netty.recycler.maxCapacityPerThread=0
# log4j 2
-Dlog4j.shutdownHookEnabled=false
-Dlog4j2.disable.jmx=true
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps
# ensure the directory exists and has sufficient space
-XX:HeapDumpPath=/var/lib/elasticsearch
## GC logging
#-XX:+PrintGCDetails
#-XX:+PrintGCTimeStamps
#-XX:+PrintGCDateStamps
#-XX:+PrintClassHistogram
#-XX:+PrintTenuringDistribution
#-XX:+PrintGCApplicationStoppedTime
# log GC status to a file with time stamps
# ensure the directory exists
#-Xloggc:${loggc}
# By default, the GC log file will not rotate.
# By uncommenting the lines below, the GC log file
# will be rotated every 128MB at most 32 times.
#-XX:+UseGCLogFileRotation
#-XX:NumberOfGCLogFiles=32
#-XX:GCLogFileSize=128M

47
roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 Normal file
View File

@ -0,0 +1,47 @@
ca:
root:
dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
keysize: 2048
validityDays: 730
pkPassword: none
file: root-ca.pem
### Default values and global settings
defaults:
validityDays: 730
pkPassword: none
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
reuseTransportCertificatesForHttp: false
verifyHostnames: false
resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
{% for item in groups['es-cluster'] %}
- name: {{ item }}
dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ item }}.{{ domain_name }}
ip: {{ hostvars[item]['ip'] }}
{% endfor %}
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: admin
dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
admin: true

24
roles/wazuh/ansible-filebeat/README.md
View File

@ -19,34 +19,10 @@ Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`): Available variables are listed below, along with default values (see `defaults/main.yml`):
``` ```
filebeat_create_config: true
filebeat_prospectors:
- input_type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts: filebeat_output_elasticsearch_hosts:
- "localhost:9200" - "localhost:9200"
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "192.168.212.158:5000"
filebeat_enable_logging: true
filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/logstash
filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false"
``` ```
License and copyright License and copyright

38
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,4 +1,6 @@
--- ---
filebeat_version: 7.6.2
filebeat_create_config: true filebeat_create_config: true
filebeat_prospectors: filebeat_prospectors:
@ -10,20 +12,46 @@ filebeat_prospectors:
json.keys_under_root: true json.keys_under_root: true
json.overwrite_keys: true json.overwrite_keys: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_enabled: false filebeat_output_elasticsearch_enabled: false
filebeat_output_elasticsearch_hosts: filebeat_output_elasticsearch_hosts:
- "localhost:9200" - "localhost:9200"
filebeat_output_logstash_enabled: true
filebeat_output_logstash_hosts:
- "192.168.212.158:5000"
filebeat_enable_logging: true filebeat_enable_logging: true
filebeat_log_level: debug filebeat_log_level: debug
filebeat_log_dir: /var/log/mybeat filebeat_log_dir: /var/log/mybeat
filebeat_log_filename: mybeat.log filebeat_log_filename: mybeat.log
filebeat_ssl_dir: /etc/pki/logstash filebeat_ssl_dir: /etc/pki/filebeat
filebeat_ssl_certificate_file: "" filebeat_ssl_certificate_file: ""
filebeat_ssl_key_file: "" filebeat_ssl_key_file: ""
filebeat_ssl_insecure: "false" filebeat_ssl_insecure: "false"
filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
# Xpack Security
filebeat_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_generator : false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

16
roles/wazuh/ansible-filebeat/tasks/Debian.yml
View File

@ -1,20 +1,22 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
state: present
register: filebeat_ca_packages_install
until: filebeat_ca_packages_install is succeeded
- name: Debian/Ubuntu | Add Elasticsearch apt key. - name: Debian/Ubuntu | Add Elasticsearch apt key.
apt_key: apt_key:
url: https://artifacts.elastic.co/GPG-KEY-elasticsearch url: "{{ elasticrepo.gpg }}"
id: "{{ elasticrepo.key_id }}"
state: present state: present
- name: Debian/Ubuntu | Add Filebeat repository. - name: Debian/Ubuntu | Add Filebeat repository.
apt_repository: apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' repo: "deb {{ elasticrepo.apt }} stable main"
state: present state: present
update_cache: yes update_cache: true
changed_when: false

3
roles/wazuh/ansible-filebeat/tasks/RMDebian.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository: apt_repository:
repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main repo: "deb {{ elasticrepo.apt }} stable main"
state: absent state: absent
changed_when: false

3
roles/wazuh/ansible-filebeat/tasks/RMRedHat.yml
View File

@ -1,5 +1,6 @@
--- ---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
state: absent state: absent
changed_when: false

11
roles/wazuh/ansible-filebeat/tasks/RedHat.yml
View File

@ -1,8 +1,9 @@
--- ---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository: yum_repository:
name: elastic_repo name: elastic_repo_7
description: Elastic repository for 6.x packages description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/6.x/yum baseurl: "{{ elasticrepo.yum }}"
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgkey: "{{ elasticrepo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false

14
roles/wazuh/ansible-filebeat/tasks/config.yml
View File

@ -5,7 +5,17 @@
dest: "/etc/filebeat/filebeat.yml" dest: "/etc/filebeat/filebeat.yml"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0400
notify: restart filebeat
tags: configure
- name: Copy Elasticsearch template.
template:
src: elasticsearch.yml.j2
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat notify: restart filebeat
tags: configure tags: configure
@ -20,7 +30,7 @@
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}" dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
mode: 0644 mode: 0400
with_items: with_items:
- "{{ filebeat_ssl_key_file }}" - "{{ filebeat_ssl_key_file }}"
- "{{ filebeat_ssl_certificate_file }}" - "{{ filebeat_ssl_certificate_file }}"

107
roles/wazuh/ansible-filebeat/tasks/main.yml
View File

@ -1,34 +1,125 @@
--- ---
- import_tasks: RedHat.yml - include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml - include_tasks: Debian.yml
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: Install Filebeat. - name: CentOS/RedHat | Install Filebeat.
package: name=filebeat state=present package: name=filebeat-{{ filebeat_version }} state=present
register: filebeat_installing_package
until: filebeat_installing_package is succeeded
when:
- ansible_distribution in ['CentOS','RedHat', 'Amazon']
tags: tags:
- install - install
- name: Debian/Ubuntu | Install Filebeat.
apt:
name: filebeat={{ filebeat_version }}
state: present
cache_valid_time: 3600
register: filebeat_installing_package_debian
until: filebeat_installing_package_debian is succeeded
when:
- not (ansible_distribution in ['CentOS','RedHat', 'Amazon'])
tags:
- init
- name: Copying node's certificate from master
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
- filebeat_xpack_security
tags: xpack-security
- name: Copying node's certificate from master (Custom CA)
copy:
src: "{{ item }}"
dest: "{{ node_certs_destination }}/"
mode: 0440
with_items:
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
- "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
- filebeat_xpack_security
tags: xpack-security
- name: Ensuring folder & certs permissions
file:
path: "{{ node_certs_destination }}/"
mode: 0774
state: directory
recurse: yes
when:
- filebeat_xpack_security
tags: xpack-security
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpakcing Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml - import_tasks: config.yml
when: filebeat_create_config when: filebeat_create_config
notify: restart filebeat
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd: daemon_reload=yes
ignore_errors: yes ignore_errors: true
when: when:
- not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
- not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
- not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
- name: Ensure Filebeat is started and enabled at boot. - name: Ensure Filebeat is started and enabled at boot.
service: service:
name: filebeat name: filebeat
state: started state: started
enabled: yes enabled: true
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"

1800
roles/wazuh/ansible-filebeat/templates/elasticsearch.yml.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

173
roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
View File

@ -1,150 +1,39 @@
filebeat: # Wazuh - Filebeat configuration file
# List of prospectors to fetch data.
prospectors:
{{ filebeat_prospectors | to_json }}
# Configure what outputs to use when sending the data collected by the beat. # Wazuh - Filebeat configuration file
# Multiple outputs may be used. filebeat.modules:
output: - module: wazuh
alerts:
enabled: true
archives:
enabled: false
{% if filebeat_output_elasticsearch_enabled %} setup.template.json.enabled: true
### Elasticsearch as output setup.template.json.path: '/etc/filebeat/wazuh-template.json'
elasticsearch: setup.template.json.name: 'wazuh'
# Array of hosts to connect to. setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
# Optional protocol and basic auth credentials. These are deprecated. {% if filebeat_xpack_security %}
#protocol: "https" username: {{ elasticsearch_xpack_security_user }}
#username: "admin" password: {{ elasticsearch_xpack_security_password }}
#password: "s3cr3t" protocol: https
{% if generate_CA == true %}
# Number of workers per Elasticsearch host. ssl.certificate_authorities:
#worker: 1 - {{node_certs_destination}}/ca.crt
{% elif generate_CA == false %}
# Optional index name. The default is "filebeat" and generates ssl.certificate_authorities:
# [filebeat-]YYYY.MM.DD keys. - {{node_certs_destination}}/{{ca_cert_name}}
#index: "filebeat"
# Optional HTTP Path
#path: "/elasticsearch"
# Proxy server URL
# proxy_url: http://proxy:3128
# The number of times a particular Elasticsearch index operation is attempted. If
# the indexing operation doesn't succeed after this many retries, the events are
# dropped. The default is 3.
#max_retries: 3
# The maximum number of events to bulk in a single Elasticsearch bulk API index request.
# The default is 50.
#bulk_max_size: 50
# Configure http request timeout before failing an request to Elasticsearch.
#timeout: 90
# The number of seconds to wait for new events between two bulk API index requests.
# If `bulk_max_size` is reached before this interval expires, addition bulk index
# requests are made.
#flush_interval: 1
# Boolean that sets if the topology is kept in Elasticsearch. The default is
# false. This option makes sense only for Packetbeat.
#save_topology: false
# The time to live in seconds for the topology information that is stored in
# Elasticsearch. The default is 15 seconds.
#topology_expire: 15
{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
# tls configuration. By default is off.
tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for TLS client authentication
certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
# Client Certificate Key
certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}"
# Controls whether the client verifies server certificates and host name.
# If insecure is set to true, all server host names and certificates will be
# accepted. In this mode TLS based connections are susceptible to
# man-in-the-middle attacks. Use only for testing.
insecure: {{ filebeat_ssl_insecure }}
# Configure cipher suites to be used for TLS connections
#cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#curve_types: []
# Configure minimum TLS version allowed for connection to logstash
#min_version: 1.0
# Configure maximum TLS version allowed for connection to logstash
#max_version: 1.2
{% endif %}
{% endif %} {% endif %}
{% if filebeat_output_logstash_enabled %} ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt"
### Logstash as output ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
logstash:
# The Logstash hosts
hosts: {{ filebeat_output_logstash_hosts | to_json }}
# Number of workers per Logstash host.
#worker: 1
# Optional load balance the events between the Logstash hosts
#loadbalance: true
# Optional index name. The default index name depends on the each beat.
# For Packetbeat, the default is set to packetbeat, for Topbeat
# top topbeat and for Filebeat to filebeat.
#index: filebeat
{% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
# Optional TLS. By default is off.
tls:
# List of root certificates for HTTPS server verifications
#certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for TLS client authentication
certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
# Client Certificate Key
certificate_key: "{{ filebeat_ssl_dir }}/{{ filebeat_ssl_key_file | basename}}"
# Controls whether the client verifies server certificates and host name.
# If insecure is set to true, all server host names and certificates will be
# accepted. In this mode TLS based connections are susceptible to
# man-in-the-middle attacks. Use only for testing.
#insecure: true
insecure: {{ filebeat_ssl_insecure }}
# Configure cipher suites to be used for TLS connections
#cipher_suites: []
# Configure curve types for ECDHE based cipher suites
#curve_types: []
{% endif %} {% endif %}
{% if filebeat_enable_logging %} # Optional. Send events to Logstash instead of Elasticsearch
logging: #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
### Filebeat log
level: {{ filebeat_log_level }}
# Enable file rotation with default configuration
to_files: true
# Do not log to syslog
to_syslog: false
files:
path: {{ filebeat_log_dir }}
name: {{ filebeat_log_filename }}
keepfiles: 7
{% endif %}
{% endif %}

1
roles/wazuh/ansible-filebeat/tests/requirements.yml
View File

@ -1,4 +1,3 @@
--- ---
- src: geerlingguy.java - src: geerlingguy.java
- src: geerlingguy.elasticsearch - src: geerlingguy.elasticsearch
- src: geerlingguy.logstash

1
roles/wazuh/ansible-filebeat/tests/test.yml
View File

@ -17,5 +17,4 @@
roles: roles:
- geerlingguy.java - geerlingguy.java
- geerlingguy.elasticsearch - geerlingguy.elasticsearch
- geerlingguy.logstash
- role_under_test - role_under_test

3
roles/wazuh/ansible-wazuh-agent/README.md
View File

@ -32,11 +32,12 @@ The following is an example of how this role can be used:
wazuh_managers: wazuh_managers:
- address: 127.0.0.1 - address: 127.0.0.1
port: 1514 port: 1514
protocol: udp protocol: tcp
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: 'ansible' api_user: 'ansible'
wazuh_agent_authd: wazuh_agent_authd:
registration_address: 127.0.0.1
enable: true enable: true
port: 1515 port: 1515
ssl_agent_ca: null ssl_agent_ca: null

208
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,17 +1,54 @@
--- ---
wazuh_agent_version: 3.12.3-1
# Custom packages installation
wazuh_custom_packages_installation_agent_enabled: false
wazuh_custom_packages_installation_agent_deb_url: ""
wazuh_custom_packages_installation_agent_rpm_url: ""
# Sources installation
wazuh_agent_sources_installation:
enabled: false
branch: "v3.12.3"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
user_dir: "/var/ossec"
user_delete_dir: "y"
user_enable_active_response: "y"
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_sca: "y"
user_enable_authd: "y"
user_generate_authd_cert: "n"
user_update: "y"
user_binaryinstall: null
user_agent_server_ip: "YOUR_MANAGER_IP"
user_agent_server_name: null
user_agent_config_profile: null
user_ca_store: "/var/ossec/wpk_root.pem"
wazuh_managers: wazuh_managers:
- address: 127.0.0.1 - address: 127.0.0.1
port: 1514 port: 1514
protocol: tcp protocol: udp
api_port: 55000 api_port: 55000
api_proto: 'http' api_proto: 'http'
api_user: null api_user: null
wazuh_api_reachable_from_agent: false wazuh_api_reachable_from_agent: false
wazuh_profile: null wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_auto_restart: 'yes' wazuh_auto_restart: 'yes'
wazuh_agent_authd: wazuh_agent_authd:
registration_address: 127.0.0.1
enable: false enable: false
port: 1515 port: 1515
agent_name: null
groups: []
ssl_agent_ca: null ssl_agent_ca: null
ssl_agent_cert: null ssl_agent_cert: null
ssl_agent_key: null ssl_agent_key: null
@ -20,15 +57,26 @@ wazuh_notify_time: '10'
wazuh_time_reconnect: '60' wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes' wazuh_crypto_method: 'aes'
wazuh_winagent_config: wazuh_winagent_config:
install_dir: 'C:\wazuh-agent\' download_dir: C:\
version: '3.7.0' install_dir: C:\Program Files\ossec-agent\
revision: '1' install_dir_x86: C:\Program Files (x86)\ossec-agent\
repo: https://packages.wazuh.com/3.x/windows/ auth_path: C:\Program Files\ossec-agent\agent-auth.exe
md5: 43936e7bc7eb51bd186f47dac4a6f477 # Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_md5: True
md5: 4ae4e930d3ae9d572b07cd9e7207d783
wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.12.3-1.msi
wazuh_winagent_package_name: wazuh-agent-3.12.3-1.msi
wazuh_agent_config: wazuh_agent_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
active_response: active_response:
ar_disabled: 'no' ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem' ca_store: '/var/ossec/etc/wpk_root.pem'
ca_store_win: 'wpk_root.pem'
ca_verification: 'yes' ca_verification: 'yes'
log_format: 'plain' log_format: 'plain'
client_buffer: client_buffer:
@ -39,13 +87,19 @@ wazuh_agent_config:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no' auto_ignore: 'no'
alert_new_files: 'yes' win_audit_interval: 60
remove_old_diff: 'yes'
restart_audit: 'yes'
skip_nfs: 'yes' skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore: ignore:
- /etc/mtab - /etc/mtab
#- /etc/mnttab
- /etc/hosts.deny - /etc/hosts.deny
- /etc/mail/statistics - /etc/mail/statistics
- /etc/random-seed - /etc/random-seed
@ -57,32 +111,102 @@ wazuh_agent_config:
- /etc/cups/certs - /etc/cups/certs
- /etc/dumpdates - /etc/dumpdates
- /etc/svc/volatile - /etc/svc/volatile
- /sys/kernel/security ignore_linux_type:
- /sys/kernel/debug - '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff: no_diff:
- /etc/ssl/private.key - /etc/ssl/private.key
directories: directories:
- dirs: /etc,/usr/bin,/usr/sbin - dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"' checks: ''
- dirs: /bin,/sbin - dirs: /bin,/sbin,/boot
checks: 'check_all="yes"' checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
windows_registry: windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
arch: 'both' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
disable: 'no' disable: 'yes'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
osquery: osquery:
disable: 'yes' disable: 'yes'
run_daemon: 'yes' run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log' log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf' config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes' config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
syscollector: syscollector:
disable: 'no' disable: 'no'
interval: '1h' interval: '1h'
@ -93,18 +217,24 @@ wazuh_agent_config:
packages: 'yes' packages: 'yes'
ports_no: 'yes' ports_no: 'yes'
processes: 'yes' processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
cis_cat: cis_cat:
disable: 'yes' disable: 'yes'
install_java: 'yes' install_java: 'no'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path: 'wodles/java'
ciscat_path: '/var/ossec/wodles/ciscat' java_path_win: '\\server\jre\bin\java.exe'
content: ciscat_path: 'wodles/ciscat'
- type: 'xccdf' ciscat_path_win: 'C:\cis-cat'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
vuls: vuls:
disable: 'yes' disable: 'yes'
interval: '1d' interval: '1d'
@ -134,16 +264,32 @@ wazuh_agent_config:
location: '/var/log/maillog' location: '/var/log/maillog'
- format: 'audit' - format: 'audit'
location: '/var/log/audit/audit.log' location: '/var/log/audit/audit.log'
common: linux:
- format: 'syslog' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log' location: '/var/ossec/logs/active-responses.log'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command' - format: 'command'
command: 'df -P' command: df -P
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports' alias: 'netstat listening ports'
frequency: '360' frequency: '360'
- format: 'full_command' windows:
command: 'last -n 20' - format: 'eventlog'
frequency: '360' location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
labels:
enable: false
list:
- key: Env
value: Production
wazuh_agent_nat: false

2
roles/wazuh/ansible-wazuh-agent/handlers/main.yml
View File

@ -2,5 +2,5 @@
- name: restart wazuh-agent - name: restart wazuh-agent
service: name=wazuh-agent state=restarted enabled=yes service: name=wazuh-agent state=restarted enabled=yes
- name: restart wazuh-agent windows - name: Windows | Restart Wazuh Agent
win_service: name=OssecSvc start_mode=auto state=restarted win_service: name=OssecSvc start_mode=auto state=restarted

2
roles/wazuh/ansible-wazuh-agent/meta/main.yml
View File

@ -18,6 +18,6 @@ galaxy_info:
- name: Fedora - name: Fedora
versions: versions:
- all - all
categories: galaxy_tags:
- monitoring - monitoring
dependencies: [] dependencies: []

83
roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
View File

@ -1,68 +1,85 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
state: present
register: wazuh_agent_ca_package_install
until: wazuh_agent_ca_package_install is succeeded
- name: Debian/Ubuntu | Installing repository key - name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH become: true
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Installing Wazuh repository key
apt_key:
url: "{{ wazuh_agent_config.repo.gpg }}"
id: "{{ wazuh_agent_config.repo.key_id }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' filename: wazuh_repo
repo: "{{ wazuh_agent_config.repo.apt }}"
state: present state: present
update_cache: yes update_cache: true
when:
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for debian - name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when: - when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
block: block:
- name: Debian/Ubuntu | Setting webupd8 repository - name: Debian/Ubuntu | Install OpenJDK 1.8
apt_repository: apt: name=openjdk-8-jre state=present cache_valid_time=3600
repo: 'ppa:webupd8team/java'
codename: 'xenial'
update_cache: yes
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: tags:
- init - init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
when: wazuh_agent_config.openscap.disable == 'no'
with_items:
- libopenscap8 - libopenscap8
- xsltproc - xsltproc
state: present
when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- init - init
register: wazuh_agent_OpenScap_package_install
until: wazuh_agent_OpenScap_package_install is succeeded
- name: Debian/Ubuntu | Get OpenScap installed version - name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version register: openscap_version
changed_when: true changed_when: false
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config
@ -70,7 +87,7 @@
- name: Debian/Ubuntu | Check OpenScap version - name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid register: openscap_version_valid
changed_when: true changed_when: false
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- config - config

126
roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
View File

@ -1,14 +1,40 @@
--- ---
- import_tasks: "RedHat.yml" - include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat" when: ansible_os_family == "RedHat"
- import_tasks: "Debian.yml" - include_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Linux | Install wazuh-agent - include_tasks: "installation_from_sources.yml"
package: name=wazuh-agent state=present when:
- wazuh_agent_sources_installation.enabled
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_agent_enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
package:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
async: 90 async: 90
poll: 15 poll: 30
when:
- ansible_os_family|lower == "redhat"
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}"
state: present
cache_valid_time: 3600
when:
- ansible_os_family|lower != "redhat"
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
tags: tags:
- init - init
@ -23,9 +49,6 @@
- name: Retrieving authd Credentials - name: Retrieving authd Credentials
include_vars: authd_pass.yml include_vars: authd_pass.yml
tags:
- config
- authd
- name: Copy CA, SSL key and cert for authd - name: Copy CA, SSL key and cert for authd
copy: copy:
@ -36,58 +59,63 @@
- "{{ wazuh_agent_authd.ssl_agent_ca }}" - "{{ wazuh_agent_authd.ssl_agent_ca }}"
- "{{ wazuh_agent_authd.ssl_agent_cert }}" - "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}" - "{{ wazuh_agent_authd.ssl_agent_key }}"
tags:
- config
- authd
when: when:
- wazuh_agent_authd.ssl_agent_ca is not none - wazuh_agent_authd.ssl_agent_ca is not none
- name: Linux | Register agent (via authd) - name: Linux | Register agent (via authd)
shell: > shell: >
/var/ossec/bin/agent-auth /var/ossec/bin/agent-auth
-m {{ wazuh_managers.0.address }} {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }} {% endif %} {% if authd_pass is defined %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is not none %} {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" -v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" -x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" -k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %} {% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output register: agent_auth_output
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_agent_authd.registration_address is not none
tags:
- config
- authd
- name: Linux | Verify agent registration - name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key created" shell: echo {{ agent_auth_output }} | grep "Valid key created"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_agent_authd.registration_address is not none
when: wazuh_agent_authd.enable
tags: tags:
- config - config
- authd - authd
when: wazuh_agent_authd.enable == true
- name: Linux | Agent registration via rest-API - name: Linux | Agent registration via rest-API
block: block:
- name: Retrieving rest-API Credentials - name: Retrieving rest-API Credentials
include_vars: api_pass.yml include_vars: api_pass.yml
tags:
- config
- api
- name: Linux | Create the agent key via rest-API - name: Linux | Create the agent key via rest-API
uri: uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/" url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address }}:{{ wazuh_managers.0.api_port }}/agents/"
validate_certs: no validate_certs: false
method: POST method: POST
body: {"name":"{{ inventory_hostname }}"} body: '{"name":"{{ agent_name }}"}'
body_format: json body_format: json
status_code: 200 status_code: 200
headers: headers:
@ -107,15 +135,17 @@
- name: Linux | Retieve new agent data via rest-API - name: Linux | Retieve new agent data via rest-API
uri: uri:
url: "{{ wazuh_managers.0.api_proto }}://{{ wazuh_managers.0.address }}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}" url: >-
validate_certs: no "{{ wazuh_managers.0.api_proto }}://{{ wazuh_agent_authd.registration_address
}}:{{ wazuh_managers.0.api_port }}/agents/{{ newagent_api.json.data.id }}"
validate_certs: false
method: GET method: GET
return_content: yes return_content: true
user: "{{ wazuh_managers.0.api_user }}" user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}" password: "{{ api_pass }}"
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_agent_authd.registration_address is not none
- newagent_api.json.error == 0 - newagent_api.json.error == 0
register: newagentdata_api register: newagentdata_api
delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}" delegate_to: "{{ 'localhost' if not wazuh_api_reachable_from_agent else inventory_hostname }}"
@ -129,21 +159,22 @@
environment: environment:
OSSEC_ACTION: i OSSEC_ACTION: i
OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}' OSSEC_AGENT_NAME: '{{ newagentdata_api.json.data.name }}'
OSSEC_AGENT_IP: '{{ newagentdata_api.json.data.ip }}' OSSEC_AGENT_IP: '{% if wazuh_agent_nat %}any{% else %}{{ newagentdata_api.json.data.ip }}{% endif %}'
OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}' OSSEC_AGENT_ID: '{{ newagent_api.json.data.id }}'
OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}' OSSEC_AGENT_KEY: '{{ newagent_api.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output register: manage_agents_output
when: when:
- check_keys.stat.exists == false or check_keys.stat.size == 0 - not check_keys.stat.exists or check_keys.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_agent_authd.registration_address is not none
- newagent_api.changed - newagent_api.changed
notify: restart wazuh-agent
when:
- not wazuh_agent_authd.enable
tags: tags:
- config - config
- api - api
notify: restart wazuh-agent
when: wazuh_agent_authd.enable == false
- name: Linux | Vuls integration deploy (runs in background, can take a while) - name: Linux | Vuls integration deploy (runs in background, can take a while)
command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }} command: /var/ossec/wodles/vuls/deploy_vuls.sh {{ ansible_distribution|lower }} {{ ansible_distribution_major_version|int }}
@ -153,7 +184,7 @@
poll: 0 poll: 0
when: when:
- wazuh_agent_config.vuls.disable != 'yes' - wazuh_agent_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle']
tags: tags:
- init - init
@ -182,11 +213,16 @@
- name: Linux | Ensure Wazuh Agent service is started and enabled - name: Linux | Ensure Wazuh Agent service is started and enabled
service: service:
name: wazuh-agent name: wazuh-agent
enabled: yes enabled: true
state: started state: started
tags: config
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when:
- ansible_os_family == "RedHat"
- not wazuh_agent_sources_installation.enabled
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when:
- ansible_os_family == "Debian"
- not wazuh_agent_sources_installation.enabled

1
roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml
View File

@ -3,3 +3,4 @@
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false

1
roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml
View File

@ -3,3 +3,4 @@
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
state: absent state: absent
changed_when: false

66
roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -1,55 +1,40 @@
--- ---
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when:
- ansible_distribution_major_version|int > 5
- name: RedHat/CentOS 5 | Install Wazuh repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/ baseurl: "{{ wazuh_agent_config.repo.yum }}5/"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH-5 gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution_major_version|int == 5 - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
register: repo_v5_installed
- name: AmazonLinux | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/ baseurl: "{{ wazuh_agent_config.repo.yum }}"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: "{{ wazuh_agent_config.repo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - repo_v5_installed is skipped
- not wazuh_agent_sources_installation.enabled
- not wazuh_custom_packages_installation_agent_enabled
- name: RedHat/CentOS/Fedora | download Oracle Java RPM - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
get_url: yum: name=java-1.8.0-openjdk state=present
url: http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jre-8u171-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
when: when:
- wazuh_agent_config.cis_cat.disable == 'no' - wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes' - wazuh_agent_config.cis_cat.install_java == 'yes'
tags: tags:
- init - init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5 - name: Set Distribution CIS filename for RHEL5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt
@ -63,10 +48,21 @@
- name: Set Distribution CIS filename for RHEL7 - name: Set Distribution CIS filename for RHEL7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == "7") or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "7"
- name: Set Distribution CIS filename for RHEL7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/RedHat | Install openscap - name: RedHat/CentOS/RedHat | Install openscap
package: name=openscap-scanner state=present package: name=openscap-scanner state=present
register: wazuh_agent_openscap_package_install
until: wazuh_agent_openscap_package_install is succeeded
when: wazuh_agent_config.openscap.disable == 'no' when: wazuh_agent_config.openscap.disable == 'no'
tags: tags:
- init - init

115
roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
View File

@ -1,47 +1,56 @@
--- ---
- name: Windows | Get current installed version - name: Windows | Check if Program Files (x86) exists
win_shell: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe -h"
args:
removes: "{{ wazuh_winagent_config.install_dir }}ossec-agent.exe"
register: agent_version
failed_when: False
changed_when: False
- name: Windows | Check Wazuh agent version installed
set_fact: correct_version=true
when:
- agent_version.stdout is defined
- wazuh_winagent_config.version in agent_version.stdout
- name: Windows | Downloading windows Wazuh agent installer
win_get_url:
dest: C:\wazuh-agent-installer.msi
url: "{{ wazuh_winagent_config.repo }}wazuh-agent-{{ wazuh_winagent_config.version }}-{{ wazuh_winagent_config.revision }}.msi"
when:
- correct_version is not defined
- name: Windows | Verify the downloaded Wazuh agent installer
win_stat: win_stat:
path: C:\wazuh-agent-installer.msi path: C:\Program Files (x86)
get_checksum: yes register: check_path
checksum_algorithm: md5
register: installer_md5
when:
- correct_version is not defined
failed_when:
- installer_md5.stat.checksum != wazuh_winagent_config.md5
- name: Windows | Install Wazuh agent - name: Windows | Set Win Path (x86)
win_package: set_fact:
path: C:\wazuh-agent-installer.msi wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}"
arguments: APPLICATIONFOLDER={{ wazuh_winagent_config.install_dir }} wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
when: when:
- correct_version is not defined - check_path.stat.exists
- name: Windows | Set Win Path (x64)
set_fact:
wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}"
wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}"
when:
- not check_path.stat.exists
- name: Windows | Check if Wazuh installer is already downloaded
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
register: wazuh_package_downloaded
- name: Windows | Download Wazuh Agent package
win_get_url:
url: "{{ wazuh_winagent_config_url }}"
dest: "{{ wazuh_winagent_config.download_dir }}"
when:
- not wazuh_package_downloaded.stat.exists
- name: Windows | Verify the Wazuh Agent installer
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
get_checksum: true
checksum_algorithm: md5
register: wazuh_agent_status
failed_when:
- wazuh_agent_status.stat.checksum != wazuh_winagent_config.md5
when:
- wazuh_winagent_config.check_md5
- name: Windows | Install Agent if not already installed
win_package:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: present
- name: Windows | Check if client.keys exists - name: Windows | Check if client.keys exists
win_stat: path="{{ wazuh_winagent_config.install_dir }}client.keys" win_stat:
path: "{{ wazuh_agent_win_path }}client.keys"
register: check_windows_key register: check_windows_key
notify: restart wazuh-agent windows
tags: tags:
- config - config
@ -52,38 +61,42 @@
- name: Windows | Register agent - name: Windows | Register agent
win_shell: > win_shell: >
{{ wazuh_winagent_config.install_dir }}agent-auth.exe {{ wazuh_agent_win_auth_path }}
-m {{ wazuh_managers.0.address }} -m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }} -p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %}
args:
chdir: "{{ wazuh_winagent_config.install_dir }}"
register: agent_auth_output register: agent_auth_output
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
when: when:
- wazuh_agent_authd.enable == true - wazuh_agent_authd.enable
- check_windows_key.stat.exists == false or check_windows_key.stat.size == 0 - not check_windows_key.stat.exists or check_windows_key.stat.size == 0
- wazuh_managers.0.address is not none - wazuh_agent_authd.registration_address is not none
tags: tags:
- config - config
- name: Windows | Check if ossec folder is accessible
win_file:
path: "{{ wazuh_agent_win_path }}"
state: directory
- name: Windows | Installing agent configuration (ossec.conf) - name: Windows | Installing agent configuration (ossec.conf)
win_template: template:
src: var-ossec-etc-ossec-agent.conf.j2 src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_winagent_config.install_dir }}ossec.conf" dest: "{{ wazuh_agent_win_path }}ossec.conf"
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
tags: tags:
- config - config
- name: Windows | Installing local_internal_options.conf - name: Windows | Installing local_internal_options.conf
win_template: win_template:
src: var-ossec-etc-local-internal-options.conf.j2 src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_winagent_config.install_dir }}local_internal_options.conf" dest: "{{ wazuh_agent_win_path }}local_internal_options.conf"
notify: restart wazuh-agent windows notify: Windows | Restart Wazuh Agent
tags: tags:
- config - config
- name: Windows | Delete downloaded Wazuh agent installer file - name: Windows | Delete downloaded Wazuh agent installer file
win_file: win_file:
path: C:\wazuh-agent-installer.msi path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: absent state: absent

28
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml Normal file
View File

@ -0,0 +1,28 @@
---
- name: Install Wazuh Agent from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}"
state: present
when:
- ansible_os_family|lower == "debian"
- wazuh_custom_packages_installation_agent_enabled
- name: Install Wazuh Agent from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Agent from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")

99
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,99 @@
---
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
changed_when: false
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: directory
changed_when: false
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}
register: wazuh_untar
changed_when: false
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_agent.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: 0644
changed_when: false
- name: Executing "install.sh" script to build and install the Wazuh Agent
shell: ./install.sh > /tmp/build_agent_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
changed_when: false
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
changed_when: false

4
roles/wazuh/ansible-wazuh-agent/tasks/main.yml
View File

@ -1,6 +1,6 @@
--- ---
- import_tasks: "Windows.yml" - include_tasks: "Windows.yml"
when: ansible_os_family == "Windows" when: ansible_os_family == "Windows"
- import_tasks: "Linux.yml" - include_tasks: "Linux.yml"
when: ansible_system == "Linux" when: ansible_system == "Linux"

7
roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_agent_sources_installation.items() %}
{% if "user_" in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

4
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
View File

@ -10,3 +10,7 @@
# This is the template of Ansible for the file local_internal_options.conf # This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your agents # In this file you could include the configuration settings for your agents
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1

306
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks: False #jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} --> <!-- {{ ansible_managed }} -->
<!-- <!--
Wazuh - Agent Wazuh - Agent
@ -8,7 +8,6 @@
<ossec_config> <ossec_config>
<client> <client>
{% for manager in wazuh_managers %} {% for manager in wazuh_managers %}
<server> <server>
<address>{{ manager.address }}</address> <address>{{ manager.address }}</address>
@ -20,9 +19,12 @@
{% endif %} {% endif %}
</server> </server>
{% endfor %} {% endfor %}
{% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %}
{% if wazuh_profile is not none %} {% if ansible_distribution == 'CentOS' %}
<config-profile>{{ wazuh_profile }}</config-profile> <config-profile>{{ wazuh_profile_centos }}</config-profile>
{% elif ansible_distribution == "Ubuntu" %}
<config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
{% endif %}
{% endif %} {% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time> <notify_time>{{ wazuh_notify_time }}</notify_time>
@ -31,26 +33,18 @@
<auto_restart>{{ wazuh_auto_restart }}</auto_restart> <auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method> <crypto_method>{{ wazuh_crypto_method }}</crypto_method>
</client> </client>
<client_buffer> <client_buffer>
<!-- Agent buffer options --> <!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled> <disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size> <queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second> <events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer> </client_buffer>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar|default('no') }}</disabled>
<ca_store>{{ wazuh_agent_config.active_response.ca_store }}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
{% if wazuh_agent_config.rootcheck is defined %} {% if wazuh_agent_config.rootcheck is defined %}
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_unixaudit>yes</check_unixaudit> {% if ansible_system == "Linux" %}
<check_files>yes</check_files> <check_files>yes</check_files>
<check_trojans>yes</check_trojans> <check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
@ -62,83 +56,22 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency> <frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %} {% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps> <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware> <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %} {% endif %}
{% if ansible_system == "Linux" %}
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
{% if cis_distribution_filename is defined %}
<system_audit>/var/ossec/etc/shared/{{ cis_distribution_filename }}</system_audit>
{% endif %}
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck> </rootcheck>
{% endif %} {% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" %} {% if ansible_system == "Linux" %}
<!-- #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
{% endif %}
<auto_ignore>{{ wazuh_agent_config.syscheck.auto_ignore }}</auto_ignore>
<!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
<!-- Remove not monitored files -->
<remove_old_diff>{{ wazuh_agent_config.syscheck.remove_old_diff }}</remove_old_diff>
<!-- Allow the system to restart Auditd after installing the plugin -->
<restart_audit>{{ wazuh_agent_config.syscheck.restart_audit }}</restart_audit>
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
</syscheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap"> <wodle name="open-scap">
<disabled>no</disabled> <disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout> <timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval> <interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start> <scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
@ -158,23 +91,33 @@
<content type="oval" path="cve-debian-9-oval.xml"/> <content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %} {% endif %}
{% elif ansible_distribution == 'CentOS' %} {% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml"> <content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml"> <content type="xccdf" path="ssg-centos-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %} {% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml"> <content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml"> <content type="xccdf" path="ssg-rhel-6-ds.xml">
{% endif %}
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile> <profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile> <profile>xccdf_org.ssgproject.content_profile_common</profile>
</content> </content>
{% endif %}
{% if ansible_distribution_major_version == '7' %} {% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/> <content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %} {% elif ansible_distribution_major_version == '6' %}
@ -189,33 +132,31 @@
</wodle> </wodle>
{% endif %} {% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.cis_cat.disable == 'no' %}
<wodle name="cis-cat"> <wodle name="cis-cat">
<disabled>no</disabled> <disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout> <timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval> <interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start> <scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %} {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path> <java_path>/usr/bin</java_path>
{% elif ansible_os_family == "Windows" %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
{% else %} {% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path> <java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %} {% endif %}
<ciscat_path>{{ wazuh_agent_config.cis_cat.ciscat_path }}</ciscat_path> <ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
{% for benchmark in wazuh_agent_config.cis_cat.content %}
<content type="{{ benchmark.type }}" path="{{ benchmark.path }}">
<profile>{{ benchmark.profile }}</profile>
</content>
{% endfor %}
</wodle> </wodle>
{% endif %}
<!-- Osquery integration --> <!-- Osquery integration -->
<wodle name="osquery"> <wodle name="osquery">
<disabled>{{ wazuh_agent_config.osquery.disable }}</disabled> <disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon> <run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
<log_path>{{ wazuh_agent_config.osquery.log_path }}</log_path> {% if ansible_os_family == "Windows" %}
<config_path>{{ wazuh_agent_config.osquery.config_path }}</config_path> <bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
<add_labels>{{ wazuh_agent_config.osquery.ad_labels }}</add_labels> {% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.add_labels }}</add_labels>
</wodle> </wodle>
<!-- System inventory --> <!-- System inventory -->
@ -231,6 +172,125 @@
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes> <processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle> </wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>yes</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>yes</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_system == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
<skip_dev>{{ wazuh_agent_config.syscheck.skip_dev }}</skip_dev>
<skip_proc>{{ wazuh_agent_config.syscheck.skip_proc }}</skip_proc>
<skip_sys>{{ wazuh_agent_config.syscheck.skip_sys }}</skip_sys>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
<!-- Nice value for Syscheck module -->
<process_priority>{{ wazuh_agent_config.syscheck.process_priority }}</process_priority>
<!-- Maximum output throughput -->
<max_eps>{{ wazuh_agent_config.syscheck.max_eps }}</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>{{ wazuh_agent_config.syscheck.sync_enabled }}</enabled>
<interval>{{ wazuh_agent_config.syscheck.sync_interval }}</interval>
<max_interval>{{ wazuh_agent_config.syscheck.sync_max_interval }}</max_interval>
<max_eps>{{ wazuh_agent_config.syscheck.sync_max_eps }}</max_eps>
</synchronization>
</syscheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %} {% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
@ -245,25 +305,35 @@
{% endif %} {% endif %}
<!-- Files to monitor (localfiles) --> <!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_agent_config.localfiles.common %} {% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %} {% else %}
<location>{{ localfile.location }}</location> <location>{{ localfile.location }}</location>
{% endif %} {% endif %}
</localfile> </localfile>
{% endfor %} {% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %} {% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %} {% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %} {% else %}
<location>{{ localfile.location }}</location> <location>{{ localfile.location }}</location>
{% endif %} {% endif %}
@ -273,15 +343,53 @@
{% if ansible_os_family == "RedHat" %} {% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %} {% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile> <localfile>
<log_format>{{ localfile.format }}</log_format> <log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %} {% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command> <command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency> <frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %} {% else %}
<location>{{ localfile.location }}</location> <location>{{ localfile.location }}</location>
{% endif %} {% endif %}
</localfile> </localfile>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.labels.enable == true %}
<labels>
{% for label in wazuh_agent_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
</ossec_config> </ossec_config>

1
roles/wazuh/ansible-wazuh-manager/.gitignore vendored
View File

@ -1 +0,0 @@
./.kitchen

31
roles/wazuh/ansible-wazuh-manager/CHANGELOG.md
View File

@ -1,31 +0,0 @@
#ansible-ossec-server Release
Below an overview of all changes in the releases.
Version (Release date)
0.2.0 (2017-02-14)
* Added molecule testing
* do not look for specific key ID. It appears that OSSEC released a new… #3 (By pull request: recunius (Thanks!))
* Updates #4 (By pull request: recunius (Thanks!))
* allow providing own local_rules.xml template with var ossec_server_… #5 (By pull request: recunius (Thanks!))
* Update CIS filename to CentOS & Redhat 7 #6 (By pull request: jlruizmlg (Thanks!))
* add ossec authd as service #7 (By pull request: jlruizmlg (Thanks!))
* Fix the permissions in the wazuh-authd in upstart system. #8 (By pull request: jlruizmlg (Thanks!))
* Remove ssl files and add task to generate them + Fix script init task #10 (By pull request: aarnaud (Thanks!))
0.1.0 (2015-11-16)
* Fixes for CentOS/EL7 #1 (By pull request: andskli (Thanks!))
* Updates to support Ubuntu and also adds more configuration options #2 (By pull request: recunius (Thanks!))
* Added kitchen test and serverspec tests
0.0.2 (2014-12-11)
* Added possibilty to use other mail settings
* Reworked module for better setup. Updated readme
0.0.1 (2014-12-04)
* Initial creation

10
roles/wazuh/ansible-wazuh-manager/README.md
View File

@ -18,19 +18,19 @@ Role Variables
This role has some variables which you can or need to override. This role has some variables which you can or need to override.
``` ```
wazuh_manager_fqdn: [] wazuh_manager_fqdn: ~
wazuh_manager_config: [] wazuh_manager_config: []
wazuh_agent_configs: [] shared_agent_config: []
``` ```
Vault variables Vault variables
---------------- ----------------
### vars/agentless_creeds.yml ### vars/agentless_creds.yml
This file has the agenless credentials. This file has the agenless credentials.
``` ```
--- ---
agentless_creeds: agentless_creds:
- type: ssh_integrity_check_linux - type: ssh_integrity_check_linux
frequency: 3600 frequency: 3600
host: root@example.net host: root@example.net
@ -157,7 +157,7 @@ wazuh_manager_config:
level: 6 level: 6
timeout: 600 timeout: 600
wazuh_agent_configs: shared_agent_config:
- type: os - type: os
type_value: linux type_value: linux
frequency_check: 79200 frequency_check: 79200

321
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,7 +1,70 @@
--- ---
wazuh_manager_version: 3.12.3-1
wazuh_manager_fqdn: "wazuh-server" wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_enabled: false
wazuh_custom_packages_installation_api_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
# Sources installation
wazuh_manager_sources_installation:
enabled: false
branch: "v3.12.3"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
user_dir: "/var/ossec"
user_delete_dir: null
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
user_binaryinstall: null
user_enable_email: "n"
user_auto_start: "y"
user_email_address: null
user_email_smpt: null
user_enable_syslog: "n"
user_white_list: "n"
user_ca_store: null
threads: "2"
wazuh_api_sources_installation:
enabled: false
branch: "v3.12.3"
update: "y"
remove: "y"
directory: null
port: 55000
https: "n"
authd: null
proxy: null
country: null
state: null
locality: null
org_name: null
org_unit: null
common_name: null
password: null
wazuh_api_user:
- "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
wazuh_manager_config: wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
json_output: 'yes' json_output: 'yes'
alerts_log: 'yes' alerts_log: 'yes'
logall: 'no' logall: 'no'
@ -29,13 +92,10 @@ wazuh_manager_config:
node_name: 'manager_01' node_name: 'manager_01'
node_type: 'master' node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
interval: '2m'
port: '1516' port: '1516'
bind_addr: '0.0.0.0' bind_addr: '0.0.0.0'
nodes: nodes:
- '172.17.0.2' - 'manager'
- '172.17.0.3'
- '172.17.0.4'
hidden: 'no' hidden: 'no'
connection: connection:
- type: 'secure' - type: 'secure'
@ -45,26 +105,29 @@ wazuh_manager_config:
authd: authd:
enable: true enable: true
port: 1515 port: 1515
use_source_ip: 'yes' use_source_ip: 'no'
force_insert: 'yes' force_insert: 'yes'
force_time: 0 force_time: 0
purge: 'no' purge: 'yes'
use_password: 'no' use_password: 'no'
limit_maxagents: 'yes'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null ssl_agent_ca: null
ssl_verify_host: 'no' ssl_verify_host: 'no'
ssl_manager_cert: '/var/ossec/etc/sslmanager.cert' ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: '/var/ossec/etc/sslmanager.key' ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no' ssl_auto_negotiate: 'no'
email_notification: 'no' email_notification: 'no'
mail_to: mail_to:
- 'admin@example.net' - 'admin@example.net'
mail_smtp_server: localhost mail_smtp_server: smtp.example.wazuh.com
mail_from: wazuh-server@example.com mail_from: ossecm@example.wazuh.com
mail_maxperhour: 12 mail_maxperhour: 12
mail_queue_size: 131072 mail_queue_size: 131072
email_log_source: 'alerts.log'
extra_emails: extra_emails:
- enable: false - enable: false
mail_to: 'admin@example.net' mail_to: 'recipient@example.wazuh.com'
format: full format: full
level: 7 level: 7
event_location: null event_location: null
@ -76,7 +139,7 @@ wazuh_manager_config:
- enable: false - enable: false
category: 'syscheck' category: 'syscheck'
title: 'Daily report: File changes' title: 'Daily report: File changes'
email_to: 'admin@example.net' email_to: 'recipient@example.wazuh.com'
location: null location: null
group: null group: null
rule: null rule: null
@ -89,7 +152,6 @@ wazuh_manager_config:
frequency: 43200 frequency: 43200
scan_on_start: 'yes' scan_on_start: 'yes'
auto_ignore: 'no' auto_ignore: 'no'
alert_new_files: 'yes'
ignore: ignore:
- /etc/mtab - /etc/mtab
- /etc/hosts.deny - /etc/hosts.deny
@ -103,26 +165,33 @@ wazuh_manager_config:
- /etc/cups/certs - /etc/cups/certs
- /etc/dumpdates - /etc/dumpdates
- /etc/svc/volatile - /etc/svc/volatile
- /sys/kernel/security ignore_linux_type:
- /sys/kernel/debug - '.log$|.swp$'
no_diff: no_diff:
- /etc/ssl/private.key - /etc/ssl/private.key
directories: directories:
- dirs: /etc,/usr/bin,/usr/sbin - dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"' checks: ''
- dirs: /bin,/sbin,/boot - dirs: /bin,/sbin,/boot
checks: 'check_all="yes"' checks: ''
auto_ignore_frequency: auto_ignore_frequency:
frequency: 'frequency="10"' frequency: 'frequency="10"'
timeframe: 'timeframe="3600"' timeframe: 'timeframe="3600"'
value: 'no' value: 'no'
skip_nfs: 'yes' skip_nfs: 'yes'
remove_old_diff: 'yes' skip_dev: 'yes'
restart_audit: 'yes' skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
rootcheck: rootcheck:
frequency: 43200 frequency: 43200
openscap: openscap:
disable: 'no' disable: 'yes'
timeout: 1800 timeout: 1800
interval: '1d' interval: '1d'
scan_on_start: 'yes' scan_on_start: 'yes'
@ -134,10 +203,6 @@ wazuh_manager_config:
scan_on_start: 'yes' scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat' ciscat_path: 'wodles/ciscat'
content:
- type: 'xccdf'
path: 'benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml'
profile: 'xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server'
osquery: osquery:
disable: 'yes' disable: 'yes'
run_daemon: 'yes' run_daemon: 'yes'
@ -154,20 +219,43 @@ wazuh_manager_config:
packages: 'yes' packages: 'yes'
ports_no: 'yes' ports_no: 'yes'
processes: 'yes' processes: 'yes'
vul_detector: sca:
disable: 'yes' enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vulnerability_detector:
enabled: 'no'
interval: '5m' interval: '5m'
ignore_time: '6h' ignore_time: '6h'
run_on_start: 'yes' run_on_start: 'yes'
ubuntu: providers:
disable: 'yes' - enabled: 'no'
os:
- 'trusty'
- 'xenial'
- 'bionic'
update_interval: '1h' update_interval: '1h'
redhat: name: '"canonical"'
disable: 'yes' - enabled: 'no'
os:
- 'wheezy'
- 'stretch'
- 'jessie'
- 'buster'
update_interval: '1h' update_interval: '1h'
debian: name: '"debian"'
disable: 'yes' - enabled: 'no'
update_from_year: '2010'
update_interval: '1h' update_interval: '1h'
name: '"redhat"'
- enabled: 'no'
update_from_year: '2010'
update_interval: '1h'
name: '"nvd"'
vuls: vuls:
disable: 'yes' disable: 'yes'
interval: '1d' interval: '1d'
@ -178,12 +266,12 @@ wazuh_manager_config:
- 'updatenvd' - 'updatenvd'
- 'nvd-year 2016' - 'nvd-year 2016'
- 'autoupdate' - 'autoupdate'
log_level: 1 log_level: 3
email_level: 12 email_level: 12
localfiles: localfiles:
common: common:
- format: 'command' - format: 'command'
command: 'df -P' command: df -P
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
@ -191,6 +279,7 @@ wazuh_manager_config:
frequency: '360' frequency: '360'
- format: 'full_command' - format: 'full_command'
command: 'last -n 20' command: 'last -n 20'
frequency: '360'
- format: 'syslog' - format: 'syslog'
location: '/var/ossec/logs/active-responses.log' location: '/var/ossec/logs/active-responses.log'
debian: debian:
@ -213,20 +302,16 @@ wazuh_manager_config:
location: '/var/log/audit/audit.log' location: '/var/log/audit/audit.log'
globals: globals:
- '127.0.0.1' - '127.0.0.1'
- '192.168.2.1' - '^localhost.localdomain$'
- '127.0.0.53'
commands: commands:
- name: 'disable-account' - name: 'disable-account'
executable: 'disable-account.sh' executable: 'disable-account.sh'
expect: 'user' expect: 'user'
timeout_allowed: 'yes' timeout_allowed: 'yes'
#- name: 'restart-ossec' - name: 'restart-ossec'
# executable: 'restart-ossec.sh' executable: 'restart-ossec.sh'
# expect: ''
# timeout_allowed: 'no'
- name: 'win_restart-ossec'
executable: 'restart-ossec.cmd'
expect: '' expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop' - name: 'firewall-drop'
executable: 'firewall-drop.sh' executable: 'firewall-drop.sh'
expect: 'srcip' expect: 'srcip'
@ -243,6 +328,10 @@ wazuh_manager_config:
executable: 'route-null.cmd' executable: 'route-null.cmd'
expect: 'srcip' expect: 'srcip'
timeout_allowed: 'yes' timeout_allowed: 'yes'
- name: 'win_route-null-2012'
executable: 'route-null-2012.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'netsh' - name: 'netsh'
executable: 'netsh.cmd' executable: 'netsh.cmd'
expect: 'srcip' expect: 'srcip'
@ -254,73 +343,95 @@ wazuh_manager_config:
ruleset: ruleset:
rules_path: 'custom_ruleset/rules/' rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/' decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
rule_exclude: rule_exclude:
- '0215-policy_rules.xml' - '0215-policy_rules.xml'
active_responses:
- command: 'restart-ossec'
location: 'local'
rules_id: '100002'
- command: 'win_restart-ossec'
location: 'local'
rules_id: '100003'
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
syslog_outputs: syslog_outputs:
- server: null - server: null
port: null port: null
format: null format: null
integrations:
#slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
#pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
labels:
enable: false
list:
- key: Env
value: Production
wazuh_agent_configs: # shared_agent_config:
- type: os # - type: os
type_value: Linux # type_value: Linux
syscheck: # syscheck:
frequency: 43200 # frequency: 43200
scan_on_start: 'yes' # scan_on_start: 'yes'
auto_ignore: 'no' # ignore:
alert_new_files: 'yes' # - /etc/mtab
ignore: # - /etc/mnttab
- /etc/mtab # - /etc/hosts.deny
- /etc/mnttab # - /etc/mail/statistics
- /etc/hosts.deny # - /etc/svc/volatile
- /etc/mail/statistics # no_diff:
- /etc/svc/volatile # - /etc/ssl/private.key
no_diff: # rootcheck:
- /etc/ssl/private.key # frequency: 43200
# Example # cis_distribution_filename: null
#directories: # localfiles:
#- dirs: /etc,/usr/bin,/usr/sbin # - format: 'syslog'
# checks: 'check_all="yes"' # location: '/var/log/messages'
rootcheck: # - format: 'syslog'
frequency: 43200 # location: '/var/log/secure'
cis_distribution_filename: null # - format: 'syslog'
localfiles: # location: '/var/log/maillog'
- format: 'syslog' # - format: 'apache'
location: '/var/log/messages' # location: '/var/log/httpd/error_log'
- format: 'syslog' # - format: 'apache'
location: '/var/log/secure' # location: '/var/log/httpd/access_log'
- format: 'syslog' # - format: 'apache'
location: '/var/log/maillog' # location: '/var/ossec/logs/active-responses.log'
- format: 'apache' # - type: os
location: '/var/log/httpd/error_log' # type_value: Windows
- format: 'apache' # syscheck:
location: '/var/log/httpd/access_log' # frequency: 43200
- format: 'apache' # scan_on_start: 'yes'
location: '/var/ossec/logs/active-responses.log' # auto_ignore: 'no'
- type: os # windows_registry:
type_value: Windows # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
syscheck: # arch: 'both'
frequency: 43200 # - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
scan_on_start: 'yes' # localfiles:
auto_ignore: 'no' # - location: 'Security'
alert_new_files: 'yes' # format: 'eventchannel'
windows_registry: # - location: 'System'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' # format: 'eventlog'
arch: 'both'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' nodejs:
localfiles: repo_dict:
- location: 'Security' debian: "deb"
format: 'eventchannel' redhat: "rpm"
- location: 'System' repo_url_ext: "nodesource.com/setup_10.x"
format: 'eventlog'
agent_groups: [] # groups to create

17
roles/wazuh/ansible-wazuh-manager/handlers/main.yml
View File

@ -1,13 +1,12 @@
--- ---
- name: rebuild cdb_lists
shell: /var/ossec/bin/ossec-makelists
- name: restart wazuh-manager - name: restart wazuh-manager
service: name=wazuh-manager service:
state=restarted name: wazuh-manager
enabled=yes state: restarted
enabled: true
- name: restart wazuh-api - name: restart wazuh-api
service: name=wazuh-api service:
state=restarted name: wazuh-api
enabled=yes state: restarted
enabled: true

2
roles/wazuh/ansible-wazuh-manager/meta/main.yml
View File

@ -18,6 +18,6 @@ galaxy_info:
- name: Fedora - name: Fedora
versions: versions:
- all - all
categories: galaxy_tags:
- monitoring - monitoring
dependencies: [] dependencies: []

3
roles/wazuh/ansible-wazuh-manager/playbook.yml
View File

@ -1,3 +0,0 @@
- hosts: wazuh-server.example.com
roles:
- { role: ansible-wazuh-server }

135
roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
View File

@ -1,69 +1,83 @@
--- ---
- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates - name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
apt: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
with_items:
- apt-transport-https - apt-transport-https
- ca-certificates - ca-certificates
- gnupg
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_https_packages_installed
until: wazuh_manager_https_packages_installed is succeeded
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
- name: Debian/Ubuntu | Installing Wazuh repository key - name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH apt_key:
url: "{{ wazuh_manager_config.repo.gpg }}"
id: "{{ wazuh_manager_config.repo.key_id }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
- name: Debian/Ubuntu | Add Wazuh repositories - name: Debian/Ubuntu | Add Wazuh repositories
apt_repository: apt_repository:
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' filename: wazuh_repo
repo: "{{ wazuh_manager_config.repo.apt }}"
state: present state: present
update_cache: yes update_cache: true
changed_when: false
- name: Debian/Ubuntu | Installing NodeJS repository key when:
apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
- name: Debian/Ubuntu | Add NodeSource repositories for Node.js
apt_repository:
repo: "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
state: present
update_cache: yes
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact: set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when: - when:
- wazuh_manager_config.cis_cat.disable == 'no' - wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes' - wazuh_manager_config.cis_cat.install_java == 'yes'
block: block:
- name: Debian/Ubuntu | Setting webupd8 repository - name: Debian/Ubuntu | Install OpenJDK 1.8
apt_repository: apt: name=openjdk-8-jre state=present cache_valid_time=3600
repo: 'ppa:webupd8team/java'
codename: 'xenial'
update_cache: yes
- name: Debian/Ubuntu | Accept Oracle Java 8 license
debconf:
name: oracle-java8-installer
question: shared/accepted-oracle-license-v1-1
value: true
vtype: boolean
- name: Debian/Ubuntu | Oracle Java 8 installer
apt:
name: oracle-java8-installer
state: present
cache_valid_time: 3600
tags: tags:
- init - init
- name: Debian/Ubuntu | Install OpenScap - name: Debian/Ubuntu | Install OpenScap
package: apt:
name: "{{ item }}" name:
state: present
cache_valid_time: 3600
when: wazuh_manager_config.openscap.disable == 'no'
with_items:
- libopenscap8 - libopenscap8
- xsltproc - xsltproc
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_openscap_installed
until: wazuh_manager_openscap_installed is succeeded
when: wazuh_manager_config.openscap.disable == 'no'
tags: tags:
- init - init
@ -71,7 +85,7 @@
shell: "dpkg-query --showformat='${Version}' --show libopenscap8" shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
when: wazuh_manager_config.openscap.disable == 'no' when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version register: openscap_version
changed_when: true changed_when: false
tags: tags:
- config - config
@ -79,6 +93,43 @@
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
when: wazuh_manager_config.openscap.disable == 'no' when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version_valid register: openscap_version_valid
changed_when: true changed_when: false
tags: tags:
- config - config
- name: Debian/Ubuntu | Install wazuh-manager
apt:
name:
- "wazuh-manager={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_manager_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled
- include_tasks: "installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled
- name: Debian/Ubuntu | Install wazuh-api
apt:
name:
- "wazuh-api={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_api_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled
- wazuh_manager_config.cluster.node_type == "master"

2
roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml
View File

@ -3,8 +3,10 @@
apt_repository: apt_repository:
repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false
- name: Debian/Ubuntu | Remove Nodejs repository. - name: Debian/Ubuntu | Remove Nodejs repository.
apt_repository: apt_repository:
repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
state: absent state: absent
changed_when: false

2
roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml
View File

@ -3,8 +3,10 @@
yum_repository: yum_repository:
name: NodeJS name: NodeJS
state: absent state: absent
changed_when: false
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata) - name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
state: absent state: absent
changed_when: false

172
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -1,65 +1,46 @@
--- ---
- name: RedHat/CentOS | Install Nodejs repo - name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository: yum_repository:
name: NodeJS name: wazuh_repo
description: NodeJS-$releasever description: Wazuh repository
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 baseurl: "{{ wazuh_manager_config.repo.yum }}5/"
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- ansible_distribution_major_version|int > 5 - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- name: Fedora | Install Nodejs repo - not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
yum_repository: - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
name: NodeJS register: repo_v5_manager_installed
description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/fc/$releasever/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: yes
when: ansible_distribution == 'Fedora'
- name: AmazonLinux | Get Nodejs
shell: curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
args:
warn: no
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: AmazonLinux | Install Nodejs repo
yum:
name: nodejs
state: present
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/Fedora | Install Wazuh repo - name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository: yum_repository:
name: wazuh_repo name: wazuh_repo
description: Wazuh repository description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/ baseurl: "{{ wazuh_manager_config.repo.yum }}"
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgkey: "{{ wazuh_manager_config.repo.gpg }}"
gpgcheck: yes gpgcheck: true
changed_when: false
when: when:
- (ansible_distribution_major_version|int > 5) or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - repo_v5_manager_installed is skipped
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: RedHat/CentOS 5 | Install Wazuh repo - not wazuh_custom_packages_installation_manager_enabled or not wazuh_custom_packages_installation_api_enabled
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: yes
when:
- ansible_distribution_major_version|int == 5
- name: RedHat/CentOS/Fedora | Install openscap - name: RedHat/CentOS/Fedora | Install openscap
package: name=openscap-scanner state=present package: name={{ item }} state=present
with_items:
- openscap-scanner
register: wazuh_manager_openscp_packages_installed
until: wazuh_manager_openscp_packages_installed is succeeded
tags: tags:
- init - init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- name: CentOS 6 | Install Software Collections (SCL) Repository - name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present package: name=centos-release-scl state=present
register: wazuh_manager_scl_packages_installed
until: wazuh_manager_scl_packages_installed is succeeded
when: when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' - ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
@ -75,46 +56,20 @@
- name: CentOS/RedHat 6 | Install Python 2.7 - name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present package: name=python27 state=present
register: wazuh_manager_python_package_installed
until: wazuh_manager_python_package_installed is succeeded
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes' - wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install python-cryptography module - name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
shell: pip2.7 install cryptography yum: name=java-1.8.0-openjdk state=present
environment:
PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}"
LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib"
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install python-cryptography module
package: name=python-cryptography state=present
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' )
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:
url: http://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm
dest: /tmp/jre-8-linux-x64.rpm
headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
register: oracle_java_task_rpm_download
when: when:
- wazuh_manager_config.cis_cat.disable == 'no' - wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes' - wazuh_manager_config.cis_cat.install_java == 'yes'
tags: tags:
- init - init
- name: RedHat/CentOS/Fedora | Install Oracle Java RPM
package: name=/tmp/jre-8-linux-x64.rpm state=present
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
- oracle_java_task_rpm_download is defined
tags:
- init
- name: Set Distribution CIS filename for RHEL5/CentOS-5 - name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact: set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt cis_distribution_filename: cis_rhel5_linux_rcl.txt
@ -128,4 +83,69 @@
- name: Set Distribution CIS filename for RHEL7/CentOS-7 - name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact: set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt cis_distribution_filename: cis_rhel7_linux_rcl.txt
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version == '7') or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: CentOS/RedHat/Amazon | Install wazuh-manager
package:
name: "wazuh-manager-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_manager_sources_installation.enabled
- not wazuh_custom_packages_installation_manager_enabled
tags:
- init
- include_tasks: "../tasks/installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- include_tasks: "../tasks/installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled or wazuh_custom_packages_installation_api_enabled
- name: CentOS/RedHat/Amazon | Install wazuh-api
package:
name: "wazuh-api-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_api_main_packages_installed
until: wazuh_api_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_api_sources_installation.enabled
- not wazuh_custom_packages_installation_api_enabled
- wazuh_manager_config.cluster.node_type == "master"
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install expect (EL5)
package:
name: "{{ item }}"
state: "{{ wazuh_manager_package_state }}"
with_items:
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "RedHat"
- ansible_distribution_major_version|int < 6
tags:
- init

61
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml Normal file
View File

@ -0,0 +1,61 @@
---
- block:
- name: Install Wazuh Manager from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- name: Install Wazuh API from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_api_deb_url }}"
state: present
when:
- wazuh_custom_packages_installation_api_enabled
- wazuh_manager_config.cluster.node_type == "master"
when:
- ansible_os_family|lower == "debian"
- block:
- name: Install Wazuh Manager from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Manager from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh API from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_api_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_api_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- wazuh_manager_config.cluster.node_type == "master"
- name: Install Wazuh API from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_api_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_api_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- wazuh_manager_config.cluster.node_type == "master"
when:
- ansible_os_family|lower == "redhat"

185
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,185 @@
---
# Wazuh Manager
- name: Check if Wazuh Manager is already installed
stat:
path: /var/ossec/bin/ossec-control
register: wazuh_ossec_control
- name: Installing Wazuh Manager from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Remove old repository folder
file:
path: /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
state: absent
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: directory
# When downloading "v3.11.0" extracted folder name is 3.11.0.
# Explicitly creating the folder with proper naming and striping first level in .tar.gz file
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
register: wazuh_untar
changed_when: wazuh_untar.rc ==0
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_manager.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: 0644
- name: Executing "install.sh" script to build and install the Wazuh Manager
shell: ./install.sh > /tmp/build_wazuh_manager_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
when:
- not wazuh_ossec_control.stat.exists
- wazuh_manager_sources_installation.enabled
tags:
- manager
# Wazuh API
- name: Check if Wazuh API is already installed
stat:
path: /var/ossec/api/app.js
register: wazuh_api
when:
- wazuh_manager_config.cluster.node_type == "master" or wazuh_manager_config.cluster.node_type == "worker"
- name: Install Wazuh API from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Explicitly installing npm for Debian hosts
package:
name: npm
state: present
when:
- ansible_distribution == "Debian"
- name: Ensure Git is present in the host
package:
name: git
state: present
- name: Remove old repository folder
file:
path: /tmp/wazuh-api
state: absent
- name: Download the Wazuh API repository
git:
repo: 'https://github.com/wazuh/wazuh-api.git'
version: "{{ wazuh_api_sources_installation.branch }}"
dest: /tmp/wazuh-api
- name: Configure Wazuh API installation
template:
src: "templates/preloaded_vars_api.conf.j2"
dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf"
owner: root
group: root
mode: 0644
- name: Execute Wazuh API installation script
shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt
register: install_api
changed_when: install_api.rc == 0
args:
chdir: "/tmp/wazuh-api"
notify:
- restart wazuh-api
when:
- not wazuh_api.stat.exists
- wazuh_api_sources_installation.enabled
- wazuh_manager_config.cluster.node_type == "master"
tags:
- api

221
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,39 +1,58 @@
--- ---
- import_tasks: "RedHat.yml" - name: "Install dependencies"
package:
name:
- unzip
- openssl
- tar
state: present
- name: Check if NodeJS service exists
stat:
path: /usr/bin/node
register: node_service_status
- name: Install NodeJS repository
block:
- name: Download NodeJS repository script
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: /etc/nodejs.sh
mode: 0775
changed_when: false
- name: Run NodeJS bash script
command: sh /etc/nodejs.sh
register: nodejs_script
changed_when: nodejs_script.rc == 0
when:
- not node_service_status.stat.exists
- wazuh_manager_config.cluster.node_type == "master"
- name: Installing NodeJS
package:
name: nodejs
state: present
register: nodejs_service_is_installed
until: nodejs_service_is_installed is succeeded
when:
- wazuh_manager_config.cluster.node_type == "master"
tags: init
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon") when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
- import_tasks: "Debian.yml" - include_tasks: "Debian.yml"
when: ansible_os_family == "Debian" when: ansible_os_family == "Debian"
- name: Install wazuh-manager, wazuh-api and expect - name: Install expect
package: pkg={{ item }} state=latest package:
with_items: name: expect
- wazuh-manager state: "{{ wazuh_manager_package_state }}"
- wazuh-api
- expect
when: when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6)
tags: tags: init
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state=latest
with_items:
- wazuh-manager
- expect
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6
tags:
- init
- name: Generate SSL files for authd - name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/" command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
@ -42,12 +61,12 @@
chdir: /var/ossec/etc/ chdir: /var/ossec/etc/
tags: tags:
- config - config
when: not wazuh_manager_config.authd.ssl_agent_ca is not none when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd - name: Copy CA, SSL key and cert for authd
copy: copy:
src: "{{ item }}" src: "{{ item }}"
dest: "/var/ossec/etc/{{ item | basename }}" dest: "/var/ossec/etc/{{ item }}"
mode: 0644 mode: 0644
with_items: with_items:
- "{{ wazuh_manager_config.authd.ssl_agent_ca }}" - "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
@ -71,7 +90,7 @@
- name: Ensure ossec-authd service is disabled - name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -80,7 +99,7 @@
with_items: with_items:
- "/etc/init.d/ossec-authd" - "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service" - "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists == True when: old_authd_service.stat.exists
tags: tags:
- config - config
@ -144,6 +163,8 @@
tags: tags:
- init - init
- config - config
when:
- shared_agent_config is defined
- name: Installing the config.js (api configuration) - name: Installing the config.js (api configuration)
template: src=var-ossec-api-configuration-config.js.j2 template: src=var-ossec-api-configuration-config.js.j2
@ -152,6 +173,9 @@
group=ossec group=ossec
mode=0740 mode=0740
notify: restart wazuh-api notify: restart wazuh-api
when:
- wazuh_manager_config.cluster.node_type == "master"
tags: tags:
- init - init
- config - config
@ -168,7 +192,7 @@
- config - config
- name: Retrieving Agentless Credentials - name: Retrieving Agentless Credentials
include_vars: agentless_creeds.yml include_vars: agentless_creds.yml
tags: tags:
- config - config
@ -177,17 +201,6 @@
tags: tags:
- config - config
- name: Retrieving Wazuh-API User Credentials
include_vars: wazuh_api_creds.yml
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
tags:
- config
- name: Retrieving CDB lists
include_vars: cdb_lists.yml
tags:
- config
- name: Check if syslog output is enabled - name: Check if syslog output is enabled
set_fact: syslog_output=true set_fact: syslog_output=true
@ -198,11 +211,14 @@
- config - config
- name: Check if client-syslog is enabled - name: Check if client-syslog is enabled
shell: "grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-csyslogd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
changed_when: False executable: /bin/bash
check_mode: no changed_when: false
check_mode: false
register: csyslog_enabled register: csyslog_enabled
tags: tags:
- config - config
@ -212,16 +228,19 @@
notify: restart wazuh-manager notify: restart wazuh-manager
when: when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output == true - syslog_output is defined and syslog_output
tags: tags:
- config - config
- name: Check if ossec-agentlessd is enabled - name: Check if ossec-agentlessd is enabled
shell: "grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo" shell: |
set -o pipefail
"grep -c 'ossec-agentlessd' /var/ossec/bin/.process_list | xargs echo"
args: args:
removes: /var/ossec/bin/.process_list removes: /var/ossec/bin/.process_list
changed_when: False executable: /bin/bash
check_mode: no changed_when: false
check_mode: false
register: agentlessd_enabled register: agentlessd_enabled
tags: tags:
- config - config
@ -231,26 +250,7 @@
notify: restart wazuh-manager notify: restart wazuh-manager
when: when:
- agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout - agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
- agentless_creeds is defined - agentless_creds is defined
tags:
- config
- name: Check if ossec-authd is enabled
shell: "grep -c 'ossec-authd' /var/ossec/bin/.process_list | xargs echo"
args:
removes: /var/ossec/bin/.process_list
changed_when: False
check_mode: no
register: authd_enabled
tags:
- config
- name: Enable ossec-authd
command: /var/ossec/bin/ossec-control enable auth
notify: restart wazuh-manager
when:
- authd_enabled.stdout == '0' or "skipped" in authd_enabled.stdout
- wazuh_manager_config.authd.enable == true
tags: tags:
- config - config
@ -271,7 +271,7 @@
poll: 0 poll: 0
when: when:
- wazuh_manager_config.vuls.disable != 'yes' - wazuh_manager_config.vuls.disable != 'yes'
- ansible_distribution == 'Redhat' or ansible_distribution == 'CentOS' or ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' or ansible_distribution == 'Oracle' - ansible_distribution in ['Redhat', 'CentOS', 'Ubuntu', 'Debian', 'Oracle', 'Amazon']
tags: tags:
- init - init
@ -312,7 +312,7 @@
notify: restart wazuh-api notify: restart wazuh-api
when: when:
- wazuh_api_user is defined - wazuh_api_user is defined
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) - wazuh_manager_config.cluster.node_type == "master"
tags: tags:
- config - config
@ -324,60 +324,47 @@
group: root group: root
mode: 0644 mode: 0644
no_log: true no_log: true
when: agentless_creeds is defined when: agentless_creds is defined
tags: tags:
- config - config
- name: Encode the secret - name: Encode the secret
shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
when: agentless_creeds is defined when: agentless_creds is defined
tags: tags:
- config - config
- name: CDB Lists - name: Ensure Wazuh Manager service is started and enabled.
template:
src: cdb_lists.j2
dest: "/var/ossec/etc/lists/{{ item.name }}"
owner: root
group: ossec
mode: 0640
no_log: true
notify:
- rebuild cdb_lists
- restart wazuh-manager
with_items:
- "{{ cdb_lists }}"
when: cdb_lists is defined
tags:
- config
- name: Ensure Wazuh Manager, wazuh API service is started and enabled
service: service:
name: "{{ item }}" name: "wazuh-manager"
enabled: yes enabled: true
state: started
with_items:
- wazuh-manager
- wazuh-api
tags:
- config
environment:
LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"
when:
- not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 )
- name: Ensure Wazuh Manager is started and enabled (EL5)
service:
name: wazuh-manager
enabled: yes
state: started state: started
tags: tags:
- config - config
- name: Ensure Wazuh API service is started and enabled.
service:
name: "wazuh-api"
enabled: true
state: started
when: wazuh_manager_config.cluster.node_type == "master"
tags:
- config
- name: Create agent groups
command: "/var/ossec/bin/agent_groups -a -g {{ item }} -q"
with_items:
- "{{ agent_groups }}"
when: when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 - ( agent_groups is defined) and ( agent_groups|length > 0)
tags: molecule-idempotence-notest
- import_tasks: "RMRedHat.yml" - include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" when:
- ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
- not wazuh_manager_sources_installation.enabled
- import_tasks: "RMDebian.yml" - include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian" when:
- ansible_os_family == "Debian"
- not wazuh_manager_sources_installation.enabled

2
roles/wazuh/ansible-wazuh-manager/templates/agentless.j2
View File

@ -1,3 +1,3 @@
{% for agentless in agentless_creeds %} {% for agentless in agentless_creds %}
{{ agentless.host }}|{{ agentless.passwd }} {{ agentless.host }}|{{ agentless.passwd }}
{% endfor %} {% endfor %}

Some files were not shown because too many files have changed in this diff Show More