From f43b885dc81b8cc278094c5c5692a3ec6cafab31 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Fri, 22 May 2020 19:28:05 +0200 Subject: [PATCH 1/6] fix permission override and broken idempotence --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47438f98..1233fde4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -180,7 +180,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - elasticsearch_xpack_security - generate_CA diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 4948c252..29732104 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -59,7 +59,7 @@ path: "{{ node_certs_destination }}/" mode: 0774 state: directory - recurse: yes + recurse: no when: - filebeat_xpack_security tags: xpack-security From be973340addc998c8eba9720ca35827b3b73e4d3 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 00:18:10 +0200 Subject: [PATCH 2/6] allow elasticsearch to readh the ca file --- .../ansible-elasticsearch/tasks/xpack_security.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 1233fde4..47063c4e 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
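Review bot: The `when:` list that closes this hunk appears to gate the directory-permission task on `- generate_CA` as well as `- elasticsearch_xpack_security`, so on a node that only receives pre-generated certificates the mode of `node_certs_destination` is never enforced, whereas the kibana and filebeat equivalents in this series are gated on the `*_xpack_security` flag alone. Indentation is lost in this rendering, so confirm the list belongs to this task rather than the one that follows it. If it does, drop the `- generate_CA` line so the mode is applied on both paths, or add a matching task for the non-generating branch. Switching to `recurse: no` is the right fix for the clobbered 0440 file modes; the file modes themselves are set by the `copy` tasks above this hunk.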
@@ -149,6 +149,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -164,6 +166,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0440 with_items: - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" @@ -178,6 +182,8 @@ - name: Ensuring folder permissions file: path: "{{ node_certs_destination }}/" + owner: root + group: elasticsearch mode: 0774 state: directory recurse: no From 18d69f8b67ed5d35f007d7aa33dcf2a25baee97b Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 00:48:38 +0200 Subject: [PATCH 3/6] fix for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 220230c8..122b6488 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,7 +56,7 @@ file: path: "{{ node_certs_destination }}/" state: directory - recurse: yes + recurse: no owner: kibana group: kibana when: @@ -67,7 +67,7 @@ file: path: "{{ node_certs_destination }}/" mode: 0770 - recurse: yes + recurse: no when: - kibana_xpack_security notify: restart kibana From 57c2a9bb760da8c12eddcd836eec1b993155af48 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 01:23:25 +0200 Subject: [PATCH 4/6] fix permissions for kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 122b6488..b9dde1fe 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml 
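Review bot: `mode: 0440` here (and the `0774` on the directory task later in this patch) is an unquoted YAML 1.1 octal literal; Ansible handles a leading-zero integer, but `mode: "0440"` is the form the Ansible docs and ansible-lint recommend and leaves no room for other YAML tooling to read it as 440 decimal. The same rule set would rather see `recurse: false` than `recurse: no`. The `owner: root` / `group: elasticsearch` / `mode: 0440` triple is now repeated verbatim in both copy tasks, so a one-line comment above the first, `# root owns the key; the service reads it only through its group`, would record why the owner is not `elasticsearch`. The task's `with_items` list continues past the end of this hunk.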
+++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -28,6 +28,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" @@ -42,6 +44,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: kibana mode: 0440 with_items: - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" From d9f7e79b7dc9d61b9002b8c05b52ad4215c98235 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:20:19 +0200 Subject: [PATCH 5/6] always use 0770 for the certs folder --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- roles/wazuh/ansible-filebeat/tasks/main.yml | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 47063c4e..0d9740d4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -184,7 +184,7 @@ path: "{{ node_certs_destination }}/" owner: root group: elasticsearch - mode: 0774 + mode: 0770 state: directory recurse: no when: diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index b9dde1fe..cb7f3c55 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -56,13 +56,14 @@ - not generate_CA tags: xpack-security -- name: Ensuring certificates folder owner +- name: Ensuring certificates folder owner and permissions file: path: "{{ node_certs_destination }}/" state: directory recurse: no owner: kibana group: kibana + mode: 0770 when: - kibana_xpack_security tags: xpack-security 
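Review bot: `mode: 0770` still gives the `elasticsearch` group write access to the certificate directory, and write on a directory is what permits unlinking or renaming entries, so a compromised Elasticsearch process could replace the root-owned 0440 `.key` and CA files this series locks down and the node would then trust whatever CA was dropped in. Unless something running as `elasticsearch` has to write into `node_certs_destination`, `mode: 0750` keeps read/traverse for the service while making root the only writer, which is what the file ownership already implies. If a component does need to write there, a comment naming it next to the mode would stop the next reviewer from tightening it.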
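Review bot: The merged task leaves the directory as `owner: kibana`, `group: kibana`, `mode: 0770`, which makes the `owner: root` / `mode: 0440` applied to the certificate files in PATCH 4 largely cosmetic: the owner of a directory can unlink and recreate any entry in it and can `chmod` the directory itself, so the kibana user can swap the key or CA at will. Mirroring the elasticsearch role in this same patch with `owner: root`, `group: kibana`, `mode: 0750` keeps Kibana able to read the files while only root can change the set. The name `Ensuring certificates folder owner and permissions` then also matches what the task enforces. This assumes Kibana never writes into this directory; confirm against the rest of the role, which is outside the hunk.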
@@ -70,7 +71,6 @@ - name: Ensuring certificates folder owner file: path: "{{ node_certs_destination }}/" - mode: 0770 recurse: no when: - kibana_xpack_security diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 29732104..5a15926d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -30,6 +30,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -44,6 +46,8 @@ copy: src: "{{ item }}" dest: "{{ node_certs_destination }}/" + owner: root + group: root mode: 0440 with_items: - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" @@ -57,7 +61,7 @@ - name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: 0774 + mode: 0770 state: directory recurse: no when: From 5d211c3b41bc50fcbef3f0d8d13dfe46d13acfc3 Mon Sep 17 00:00:00 2001 From: Pablo Escobar Date: Sat, 23 May 2020 13:22:00 +0200 Subject: [PATCH 6/6] apply kibana certs permissions in a single task --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index cb7f3c55..e4f8b733 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -66,14 +66,6 @@ mode: 0770 when: - kibana_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - recurse: no - when: - - kibana_xpack_security notify: restart kibana tags: xpack-security
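Review bot: The `Ensuring folder & certs permissions` task sets `mode: 0770` on the directory but, unlike the elasticsearch and kibana equivalents in this series, never pins `owner`/`group`, so with `recurse: no` the directory keeps whatever ownership it was created with and the group-write bit is handed to an unknown group. Since the files copied earlier in this patch are `owner: root`, `group: root`, `mode: 0440`, add `owner: root` and `group: root` here as well; with a root group the write bit is moot, but `0750` would document the intent. Those root-only 0440 files also assume Filebeat runs as root, which I believe is the package default but is worth a comment such as `# filebeat runs as root; certs are readable by root only` so anyone moving the service to a dedicated user knows to revisit both tasks. The task's `when:` list continues past the end of this hunk.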