WIP: First Kibana working approach

2020-05-21 22:32:36 +02:00 · 2020-05-21 22:32:36 +02:00 · 930125cc86
commit 930125cc86
parent aa4f6a01c9
13 changed files with 428 additions and 4 deletions
--- a/playbooks/wazuh-opendistro-kibana.yml
+++ b/playbooks/wazuh-opendistro-kibana.yml
@ -0,0 +1,4 @@
+---
+- hosts: es1
+  roles:
+    - role: ../roles/opendistro/opendistro-kibana
--- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
+++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml
@ -16,8 +16,8 @@ domain_name: wazuh.com

 # The OpenDistro package repository
 package_repos:
-  yum: 
-    opendistro: 
+  yum:
+    opendistro:
      baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
      gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
    elasticsearch_oss:
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml
@ -1,6 +1,6 @@
 ---
 - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata)
  yum_repository:
-    name: elastic_repo_7
+    name: opendistro_repo
    state: absent
  changed_when: false
--- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
+++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
@ -31,7 +31,14 @@ nodes:
    dns: {{ item }}.{{ domain_name }}
    ip: {{ hostvars[item]['ip'] }}
 {% endfor %}
-
+{% if groups['kibana'] is defined and groups['kibana']|length > 0 %}
+{% for item in groups['kibana'] %}
+  - name: {{ item }}
+    dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+    dns: {{ item }}.{{ domain_name }}
+    ip: {{ hostvars[item]['ip'] }}
+{% endfor %}
+{% endif %}
 ###
 ### Clients
 ###
--- a/roles/opendistro/opendistro-kibana/defaults/main.yml
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml
@ -0,0 +1,60 @@
+---
+
+elasticsearch_http_port: "9200"
+elasticsearch_network_host: |-
+        {% for item in groups['kibana'] -%}
+          {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %}
+        {%- endfor %}
+
+kibana_conf_path: /etc/kibana
+kibana_server_host: "0.0.0.0"
+kibana_server_port: "5601"
+kibana_server_name: "kibana"
+kibana_max_payload_bytes: 1048576
+opendistro_version: 7.6.1
+wazuh_version: 3.12.3
+wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
+
+# The OpenDistro package repository
+package_repos:
+  yum:
+    opendistro:
+      baseurl: 'https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/'
+      gpg: 'https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opendistroforelasticsearch'
+    elasticsearch_oss:
+      baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
+      gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+
+
+# API credentials
+wazuh_api_credentials:
+  - id: "default"
+    url: "http://localhost"
+    port: 55000
+    user: "foo"
+    password: "bar"
+
+# opendistro Security
+kibana_opendistro_security: true
+kibana_newsfeed_enabled: "false"
+kibana_telemetry_optin: "false"
+kibana_telemetry_enabled: "false"
+
+opendistro_security_user: elastic
+opendistro_kibana_user: kibanaserver
+opendistro_kibana_password: changeme
+local_certs_path: /tmp/opendistro-nodecerts
+
+# Nodejs
+nodejs:
+  repo_dict:
+      debian: "deb"
+      redhat: "rpm"
+  repo_url_ext: "nodesource.com/setup_10.x"
+
+# Build from sources
+build_from_sources: false
+wazuh_plugin_branch: 3.12-7.6
+
+#Nodejs NODE_OPTIONS
+node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
--- a/roles/opendistro/opendistro-kibana/handlers/main.yml
+++ b/roles/opendistro/opendistro-kibana/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: restart kibana
+  service: name=kibana state=restarted
--- a/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml
@ -0,0 +1,6 @@
+---
+- name: Remove Elasticsearch repository (and clean up left-over metadata)
+  yum_repository:
+    name: opendistro_repo
+    state: absent
+  changed_when: false
--- a/roles/opendistro/opendistro-kibana/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/RedHat.yml
@ -0,0 +1,23 @@
+---
+- block:
+
+  - name: RedHat/CentOS/Fedora | Add OpenDistro repo
+    yum_repository:
+      file: opendistro
+      name: opendistro_repo
+      description: Opendistro yum repository
+      baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
+      gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
+      gpgcheck: true
+
+  - name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
+    yum_repository:
+      file: opendistro
+      name: elasticsearch_oss_repo
+      description: Elasticsearch-oss yum repository
+      baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
+      gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
+      gpgcheck: true
+
+  tags:
+    - install
--- a/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml
@ -0,0 +1,76 @@
+---
+  - name: Ensure the Git package is present
+    package:
+      name: git
+      state: present
+
+  - name: Modify repo url if host is in Debian family
+    set_fact:
+      node_js_repo_type: deb
+    when:
+      - ansible_os_family | lower == "debian"
+
+  - name: Download script to install Nodejs repository
+    get_url:
+      url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
+      dest: "/tmp/setup_nodejs_repo.sh"
+      mode: 0700
+
+  - name: Execute downloaded script to install Nodejs repo
+    command: /tmp/setup_nodejs_repo.sh
+    register: node_repo_installation_result
+    changed_when: false
+
+  - name: Install Nodejs
+    package:
+      name: nodejs
+      state: present
+
+  - name: Install yarn dependency to build the Wazuh Kibana Plugin
+    # Using shell due to errors when evaluating text between @ with command
+    shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
+    register: install_yarn_result
+    changed_when: install_yarn_result == 0
+
+  - name: Remove old wazuh-kibana-app git directory
+    file:
+      path: /tmp/app
+      state: absent
+    changed_when: false
+
+  - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
+    command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
+    register: clone_app_repo_result
+    changed_when: false
+    args:
+      chdir: "/tmp"
+
+  - name: Executing yarn to build the package
+    command: "{{ item }}"
+    with_items:
+      - "yarn"
+      - "yarn build"
+    register: yarn_execution_result
+    changed_when: false
+    args:
+      chdir: "/tmp/app/"
+
+  - name: Obtain name of generated package
+    shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
+    register: wazuhapp_package_name
+    changed_when: false
+    args:
+      chdir: "/tmp/app/build"
+
+  - name: Install Wazuh Plugin (can take a while)
+    shell: NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}
+    args:
+      executable: /bin/bash
+      creates: /usr/share/kibana/plugins/wazuh/package.json
+      chdir: /usr/share/kibana
+    become: yes
+    become_user: kibana
+    notify: restart kibana
+    tags:
+      - install
+      - skip_ansible_lint
--- a/roles/opendistro/opendistro-kibana/tasks/main.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/main.yml
@ -0,0 +1,62 @@
+---
+
+- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
+  fail:
+    msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
+  when:
+    - build_from_sources
+    - ansible_distribution == "Debian"
+    - ansible_distribution_major_version == "10"
+
+- import_tasks: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: true
+  ignore_errors: true
+  when:
+    - not (ansible_distribution == "Amazon" and ansible_distribution_version == "(Karoo)")
+    - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
+    - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
+    - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
+
+- name: Install Kibana
+  package:
+    name: opendistroforelasticsearch-kibana
+    state: present
+  register: install
+  tags: install
+
+
+- name: Remove Kibana configuration file
+  file:
+    path: "{{ kibana_conf_path }}/kibana.yml"
+    state: absent
+  when: install.changed
+  tags: install
+
+- import_tasks: security_actions.yml
+
+- name: Copy Configuration File
+  blockinfile:
+    block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
+    dest: "{{ kibana_conf_path }}/kibana.yml"
+    create: true
+    group: root
+    mode: 0640
+    marker: "## {mark} Kibana general settings ##"
+  notify: restart kibana
+
+  tags:
+    - install
+    - configure
+
+- name: Ensure Kibana started and enabled
+  service:
+    name: kibana
+    enabled: true
+    state: started
+
+- import_tasks: RMRedHat.yml
+  when: ansible_os_family == 'RedHat'
--- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml
+++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml
@ -0,0 +1,13 @@
+- block:
+
+  - name: Copy the certificates from local to the Kibana instance
+    copy:
+      src: "{{ local_certs_path }}/config/{{ item }}"
+      dest: /usr/share/kibana
+      mode: 0644
+    with_items:
+      - "{{ inventory_hostname }}_http.key"
+      - "{{ inventory_hostname }}_http.pem"
+  tags:
+  - production_ready
+  when: install.changed
--- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
+++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
@ -0,0 +1,36 @@
+# {{ ansible_managed }}
+# Description:
+# Default Kibana configuration for Open Distro.
+server.port: {{ kibana_server_port }}
+
+#server.basePath: ""
+server.maxPayloadBytes: {{ kibana_max_payload_bytes }}
+server.name: {{ kibana_server_name }}
+server.host: {{ kibana_server_host }}
+{% if kibana_opendistro_security %}
+elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% else %}
+elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+{% endif %}
+
+elasticsearch.username: {{ opendistro_kibana_user }}
+elasticsearch.password: {{ opendistro_kibana_password }}
+elasticsearch.ssl.verificationMode: none
+
+elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
+opendistro_security.readonly_mode.roles: ["kibana_read_only"]
+
+# OpenDistro Security
+{% if kibana_opendistro_security %}
+server.ssl.enabled: true
+server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem"
+server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"
+{% endif %}
+
+newsfeed.enabled: {{ kibana_newsfeed_enabled }}
+telemetry.optIn: {{ kibana_telemetry_optin }}
+telemetry.enabled: {{ kibana_telemetry_enabled }}
+
+
--- a/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2
+++ b/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2
@ -0,0 +1,134 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2019 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-3.x-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api     : true
+#checks.setup   : true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci       : true
+#extensions.gdpr      : true
+#extensions.hipaa     : true
+#extensions.nist      : true
+#extensions.audit     : true
+#extensions.oscap     : false
+#extensions.ciscat    : false
+#extensions.aws       : false
+#extensions.virustotal: false
+#extensions.osquery   : false
+#extensions.docker    : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# ------------------------------ Advanced indices ------------------------------
+#
+# Configure .wazuh indices shards and replicas.
+#wazuh.shards          : 1
+#wazuh.replicas        : 0
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-3.x-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-3.x-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-3.x-*
+#
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+#  - <id>:
+#     url: http(s)://<url>
+#     port: <port>
+#     user: <user>
+#     password: <password>
+
+hosts:
+{% for api in wazuh_api_credentials %}
+  - {{ api['id'] }}:
+      url: {{ api['url'] }}
+      port: {{ api['port'] }}
+      user: {{ api['user'] }}
+      password: {{ api['password'] }}
+{% endfor %}