From 9591e6be3dd6e53e3ed7bc81cee99e1bba9a6043 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Thu, 31 Mar 2022 14:52:35 -0300 Subject: [PATCH] Certificates permissions updated --- .../ansible-filebeat-oss/tasks/security_actions.yml | 4 ++-- .../wazuh/wazuh-dashboard/tasks/security_actions.yml | 12 +++++++++++- roles/wazuh/wazuh-indexer/tasks/security_actions.yml | 12 ++++++++++-- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml index c9b90070..e4fe6c41 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -6,7 +6,7 @@ state: directory owner: root group: root - mode: 0774 + mode: 500 - name: Copy the certificates from local to the Manager instance copy: @@ -14,7 +14,7 @@ dest: "{{ filebeat_ssl_dir }}" owner: root group: root - mode: 0644 + mode: 400 with_items: - "{{ filebeat_node_name }}-key.pem" - "{{ filebeat_node_name }}.pem" diff --git a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml index b2df81cb..6c81dbad 100644 --- a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml +++ b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml @@ -1,10 +1,20 @@ - block: + - name: Ensure Indexer certificates directory permissions. + file: + path: "/etc/wazuh-dashboard/certs/" + state: directory + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 500 + - name: Copy the certificates from local to the Wazuh dashboard instance copy: src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" dest: /etc/wazuh-dashboard/certs/ - mode: 0644 + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 0400 with_items: - "root-ca.pem" - "{{ dashboard_node_name }}-key.pem" 
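Review bot: In the first filebeat hunk the new `mode: 500` is a bare YAML integer, and Ansible's file module passes an int through as a decimal mode, so the certificate directory ends up as 0o764 (rwxrw-r--) rather than the intended owner-only 0500 — group-writable and world-listable. The old value `0774` had a leading zero and was parsed as octal, which is why this did not bite before. Write it as a string, `mode: "0500"`, or at least `mode: 0500`, as the other roles in this same commit do with `0400`. With the directory at 0500 owned by root the subsequent copy only works because the play runs as root, which is presumably the case but not visible in the hunk.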
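Review bot: In the second filebeat hunk `mode: 400` has the same problem and is the more dangerous instance: the integer 400 is applied as decimal, i.e. 0o620 (rw--w----), so `{{ filebeat_node_name }}-key.pem` becomes writable by the root group instead of owner-read-only. The previous `0644` was at least the permission the author thought they were setting. Change it to `mode: "0400"`; quoting also keeps the value a string through any later templating. ansible-lint's risky-octal rule would catch both of these if it is run in CI.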
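Review bot: In the wazuh-dashboard hunk the new directory task uses `mode: 500` while the file task below it uses `0400`; the unquoted `500` is a decimal integer to Ansible and yields 0o764 on `/etc/wazuh-dashboard/certs/`, so the directory is group-writable and world-listable rather than owner-only as intended. Use `mode: "0500"` so both tasks agree and the value is unambiguous. Separately, the task name `Ensure Indexer certificates directory permissions.` in this role looks copy-pasted from the indexer role and should say `Ensure Dashboard certificates directory permissions.`. Whether the enclosing `block:` elevates privileges is not visible here; with the directory owned by `wazuh-dashboard` at 0500, the copy task needs to run as root to succeed.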
diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml index 5a556af6..61efbe5c 100644 --- a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml +++ b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml @@ -19,13 +19,21 @@ when: - hostvars[inventory_hostname]['private_ip'] is not defined +- name: Ensure Indexer certificates directory permissions. + file: + path: "{{ indexer_conf_path }}/certs/" + state: directory + owner: wazuh-indexer + group: wazuh-indexer + mode: 500 - name: Copy the node & admin certificates to Wazuh indexer cluster copy: src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" dest: "{{ indexer_conf_path }}/certs/" - mode: 0644 - become: yes + owner: wazuh-indexer + group: wazuh-indexer + mode: 0400 with_items: - root-ca.pem - root-ca.key
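Review bot: The added directory task uses `mode: 500`, which YAML reads as the decimal integer 500 and Ansible applies as 0o764 (rwxrw-r--) on `{{ indexer_conf_path }}/certs/` — not the owner-only 0500 the task name implies, and weaker than the `0400` the copy task below correctly uses for the files including `root-ca.key`. Change it to `mode: "0500"`. This hunk also drops `become: yes` from the copy task while adding `owner: wazuh-indexer`; unless the play or role already runs with become (not visible in the hunk), copying into a 0500 directory and chowning to a service account will now fail, so either keep `become: true` on both new and existing tasks or confirm privilege escalation is set at the play level.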