From 9fc2b1e3c493ecc33cf34a708b7b1362d989bb4c Mon Sep 17 00:00:00 2001 From: "Manuel J. Bernal" Date: Wed, 8 Apr 2020 17:38:44 +0200 Subject: [PATCH] Added opendistro tasks and templates --- .../defaults/main.yml | 69 ++++++++++- .../opendistro-elasticsearch/tasks/RedHat.yml | 115 ++++++++++++++++++ .../opendistro-elasticsearch/tasks/main.yml | 21 +--- .../templates/elasticsearch.yml.j2 | 22 ++++ .../templates/tlsconfig.yml.j2 | 47 +++++++ 5 files changed, 257 insertions(+), 17 deletions(-) create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 create mode 100644 roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index f6dd905b..f1bff651 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -2,6 +2,19 @@ # The OpenDistro version opendistro_version: 1.6.0 +elasticsearch_cluster_name: wazuh-cluster + +# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +minimum_master_nodes: 2 + +# Elasticsearch version +es_version: "7.3.2" +es_major_version: "7.x" + +# Configure hostnames for Elasticsearch nodes +# Example es1.example.com, es2.example.com +domain_name: example.com + # The OpenDistro package repository package_repos: yum: 
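Review bot: `es_version: "7.3.2"` here and `elastic_stack_version: 7.6.1` in the next hunk of this file pin two different Elasticsearch versions while the `opendistro_version: 1.6.0` line above is unchanged; neither variable is read by any task in this diff, so one of them is stale and should be dropped or aligned with the OpenDistro release that is actually installed. `minimum_master_nodes: 2` only reaches Elasticsearch through `discovery.zen.minimum_master_nodes` in the new elasticsearch.yml.j2, a setting the 7.x line no longer honours, so the comment `# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster` promises something the role does not deliver. `domain_name: example.com` ends up in the CN and DNS SAN of every certificate generated from tlsconfig.yml.j2; a comment such as `# Used for the CN/DNS SAN of the generated TLS certificates; must match the nodes' real FQDNs` would make clear it is not cosmetic.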
@@ -12,8 +25,60 @@ package_repos: baseurl: 'https://artifacts.elastic.co/packages/oss-7.x/yum' gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' +populate_inventory_to_hosts_file: true + +es_plugin_bin_path: /usr/share/elasticsearch/bin/elasticsearch-plugin +es_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig +es_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools + +es_nodes: |- + {% for item in groups['es-cluster'] -%} + {{ hostvars[item]['ip'] }}{% if not loop.last %}","{% endif %} + {%- endfor %} + # Security password opendistro_security_password: admin - # Set JVM memory limits -elasticsearch_jvm_xms: null \ No newline at end of file +opendistro_jvm_xms: null + +opendistro_http_port: 9200 +opendistro_network_host: 127.0.0.1 +opendistro_reachable_host: 127.0.0.1 +opendistro_jvm_xms: null +elastic_stack_version: 7.6.1 +opendistro_lower_disk_requirements: false + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-opendistro' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# Cluster Settings +single_node: true +opendistro_cluster_name: wazuh +opendistro_node_name: node-1 +opendistro_bootstrap_node: false +opendistro_node_master: false +opendistro_cluster_nodes: + - 127.0.0.1 +opendistro_discovery_nodes: + - 127.0.0.1 +opendistro_node_data: true +opendistro_node_ingest: true + +# X-Pack Security +opendistro_xpack_security: false +opendistro_xpack_security_user: elastic +opendistro_xpack_security_password: elastic_pass + +node_certs_generator: false +node_certs_source: /usr/share/elasticsearch +node_certs_destination: /etc/elasticsearch/certs + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" 
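Review bot: `opendistro_jvm_xms: null` is defined twice in this hunk, once directly under `# Set JVM memory limits` and again after `opendistro_reachable_host`; YAML parsers silently keep the last value, so one of the two lines should go. `opendistro_xpack_security_password: elastic_pass` adds a second default credential next to the existing `opendistro_security_password: admin`, and defaults ship to every consumer of the role, so both deserve a comment telling operators to override them, e.g. `# Default credential for a fresh install; override it in group_vars or a vault`. The new `elasticrepo.gpg` points at `https://artifacts.elastic.co/GPG-KEY-opendistro` while the context line above keeps `GPG-KEY-elasticsearch` on the same host; I cannot confirm from the diff that the OpenDistro signing key is served from that URL, so verify it resolves before package signature checks depend on it. The `es_nodes` block emits `","` between addresses so that the `["{{ es_nodes }}"]` in elasticsearch.yml.j2 closes each element, and it requires every host in `groups['es-cluster']` to carry an `ip` variable; both facts belong in a comment above it.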
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
index c212b007..64b48b7f 100644
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml
@@ -34,3 +34,118 @@ - name: RedHat/CentOS/Fedora | Install OpenDistro package: name=opendistroforelasticsearch-{{ opendistro_version }} state=present tags: install + +## Here we are going to use self-signed certificates for Transport (Node-Node communication) & REST API layer +## Using searchguard offline TLS tool to create node & root certificates +- name: RedHat/CentOS/Fedora | Create local temporary directory for certificates generation + local_action: + module: file + path: /tmp/opendistro-nodecerts + state: directory + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Download certificates generation tool + local_action: + module: get_url + url: https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/1.5/search-guard-tlstool-1.5.zip + dest: /tmp/opendistro-nodecerts/search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Extract the certificates generation tool + local_action: command chdir=/tmp/opendistro-nodecerts tar -xvf search-guard-tlstool.zip + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Add the execution bit to the binary + local_action: + module: file + dest: /tmp/opendistro-nodecerts/tools/sgtlstool.sh + mode: a+x + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Prepare the certificates generation template file + local_action: + module: template + src: tlsconfig.yml + dest: /tmp/opendistro-nodecerts/config/tlsconfig.yml + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Generate the node & admin certificates in local + local_action: + module: command /tmp/opendistro-nodecerts/tools/sgtlstool.sh -c /tmp/opendistro-nodecerts/config/tlsconfig.yml -ca -crt -t /tmp/opendistro-nodecerts/config/ + run_once: true + when: install.changed + +- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster + copy: + src: "/tmp/opendistro-nodecerts/config/{{ item }}" 
+ dest: /etc/elasticsearch/
+ mode: 0644
+ with_items:
+ - root-ca.pem
+ - root-ca.key
+ - "{{ inventory_hostname }}.key"
+ - "{{ inventory_hostname }}.pem"
+ - "{{ inventory_hostname }}_http.key"
+ - "{{ inventory_hostname }}_http.pem"
+ - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
+ - admin.key
+ - admin.pem
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster
+ blockinfile:
+ block: "{{ lookup('file', '/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
+ dest: "{{ conf_dir }}/elasticsearch.yml"
+ backup: yes
+ insertafter: EOF
+ marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file
+ command: sed -i 's/searchguard/opendistro_security/g' {{ conf_dir }}/elasticsearch.yml
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration
+ systemd:
+ name: elasticsearch
+ state: restarted
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template
+ template:
+ src: internal_users.yml
+ dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml"
+ mode: 0644
+ run_once: true
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Set the Admin user password
+ shell: >
+ sed -i 's,{{ admin_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password }} | tail -1)','
+ {{ es_sec_plugin_conf_path }}/internal_users.yml
+ run_once: true
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword
+ shell: >
+ sed -i 's,{{ kibanaserver_password }},'$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password }} | tail -1)','
+ {{ es_sec_plugin_conf_path }}/internal_users.yml
+ run_once: true
+ when: install.changed
+
+- name: RedHat/CentOS/Fedora | Initialize the 
opendistro security index in elasticsearch + shell: > + sh {{ es_sec_plugin_tools_path }}/securityadmin.sh + -cacert {{ conf_dir }}/root-ca.pem + -cert {{ conf_dir }}/admin.pem + -key {{ conf_dir }}/admin.key + -cd {{ es_sec_plugin_conf_path }}/ + -nhnv -icl + -h {{ hostvars[inventory_hostname]['ip'] }} + run_once: true + when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index b58afe7a..9f4c438c 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -11,7 +11,8 @@ dest: /etc/elasticsearch/jvm.options owner: root group: elasticsearch - mode: 0660 + mode: 0644 + force: yes notify: restart elasticsearch tags: configure @@ -20,6 +21,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" +- name: Copy Configuration File + template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml group=elasticsearch mode=0644 backup=yes + register: system_change + notify: restart elasticsearch - name: Ensure Elasticsearch started and enabled service: @@ -42,17 +47,3 @@ - import_tasks: "RMDebian.yml" when: ansible_os_family == "Debian" -- name: Wait for Elasticsearch API - uri: - url: "https://localhost:9200/_cluster/health/" - user: "admin" # Default Elasticsearch user is always "elastic" - password: "{{ opendistro_security_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 new file mode 100644 index 00000000..6b025674 --- /dev/null +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
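Review bot: The "Copy the node & admin certificates" task pushes `root-ca.key`, the node keys and `admin.key` to every node with `mode: 0644`, so they are readable by any account that can traverse `/etc/elasticsearch/` (the directory mode is not set anywhere in this diff), and the CA private key has no reason to leave the controller at all unless the generated config snippet references it; split certificates from keys as below, give keys `0640` with the `elasticsearch` group, and drop `root-ca.key` from the list. The tool that mints those keys is fetched with `get_url` and no `checksum:`, so add `checksum: "sha256:<expected-digest-of-search-guard-tlstool-1.5.zip>"` to the download task so a replaced archive cannot silently produce the cluster's CA. The two `hash.sh` tasks put `{{ admin_password }}` and `{{ kibanaserver_password }}` on a shell command line with no `no_log: true`, which lands them in the Ansible log and in the process list on the node, and neither variable is defined in defaults/main.yml by this diff, which only defines `opendistro_security_password`. `src: tlsconfig.yml` names the template without the `.j2` suffix the new file carries (the same applies to `src=elasticsearch.yml` in tasks/main.yml); as far as I know the template lookup does not append the extension, so confirm it or use `src: tlsconfig.yml.j2`. Every new task is guarded by `when: install.changed`, but the three context lines of the install task show no `register: install`; if nothing earlier in the file registers it, all of them fail on an undefined variable.
```yaml
- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
  copy:
    src: "/tmp/opendistro-nodecerts/config/{{ item }}"
    dest: /etc/elasticsearch/
    owner: root
    group: elasticsearch
    mode: "0644"
  with_items:
    - root-ca.pem
    - "{{ inventory_hostname }}.pem"
    - "{{ inventory_hostname }}_http.pem"
    - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
    - admin.pem
  when: install.changed

# Private keys are readable by the service group only; root-ca.key stays on the controller
- name: RedHat/CentOS/Fedora | Copy the node & admin private keys to Elasticsearch cluster
  copy:
    src: "/tmp/opendistro-nodecerts/config/{{ item }}"
    dest: /etc/elasticsearch/
    owner: root
    group: elasticsearch
    mode: "0640"
  with_items:
    - "{{ inventory_hostname }}.key"
    - "{{ inventory_hostname }}_http.key"
    - admin.key
  when: install.changed
```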
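Review bot: `force: yes` in the jvm.options hunk uses a YAML 1.1 truthy spelling; the rest of the role writes booleans as `true`/`false`, so write `force: true`. The mode change from `0660` to `0644` widens read access to `/etc/elasticsearch/jvm.options`, which holds no secrets, but the literal is an unquoted octal that only works because `0644` parses to the same number Ansible expects; `mode: "0644"` is the documented form.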
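Review bot: The new "Copy Configuration File" task writes `{{conf_dir}}/elasticsearch.yml` from the template, and if tasks/RedHat.yml is imported above this point (its install task has to run before the service is started, and the import is not visible in this diff) that overwrites the file RedHat.yml just extended with the certificate snippet via `blockinfile`, losing the node and admin DN configuration; either this task has to run before the RedHat tasks or the snippet has to be part of the template. The task is also written as a key=value string (`template: src=elasticsearch.yml dest={{conf_dir}}/elasticsearch.yml ... backup=yes`) while its neighbours use block YAML, its `src` lacks the `.j2` suffix of the file this commit adds, and the registered `system_change` is not read anywhere in the diff. A block-form rewrite makes those points easy to check:
```yaml
- name: Copy Configuration File
  template:
    src: elasticsearch.yml.j2  # matches the file added by this commit
    dest: "{{ conf_dir }}/elasticsearch.yml"
    group: elasticsearch
    mode: "0644"
    backup: true
  notify: restart elasticsearch
```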
@@ -0,0 +1,22 @@
+cluster.name: "{{ elasticsearch_cluster_name }}"
+
+node.name: "{{ inventory_hostname }}"
+
+path.data: /var/lib/elasticsearch
+
+path.logs: /var/log/elasticsearch
+
+network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
+
+http.port: "{{ opendistro_http_port }}"
+
+discovery.seed_hosts: ["{{ es_nodes }}"]
+
+cluster.initial_master_nodes: ["{{ es_nodes }}"]
+
+discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
new file mode 100644
index 00000000..85792a6a
--- /dev/null
+++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2
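Review bot: `discovery.zen.minimum_master_nodes` is a 6.x setting that the 7.x versions pinned in defaults/main.yml no longer honour; `cluster.initial_master_nodes` two lines above is what 7.x uses for bootstrap, so the zen line only produces a deprecation warning and can be dropped. `discovery.seed_hosts` and `cluster.initial_master_nodes` get a JSON array only because `es_nodes` in the defaults emits `","` between addresses and the `["…"]` here closes each element; `["{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list | join('", "') }}"]` or `{{ groups['es-cluster'] | map('extract', hostvars, 'ip') | list | to_json }}` builds the same list in one place without the cross-file quoting trick. The template also reads `hostvars[inventory_hostname]['ip']` for `network.host`, so every inventory host needs an `ip` variable that nothing in the diff documents, while the `opendistro_network_host`, `opendistro_cluster_nodes`, `opendistro_discovery_nodes` and `single_node` defaults added in the same commit are never consulted here. `opendistro_security.allow_default_init_securityindex: true` lets the first node that starts seed the security index from whatever is in the securityconfig directory at that moment, so the order between the first start and the `internal_users.yml` template in tasks/RedHat.yml decides which credentials the cluster comes up with; a comment stating that dependency would help the next reader.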
@@ -0,0 +1,47 @@
+ca:
+ root:
+ dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ keysize: 2048
+ validityDays: 730
+ pkPassword: none
+ file: root-ca.pem
+
+### Default values and global settings
+defaults:
+ validityDays: 730
+ pkPassword: none
+ # Set this to true in order to generate config and certificates for
+ # the HTTP interface of nodes
+ httpsEnabled: true
+ reuseTransportCertificatesForHttp: false
+ verifyHostnames: false
+ resolveHostnames: false
+
+
+###
+### Nodes
+###
+#
+# Specify the nodes of your ES cluster here
+#
+nodes:
+{% for item in groups['es-cluster'] %}
+ - name: {{ item }}
+ dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ dns: {{ item }}.{{ domain_name }}
+ ip: {{ hostvars[item]['ip'] }}
+{% endfor %}
+
+###
+### Clients
+###
+#
+# Specify the clients that shall access your ES cluster with certificate authentication here
+#
+# At least one client must be an admin user (i.e., a super-user). Admin users can
+# be specified with the attribute admin: true
+clients:
+ - name: admin
+ dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ admin: true
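Review bot: `validityDays: 730` applies to the CA and to every node and admin certificate, but the generation tasks in tasks/RedHat.yml run only `when: install.changed`, so nothing in the role ever renews them and transport and HTTP TLS stop working two years after the first install; either document the rotation procedure in a comment at the top of this template or make generation conditional on the certificates being absent or near expiry instead of on the package task. `verifyHostnames: false` turns off hostname verification in the node configuration the tool emits (as far as I recall it maps to the security plugin's `enforce_hostname_verification`), even though each node entry already carries the matching `dns:` and `ip:` SANs, so `verifyHostnames: true` should work as written and stops a node from accepting any peer that merely holds a certificate from the same CA. `pkPassword: none` on the `ca.root` entry leaves the CA private key unencrypted in the controller's `/tmp/opendistro-nodecerts`, which the RedHat tasks create but never remove; at minimum that directory should be deleted once the copies are done. The hunk header announces 47 lines while 46 are visible here, so the file may end with one more line outside this view.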