Merge branch 'feature-lint-role-opendistro'

neonmei 2020-11-12 13:07:15 -03:00
commit b2723f69e3
No known key found for this signature in database
GPG Key ID: 7EA1832E7E17237E
3 changed files with 27 additions and 22 deletions


@ -70,3 +70,5 @@ opendistro_kibana_password: changeme
# Deployment settings # Deployment settings
generate_certs: true generate_certs: true
perform_installation: true perform_installation: true
opendistro_nolog_sensible: true
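Review bot: The new default `opendistro_nolog_sensible: true` has no comment saying what it controls, and turning it off has a security effect. Elsewhere in this commit it feeds `no_log` on the two password-hashing tasks, so setting it to false puts the admin and kibanaserver passwords into Ansible output and any log that captures that output. I would add a comment above it, for example `# Hide output of tasks that handle passwords (no_log); set to false only while debugging`. The name presumably means "sensitive" rather than "sensible", and renaming it now would be cheaper than after playbooks start overriding it.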


@ -14,6 +14,7 @@
- name: Local action | Create local temporary directory for certificates generation - name: Local action | Create local temporary directory for certificates generation
file: file:
path: "{{ local_certs_path }}" path: "{{ local_certs_path }}"
mode: 0755
state: directory state: directory
- name: Local action | Check that the generation tool exists - name: Local action | Check that the generation tool exists
@ -41,6 +42,7 @@
template: template:
src: "templates/tlsconfig.yml.j2" src: "templates/tlsconfig.yml.j2"
dest: "{{ local_certs_path }}/config/tlsconfig.yml" dest: "{{ local_certs_path }}/config/tlsconfig.yml"
mode: 0644
register: tlsconfig_template register: tlsconfig_template
- name: Create a directory if it does not exist - name: Create a directory if it does not exist
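Review bot: `mode: 0755` on the local certificate directory leaves it readable and traversable by every user on the controller. The task name says the directory is used for certificate generation, so private keys are presumably written below it; if so, `mode: "0700"` is the safer default. Whether `tlsconfig.yml` can stay at `0644` depends on whether the template carries secret values, which is not visible here. Both modes are written as bare octal literals, which Ansible accepts, but quoting them (`mode: "0755"`) removes any dependence on YAML integer parsing. The template task begins above the second hunk.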


@ -60,10 +60,12 @@
- name: Copy the OpenDistro security configuration file to cluster - name: Copy the OpenDistro security configuration file to cluster
blockinfile: blockinfile:
block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}" block: "{{ lookup('file', snippet_path ) }}"
dest: "{{ opendistro_conf_path }}/elasticsearch.yml" dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
insertafter: EOF insertafter: EOF
marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
vars:
snippet_path: '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml'
- name: Prepare the OpenDistro security configuration file - name: Prepare the OpenDistro security configuration file
replace: replace:
@ -85,35 +87,34 @@
run_once: true run_once: true
- name: Hashing the custom admin password - name: Hashing the custom admin password
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301
register: opendistro_admin_password_hashed register: opendistro_admin_password_hashed
run_once: true no_log: '{{ opendistro_nolog_sensible | bool }}'
- name: Filtering hash result in case java path is not defined
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is defined
run_once: true
- name: Setting admin hash result
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is not defined
run_once: true run_once: true
- name: Set the Admin user password - name: Set the Admin user password
replace: replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)' regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}"
run_once: true run_once: true
- name: Set the kibanaserver role/user pasword # this can also be achieved with password_hash, but it requires dependencies on the controller
shell: > - name: Hash the kibanaserver role/user pasword
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml register: opendistro_kibanaserver_password_hashed
no_log: '{{ opendistro_nolog_sensible | bool }}'
run_once: true
- name: Set the kibanaserver user password
replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}"
run_once: true run_once: true
- name: Initialize the OpenDistro security index in elasticsearch - name: Initialize the OpenDistro security index in elasticsearch
@ -125,7 +126,7 @@
-cd {{ opendistro_sec_plugin_conf_path }}/ -cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl -nhnv -icl
-h {{ target_address }} -h {{ target_address }}
run_once: true run_once: true # noqa 301
- name: Create custom user - name: Create custom user
uri: uri:
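Review bot: Both hashing tasks still pass the cleartext password as an argument (`hash.sh -p {{ opendistro_admin_password }}` and the kibanaserver equivalent), so it is visible in the process list on the target host while the tool runs; `no_log` only hides it from Ansible's own output. If the shipped `hash.sh` can read the password from an environment variable (the Hasher tool has an `-env` option in some releases; confirm for the installed version), supplying it through the task's `environment:` keyword keeps it off the command line. Separately, `stdout_lines | last` is written into `internal_users.yml` unchecked, and `quote` is a shell-quoting filter being used to produce a YAML value; an `assert` that the last line looks like a hash before each `replace` would stop a warning or error line from becoming the stored credential. Replacing `# noqa 301` with `changed_when: false` on the two hashing tasks would state the intent instead of suppressing the lint rule. The "Create custom user" task at the end of the last hunk continues outside it.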