roles/opendistro-elasticsearch: remove use of command module with sed and change it to the replace module. Also add no_log, guarded by opendistro_nolog_sensible, to the tasks to avoid outputting non-hashed passwords in the deploy log

neonmei 2020-11-12 11:04:32 -03:00
parent 15f15170f3
commit c0d48e3ad4
No known key found for this signature in database
GPG Key ID: 7EA1832E7E17237E


@ -87,35 +87,34 @@
run_once: true run_once: true
- name: Hashing the custom admin password - name: Hashing the custom admin password
command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301
register: opendistro_admin_password_hashed register: opendistro_admin_password_hashed
run_once: true no_log: '{{ opendistro_nolog_sensible | bool }}'
- name: Filtering hash result in case java path is not defined
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is defined
run_once: true
- name: Setting admin hash result
set_fact:
opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
when:
- opendistro_admin_password_hashed.stdout_lines[1] is not defined
run_once: true run_once: true
- name: Set the Admin user password - name: Set the Admin user password
replace: replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)' regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}"
run_once: true run_once: true
- name: Set the kibanaserver role/user pasword # this can also be achieved with password_hash, but it requires dependencies on the controller
shell: > - name: Hash the kibanaserver role/user pasword
sed -i 's,{{ opendistro_kibana_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }} | tail -1)',' command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301
{{ opendistro_sec_plugin_conf_path }}/internal_users.yml register: opendistro_kibanaserver_password_hashed
no_log: '{{ opendistro_nolog_sensible | bool }}'
run_once: true
- name: Set the kibanaserver user password
replace:
path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
replace: "{{ odfe_password_hash | quote }}"
vars:
odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}"
run_once: true run_once: true
- name: Initialize the OpenDistro security index in elasticsearch - name: Initialize the OpenDistro security index in elasticsearch
@ -127,7 +126,7 @@
-cd {{ opendistro_sec_plugin_conf_path }}/ -cd {{ opendistro_sec_plugin_conf_path }}/
-nhnv -icl -nhnv -icl
-h {{ target_address }} -h {{ target_address }}
run_once: true run_once: true # noqa 301
- name: Create custom user - name: Create custom user
uri: uri:
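Review bot: The two hash.sh tasks in the first hunk ("Hashing the custom admin password" and "Hash the kibanaserver role/user pasword") still interpolate the cleartext password unquoted into the `command:` string, so a password containing whitespace or quote characters is split or altered before hash.sh receives it, and the hash written to internal_users.yml would not match the intended password. Quoting the argument avoids that: `command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password | quote }}"`, and the same for `opendistro_kibana_password`. The added `no_log` only keeps the value out of Ansible's output; as a process argument the password is still visible in the target host's process list while hash.sh runs, so if the installed hash.sh can take the password from the environment or stdin (not visible from this hunk), that would be the better channel. In the two `replace:` tasks, `| quote` is shell quoting being used to produce a YAML scalar; it wraps a hash containing `$` in single quotes, but an explicit `replace: "'{{ odfe_password_hash }}'"` would state the intent and not depend on the hash's character set.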