afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #337 from wazuh/devel

Browse Source 
Wazuh Release 3.11.0_7.5.1
This commit is contained in:
Jose M. Garcia 2019-12-26 14:54:06 +01:00 committed by GitHub
commit c5a36f58d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
40 changed files with 1195 additions and 411 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
CHANGELOG.md Normal file → Executable file
View File

@ -1,6 +1,56 @@
# Change Log
All notable changes to this project will be documented in this file.
## [v3.11.0_7.5.1]
### Added
- Update to Wazuh v3.11.0
- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302)
- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252)
- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261)
- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270)
- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260)
- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281)
- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292)
### Changed
- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285)
- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286)
- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288)
- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304)
- Agent installation task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310)
- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320)
- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330)
- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329)
### Fixed
- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251)
- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298)
- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299)
- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
## [v3.10.2_7.3.2]
### Added

4
VERSION
View File

@ -1,2 +1,2 @@
WAZUH-ANSIBLE_VERSION="v3.10.2"
REVISION="31020"
WAZUH-ANSIBLE_VERSION="v3.11.0"
REVISION="31100"

8
playbooks/wazuh-elastic_stack-single.yml
View File

@ -1,6 +1,8 @@
---
- hosts: <your server host>
roles:
- {role: ../roles/wazuh/ansible-wazuh-manager}
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
- { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }
- {role: ../roles/wazuh/ansible-wazuh-manager}
- role: ../roles/wazuh/ansible-filebeat
filebeat_output_elasticsearch_hosts: localhost:9200
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '0.0.0.0', single_node: true}
- { role: ../roles/elastic-stack/ansible-kibana, elasticsearch_network_host: '0.0.0.0', elasticsearch_reachable_host: 'localhost' }

82
roles/elastic-stack/ansible-elasticsearch/README.md
View File

@ -13,6 +13,8 @@ This role will work on:
* Debian
* Ubuntu
For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master.
Role Variables
--------------
@ -46,13 +48,89 @@ Example Playbook
- hosts: 172.16.0.162
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.162', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- hosts: 172.16.0.163
roles:
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_master_candidate: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
- {role: ../roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: '172.16.0.163', elasticsearch_node_master: true, elasticsearch_cluster_nodes: ['172.16.0.162','172.16.0.163','172.16.0.161']}
```
- Three nodes Elasticsearch cluster with XPack security
```
---
- hosts: elastic-1
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.111
elasticsearch_node_name: node-1
single_node: false
elasticsearch_node_master: true
elasticsearch_bootstrap_node: true
elasticsearch_cluster_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
elasticsearch_xpack_security: true
node_certs_generator: true
node_certs_generator_ip: 172.16.0.111
vars:
instances:
node-1:
name: node-1
ip: 172.16.0.111
node-2:
name: node-2
ip: 172.16.0.112
node-3:
name: node-3
ip: 172.16.0.113
- hosts: elastic-2
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.112
elasticsearch_node_name: node-2
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
- hosts: elastic-3
roles:
- role: ../roles/elastic-stack/ansible-elasticsearch
elasticsearch_network_host: 172.16.0.113
elasticsearch_node_name: node-3
single_node: false
elasticsearch_xpack_security: true
elasticsearch_node_master: true
node_certs_generator_ip: 172.16.0.111
elasticsearch_discovery_nodes:
- 172.16.0.111
- 172.16.0.112
- 172.16.0.113
vars:
elasticsearch_xpack_users:
anne:
password: 'PasswordHere'
roles: '["kibana_user", "monitoring_user"]'
jack:
password: 'PasswordHere'
roles: '["superuser"]'
```
It is possible to define users directly on the playbook, these must be defined on a variable `elasticsearch_xpack_users` on the last node of the cluster as in the example.
License and copyright
---------------------

18
roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
View File

@ -1,20 +1,24 @@
---
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_http_port: 9200
elasticsearch_network_host: 127.0.0.1
elasticsearch_reachable_host: 127.0.0.1
elasticsearch_jvm_xms: null
elastic_stack_version: 7.4.2
elastic_stack_version: 7.5.1
elasticsearch_lower_disk_requirements: false
# Cluster Settings
single_node: true
elasticsearch_cluster_name: wazuh
elasticsearch_node_name: node-1
elasticsearch_bootstrap_node: false
elasticsearch_master_candidate: false
elasticsearch_node_master: false
elasticsearch_cluster_nodes:
- 127.0.0.1
elasticsearch_discovery_nodes:
- 127.0.0.1
elasticsearch_node_data: true
elasticsearch_node_ingest: true
# X-Pack Security
elasticsearch_xpack_security: false
@ -25,15 +29,9 @@ node_certs_generator: false
node_certs_source: /usr/share/elasticsearch
node_certs_destination: /etc/elasticsearch/certs
# CA generation
master_certs_path: /es_certs
generate_CA: true
ca_key_name: ""
ca_cert_name: ""
ca_password: ""

2
roles/elastic-stack/ansible-elasticsearch/tasks/Debian.yml
View File

@ -38,7 +38,7 @@
apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
state: present
filename: 'elastic_repo'
filename: 'elastic_repo_7'
update_cache: true
changed_when: false

2
roles/elastic-stack/ansible-elasticsearch/tasks/RedHat.yml
View File

@ -2,7 +2,7 @@
- name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository:
name: elastic_repo
name: elastic_repo_7
description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/7.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch

33
roles/elastic-stack/ansible-elasticsearch/tasks/main.yml
View File

@ -109,7 +109,7 @@
- init
- name: Make sure Elasticsearch is running before proceeding
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
wait_for: host={{ elasticsearch_reachable_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400
tags:
- configure
- init
@ -119,3 +119,34 @@
- import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"
- name: Wait for Elasticsearch API
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_cluster/health/"
user: "elastic" # Default Elasticsearch user is always "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until: ( _result.json is defined) and (_result.json.status == "green")
retries: 24
delay: 5
when:
- elasticsearch_xpack_users is defined
- name: Create elasticsearch users
uri:
url: "https://{{ node_certs_generator_ip }}:{{ elasticsearch_http_port }}/_security/user/{{ item.key }}"
method: POST
body_format: json
user: "elastic"
password: "{{ elasticsearch_xpack_security_password }}"
body: '{ "password" : "{{ item.value["password"] }}", "roles" : {{ item.value["roles"] }} }'
validate_certs: no
loop: "{{ elasticsearch_xpack_users|default({})|dict2items }}"
register: http_response
failed_when: http_response.status != 200
when:
- elasticsearch_xpack_users is defined

45
roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml
View File

@ -1,12 +1,4 @@
- name: Install unzip dependency.
package:
name: unzip
state: present
delegate_to: "127.0.0.1"
when:
- node_certs_generator
- name: Check if certificate exists locally
stat:
path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
@ -68,7 +60,9 @@
- node_certs_generator
- not xpack_certs_zip.stat.exists
- generate_CA
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
command: >-
@ -82,7 +76,9 @@
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length == 0
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
command: >-
@ -96,7 +92,9 @@
- not xpack_certs_zip.stat.exists
- not generate_CA
- ca_password | length > 0
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Verify the Elastic certificates directory
file:
@ -124,7 +122,9 @@
mode: 0700
when:
- node_certs_generator
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Delete certs.zip in Generator node
file:
@ -132,16 +132,18 @@
path: "{{ node_certs_source }}/certs.zip"
when:
- node_certs_generator
tags: molecule-idempotence-notest
- name: Unzip generated certs.zip
unarchive:
src: "{{ master_certs_path }}/certs.zip"
dest: "{{ master_certs_path }}/"
become: true
delegate_to: "127.0.0.1"
when:
- node_certs_generator
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master
copy:
@ -153,7 +155,9 @@
- "{{ master_certs_path }}/ca/ca.crt"
when:
- generate_CA
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Copying node's certificate from master (Custom CA)
copy:
@ -165,7 +169,9 @@
- "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
when:
- not generate_CA
tags: xpack-security
tags:
- xpack-security
- molecule-idempotence-notest
- name: Ensuring folder permissions
file:
@ -179,8 +185,11 @@
tags: xpack-security
- name: Set elasticsearch bootstrap password
shell: >-
set -o pipefail;
shell: |
set -o pipefail
echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
args:
executable: /bin/bash
when:
- node_certs_generator
tags: molecule-idempotence-notest

16
roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2
View File

@ -20,16 +20,28 @@ discovery.seed_hosts:
- {{ item }}
{% endfor %}
{% else %}
node.master: {{ elasticsearch_master_candidate|lower }}
node.master: {{ elasticsearch_node_master|lower }}
{% if elasticsearch_node_data|lower == 'false' %}
node.data: false
{% endif %}
{% if elasticsearch_node_ingest|lower == 'false' %}
node.ingest: false
{% endif %}
discovery.seed_hosts:
{% for item in elasticsearch_discovery_nodes %}
- {{ item }}
{% endfor %}
{% endif %}
# XPACK Security
{% if elasticsearch_lower_disk_requirements %}
cluster.routing.allocation.disk.threshold_enabled: true
cluster.routing.allocation.disk.watermark.flood_stage: 200mb
cluster.routing.allocation.disk.watermark.low: 500mb
cluster.routing.allocation.disk.watermark.high: 300mb
{% endif %}
{% if elasticsearch_xpack_security %}
# XPACK Security
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate

10
roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2
View File

@ -4,10 +4,14 @@
{% if node_certs_generator %}
instances:
{% for (key,value) in instances.iteritems() %}
{% for (key,value) in instances.items() %}
- name: "{{ value.name }}"
{% if value.ip is defined and value.ip | length > 0 %}
ip:
- "{{ value.ip }}"
{% endfor %}
{% elif value.dns is defined and value.dns | length > 0 %}
dns:
- "{{ value.dns }}"
{% endif %}
{% endfor %}
{% endif %}

15
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
elastic_stack_version: 7.4.2
wazuh_version: 3.10.2
elastic_stack_version: 7.5.1
wazuh_version: 3.11.0
wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
# Xpack Security
@ -23,3 +23,14 @@ node_certs_destination: /etc/kibana/certs
master_certs_path: /es_certs
generate_CA: true
ca_cert_name: ""
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_8.x"
# Build from sources
build_from_sources: false
wazuh_plugin_branch: 3.10-7.4

2
roles/elastic-stack/ansible-kibana/tasks/Debian.yml
View File

@ -17,7 +17,7 @@
apt_repository:
repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
state: present
filename: 'elastic_repo'
filename: 'elastic_repo_7'
update_cache: true
changed_when: false

2
roles/elastic-stack/ansible-kibana/tasks/RedHat.yml
View File

@ -1,7 +1,7 @@
---
- name: RedHat/CentOS/Fedora | Install Elastic repo
yum_repository:
name: elastic_repo
name: elastic_repo_7
description: Elastic repository for 7.x packages
baseurl: https://artifacts.elastic.co/packages/7.x/yum
gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch

77
roles/elastic-stack/ansible-kibana/tasks/build_wazuh_plugin.yml Normal file
View File

@ -0,0 +1,77 @@
---
- name: Ensure the Git package is present
package:
name: git
state: present
- name: Modify repo url if host is in Debian family
set_fact:
node_js_repo_type: deb
when:
- ansible_os_family | lower == "debian"
- name: Download script to install Nodejs repository
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: "/tmp/setup_nodejs_repo.sh"
mode: "0700"
- name: Execute downloaded script to install Nodejs repo
command: /tmp/setup_nodejs_repo.sh
register: node_repo_installation_result
changed_when: false
- name: Install Nodejs
package:
name: nodejs
state: present
- name: Install yarn dependency to build the Wazuh Kibana Plugin
# Using shell due to errors when evaluating text between @ with command
shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305
register: install_yarn_result
changed_when: install_yarn_result == 0
- name: Remove old wazuh-kibana-app git directory
file:
path: /tmp/app
state: absent
changed_when: false
- name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth
command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303
register: clone_app_repo_result
changed_when: false
args:
chdir: "/tmp"
- name: Executing yarn to build the package
command: "{{ item }}"
with_items:
- "yarn"
- "yarn build"
register: yarn_execution_result
changed_when: false
args:
chdir: "/tmp/app/"
- name: Obtain name of generated package
shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'"
register: wazuhapp_package_name
changed_when: false
args:
chdir: "/tmp/app/build"
- name: Install Wazuh Plugin (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }}"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args:
executable: /bin/bash
creates: /usr/share/kibana/plugins/wazuh/package.json
become: yes
become_user: kibana
notify: restart kibana
tags:
- install
- skip_ansible_lint

46
roles/elastic-stack/ansible-kibana/tasks/main.yml
View File

@ -1,4 +1,13 @@
---
- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible
fail:
msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924"
when:
- build_from_sources
- ansible_distribution == "Debian"
- ansible_distribution_major_version == "10"
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
@ -74,28 +83,43 @@
tags: configure
- name: Checking Wazuh-APP version
shell: |
set -o pipefail
grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json | xargs echo
shell: >-
grep -c -E 'version.*{{ elastic_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json
args:
executable: /bin/bash
removes: /usr/share/kibana/plugins/wazuh/package.json
register: wazuh_app_verify
changed_when: false
tags: install
failed_when:
- wazuh_app_verify.rc != 0
- wazuh_app_verify.rc != 1
- name: Removing old Wazuh-APP
command: /usr/share/kibana/bin/kibana-plugin remove wazuh
when: wazuh_app_verify.stdout == "0"
command: /usr/share/kibana/bin/kibana-plugin --allow-root remove wazuh
when: wazuh_app_verify.rc == 1
tags: install
- name: Removing bundles
file: path=/usr/share/kibana/optimize/bundles state=absent
when: wazuh_app_verify.stdout == "0"
file:
path: /usr/share/kibana/optimize/bundles
state: absent
when: wazuh_app_verify.rc == 1
tags: install
- name: Install Wazuh-APP (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
- name: Explicitly starting Kibana to generate "wazuh-"
service:
name: kibana
state: started
- name: Build and Install Wazuh Kibana Plugin from sources
import_tasks: build_wazuh_plugin.yml
when:
- build_from_sources is defined
- build_from_sources
- name: Install Wazuh Plugin (can take a while)
shell: "/usr/share/kibana/bin/kibana-plugin install {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}.zip"
environment:
NODE_OPTIONS: "--max-old-space-size=3072"
args:
@ -107,6 +131,8 @@
tags:
- install
- skip_ansible_lint
when:
- not build_from_sources
- name: Reload systemd configuration
systemd:

2
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,5 +1,5 @@
---
filebeat_version: 7.4.2
filebeat_version: 7.5.1
filebeat_create_config: true

8
roles/wazuh/ansible-filebeat/tasks/main.yml
View File

@ -1,8 +1,8 @@
---
- import_tasks: RedHat.yml
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: CentOS/RedHat | Install Filebeat.
@ -116,8 +116,8 @@
state: started
enabled: true
- import_tasks: "RMRedHat.yml"
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- import_tasks: "RMDebian.yml"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

56
roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2
View File

@ -1,58 +1,24 @@
# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
processors:
- decode_json_fields:
fields: ['message']
process_array: true
max_depth: 200
target: ''
overwrite_keys: true
- drop_fields:
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- rename:
fields:
- from: "data.aws.sourceIPAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.srcip"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.win.eventdata.ipAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
# Send events directly to Elasticsearch
output.elasticsearch:
hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
#pipeline: geoip
indices:
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
{% if filebeat_xpack_security %}
username: {{ elasticsearch_xpack_security_user }}
password: {{ elasticsearch_xpack_security_password }}

42
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,5 +1,28 @@
---
wazuh_agent_version: 3.10.2
wazuh_agent_version: 3.11.0-1
wazuh_agent_sources_installation:
enabled: false
branch: "v3.11.0"
user_language: "y"
user_no_stop: "y"
user_install_type: "agent"
user_dir: "/var/ossec"
user_delete_dir: "y"
user_enable_active_response: "y"
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_sca: "y"
user_enable_authd: "y"
user_generate_authd_cert: "n"
user_update: "y"
user_binaryinstall: null
user_agent_server_ip: "YOUR_MANAGER_IP"
user_agent_server_name: null
user_agent_config_profile: null
user_ca_store: "/var/ossec/wpk_root.pem"
wazuh_managers:
- address: 127.0.0.1
port: 1514
@ -12,6 +35,7 @@ wazuh_auto_restart: 'yes'
wazuh_agent_authd:
enable: false
port: 1515
agent_name: null
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
@ -26,11 +50,15 @@ wazuh_winagent_config:
auth_path: C:\Program Files\ossec-agent\agent-auth.exe
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
version: '3.10.2'
version: '3.11.0'
revision: '1'
repo: https://packages.wazuh.com/3.x/windows/
md5: 71650780904cbfc2e45eae4298adb7a3
wazuh_agent_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
active_response:
ar_disabled: 'no'
ca_store: '/var/ossec/etc/wpk_root.pem'
@ -213,7 +241,7 @@ wazuh_agent_config:
rootcheck:
frequency: 43200
openscap:
disable: 'no'
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
@ -236,6 +264,14 @@ wazuh_agent_config:
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
cis_cat:
disable: 'yes'
install_java: 'yes'

10
roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
View File

@ -20,17 +20,23 @@
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
apt_key:
url: "{{ wazuh_agent_config.repo.gpg }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
filename: wazuh_repo
repo: "{{ wazuh_agent_config.repo.apt }}"
state: present
update_cache: true
when:
- not wazuh_agent_sources_installation.enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact:

51
roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
View File

@ -1,26 +1,34 @@
---
- import_tasks: "RedHat.yml"
- include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
- import_tasks: "Debian.yml"
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "installation_from_sources.yml"
when:
- wazuh_agent_sources_installation.enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
package: name=wazuh-agent-{{ wazuh_agent_version }}-1 state=present
package:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
async: 90
poll: 30
when:
- ansible_distribution in ['CentOS','RedHat']
- ansible_os_family|lower == "redhat"
- not wazuh_agent_sources_installation.enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}-1"
name: "wazuh-agent={{ wazuh_agent_version }}"
state: present
cache_valid_time: 3600
when:
- not (ansible_distribution in ['CentOS','RedHat'])
- ansible_os_family|lower != "redhat"
- not wazuh_agent_sources_installation.enabled
tags:
- init
@ -51,18 +59,25 @@
- name: Linux | Register agent (via authd)
shell: >
/var/ossec/bin/agent-auth
-A {{ agent_name }}
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %}-I "any" {% endif %}
{% if authd_pass is defined %}-P {{ authd_pass }}{% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is not none %}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "/var/ossec/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %}-a{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
register: agent_auth_output
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
@ -99,6 +114,7 @@
user: "{{ wazuh_managers.0.api_user }}"
password: "{{ api_pass }}"
register: newagent_api
notify: restart wazuh-agent
# changed_when: newagent_api.json.error == 0
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ inventory_hostname }}{% endif %}"
@ -185,9 +201,14 @@
name: wazuh-agent
enabled: true
state: started
tags: config
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat"
- not wazuh_agent_sources_installation.enabled
- import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"
- not wazuh_agent_sources_installation.enabled

29
roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -1,36 +1,29 @@
---
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: true
changed_when: false
when:
- ansible_distribution_major_version|int > 5
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH-5
baseurl: "{{ wazuh_agent_config.repo.yum }}5/"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- ansible_distribution_major_version|int == 5
- (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_agent_sources_installation.enabled or not wazuh_api_sources_installation.enabled
register: repo_v5_installed
- name: AmazonLinux | Install Wazuh repo
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
baseurl: "{{ wazuh_agent_config.repo.yum }}"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- repo_v5_installed is skipped
- not wazuh_agent_sources_installation.enabled
- name: RedHat/CentOS/Fedora | download Oracle Java RPM
get_url:

1
roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
View File

@ -60,6 +60,7 @@
{{ wazuh_agent_win_auth_path }}
-m {{ wazuh_managers.0.address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
{% if authd_pass is defined %} -P {{ authd_pass }}{% endif %}
register: agent_auth_output
notify: Windows | Restart Wazuh Agent

99
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,99 @@
---
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
changed_when: false
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: directory
changed_when: false
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}
register: wazuh_untar
changed_when: false
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_agent.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: '644'
changed_when: false
- name: Executing "install.sh" script to build and install the Wazuh Agent
shell: ./install.sh > /tmp/build_agent_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz"
state: absent
changed_when: false
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}"
state: absent
changed_when: false

4
roles/wazuh/ansible-wazuh-agent/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- import_tasks: "Windows.yml"
- include_tasks: "Windows.yml"
when: ansible_os_family == "Windows"
- import_tasks: "Linux.yml"
- include_tasks: "Linux.yml"
when: ansible_system == "Linux"

7
roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_agent_sources_installation.items() %}
{% if "user_" in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

135
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks: False
#jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} -->
<!--
Wazuh - Agent
@ -8,7 +8,6 @@
<ossec_config>
<client>
{% for manager in wazuh_managers %}
<server>
<address>{{ manager.address }}</address>
@ -20,7 +19,6 @@
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile is not none %}
<config-profile>{{ wazuh_profile }}</config-profile>
{% endif %}
@ -31,12 +29,14 @@
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method>
</client>
<client_buffer>
<!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
@ -72,7 +72,6 @@
{% endif %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
@ -86,11 +85,11 @@
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<!-- #<alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- <alert_new_files>{{ wazuh_agent_config.syscheck.alert_new_files }}</alert_new_files> -->
<!-- Frequency that syscheck is executed -- default every 20 hours -->
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" %}
<!-- #<directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<!-- <directories check_all="yes" realtime="yes" restrict="^/var/ossec/etc/shared/agent.conf$">/var/ossec/etc/shared</directories> -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
@ -270,7 +269,29 @@
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>yes</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>yes</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
{% if ansible_system == "Linux" and wazuh_agent_config.vuls.disable == 'no' %}
<wodle name="command">
@ -284,68 +305,72 @@
{% endif %}
<!-- Files to monitor (localfiles) -->
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
</localfile>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% endif %}
</localfile>
{% endfor %}
{% endif %}

65
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,10 +1,57 @@
---
wazuh_manager_api_version: 3.10.2
wazuh_manager_version: 3.11.0-1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: latest
wazuh_manager_package_state: present
wazuh_manager_sources_installation:
enabled: false
branch: "v3.11.0"
user_language: "en"
user_no_stop: "y"
user_install_type: "server"
user_dir: "/var/ossec"
user_delete_dir: null
user_enable_active_response: null
user_enable_syscheck: "y"
user_enable_rootcheck: "y"
user_enable_openscap: "y"
user_enable_authd: "y"
user_generate_authd_cert: null
user_update: "y"
user_binaryinstall: null
user_enable_email: "n"
user_auto_start: "y"
user_email_address: null
user_email_smpt: null
user_enable_syslog: "n"
user_white_list: "n"
user_ca_store: null
threads: "2"
wazuh_api_sources_installation:
enabled: false
branch: "v3.11.0"
update: "y"
remove: "y"
directory: null
port: 55000
https: "n"
authd: null
proxy: null
country: null
state: null
locality: null
org_name: null
org_unit: null
common_name: null
password: null
wazuh_manager_config:
repo:
apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
yum: 'https://packages.wazuh.com/3.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
@ -154,6 +201,14 @@ wazuh_manager_config:
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
vul_detector:
disable: 'yes'
interval: '5m'
@ -314,3 +369,9 @@ wazuh_agent_configs:
format: 'eventchannel'
- location: 'System'
format: 'eventlog'
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_8.x"

2
roles/wazuh/ansible-wazuh-manager/handlers/main.yml
View File

@ -13,5 +13,3 @@
name: wazuh-api
state: restarted
enabled: true
when:
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 6)

74
roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
View File

@ -7,6 +7,7 @@
- gnupg
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_https_packages_installed
until: wazuh_manager_https_packages_installed is succeeded
@ -22,43 +23,24 @@
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Installing Wazuh repository key
apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
apt_key:
url: "{{ wazuh_manager_config.repo.gpg }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
filename: wazuh_repo
repo: "{{ wazuh_manager_config.repo.apt }}"
state: present
update_cache: true
changed_when: false
- name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- name: Debian/Ubuntu | Installing NodeJS repository key
apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- name: Debian/Ubuntu | Add NodeSource repositories for Node.js
apt_repository:
repo: "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
state: present
update_cache: true
changed_when: false
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact:
@ -82,16 +64,16 @@
- init
- name: Debian/Ubuntu | Install OpenScap
package:
name: "{{ item }}"
apt:
name:
- libopenscap8
- xsltproc
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_openscap_installed
until: wazuh_manager_openscap_installed is succeeded
when: wazuh_manager_config.openscap.disable == 'no'
with_items:
- libopenscap8
- xsltproc
tags:
- init
@ -110,3 +92,33 @@
changed_when: false
tags:
- config
- name: Debian/Ubuntu | Install wazuh-manager
apt:
name:
- "wazuh-manager={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_manager_sources_installation.enabled
- include_tasks: "installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- name: Debian/Ubuntu | Install wazuh-api
apt:
name:
- "wazuh-api={{ wazuh_manager_version }}"
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
tags: init
when:
- not wazuh_api_sources_installation.enabled

113
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -1,69 +1,34 @@
---
- name: RedHat/CentOS | Install Nodejs repo
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: NodeJS
description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_manager_config.repo.yum }}5/"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- ansible_distribution_major_version|int > 5
- name: Fedora | Install Nodejs repo
yum_repository:
name: NodeJS
description: NodeJS-$releasever
baseurl: https://rpm.nodesource.com/pub_6.x/fc/$releasever/x86_64
gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
gpgcheck: true
when: ansible_distribution == 'Fedora'
- name: AmazonLinux | Get Nodejs
shell: |
set -o pipefail
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
args:
warn: false
executable: /bin/bash
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: AmazonLinux | Install Nodejs repo
yum:
name: nodejs
state: present
register: wazuh_manager_amz_node_packages_installed
until: wazuh_manager_amz_node_packages_installed is succeeded
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
register: repo_v5_manager_installed
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
baseurl: "{{ wazuh_manager_config.repo.yum }}"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- (ansible_distribution_major_version|int > 5) or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: https://packages.wazuh.com/3.x/yum/5/
gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
gpgcheck: true
when:
- ansible_distribution_major_version|int == 5
- repo_v5_manager_installed is skipped
- not wazuh_manager_sources_installation.enabled or not wazuh_api_sources_installation.enabled
- name: RedHat/CentOS/Fedora | Install openscap
package: name={{ item }} state=present
with_items:
- openscap-scanner
- openssl
register: wazuh_manager_openscp_packages_installed
until: wazuh_manager_openscp_packages_installed is succeeded
tags:
@ -143,3 +108,55 @@
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: CentOS/RedHat/Amazon | Install wazuh-manager
package:
name: "wazuh-manager-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_manager_sources_installation.enabled
tags:
- init
- include_tasks: "../tasks/installation_from_sources.yml"
when:
- wazuh_manager_sources_installation.enabled or wazuh_api_sources_installation.enabled
- name: CentOS/RedHat/Amazon | Install wazuh-api
package:
name: "wazuh-api-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_api_main_packages_installed
until: wazuh_api_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_api_sources_installation.enabled
tags:
- init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install expect (EL5)
package:
name: "{{ item }}"
state: "{{ wazuh_manager_package_state }}"
with_items:
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "RedHat"
- ansible_distribution_major_version|int < 6
tags:
- init

181
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml Normal file
View File

@ -0,0 +1,181 @@
---
# Wazuh Manager
- name: Check if Wazuh Manager is already installed
stat:
path: /var/ossec/bin/ossec-control
register: wazuh_ossec_control
- name: Installing Wazuh Manager from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Removing old files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Removing old folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
- name: Installing policycoreutils-python (RedHat families)
package:
name:
- policycoreutils-python
when:
- ansible_os_family|lower == "redhat"
- name: Installing policycoreutils-python-utils (Debian families)
package:
name:
- libc6-dev
- curl
- policycoreutils
when:
- ansible_os_family|lower == "debian"
- name: Remove old repository folder
file:
path: /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
state: absent
- name: Download required packages from github.com/wazuh/wazuh
get_url:
url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
dest: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
delegate_to: "{{ inventory_hostname }}"
- name: Create folder to extract Wazuh branch
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: directory
# When downloading "v3.11.0" extracted folder name is 3.11.0.
# Explicitly creating the folder with proper naming and striping first level in .tar.gz file
- name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip
command: >-
tar -xzvf /tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz
--strip 1
--directory /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}
register: wazuh_untar
changed_when: wazuh_untar.rc ==0
args:
warn: false
- name: Clean remaining files from others builds
command: "make -C src {{ item }}"
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/src/"
with_items:
- "clean"
- "clean-deps"
register: clean_result
changed_when: clean_result.rc == 0
failed_when: false
- name: Render the "preloaded-vars.conf" file
template:
src: "templates/preloaded_vars_manager.conf.j2"
dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf"
owner: root
group: root
mode: '644'
- name: Executing "install.sh" script to build and install the Wazuh Manager
shell: ./install.sh > /tmp/build_wazuh_manager_log.txt
register: installation_result
changed_when: installation_result == 0
args:
chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
- name: Cleanup downloaded files
file:
path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz"
state: absent
- name: Cleanup created folders
file:
path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}"
state: absent
when:
- not wazuh_ossec_control.stat.exists
- wazuh_manager_sources_installation.enabled
tags:
- manager
# Wazuh API
- name: Check if Wazuh API is already installed
stat:
path: /var/ossec/api/app.js
register: wazuh_api
- name: Install Wazuh API from sources
block:
- name: Install dependencies to build Wazuh packages
package:
name:
- make
- gcc
- automake
- autoconf
- libtool
- tar
state: present
- name: Explicitly installing npm for Debian hosts
package:
name: npm
state: present
when:
- ansible_distribution == "Debian"
- name: Ensure Git is present in the host
package:
name: git
state: present
- name: Remove old repository folder
file:
path: /tmp/wazuh-api
state: absent
- name: Download the Wazuh API repository
git:
repo: 'https://github.com/wazuh/wazuh-api.git'
version: "{{ wazuh_api_sources_installation.branch }}"
dest: /tmp/wazuh-api
- name: Configure Wazuh API installation
template:
src: "templates/preloaded_vars_api.conf.j2"
dest: "/tmp/wazuh-api/configuration/preloaded_vars.conf"
owner: root
group: root
mode: '644'
- name: Execute Wazuh API installation script
shell: ./install_api.sh > /tmp/build_wazuh_api_log.txt
register: install_api
changed_when: install_api.rc == 0
args:
chdir: "/tmp/wazuh-api"
notify:
- restart wazuh-api
when:
- not wazuh_api.stat.exists
- wazuh_api_sources_installation.enabled
tags:
- api

109
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,63 +1,54 @@
---
- import_tasks: "RedHat.yml"
- name: "Install dependencies"
package:
name:
- unzip
- openssl
- tar
state: present
- name: Check if NodeJS service exists
stat:
path: /usr/bin/node
register: node_service_status
- name: Install NodeJS repository
block:
- name: Download NodeJS repository script
get_url:
url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}"
dest: /etc/nodejs.sh
mode: '0775'
changed_when: false
- name: Run NodeJS bash script
command: sh /etc/nodejs.sh
register: nodejs_script
changed_when: nodejs_script.rc == 0
when: not node_service_status.stat.exists
- name: Installing NodeJS
package:
name: nodejs
state: present
register: nodejs_service_is_installed
until: nodejs_service_is_installed is succeeded
tags: init
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
- import_tasks: "Debian.yml"
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- name: CentOS/RedHat/Amazon | Install wazuh-manager, wazuh-api
package: pkg={{ item }}-{{ wazuh_manager_api_version }}-1 state={{ wazuh_manager_package_state }}
with_items:
- wazuh-manager
- wazuh-api
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_distribution in ['CentOS','RedHat', 'Amazon']
tags:
- init
- name: Debian/Ubuntu | Install wazuh-manager, wazuh-api
apt:
name: "{{ item }}={{ wazuh_manager_api_version }}-1"
state: present
cache_valid_time: 3600
with_items:
- wazuh-manager
- wazuh-api
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- not (ansible_distribution in ['CentOS','RedHat', 'Amazon'])
tags: init
- name: Install expect
package: pkg=expect state={{ wazuh_manager_package_state }}
package:
name: expect
state: "{{ wazuh_manager_package_state }}"
when:
- not (ansible_distribution in ['CentOS','RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6)
- not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6)
tags: init
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib'
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install wazuh-manager and expect (EL5)
package: pkg={{ item }} state={{ wazuh_manager_package_state }}
with_items:
- wazuh-manager-{{ wazuh_manager_api_version }}
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_distribution in ['CentOS','RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6
tags:
- init
- name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args:
@ -65,7 +56,7 @@
chdir: /var/ossec/etc/
tags:
- config
when: not wazuh_manager_config.authd.ssl_agent_ca is not none
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd
copy:
@ -322,8 +313,6 @@
notify: restart wazuh-api
when:
- wazuh_api_user is defined
- not (ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' or ansible_distribution == 'Amazon')
- ansible_distribution_major_version|int < 6
tags:
- config
@ -392,8 +381,12 @@
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int < 6
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
- not wazuh_manager_sources_installation.enabled
- import_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"
- not wazuh_manager_sources_installation.enabled

7
roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_api.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_api_sources_installation.items() %}
{% if "enabled" not in key and "branch" not in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

7
roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 Normal file
View File

@ -0,0 +1,7 @@
{% for key, value in wazuh_manager_sources_installation.items() %}
{% if "user_" in key %}
{% if value is defined and value is not none %}
{{ key|upper }}="{{ value }}"
{% endif %}
{% endif %}
{% endfor %}

170
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -1,4 +1,4 @@
#jinja2: trim_blocks: False
#jinja2: lstrip_blocks: True
<!--
Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com
@ -62,11 +62,15 @@
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% for connection in wazuh_manager_config.connection %}
<remote>
{% for connection in wazuh_manager_config.connection %}
<remote>
<connection>{{ connection.type }}</connection>
{% if connection.port is defined %}<port>{{ connection.port }}</port>{% endif %}
{% if connection.protocol is defined %}<protocol>{{ connection.protocol }}</protocol>{% endif %}
{% if connection.port is defined %}
<port>{{ connection.port }}</port>
{% endif %}
{% if connection.protocol is defined %}
<protocol>{{ connection.protocol }}</protocol>
{% endif %}
{% if connection.allowed_ips is defined %}
{% for allowed_ip in connection.allowed_ips %}
<allowed-ips>{{ allowed_ip }}</allowed-ips>
@ -77,11 +81,17 @@
<denied-ips>{{ denied_ip }}</denied-ips>
{% endfor %}
{% endif %}
{% if connection.local_ip is defined %}<local_ip>{{ connection.local_ip }}</local_ip>{% endif %}
{% if connection.ipv6 is defined %}<ipv6>{{ connection.ipv6 }}</ipv6>{% endif %}
{% if connection.queue_size is defined %}<queue_size>{{connection.queue_size}}</queue_size>{% endif %}
{% if connection.local_ip is defined %}
<local_ip>{{ connection.local_ip }}</local_ip>
{% endif %}
{% if connection.ipv6 is defined %}
<ipv6>{{ connection.ipv6 }}</ipv6>
{% endif %}
{% if connection.queue_size is defined %}
<queue_size>{{connection.queue_size}}</queue_size>
{% endif %}
</remote>
{% endfor %}
{% endfor %}
{% if wazuh_manager_config.reports is defined %}
{% for report in wazuh_manager_config.reports %}
@ -102,7 +112,6 @@
{% endfor %}
{% endif %}
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
@ -222,6 +231,30 @@
<processes>{{ wazuh_manager_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_manager_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_manager_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_manager_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_manager_config.sca.interval | length > 0 %}
<interval>{{ wazuh_manager_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_manager_config.sca.day | length > 0 %}
<day>yes</day>
{% endif %}
{% if wazuh_manager_config.sca.wday | length > 0 %}
<wday>yes</wday>
{% endif %}
{% if wazuh_manager_config.sca.time | length > 0 %}
<time>yes</time>
{% endif %}
</sca>
<wodle name="vulnerability-detector">
<disabled>{{ wazuh_manager_config.vul_detector.disable }}</disabled>
<interval>{{ wazuh_manager_config.vul_detector.interval }}</interval>
@ -273,7 +306,6 @@
{% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
@ -295,53 +327,77 @@
{% endfor %}
</global>
{% for command in wazuh_manager_config.commands %}
<command>
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
<expect>{{ command.expect }}</expect>
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
</command>
{% for command in wazuh_manager_config.commands %}
<command>
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
<expect>{{ command.expect }}</expect>
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
</command>
{% endfor %}
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
<list>etc/lists/{{ list.name }}</list>
{% endfor %}
{% endif %}
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if cdb_lists is defined %}
{% for list in cdb_lists %}
<list>etc/lists/{{ list.name }}</list>
{% endfor %}
{% endif %}
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is not none %}<port>{{wazuh_manager_config.authd.port}}</port>{% else %}<port>1515</port>{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>{% endif %}
{% if wazuh_manager_config.authd.force_insert is not none %}<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>{% endif %}
{% if wazuh_manager_config.authd.force_time is not none %}<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>{% endif %}
{% if wazuh_manager_config.authd.purge is not none %}<purge>{{wazuh_manager_config.authd.purge}}</purge>{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>{% endif %}
{% if wazuh_manager_config.authd.port is not none %}
<port>{{wazuh_manager_config.authd.port}}</port>
{% else %}
<port>1515</port>
{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}
<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
{% endif %}
{% if wazuh_manager_config.authd.force_insert is not none %}
<force_insert>{{wazuh_manager_config.authd.force_insert}}</force_insert>
{% endif %}
{% if wazuh_manager_config.authd.force_time is not none %}
<force_time>{{wazuh_manager_config.authd.force_time}}</force_time>
{% endif %}
{% if wazuh_manager_config.authd.purge is not none %}
<purge>{{wazuh_manager_config.authd.purge}}</purge>
{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}
<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
<ssl_manager_cert>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}
<ssl_manager_key>/var/ossec/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
{% endif %}
</auth>
{% endif %}
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
@ -361,7 +417,7 @@
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
{% if ansible_system == "Linux" and wazuh_manager_config.vuls.disable == 'no' %}
<wodle name="command">
<disabled>no</disabled>
<tag>Wazuh-VULS</tag>
@ -370,7 +426,7 @@
<ignore_output>yes</ignore_output>
<run_on_start>{{ wazuh_manager_config.vuls.run_on_start }}</run_on_start>
</wodle>
{% endif %}
{% endif -%}
{% if agentless_creds is defined %}
{% for agentless in agentless_creds %}
@ -383,11 +439,8 @@
<arguments>{{ agentless.arguments }}</arguments>
{% endif %}
</agentless>
{% endfor %}
{% endif %}
{% endif -%}
{% if wazuh_manager_config.active_responses is defined %}
{% for response in wazuh_manager_config.active_responses %}
@ -403,10 +456,11 @@
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
</active-response>
{% endfor %}
{% endif %}
{% endif -%}
<!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_manager_config.localfiles.common %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -444,6 +498,7 @@
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_manager_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -478,10 +533,11 @@
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% endif -%}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_manager_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
@ -516,7 +572,7 @@
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% endif -%}
{% if wazuh_manager_config.syslog_outputs is defined %}
{% for syslog_output in wazuh_manager_config.syslog_outputs %}