diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c192f74..ad13d3d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,22 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.10.2_7.3.2] + +### Added + +- Update to Wazuh v3.10.2 + +### Changed + +- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b) + +- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246) + +### Fixed + +- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36) + ## [v3.10.0_7.3.2] ### Added diff --git a/VERSION b/VERSION index 2a8b969e..f4d1cb92 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-ANSIBLE_VERSION="v3.10.0" -REVISION="31000" +WAZUH-ANSIBLE_VERSION="v3.10.2" +REVISION="31020" diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index a422e50b..8c6bc567 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -17,16 +17,18 @@ elasticsearch_xpack_security: true node_certs_generator: true elasticsearch_xpack_security_password: elastic_pass + single_node: false vars: instances: - - name: node-1 # Important: must be equal to elasticsearch_node_name. + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. ip: # When unzipping, the node will search for its node name folder to get the cert. - - - name: node-2 + node2: + name: node-2 ip: - - - name: node-3 + node3: + name: node-3 ip: - hosts: 
@@ -34,6 +36,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-2 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: @@ -46,6 +49,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-3 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index ca6dd06e..f365f66a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -19,15 +19,17 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - + + +# CA generation +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 7ee77beb..af17e528 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
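Review bot: The new `# CA generation` block in the elasticsearch `defaults/main.yml` hunk has no comments explaining how its variables interact, and several of them are security-sensitive. I would add comments stating that `ca_key_name` and `ca_cert_name` must be set whenever `generate_CA: false`, since both default to `""` and the copy tasks would then resolve to the `ca/` directory itself. The comments should also say that `ca_password` is meant to come from Ansible Vault rather than a playbook, and that `master_certs_path` is a directory on the control node that ends up holding every node's private key, so the default `/es_certs` needs restricted access. The same undocumented defaults are added in the kibana and filebeat `defaults/main.yml` hunks.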
@@ -63,140 +63,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" - register: certificate_file_exists +- import_tasks: "xpack_security.yml" when: - elasticsearch_xpack_security -- name: Write the instances.yml file in the selected node (force = no) - template: - src: instances.yml.j2 - dest: "{{ node_certs_source }}/instances.yml" - force: no - register: instances_file_exists - tags: - - config - - xpack-security - when: - - node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - -- name: Update instances.yml status after generation - stat: - path: "{{ node_certs_source }}/instances.yml" - register: instances_file_exists - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Check if the certificates ZIP file exists - stat: - path: "{{ node_certs_source }}/certs.zip" - register: xpack_certs_zip - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Generating certificates for Elasticsearch security - command: >- - "/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip" - when: - - node_certs_generator - - elasticsearch_xpack_security - - not xpack_certs_zip.stat.exists - - not certificate_file_exists.stat.exists - register: certs_file_generated - tags: xpack-security - -- name: Unzip generated certs.zip - unarchive: - src: "{{ node_certs_source }}/certs.zip" - dest: "{{ node_certs_source }}/" - remote_src: yes - when: - - node_certs_generator - - elasticsearch_xpack_security - - certs_file_generated is defined - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ elasticsearch_node_name }}/" - dest: "{{ 
node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - register: check_certs_permissions - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ elasticsearch_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - when: - - check_certs_permissions is defined - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - when: - - check_certs_permissions is defined - - elasticsearch_xpack_security - tags: xpack-security - -- name: Remove generated certs file - file: - state: absent - path: "{{ node_certs_source }}/certs.zip*" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - - 
name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 @@ -207,13 +77,6 @@ notify: restart elasticsearch tags: configure -- name: Set elasticsearch bootstrap password - shell: | - set -o pipefail - "echo '{{ elasticsearch_xpack_security_password }}' | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf 'bootstrap.password'" - when: - - elasticsearch_xpack_security - - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf @@ -236,20 +99,14 @@ - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 -- name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd - systemd: daemon_reload=true - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started + tags: + - configure + - init - name: Make sure Elasticsearch is running before proceeding wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 
@@ -257,32 +114,6 @@ - configure - init -- name: Check for Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: GET - status_code: 200, 404 - when: - - elasticsearch_bootstrap_node or single_node - - not elasticsearch_xpack_security - poll: 30 - register: wazuh_alerts_template_exits - until: wazuh_alerts_template_exits is succeeded - tags: init - -- name: Installing Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: PUT - status_code: 200 - body_format: json - body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" - when: - - wazuh_alerts_template_exits.status is defined - - wazuh_alerts_template_exits.status != 200 - - not elasticsearch_xpack_security - tags: init - - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml new file mode 100644 index 00000000..d05c3241 --- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
@@ -0,0 +1,186 @@ + +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Check if certificate exists locally + stat: + path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + +- name: Write the instances.yml file in the selected node (force = no) + template: + src: instances.yml.j2 + dest: "{{ node_certs_source }}/instances.yml" + force: no + register: instances_file_exists + tags: + - config + - xpack-security + when: + - node_certs_generator + - not certificate_file_exists.stat.exists + +- name: Update instances.yml status after generation + stat: + path: "{{ node_certs_source }}/instances.yml" + register: instances_file_exists + when: + - node_certs_generator + +- name: Check if the certificates ZIP file exists + stat: + path: "{{ node_certs_source }}/certs.zip" + register: xpack_certs_zip + when: + - node_certs_generator + +- name: Importing custom CA key + copy: + src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" + dest: "{{ node_certs_source }}/{{ ca_key_name }}" + mode: '0664' + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Importing custom CA cert + copy: + src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + mode: '0664' + when: + - not generate_CA + - node_certs_generator + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (generating CA) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem + --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - generate_CA + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert 
+ --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length == 0 + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ ca_password }} + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password | length > 0 + tags: xpack-security + +- name: Verify the Elastic certificates directory + file: + path: "{{ master_certs_path }}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Verify the Certificates Authority directory + file: + path: "{{ master_certs_path }}/ca/" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Copying certificates to Ansible master + fetch: + src: "{{ node_certs_source }}/certs.zip" + dest: "{{ master_certs_path }}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + tags: xpack-security + +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + +- name: Unzip generated certs.zip + unarchive: + src: "{{ master_certs_path }}/certs.zip" + dest: "{{ master_certs_path }}/" + become: true + delegate_to: "127.0.0.1" + when: + - node_certs_generator + tags: xpack-security + +- name: Copying node's certificate from master + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - 
"{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" + when: + - generate_CA + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" + when: + - not generate_CA + tags: xpack-security + +- name: Ensuring folder permissions + file: + path: "{{ node_certs_destination }}/" + mode: '0774' + state: directory + recurse: yes + when: + - elasticsearch_xpack_security + - generate_CA + tags: xpack-security + +- name: Set elasticsearch bootstrap password + shell: >- + set -o pipefail; + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + when: + - node_certs_generator diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index f851e900..3cd386da 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 
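Review bot: Private-key material and passwords are exposed more widely than needed in this new task file. `Importing custom CA key` installs the CA private key with `mode: '0664'`, and `Ensuring folder permissions` applies `'0774'` recursively to the certs directory, so node keys are world-readable, and that task is skipped entirely when `generate_CA` is false. The kibana and filebeat task hunks show the same pattern (`mode: '0664'` on the `.key` item, and `'0770'` loosened to `'0774'`). `--ca-pass {{ ca_password }}` and the `echo {{ elasticsearch_xpack_security_password }} | …` line put secrets on a command line, unquoted and without `no_log: true`, so they can appear in process listings and Ansible output, and shell metacharacters in the password are interpreted by the shell. I would restrict the key files to the service account, pass the bootstrap password through the module's `stdin` argument, and mark the secret-bearing tasks `no_log: true`, as sketched below.

```yaml
- name: Importing custom CA key
  copy:
    src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
    dest: "{{ node_certs_source }}/{{ ca_key_name }}"
    mode: '0600'
  # … unchanged: when / tags …

# … unchanged: certificate generation, fetch, unzip and copy tasks
#   (add no_log: true to the task that passes --ca-pass) …

- name: Ensuring folder permissions
  file:
    path: "{{ node_certs_destination }}/"
    state: directory
    recurse: true
    owner: elasticsearch
    group: elasticsearch
    # X sets the search bit on directories only; other users get nothing
    mode: 'u=rwX,g=rX,o='
  when:
    - elasticsearch_xpack_security
  tags: xpack-security

- name: Set elasticsearch bootstrap password
  command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"
  args:
    stdin: "{{ elasticsearch_xpack_security_password }}"
  no_log: true
  when:
    - node_certs_generator
```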
@@ -34,12 +34,19 @@ xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key -xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] - +{% elif generate_CA == false %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} {% endif %} \ No newline at end of file diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 index 6279c380..c74b1700 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 @@ -4,10 +4,10 @@ {% if node_certs_generator %} instances: -{% for node in instances %} -- name: "{{ node.name }}" +{% for (key,value) in instances.iteritems() %} +- name: "{{ value.name }}" ip: - - "{{ node.ip }}" + - "{{ value.ip }}" {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} 
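Review bot: The `{% if generate_CA == true %} … {% elif generate_CA == false %}` pairs in elasticsearch.yml.j2 have no fallback, so when `generate_CA` arrives as a string (for example from `-e generate_CA=false`) neither branch matches. The `certificate_authorities` line is then silently left out of the rendered file for both the transport and HTTP layers. Using `{% if generate_CA | bool %}` with a plain `{% else %}` always emits exactly one CA path. The same construct is added in the kibana.yml.j2 and filebeat.yml.j2 hunks. The enclosing `{% if %}` block opens above this hunk.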
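Review bot: In instances.yml.j2, `instances.iteritems()` exists only on Python 2 dictionaries, so this loop fails to render when the control node runs Ansible under Python 3. `{% for (key,value) in instances.items() %}` works on both interpreters; since `key` is never used, `{% for value in instances.values() %}` is simpler still.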
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 06c2c6af..ad639011 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.3.2 -wazuh_version: 3.10.0 +wazuh_version: 3.10.2 # Xpack Security kibana_xpack_security: false @@ -15,13 +15,10 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - -kibana_plugin_install_ignore_error: true \ No newline at end of file +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index c7c7f551..f2152d00 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
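Review bot: The rewritten tail of the kibana `defaults/main.yml` drops `kibana_plugin_install_ignore_error: true` along with the rsync settings, and nothing in the hunk replaces it. If any task in the role still references that variable (not visible in this diff), it will be undefined unless the playbook sets it. Either keep the line `kibana_plugin_install_ignore_error: true` or remove the remaining references in the same commit.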
@@ -15,54 +15,31 @@ - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ kibana_node_name }}.crt" - register: certificate_file_exists - when: - - kibana_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ kibana_node_name }}/" +- name: Copying node's certificate from master + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" tags: xpack-security + when: + - kibana_xpack_security + - generate_CA -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" + mode: '0664' + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - - node_certs_generator - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ kibana_node_name }}/ {{ node_certs_destination }}/ - when: - 
- not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions + - not generate_CA tags: xpack-security - name: Ensuring certificates folder owner @@ -73,7 +50,6 @@ owner: kibana group: kibana when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security @@ -83,7 +59,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - kibana_xpack_security notify: restart kibana tags: xpack-security @@ -94,7 +69,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: 0664 + mode: '0664' notify: restart kibana tags: configure diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 76a3c2c4..0f2ef606 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 
@@ -109,6 +109,10 @@ elasticsearch.username: "{{ elasticsearch_xpack_security_user }}" elasticsearch.password: "{{ elasticsearch_xpack_security_password }}" server.ssl.enabled: true server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key" -server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +{% if generate_CA == true %} elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"] +{% elif generate_CA == false %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"] +{% endif %} {% endif %} \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 180308a6..d38565d9 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -28,6 +28,11 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh + # Xpack Security filebeat_xpack_security: false 
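Review bot: In the filebeat defaults, `filebeat_module_package_path: /tmp/` stages the module archive under a fixed name (`wazuh-filebeat-0.1.tar.gz`) in a world-writable directory before it is unpacked under `/usr/share/filebeat/module`. The download and extract tasks are outside this diff, so this is inferred, but if they do not verify a checksum, another local account could influence what gets unpacked. A root-owned staging directory, or a `checksum` on the download task, would close that gap. At minimum add a comment here explaining why `/tmp/` replaced the previous `/root/`.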
@@ -35,16 +40,13 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator : false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' -filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz -filebeat_module_package_path: /root/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh \ No newline at end of file +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" + + diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index d9dc11c2..85bd17e1 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -26,65 +26,39 @@ tags: - init -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ filebeat_node_name }}.crt" - register: certificate_file_exists - when: - - filebeat_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ filebeat_node_name }}/" +- name: Copying node's certificate from master + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - - node_certs_generator + - generate_CA - filebeat_xpack_security - - not certificate_file_exists.stat.exists tags: xpack-security -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{ item }}" dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - - node_certs_generator + - not generate_CA - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions tags: xpack-security -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ filebeat_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca 
certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Ensuring certificates folder owner +- name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: '0770' + mode: '0774' + state: directory recurse: yes - when: - - check_certs_permissions is defined - filebeat_xpack_security tags: xpack-security diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index 0a47af9d..466d9a89 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 @@ -57,8 +57,14 @@ output.elasticsearch: username: {{ elasticsearch_xpack_security_user }} password: {{ elasticsearch_xpack_security_password }} protocol: https +{% if generate_CA == true %} ssl.certificate_authorities: - {{node_certs_destination}}/ca.crt +{% elif generate_CA == false %} + ssl.certificate_authorities: + - {{node_certs_destination}}/{{ca_cert_name}} +{% endif %} + ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" {% endif %} diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 32d5963c..68fd9ad9 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.10.0 +wazuh_agent_version: 3.10.2 wazuh_managers: - address: 127.0.0.1 port: 1514 
@@ -26,7 +26,7 @@ wazuh_winagent_config: auth_path: C:\Program Files\ossec-agent\agent-auth.exe # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - version: '3.10.0' + version: '3.10.2' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ md5: 71650780904cbfc2e45eae4298adb7a3 diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 87ab144b..170a8da5 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_api_version: 3.10.0 +wazuh_manager_api_version: 3.10.2 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: latest