From 337e3de09fe1f0cb2fd4161317867da6e3bc60d6 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:26:15 +0200 Subject: [PATCH 01/48] Add master_certs_destination parameter --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 1340dabb..fa84ec81 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -23,6 +23,8 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs +master_certs_destination: /es_certs + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 5d4e53b089cec4b0aa5071902dbdcda8cbd9948f Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:27:10 +0200 Subject: [PATCH 02/48] Modified task propagation of certificates --- .../ansible-elasticsearch/tasks/main.yml | 137 ++++++++++++------ 1 file changed, 89 insertions(+), 48 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 48c25b98..de1e4fa4 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
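Review bot: The new `master_certs_destination: /es_certs` default carries no comment saying which machine the path lives on or what is stored there. The next patch creates it with `delegate_to: "127.0.0.1"` and unpacks certs.zip into it, so it is a directory on the Ansible controller that ends up holding every node's private key. A top-level `/es_certs` will also normally need root on the controller to create. I would add a comment above the variable such as `# Directory on the Ansible controller where certs.zip is fetched and unpacked; contains private keys, keep it owner-only`. The identical default added to the ansible-kibana and ansible-filebeat defaults in patches 08 and 11 needs the same comment.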
@@ -110,55 +110,83 @@ register: certs_file_generated tags: xpack-security +# - name: Unzip generated certs.zip +# unarchive: +# src: "{{node_certs_source}}/certs.zip" +# dest: "{{node_certs_source}}/" +# remote_src: yes +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# - certs_file_generated is defined +# - not certificate_file_exists.stat.exists +# tags: xpack-security + +# - name: Copy key & certificate files in generator node (locally) +# synchronize: +# src: "{{node_certs_source}}/{{elasticsearch_node_name}}/" +# dest: "{{node_certs_destination}}/" +# delegate_to: "{{ node_certs_generator_ip }}" +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + +# - name: Copy ca certificate file in generator node (locally) +# synchronize: +# src: "{{node_certs_source}}/ca/" +# dest: "{{node_certs_destination}}/" +# delegate_to: "{{ node_certs_generator_ip }}" +# register: check_certs_permissions +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + +- name: Create the certificates directory + file: + path: "{{master_certs_destination}}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + - elasticsearch_xpack_security + +- name: Copying certificates to Ansible master + fetch: + src: "{{node_certs_source}}/certs.zip" + dest: "{{master_certs_destination}}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + - elasticsearch_xpack_security + tags: xpack-security + - name: Unzip generated certs.zip unarchive: - src: "{{node_certs_source}}/certs.zip" - dest: "{{node_certs_source}}/" - remote_src: yes - when: - - node_certs_generator - - elasticsearch_xpack_security - - certs_file_generated is defined - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{node_certs_source}}/{{elasticsearch_node_name}}/" - dest: 
"{{node_certs_destination}}/" - delegate_to: "{{ node_certs_generator_ip }}" + src: "{{master_certs_destination}}/certs.zip" + dest: "{{master_certs_destination}}/" + become: true + delegate_to: "127.0.0.1" when: - node_certs_generator - elasticsearch_xpack_security tags: xpack-security -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{node_certs_source}}/ca/" - dest: "{{node_certs_destination}}/" - delegate_to: "{{ node_certs_generator_ip }}" - register: check_certs_permissions - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Importing key & certificate files from generator node - shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/{{elasticsearch_node_name}}/ {{node_certs_destination}}/" - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - shell: "{{rsync_path}} {{rsync_extra_parameters}} {{rsync_user}}@{{node_certs_generator_ip}}:{{node_certs_source}}/ca/ {{node_certs_destination}}/" - when: - - not node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security +# - name: Unzip generated certs.zip +# unarchive: +# src: "/tmp/elastic_certificates/certs.zip" +# dest: "/tmp/elastic_certificates" +# become: true +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# - certs_file_generated is defined +# - not certificate_file_exists.stat.exists +# tags: xpack-security + - name: Ensuring certificates folder owner shell: "chown -R elasticsearch: {{node_certs_destination}}/" 
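Review bot: The `mode: 0700` line on the `fetch` task "Copying certificates to Ansible master" most likely has no effect, since as far as I know `fetch` has no `mode` option. Protection of the fetched certs.zip and of the keys that `unarchive` writes on the controller therefore rests entirely on the `0700` directory created by the task above. That task, "Create the certificates directory", is the only new one in this hunk without `tags: xpack-security`, so a run limited to that tag would skip it while still running the fetch and unarchive that depend on it. I would drop the `mode` line from `fetch` and add `tags: xpack-security` to the directory task. The commented-out copies of the old tasks are better deleted than kept, because the history already records them.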
@@ -173,15 +201,28 @@ - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security - -- name: Remove generated certs file - shell: /bin/rm -f {{node_certs_source}}/certs.zip* - when: - - node_certs_generator - - elasticsearch_xpack_security + +# Importing certificates + +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + +# - name: Remove generated certs file +# shell: /bin/rm -f {{node_certs_source}}/certs.zip* +# when: +# - node_certs_generator +# - elasticsearch_xpack_security +# tags: xpack-security + - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 From db44b6f450a0b56f2adf7c0b9e55f9cfb57793ab Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:27:33 +0200 Subject: [PATCH 03/48] Modified template to accept newly defined variables --- .../ansible-elasticsearch/templates/instances.yml.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 index 6279c380..c74b1700 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/instances.yml.j2 @@ -4,10 +4,10 @@ {% if node_certs_generator %} instances: -{% for node in instances %} -- name: "{{ node.name }}" +{% for (key,value) in instances.iteritems() %} +- name: "{{ value.name }}" ip: - - "{{ node.ip }}" + - "{{ value.ip }}" {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} From 55635383f2a9b5b96eea3cc5df72bad38990f0a7 Mon Sep 17 00:00:00 2001 
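Review bot: The new `copy` task "Copying node's certificate from master" writes the node's `.key` file with no `owner`, `group` or `mode`, and in this file it is added after the tasks that set owner and permissions on `{{node_certs_destination}}`. On a first run the private key therefore keeps whatever defaults the copy produces and is not touched by the chown/chmod steps above it. Setting the attributes on the copy itself removes the ordering dependency, e.g. `owner: elasticsearch`, `group: elasticsearch`, `mode: '0640'`. The Kibana and Filebeat copies added in patches 09 and 12 also omit these attributes and would benefit from the same lines with their own service user. The surrounding task list continues outside the hunk.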
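Review bot: `instances.iteritems()` in the new `{% for %}` line exists only on Python 2 dictionaries, so the template will fail to render when Ansible runs under Python 3 on the controller. `{% for key, value in instances.items() %}` works on both interpreters. Since `key` is never used in the loop body, `{% for value in instances.values() %}` would be simpler still.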
From: Jose M Date: Tue, 30 Jul 2019 14:30:23 +0200 Subject: [PATCH 04/48] Changed instances list format --- playbooks/wazuh-elastic_stack-distributed.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index a422e50b..42f4cf03 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -20,14 +20,15 @@ vars: instances: - - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: # When unzipping, the node will search for its node name folder to get the cert. - - - name: node-2 - ip: - - - name: node-3 - ip: + node1: + name: node-1 # Important: must be equal to elasticsearch_node_name. + ip: 172.16.0.161 # When unzipping, the node will search for its node name folder to get the cert. + node2: + name: node-2 + ip: 172.16.0.162 + node3: + name: node-3 + ip: 172.16.0.163 - hosts: roles: From b1faf023df41461c8302088e4b14075e85cebc0b Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 14:30:34 +0200 Subject: [PATCH 05/48] Update instances list --- playbooks/wazuh-elastic_stack-distributed.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index 42f4cf03..b582df9b 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -22,13 +22,13 @@ instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: 172.16.0.161 # When unzipping, the node will search for its node name folder to get the cert. + ip: # When unzipping, the node will search for its node name folder to get the cert. node2: name: node-2 - ip: 172.16.0.162 + ip: node3: name: node-3 - ip: 172.16.0.163 + ip: - hosts: roles: From d877738d45c97be4994d053eb909b84ec072a1f2 Mon Sep 17 00:00:00 2001 
From: Jose M Date: Tue, 30 Jul 2019 15:18:55 +0200 Subject: [PATCH 06/48] Removing unneeded blocks and commenting latest implementation for centos and trusty --- .../ansible-elasticsearch/tasks/main.yml | 93 +++++++------------ 1 file changed, 36 insertions(+), 57 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index de1e4fa4..80f23884 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -175,19 +175,6 @@ - elasticsearch_xpack_security tags: xpack-security -# - name: Unzip generated certs.zip -# unarchive: -# src: "/tmp/elastic_certificates/certs.zip" -# dest: "/tmp/elastic_certificates" -# become: true -# when: -# - node_certs_generator -# - elasticsearch_xpack_security -# - certs_file_generated is defined -# - not certificate_file_exists.stat.exists -# tags: xpack-security - - - name: Ensuring certificates folder owner shell: "chown -R elasticsearch: {{node_certs_destination}}/" when: @@ -202,9 +189,6 @@ - elasticsearch_xpack_security tags: xpack-security - -# Importing certificates - - name: Copying node's certificate from master copy: src: "{{item}}" @@ -215,14 +199,6 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - -# - name: Remove generated certs file -# shell: /bin/rm -f {{node_certs_source}}/certs.zip* -# when: -# - node_certs_generator -# - elasticsearch_xpack_security -# tags: xpack-security - - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 
@@ -238,49 +214,52 @@ when: - elasticsearch_xpack_security -- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf - lineinfile: - path: /etc/security/limits.conf - line: elasticsearch - memlock unlimited - create: yes - become: true - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - changed_when: false +# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf +# lineinfile: +# path: /etc/security/limits.conf +# line: elasticsearch - memlock unlimited +# create: yes +# become: true +# when: +# - ansible_distribution == "Ubuntu" +# - ansible_distribution_major_version | int == 14 +# changed_when: false -- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf - lineinfile: - path: /etc/security/limits.d/elasticsearch.conf - line: elasticsearch - memlock unlimited - create: yes - become: true - changed_when: false - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 +# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf +# lineinfile: +# path: /etc/security/limits.d/elasticsearch.conf +# line: elasticsearch - memlock unlimited +# create: yes +# become: true +# changed_when: false +# when: +# - ansible_distribution == "Ubuntu" +# - ansible_distribution_major_version | int == 14 -- name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd - systemd: daemon_reload=true - ignore_errors: true - when: - - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") - - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) - - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) +# - 
name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd +# systemd: daemon_reload=true +# ignore_errors: true +# when: +# - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") +# - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) +# - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) +# - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Distribution is centos 6.* | Enable Elasticsearch - service: name=elasticsearch enabled=yes +# - name: Distribution is centos 6.* | Enable Elasticsearch +# service: name=elasticsearch enabled=yes -- name: Distribution is centos 6.* | Start Elasticsearch - service: name=elasticsearch state=started - ignore_errors: true +# - name: Distribution is centos 6.* | Start Elasticsearch +# service: name=elasticsearch state=started +# ignore_errors: true - name: Ensure Elasticsearch started and enabled service: name: elasticsearch enabled: true state: started + tags: + - configure + - init - name: Make sure Elasticsearch is running before proceeding wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 From fbbf79a15359fb34d322b96488c045d76b12084d Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:35:20 +0200 Subject: [PATCH 07/48] Remove daemon reload and centos 6 blocks --- .../ansible-elasticsearch/tasks/main.yml | 83 +++++-------------- 1 file changed, 20 insertions(+), 63 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 80f23884..904a565a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml 
@@ -214,44 +214,27 @@ when: - elasticsearch_xpack_security -# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf -# lineinfile: -# path: /etc/security/limits.conf -# line: elasticsearch - memlock unlimited -# create: yes -# become: true -# when: -# - ansible_distribution == "Ubuntu" -# - ansible_distribution_major_version | int == 14 -# changed_when: false - -# - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf -# lineinfile: -# path: /etc/security/limits.d/elasticsearch.conf -# line: elasticsearch - memlock unlimited -# create: yes -# become: true -# changed_when: false -# when: -# - ansible_distribution == "Ubuntu" -# - ansible_distribution_major_version | int == 14 - -# - name: Distribution != one of [ centos 6.*, trusty ] | Reload systemd -# systemd: daemon_reload=true -# ignore_errors: true -# when: -# - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") -# - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<')) -# - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) -# - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) - -# - name: Distribution is centos 6.* | Enable Elasticsearch -# service: name=elasticsearch enabled=yes - -# - name: Distribution is centos 6.* | Start Elasticsearch -# service: name=elasticsearch state=started -# ignore_errors: true +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf + lineinfile: + path: /etc/security/limits.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + changed_when: false +- name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.d/elasticsearch.conf + 
lineinfile: + path: /etc/security/limits.d/elasticsearch.conf + line: elasticsearch - memlock unlimited + create: yes + become: true + changed_when: false + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 - name: Ensure Elasticsearch started and enabled service: name: elasticsearch @@ -267,32 +250,6 @@ - configure - init -- name: Check for Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: GET - status_code: 200, 404 - when: - - elasticsearch_bootstrap_node or single_node - - not elasticsearch_xpack_security - poll: 30 - register: wazuh_alerts_template_exits - until: wazuh_alerts_template_exits is succeeded - tags: init - -- name: Installing Wazuh Alerts template (http) - uri: - url: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/_template/wazuh" - method: PUT - status_code: 200 - body_format: json - body: "{{ lookup('template','wazuh-elastic7-template-alerts.json.j2') }}" - when: - - wazuh_alerts_template_exits.status is defined - - wazuh_alerts_template_exits.status != 200 - - not elasticsearch_xpack_security - tags: init - - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" From 431bc16343ae59f141f3d53521cbeceb145fb9dc Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:35:39 +0200 Subject: [PATCH 08/48] Add default value master_certs_destination for kibana --- roles/elastic-stack/ansible-kibana/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index dcaa0f59..4de06f9b 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml 
@@ -19,6 +19,9 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs +master_certs_destination: /es_certs + + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 2656feac52303962aa84a3a01fa6fba5ccbecad2 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:36:09 +0200 Subject: [PATCH 09/48] Update kibana certs importing --- .../ansible-kibana/tasks/main.yml | 56 +++---------------- 1 file changed, 8 insertions(+), 48 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 4e12b1b2..512d3198 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -14,54 +14,14 @@ - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<')) - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<')) -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ kibana_node_name }}.crt" - register: certificate_file_exists - when: - - kibana_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ kibana_node_name }}/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ kibana_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - kibana_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - 
"{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - name: Ensuring certificates folder owner From 229f273e275210fb44409fe27fed43ce2504f16b Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:36:31 +0200 Subject: [PATCH 10/48] Fix Kibana APP installation by becoming user kibana --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 512d3198..dfec0f05 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -78,14 +78,14 @@ tags: install - name: Install Wazuh-APP (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" + shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-{{ wazuh_version }}_{{ elastic_stack_version }}.zip" environment: NODE_OPTIONS: "--max-old-space-size=3072" args: executable: /bin/bash creates: /usr/share/kibana/plugins/wazuh/package.json notify: restart kibana - ignore_errors: "{{ kibana_plugin_install_ignore_error }}" + become_user: kibana tags: - install - skip_ansible_lint From a305d4ff6fac2c2659e71d9689bb907df3d0937e Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:37:05 +0200 Subject: [PATCH 11/48] Add Filebeat default parameter --- roles/wazuh/ansible-filebeat/defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 103d61eb..cf0cb5a1 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml 
+++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -39,6 +39,8 @@ node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs +master_certs_destination: /es_certs + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From c6e14f23a01e4c19184773b41c72d590bf058396 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jul 2019 17:44:37 +0200 Subject: [PATCH 12/48] Update Filebeat certificate imports --- roles/wazuh/ansible-filebeat/tasks/main.yml | 57 +++------------------ 1 file changed, 8 insertions(+), 49 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7bafcc79..7b89d80d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -26,55 +26,14 @@ tags: - init -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ filebeat_node_name }}.crt" - register: certificate_file_exists - when: - - filebeat_xpack_security - -- name: Copy key & certificate files in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/{{ filebeat_node_name }}/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Copy ca certificate file in generator node (locally) - synchronize: - src: "{{ node_certs_source }}/ca/" - dest: "{{ node_certs_destination }}/" - delegate_to: "{{ node_certs_generator_ip }}" - when: - - node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions - tags: xpack-security - -- name: Importing key & certificate files from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/{{ filebeat_node_name }}/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - tags: xpack-security - -- name: Importing ca certificate file from generator node - command: >- - {{ rsync_path }} {{ rsync_extra_parameters }} {{ rsync_user }}@{{ node_certs_generator_ip }}: - {{ node_certs_source }}/ca/ {{ node_certs_destination }}/ - when: - - not node_certs_generator - - filebeat_xpack_security - - not certificate_file_exists.stat.exists - register: check_certs_permissions +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ 
filebeat_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security - name: Ensuring certificates folder owner From d027092f6368c9aeb2cdf6f67d388107d5ef126b Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:45:57 +0200 Subject: [PATCH 13/48] Remove "elasticsearch_network" parameter --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index e5eb7547..fa84ec81 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -3,7 +3,6 @@ elasticsearch_cluster_name: wazuh elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 -elasticsearch_host: 127.0.0.1 elasticsearch_jvm_xms: null elastic_stack_version: 7.2.0 single_node: false From ed4b2e7947f40e7745d3d057a96e1336c65724be Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:46:22 +0200 Subject: [PATCH 14/48] Add unzip dependency installation --- .../elastic-stack/ansible-elasticsearch/tasks/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index f3f2f568..07519d4f 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -10,6 +10,16 @@ when: - ansible_service_mgr == "systemd" +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + - elasticsearch_xpack_security + + - name: Configure Elasticsearch System Resources. template: src: elasticsearch_systemd.conf.j2 From 45356ee3ef68bd3a3d20b578d81e2df77fd26cac Mon Sep 17 00:00:00 2001 
From: Jose M Date: Wed, 31 Jul 2019 00:46:54 +0200 Subject: [PATCH 15/48] Delete certs.zip in generator node --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 07519d4f..29dbbbbf 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -143,6 +143,14 @@ - elasticsearch_xpack_security tags: xpack-security +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + - elasticsearch_xpack_security + - name: Unzip generated certs.zip unarchive: src: "{{master_certs_destination}}/certs.zip" From 2104183cdb569a5e94f7849387fc21cbe9a7892f Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:48:20 +0200 Subject: [PATCH 16/48] Modify wait_for with previous variable --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 29dbbbbf..d9811180 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -242,7 +242,7 @@ - init - name: Make sure Elasticsearch is running before proceeding - wait_for: host={{ elasticsearch_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 + wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=400 tags: - configure - init From 1d8f8c525364d36f4e91b6e42780e91be10d394e Mon Sep 17 00:00:00 2001 
From: Jose M Date: Wed, 31 Jul 2019 00:49:25 +0200 Subject: [PATCH 17/48] Fix shell comands --- .../ansible-elasticsearch/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index d9811180..0a91d94a 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -111,9 +111,9 @@ - elasticsearch_xpack_security - name: Generating certificates for Elasticsearch security - command: >- - "/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip" + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - elasticsearch_xpack_security @@ -205,10 +205,10 @@ tags: configure - name: Set elasticsearch bootstrap password - shell: | - set -o pipefail - "echo '{{ elasticsearch_xpack_security_password }}' | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf 'bootstrap.password'" + shell: >- + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: + - node_certs_generator - elasticsearch_xpack_security - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf From 5c18d5bed554658941e3b97b1d47135fa63efcc4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:49:43 +0200 Subject: [PATCH 18/48] Update conditionals --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 0a91d94a..def0b46d 100644 
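Review bot: In "Set elasticsearch bootstrap password" the rewritten `shell` line interpolates `{{ elasticsearch_xpack_security_password }}` without the quotes the previous version had, so a password containing spaces or shell metacharacters is split or interpreted by the shell instead of reaching the keystore verbatim. The rendered command, password included, is also recorded in the task output because the task has no `no_log: true`. At minimum I would write `echo {{ elasticsearch_xpack_security_password | quote }} | …` and add `no_log: true`. Passing the value through the module's `stdin:` argument, with the command reduced to `{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password`, keeps the secret out of the command line altogether.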
--- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -118,7 +118,6 @@ - node_certs_generator - elasticsearch_xpack_security - not xpack_certs_zip.stat.exists - - not certificate_file_exists.stat.exists register: certs_file_generated tags: xpack-security @@ -170,7 +169,6 @@ owner: elasticsearch group: elasticsearch when: - - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security @@ -180,7 +178,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - elasticsearch_xpack_security tags: xpack-security @@ -192,6 +189,8 @@ - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" + when: + - elasticsearch_xpack_security tags: xpack-security - name: Configure Elasticsearch. @@ -210,7 +209,7 @@ when: - node_certs_generator - elasticsearch_xpack_security - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf @@ -232,6 +231,7 @@ when: - ansible_distribution == "Ubuntu" - ansible_distribution_major_version | int == 14 + - name: Ensure Elasticsearch started and enabled service: name: elasticsearch From 9734ac23041f40b343b2602c2616357c3f06e298 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:50:17 +0200 Subject: [PATCH 19/48] Remove check_certs_permission parameter --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 -- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 -- 2 files changed, 4 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index dfec0f05..26c4f16a 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -32,7 +32,6 @@ owner: kibana group: kibana when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security @@ -42,7 +41,6 @@ mode: '0770' recurse: yes when: - - check_certs_permissions is defined - kibana_xpack_security tags: xpack-security diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7b89d80d..0be4be83 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -41,9 +41,7 @@ path: "{{ node_certs_destination }}/" mode: '0770' recurse: yes - when: - - check_certs_permissions is defined - filebeat_xpack_security tags: xpack-security From 0cc4838e1da6cbb651052481f1a15cacd5dd9fa4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 00:51:49 +0200 Subject: [PATCH 20/48] Copy certificates from master now depends on xpack enabled --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 ++ roles/wazuh/ansible-filebeat/tasks/main.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 26c4f16a..0f3dd7a1 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -23,6 +23,8 @@ - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + when: + - elasticsearch_xpack_security - name: Ensuring certificates folder owner file: diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 0be4be83..59bc163c 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
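Review bot: In the ansible-filebeat hunk `@@ -41,9 +41,7` the `when:` key is removed together with `- check_certs_permissions is defined`, which leaves `- filebeat_xpack_security` as a list item directly under the `file:` arguments. As far as the hunk shows, that is either a YAML parse error or a task that has lost its condition. The two Kibana hunks in the same commit keep `when:` and drop only the condition line. Restore the key so the block reads `when:` followed by `- filebeat_xpack_security`. The task itself starts above the hunk.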
@@ -35,6 +35,9 @@ - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security + when: + - elasticsearch_xpack_security + - name: Ensuring certificates folder owner file: From 9580056b747d44144391985984ab012ba38165a7 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 31 Jul 2019 01:16:36 +0200 Subject: [PATCH 21/48] Fix naming on xpack security conditionals --- roles/elastic-stack/ansible-kibana/tasks/main.yml | 2 +- roles/wazuh/ansible-filebeat/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index 0f3dd7a1..fe91221b 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -24,7 +24,7 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security when: - - elasticsearch_xpack_security + - kibana_xpack_security - name: Ensuring certificates folder owner file: diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 59bc163c..2b566ed5 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -36,7 +36,7 @@ - "{{master_certs_destination}}/ca/ca.crt" tags: xpack-security when: - - elasticsearch_xpack_security + - filebeat_xpack_security - name: Ensuring certificates folder owner From f8bda2f7c7c58e9559101c8b5fd224391913ed0f Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 12:34:42 +0200 Subject: [PATCH 22/48] Move xpack_security tasks from main.yml to xpack_security.yml --- .../ansible-elasticsearch/tasks/main.yml | 137 +----------------- .../tasks/xpack_security.yml | 126 ++++++++++++++++ 2 files changed, 128 insertions(+), 135 deletions(-) create mode 100644 roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index def0b46d..85706199 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -10,16 +10,6 @@ when: - ansible_service_mgr == "systemd" -- name: Install unzip dependency. - package: - name: unzip - state: present - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - - - name: Configure Elasticsearch System Resources. template: src: elasticsearch_systemd.conf.j2 
@@ -73,126 +63,10 @@ - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" -- name: Check if certificate exists locally - stat: - path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" - register: certificate_file_exists +- import_tasks: "xpack_security.yml" when: - elasticsearch_xpack_security -- name: Write the instances.yml file in the selected node (force = no) - template: - src: instances.yml.j2 - dest: "{{ node_certs_source }}/instances.yml" - force: no - register: instances_file_exists - tags: - - config - - xpack-security - when: - - node_certs_generator - - elasticsearch_xpack_security - - not certificate_file_exists.stat.exists - -- name: Update instances.yml status after generation - stat: - path: "{{ node_certs_source }}/instances.yml" - register: instances_file_exists - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Check if the certificates ZIP file exists - stat: - path: "{{ node_certs_source }}/certs.zip" - register: xpack_certs_zip - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Generating certificates for Elasticsearch security - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip - when: - - node_certs_generator - - elasticsearch_xpack_security - - not xpack_certs_zip.stat.exists - register: certs_file_generated - tags: xpack-security - -- name: Create the certificates directory - file: - path: "{{master_certs_destination}}" - state: directory - mode: '0700' - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Copying certificates to Ansible master - fetch: - src: "{{node_certs_source}}/certs.zip" - dest: "{{master_certs_destination}}/" - flat: yes - mode: 0700 - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Delete certs.zip in Generator node - file: - 
state: absent - path: "{{ node_certs_source }}/certs.zip" - when: - - node_certs_generator - - elasticsearch_xpack_security - -- name: Unzip generated certs.zip - unarchive: - src: "{{master_certs_destination}}/certs.zip" - dest: "{{master_certs_destination}}/" - become: true - delegate_to: "127.0.0.1" - when: - - node_certs_generator - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - when: - - elasticsearch_xpack_security - tags: xpack-security - -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - when: - - elasticsearch_xpack_security - tags: xpack-security - -- name: Copying node's certificate from master - copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" - when: - - elasticsearch_xpack_security - tags: xpack-security - - name: Configure Elasticsearch. template: src: elasticsearch.yml.j2 @@ -202,14 +76,7 @@ mode: 0660 notify: restart elasticsearch tags: configure - -- name: Set elasticsearch bootstrap password - shell: >- - echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password - when: - - node_certs_generator - - elasticsearch_xpack_security - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml new file mode 100644 index 00000000..3d9f3f7d 
--- /dev/null +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
@@ -0,0 +1,126 @@ + +- name: Install unzip dependency. + package: + name: unzip + state: present + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Check if certificate exists locally + stat: + path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt" + register: certificate_file_exists + +- name: Write the instances.yml file in the selected node (force = no) + template: + src: instances.yml.j2 + dest: "{{ node_certs_source }}/instances.yml" + force: no + register: instances_file_exists + tags: + - config + - xpack-security + when: + - node_certs_generator + - not certificate_file_exists.stat.exists + +- name: Update instances.yml status after generation + stat: + path: "{{ node_certs_source }}/instances.yml" + register: instances_file_exists + when: + - node_certs_generator + +- name: Check if the certificates ZIP file exists + stat: + path: "{{ node_certs_source }}/certs.zip" + register: xpack_certs_zip + when: + - node_certs_generator + +- name: Generating certificates for Elasticsearch security (generating CA) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + tags: xpack-security + +- name: Generating certificates for Elasticsearch security (using provided CA) + shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key /usr/share/elasticsearch/myCA.key --ca-cert /usr/share/elasticsearch/myCA.pem --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + tags: xpack-security + +- name: Create the certificates directory + file: + path: "{{master_certs_destination}}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator + +- name: Copying certificates to Ansible master + fetch: + src: 
"{{node_certs_source}}/certs.zip" + dest: "{{master_certs_destination}}/" + flat: yes + mode: 0700 + when: + - node_certs_generator + tags: xpack-security + +- name: Delete certs.zip in Generator node + file: + state: absent + path: "{{ node_certs_source }}/certs.zip" + when: + - node_certs_generator + + +- name: Unzip generated certs.zip + unarchive: + src: "{{master_certs_destination}}/certs.zip" + dest: "{{master_certs_destination}}/" + become: true + delegate_to: "127.0.0.1" + when: + - node_certs_generator + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + state: directory + recurse: yes + owner: elasticsearch + group: elasticsearch + tags: xpack-security + +- name: Ensuring certificates folder owner + file: + path: "{{ node_certs_destination }}/" + mode: '0770' + recurse: yes + tags: xpack-security + +- name: Copying node's certificate from master + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/ca.crt" + tags: xpack-security + +- name: Set elasticsearch bootstrap password + shell: >- + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + when: + - node_certs_generator + \ No newline at end of file From 8234bb11d2ba24ac94eef7ebba1c1b76f64b7926 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:00:00 +0200 Subject: [PATCH 23/48] Add required variables to use custom CA. --- roles/elastic-stack/ansible-elasticsearch/defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index fa84ec81..bcbcc819 100644 
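Review bot: The `Copying node's certificate from master` task copies `{{ elasticsearch_node_name }}.key` with no `owner`, `group` or `mode`, and it runs after the two `Ensuring certificates folder owner` tasks. On a first run the recursive ownership and `0770` settings therefore never reach the files it creates, and the private key is left with whatever the connecting user's umask yields. Set the attributes on the copy itself, for example `owner: elasticsearch`, `group: elasticsearch` and `mode: '0640'`, or move the copy ahead of the ownership tasks. The `(Custom CA)` copy added in PATCH 30 repeats the same task body and needs the same attributes.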
--- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -25,6 +25,12 @@ node_certs_destination: /etc/elasticsearch/certs master_certs_destination: /es_certs +# CA generation +generate_CA: false + +ca_key_name: myCA.key +ca_cert_name: myCA.pem + # Rsync rsync_path: /usr/bin/rsync rsync_user: vagrant From 01d4cfc1288adaa0d7c2f78e7fe19ca4eba880ec Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:01:21 +0200 Subject: [PATCH 24/48] Implemented tasks to import custom key and cert from Ansible master --- .../tasks/xpack_security.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 3d9f3f7d..d84e1c31 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -39,6 +39,22 @@ when: - node_certs_generator +- name: Importing custom CA key + copy: + src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}" + dest: "{{ node_certs_source }}/{{ ca_key_name }}" + when: + - not generate_CA + tags: xpack-security + +- name: Importing custom CA cert + copy: + src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}" + dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + when: + - not generate_CA + tags: xpack-security + - name: Generating certificates for Elasticsearch security (generating CA) shell: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in From 39d8e5978b0857b8a41207d2d26e73189ef8de9d Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:01:59 +0200 Subject: [PATCH 25/48] Fix conditionals of custom CA --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index d84e1c31..5d1c528b 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -62,6 +62,7 @@ when: - node_certs_generator - not xpack_certs_zip.stat.exists + - generate_CA tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA) @@ -69,6 +70,7 @@ when: - node_certs_generator - not xpack_certs_zip.stat.exists + - not generate_CA tags: xpack-security - name: Create the certificates directory From 4b8303ece281ffb3a61d9407e51484bb8686325e Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:02:33 +0200 Subject: [PATCH 26/48] Fix custom CA generation command --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 5d1c528b..f8166f94 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -66,7 +66,7 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA) - shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key /usr/share/elasticsearch/myCA.key --ca-cert /usr/share/elasticsearch/myCA.pem --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists 
From c547e905027f226867667dbe1c1ede8545efd616 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:04:05 +0200 Subject: [PATCH 27/48] Add verification to ensure ca folder is created --- .../ansible-elasticsearch/tasks/xpack_security.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index f8166f94..2578b05c 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -73,6 +73,14 @@ - not generate_CA tags: xpack-security +- name: Verify the Elastic certificates directory + file: + path: "{{ master_certs_destination }}" + state: directory + mode: '0700' + delegate_to: "127.0.0.1" + when: + - node_certs_generator - name: Create the certificates directory file: path: "{{master_certs_destination}}" From 101a0061784f829b3257814067342e61ffd3fdd7 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:04:27 +0200 Subject: [PATCH 28/48] Add folder verification and fix linting --- .../ansible-elasticsearch/tasks/xpack_security.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 2578b05c..3825c3b2 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -81,9 +81,10 @@ delegate_to: "127.0.0.1" when: - node_certs_generator -- name: Create the certificates directory + +- name: Verify the Certificates Authority directory file: - path: "{{master_certs_destination}}" + path: "{{ master_certs_destination }}/ca/" state: directory mode: '0700' delegate_to: "127.0.0.1" 
@@ -92,8 +93,8 @@ - name: Copying certificates to Ansible master fetch: - src: "{{node_certs_source}}/certs.zip" - dest: "{{master_certs_destination}}/" + src: "{{ node_certs_source }}/certs.zip" + dest: "{{ master_certs_destination }}/" flat: yes mode: 0700 when: From 09647b731b2d2d9498040ec811c8c268b72c52a9 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:05:17 +0200 Subject: [PATCH 29/48] Fix typo in task name --- .../ansible-elasticsearch/tasks/xpack_security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 3825c3b2..8fabf6eb 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -128,7 +128,7 @@ group: elasticsearch tags: xpack-security -- name: Ensuring certificates folder owner +- name: Ensuring certificates folder permissions file: path: "{{ node_certs_destination }}/" mode: '0770' From af0e2f0756ff004acb44ec7fb00b9f3c20244f9d Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:05:49 +0200 Subject: [PATCH 30/48] Add copy block to import node's certificate with custom CA name --- .../tasks/xpack_security.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 8fabf6eb..890db757 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -108,7 +108,6 @@ when: - node_certs_generator - - name: Unzip generated certs.zip unarchive: src: "{{master_certs_destination}}/certs.zip" 
@@ -139,10 +138,24 @@ copy: src: "{{item}}" dest: "{{node_certs_destination}}/" - with_items: + with_items: - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - "{{master_certs_destination}}/ca/ca.crt" + when: + - generate_CA + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_destination}}/ca/{{ca_cert_name}}" + when: + - not generate_CA tags: xpack-security - name: Set elasticsearch bootstrap password From 5ca223726462dc2dac77938bb2adc6059ad4803f Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 5 Aug 2019 15:06:04 +0200 Subject: [PATCH 31/48] Updated template to avoid hardcoding the ca format. --- .../templates/elasticsearch.yml.j2 | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 index f851e900..3cd386da 100644 --- a/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/elastic-stack/ansible-elasticsearch/templates/elasticsearch.yml.j2 
@@ -34,12 +34,19 @@ xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key -xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +xpack.security.transport.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] - +{% elif generate_CA == false %} +xpack.security.transport.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} xpack.security.http.ssl.enabled: true xpack.security.http.ssl.verification_mode: certificate xpack.security.http.ssl.key: {{node_certs_destination}}/{{ elasticsearch_node_name }}.key xpack.security.http.ssl.certificate: {{node_certs_destination}}/{{ elasticsearch_node_name }}.crt +{% if generate_CA == true %} xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/ca.crt" ] +{% elif generate_CA == false %} +xpack.security.http.ssl.certificate_authorities: [ "{{ node_certs_destination }}/{{ca_cert_name}}" ] +{% endif %} {% endif %} \ No newline at end of file From 3d3b3bc1d05b3edfc8f933b8e438a1619d572b28 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:41:53 +0200 Subject: [PATCH 32/48] Fix permissions and add password option --- .../tasks/xpack_security.yml | 80 +++++++++++-------- 1 file changed, 48 insertions(+), 32 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 890db757..e64b71df 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
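Review bot: The `{% if generate_CA == true %}` / `{% elif generate_CA == false %}` pair renders no `certificate_authorities` line at all when `generate_CA` arrives as a string, for example from `-e generate_CA=false`, because neither comparison matches. The node would then start with transport and HTTP TLS enabled but without the intended CA pinned. Use `{% if generate_CA | bool %}` with a plain `{% else %}` so one of the two CA paths is always emitted. The same pattern is added to kibana.yml.j2 in PATCH 35 and filebeat.yml.j2 in PATCH 36.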
@@ -41,18 +41,22 @@ - name: Importing custom CA key copy: - src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}" + src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}" + mode: '0664' when: - not generate_CA + - node_certs_generator tags: xpack-security - name: Importing custom CA cert copy: - src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}" + src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}" dest: "{{ node_certs_source }}/{{ ca_cert_name }}" + mode: '0664' when: - not generate_CA + - node_certs_generator tags: xpack-security - name: Generating certificates for Elasticsearch security (generating CA) 
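Review bot: `mode: '0664'` on `Importing custom CA key` leaves the CA private key world-readable and group-writable under `{{ node_certs_source }}`, which the role defaults set to /usr/share/elasticsearch. Any local account on the generator node can then read the key that signs every node certificate. Use `mode: '0600'` for the key, assuming certutil runs as the same user that copies the file, and remove the key from the node once certs.zip has been produced. PATCH 34 applies the same `'0664'` to the Kibana node key in its `(Custom CA)` copy task.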
@@ -65,17 +69,34 @@ - generate_CA tags: xpack-security -- name: Generating certificates for Elasticsearch security (using provided CA) - shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip +- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - tags: xpack-security + - ca_password == "" + tags: xpack-security +- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ca_password}} + when: + - node_certs_generator + - not xpack_certs_zip.stat.exists + - not generate_CA + - ca_password != "" + tags: xpack-security + - name: Verify the Elastic certificates directory file: - path: "{{ master_certs_destination }}" + path: "{{ master_certs_path }}" state: directory mode: '0700' delegate_to: "127.0.0.1" @@ -84,7 +105,7 @@ - name: Verify the Certificates Authority directory file: - path: "{{ master_certs_destination }}/ca/" + path: "{{ master_certs_path }}/ca/" state: directory mode: '0700' delegate_to: "127.0.0.1" 
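Review bot: `--ca-pass {{ca_password}}` in the `Using CA Password` task puts the CA passphrase unquoted on a shell command line. It is subject to word splitting and shell interpretation, is visible in the process list while certutil runs, and is written to the task output because `no_log` is not set. At minimum write `--ca-pass {{ ca_password | quote }}` and add `no_log: true` to the task. The two provided-CA tasks differ only in this option and could be a single task that appends it when `ca_password` is non-empty.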
@@ -94,7 +115,7 @@ - name: Copying certificates to Ansible master fetch: src: "{{ node_certs_source }}/certs.zip" - dest: "{{ master_certs_destination }}/" + dest: "{{ master_certs_path }}/" flat: yes mode: 0700 when: @@ -110,38 +131,22 @@ - name: Unzip generated certs.zip unarchive: - src: "{{master_certs_destination}}/certs.zip" - dest: "{{master_certs_destination}}/" + src: "{{master_certs_path}}/certs.zip" + dest: "{{master_certs_path}}/" become: true delegate_to: "127.0.0.1" when: - node_certs_generator tags: xpack-security -- name: Ensuring certificates folder owner - file: - path: "{{ node_certs_destination }}/" - state: directory - recurse: yes - owner: elasticsearch - group: elasticsearch - tags: xpack-security - -- name: Ensuring certificates folder permissions - file: - path: "{{ node_certs_destination }}/" - mode: '0770' - recurse: yes - tags: xpack-security - - name: Copying node's certificate from master copy: src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" when: - generate_CA tags: xpack-security 
@@ -151,13 +156,24 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_destination}}/ca/{{ca_cert_name}}" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" + - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" when: - not generate_CA tags: xpack-security +- name: Ensuring folder permissions + file: + path: "{{ node_certs_destination }}/" + mode: '0774' + state: directory + recurse: yes + when: + - elasticsearch_xpack_security + - generate_CA + tags: xpack-security + - name: Set elasticsearch bootstrap password shell: >- echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password From b2876d15e453636d9c7f946bb63d7ccd8ad9aee3 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:30 +0200 Subject: [PATCH 33/48] Update attributes, remove rsync parameters. --- .../ansible-elasticsearch/defaults/main.yml | 18 ++++++------------ .../ansible-kibana/defaults/main.yml | 12 ++++-------- roles/wazuh/ansible-filebeat/defaults/main.yml | 10 ++++------ 3 files changed, 14 insertions(+), 26 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index bcbcc819..63b953f8 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml 
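Review bot: `mode: '0774'` with `recurse: yes` in `Ensuring folder permissions` makes every file under `{{ node_certs_destination }}`, including the node's `.key`, readable by all local users and marks the files executable. The task also runs only when `generate_CA` is true, and this commit removes the earlier owner and permission tasks, so with a provided CA nothing in this file sets ownership or mode on the certificates directory. Change the mode to `mode: 'u=rwX,g=rX,o='`, add `owner: elasticsearch` and `group: elasticsearch`, and drop the `- generate_CA` condition.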
@@ -19,23 +19,17 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/elasticsearch/certs -master_certs_destination: /es_certs + # CA generation -generate_CA: false - -ca_key_name: myCA.key -ca_cert_name: myCA.pem - -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' - +master_certs_path: /es_certs +generate_CA: true +ca_key_name: "" +ca_cert_name: "" +ca_password: "" diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 4de06f9b..f8dece59 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -15,14 +15,10 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator: false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/kibana/certs -master_certs_destination: /es_certs - - -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index cf0cb5a1..cbf8cc9d 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
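Review bot: With `ca_key_name: ""` and `ca_cert_name: ""` as defaults, setting `generate_CA` to false without also setting both names makes the import tasks from PATCH 24 resolve `src` to the `ca/` directory itself and `dest` to `{{ node_certs_source }}/`. Add a comment above these keys such as `# Required when generate_CA is false: file names under master_certs_path/ca/`. A second comment should say that `ca_password` is meant to be supplied from Ansible Vault rather than written into this defaults file.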
@@ -35,13 +35,11 @@ elasticsearch_xpack_security_user: elastic elasticsearch_xpack_security_password: elastic_pass node_certs_generator : false -node_certs_generator_ip: 172.16.0.161 node_certs_source: /usr/share/elasticsearch node_certs_destination: /etc/filebeat/certs -master_certs_destination: /es_certs -# Rsync -rsync_path: /usr/bin/rsync -rsync_user: vagrant -rsync_extra_parameters: -avg -e 'ssh -o StrictHostKeyChecking=no' --rsync-path='sudo rsync' +# CA Generation +master_certs_path: /es_certs +generate_CA: true +ca_cert_name: "" From 7006f99209ad8d28970f36ae5de7f318f6eded80 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:40 +0200 Subject: [PATCH 34/48] Add import to kibana --- .../ansible-kibana/tasks/main.yml | 23 +++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index fe91221b..ada29886 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml 
@@ -19,12 +19,27 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" - - "{{master_certs_destination}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" tags: xpack-security when: - kibana_xpack_security + - generate_CA + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + mode: '0664' + with_items: + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" + - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" + when: + - kibana_xpack_security + - not generate_CA + tags: xpack-security - name: Ensuring certificates folder owner file: @@ -52,7 +67,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: 0664 + mode: '0664' notify: restart kibana tags: configure From 625970675586b8544404e67b20c8cf259dadbfba Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:50 +0200 Subject: [PATCH 35/48] Update kibana template --- roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 index 76a3c2c4..0f2ef606 100644 --- a/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 +++ b/roles/elastic-stack/ansible-kibana/templates/kibana.yml.j2 
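Review bot: The added "Copying node's certificate from master (Custom CA)" task in the first hunk applies `mode: '0664'` to every item, including `{{ kibana_node_name }}.key`, so the TLS private key is written world-readable and group-writable. Copy the key in its own task with `mode: '0600'` (or `'0640'` with the group Kibana runs under) and keep a read-only mode such as `'0644'` for the two certificates. The generated-CA copy task above it sets no mode at all, so the key's permissions there depend on the "Ensuring certificates folder owner" task, which continues outside the hunk. The second hunk keeps `/etc/kibana/kibana.yml` at `'0664'` with `root:root`; the kibana.yml.j2 hunk in this series shows that file holding `elasticsearch.password`, so `mode: '0640'` with `group: kibana` (assuming the package's kibana group) would stop other local users from reading it.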
@@ -109,6 +109,10 @@ elasticsearch.username: "{{ elasticsearch_xpack_security_user }}" elasticsearch.password: "{{ elasticsearch_xpack_security_password }}" server.ssl.enabled: true server.ssl.key: "{{node_certs_destination}}/{{ kibana_node_name }}.key" -server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +server.ssl.certificate: "{{node_certs_destination}}/{{ kibana_node_name }}.crt" +{% if generate_CA == true %} elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/ca.crt"] +{% elif generate_CA == false %} +elasticsearch.ssl.certificateAuthorities: ["{{ node_certs_destination }}/{{ca_cert_name}}"] +{% endif %} {% endif %} \ No newline at end of file From bb0c79c455cf3cd0ac1a41bce5ce950e8339fe11 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 8 Aug 2019 17:43:57 +0200 Subject: [PATCH 36/48] Update filebeat template --- roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 index 0a47af9d..466d9a89 100644 --- a/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat/templates/filebeat.yml.j2 @@ -57,8 +57,14 @@ output.elasticsearch: username: {{ elasticsearch_xpack_security_user }} password: {{ elasticsearch_xpack_security_password }} protocol: https +{% if generate_CA == true %} ssl.certificate_authorities: - {{node_certs_destination}}/ca.crt +{% elif generate_CA == false %} + ssl.certificate_authorities: + - {{node_certs_destination}}/{{ca_cert_name}} +{% endif %} + ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key" {% endif %} From fb76622080c24a3dc626379d73fc8f898c157297 Mon Sep 17 00:00:00 2001 
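Review bot: Both template hunks test `generate_CA == true` and `generate_CA == false`, which match only a real boolean. A value that arrives as a string (for example from `-e generate_CA=false` or an INI inventory) satisfies neither branch, and the rendered file then has no CA setting at all. In kibana.yml.j2 use `{% if generate_CA | bool %}` with a plain `{% else %}`, and do the same in filebeat.yml.j2, so one of the two CA paths is always emitted. In the custom-CA branch, `ca_cert_name` defaults to `""` in the defaults hunks of this series, which would render the certs directory itself as the CA path; an `assert` on `ca_cert_name | length > 0` in the tasks would catch that before the service is restarted. The enclosing `{% if %}` blocks of both templates start outside the hunks.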
From: Jose M Date: Thu, 8 Aug 2019 17:44:08 +0200 Subject: [PATCH 37/48] Add import to --- roles/wazuh/ansible-filebeat/tasks/main.yml | 28 +++++++++++++++------ 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 2b566ed5..a968e62d 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml @@ -31,18 +31,32 @@ src: "{{item}}" dest: "{{node_certs_destination}}/" with_items: - - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_destination}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_destination}}/ca/ca.crt" - tags: xpack-security + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" + - "{{master_certs_path}}/ca/ca.crt" when: + - generate_CA - filebeat_xpack_security + tags: xpack-security + +- name: Copying node's certificate from master (Custom CA) + copy: + src: "{{item}}" + dest: "{{node_certs_destination}}/" + with_items: + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" + - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" + - "{{master_certs_path}}/ca/{{ca_cert_name}}" + when: + - not generate_CA + - filebeat_xpack_security + tags: xpack-security - -- name: Ensuring certificates folder owner +- name: Ensuring folder & certs permissions file: path: "{{ node_certs_destination }}/" - mode: '0770' + mode: '0774' + state: directory recurse: yes when: - filebeat_xpack_security From a1359495a98a966851f171f238b7f372c46f8a78 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 10:57:23 +0200 Subject: [PATCH 38/48] Fix linting: trailing whitespace --- roles/elastic-stack/ansible-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
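Review bot: The "Ensuring folder & certs permissions" task now sets `mode: '0774'` with `recurse: yes`, which makes everything under `{{ node_certs_destination }}/`, including `{{ filebeat_node_name }}.key`, readable by every local user and marks the files executable. The previous `'0770'` at least kept other users out; I would tighten it further with a symbolic mode such as `mode: 'u=rwX,g=rX,o='`, so directories stay traversable and the private key is not exposed. Neither of the two copy tasks above sets a mode, so this task decides the key's final permissions. The task may continue past the end of the hunk.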
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml index 85706199..af17e528 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/main.yml @@ -76,7 +76,7 @@ mode: 0660 notify: restart elasticsearch tags: configure - + - name: Trusty | set MAX_LOCKED_MEMORY=unlimited in Elasticsearch in /etc/security/limits.conf lineinfile: path: /etc/security/limits.conf From 02425e0c85a15157882f5db6f559acd12383a945 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 11:09:21 +0200 Subject: [PATCH 39/48] Fix linting errors Fixed linting on xpack_security.yml --- .../tasks/xpack_security.yml | 67 +++++++++---------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index e64b71df..046c3382 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -39,7 +39,7 @@ when: - node_certs_generator -- name: Importing custom CA key +- name: Importing custom CA key copy: src: "{{ master_certs_path }}/ca/{{ ca_key_name }}" dest: "{{ node_certs_source }}/{{ ca_key_name }}" @@ -61,7 +61,7 @@ - name: Generating certificates for Elasticsearch security (generating CA) shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator 
@@ -70,37 +70,37 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - - ca_password == "" + - ca_password | length == 0 tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} - --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip - --ca-pass {{ca_password}} + shell: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert + --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-pass {{ ca_password }} when: - node_certs_generator - not xpack_certs_zip.stat.exists - not generate_CA - - ca_password != "" - tags: xpack-security - + - ca_password | length > 0 + tags: xpack-security + - name: Verify the Elastic certificates directory file: path: "{{ master_certs_path }}" state: directory mode: '0700' delegate_to: "127.0.0.1" - when: + when: - node_certs_generator - name: Verify the Certificates Authority directory 
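Review bot: In the "using provided CA | Using CA Password" task, `--ca-pass {{ ca_password }}` puts the CA key passphrase on the command line, unquoted and without `no_log`. It is therefore visible in the process list on the generator node and in Ansible's task output and logs, and a passphrase containing spaces or shell metacharacters is split or interpreted by the shell. Add `no_log: true` to the task and write the argument as `--ca-pass {{ ca_password | quote }}`. The task's first `when` conditions and name are inside the hunk, but the file's earlier tasks that register `xpack_certs_zip` are not.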
@@ -109,7 +109,7 @@ state: directory mode: '0700' delegate_to: "127.0.0.1" - when: + when: - node_certs_generator - name: Copying certificates to Ansible master @@ -118,7 +118,7 @@ dest: "{{ master_certs_path }}/" flat: yes mode: 0700 - when: + when: - node_certs_generator tags: xpack-security 
@@ -126,39 +126,39 @@ file: state: absent path: "{{ node_certs_source }}/certs.zip" - when: + when: - node_certs_generator - + - name: Unzip generated certs.zip unarchive: - src: "{{master_certs_path}}/certs.zip" - dest: "{{master_certs_path}}/" + src: "{{ master_certs_path }}/certs.zip" + dest: "{{ master_certs_path }}/" become: true delegate_to: "127.0.0.1" - when: + when: - node_certs_generator tags: xpack-security - name: Copying node's certificate from master copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" with_items: - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_path}}/ca/ca.crt" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - generate_CA tags: xpack-security - name: Copying node's certificate from master (Custom CA) copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" - - "{{master_certs_path}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt" - - "{{master_certs_path}}/ca/{{ca_cert_name}}" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key" + - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - not generate_CA tags: xpack-security 
@@ -179,4 +179,3 @@ echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator - \ No newline at end of file From 534704f115628b6d92a8f81100f56d7b64a1c1b2 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 12:47:28 +0200 Subject: [PATCH 40/48] Fix linting errors on vars --- roles/wazuh/ansible-filebeat/tasks/main.yml | 26 ++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/roles/wazuh/ansible-filebeat/tasks/main.yml b/roles/wazuh/ansible-filebeat/tasks/main.yml index 7cd01cbd..85bd17e1 100644 --- a/roles/wazuh/ansible-filebeat/tasks/main.yml +++ b/roles/wazuh/ansible-filebeat/tasks/main.yml 
@@ -28,25 +28,25 @@ - name: Copying node's certificate from master copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_path}}/ca/ca.crt" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" when: - generate_CA - filebeat_xpack_security tags: xpack-security - + - name: Copying node's certificate from master (Custom CA) copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.key" - - "{{master_certs_path}}/{{filebeat_node_name}}/{{ filebeat_node_name }}.crt" - - "{{master_certs_path}}/ca/{{ca_cert_name}}" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key" + - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - not generate_CA - filebeat_xpack_security From 4f955fe4988b19c433342daeed87e1bc852b5c78 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Tue, 24 Sep 2019 12:49:26 +0200 Subject: [PATCH 41/48] Switch tasks from shell to command --- .../tasks/xpack_security.yml | 23 +++++++++++-------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 046c3382..650692c5 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml 
+++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -60,9 +60,10 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (generating CA) - shell: >- - /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in - {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + command: >- + /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem + --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists @@ -70,10 +71,12 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password) - shell: >- + command: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} - --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --pem --in {{ node_certs_source }}/instances.yml + --out {{ node_certs_source }}/certs.zip when: - node_certs_generator - not xpack_certs_zip.stat.exists @@ -82,9 +85,10 @@ tags: xpack-security - name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password) - shell: >- + command: >- /usr/share/elasticsearch/bin/elasticsearch-certutil cert - --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} + --ca-key {{ node_certs_source }}/{{ ca_key_name }} + --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip --ca-pass {{ ca_password }} when: 
@@ -175,7 +179,8 @@ tags: xpack-security - name: Set elasticsearch bootstrap password - shell: >- + command: >- + set -o pipefail echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator From de70f4eecd1ae6d25e907a0124625952305e07a0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 24 Sep 2019 18:36:44 +0200 Subject: [PATCH 42/48] Add single_node:false to ES distributed playbook --- playbooks/wazuh-elastic_stack-distributed.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/wazuh-elastic_stack-distributed.yml b/playbooks/wazuh-elastic_stack-distributed.yml index b582df9b..8c6bc567 100644 --- a/playbooks/wazuh-elastic_stack-distributed.yml +++ b/playbooks/wazuh-elastic_stack-distributed.yml @@ -17,6 +17,7 @@ elasticsearch_xpack_security: true node_certs_generator: true elasticsearch_xpack_security_password: elastic_pass + single_node: false vars: instances: @@ -35,6 +36,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-2 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: @@ -47,6 +49,7 @@ - role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch elasticsearch_network_host: elasticsearch_node_name: node-3 + single_node: false elasticsearch_xpack_security: true elasticsearch_master_candidate: true elasticsearch_discovery_nodes: From b8803de85fb71edf090b0c076d4fe3684cd7cb36 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 24 Sep 2019 18:37:14 +0200 Subject: [PATCH 43/48] Fix set bootstrap password task. Linting OK --- .../ansible-elasticsearch/tasks/xpack_security.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml index 650692c5..d05c3241 100644 --- a/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml +++ b/roles/elastic-stack/ansible-elasticsearch/tasks/xpack_security.yml @@ -179,8 +179,8 @@ tags: xpack-security - name: Set elasticsearch bootstrap password - command: >- - set -o pipefail - echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password + shell: >- + set -o pipefail; + echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password when: - node_certs_generator From 0017b34c6b6ae9ccb7e1d9a4b5a23d299ef4bf64 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 09:14:07 +0200 Subject: [PATCH 44/48] Update CHANGELOG.md --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 95a9d18b..72c6ae35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,22 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.10.2_7.3.2] + +### Added + +- Update to Wazuh v3.10.2 + +### Changed + +- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b) + +- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246) + +### Fixed + +- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36) + ## [v3.10.0_7.3.2] ### Added From 5646848266ceefe513134f0a230d179913442cea Mon Sep 17 00:00:00 2001 
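Review bot: The "Set elasticsearch bootstrap password" task in xpack_security.yml interpolates `{{ elasticsearch_xpack_security_password }}` unquoted into a shell pipeline, so a password containing spaces, quotes or `$` is altered or interpreted by the shell. Because `no_log` is not set, the value also appears in the shell's process arguments and in the task output. `set -o pipefail` is a bash option, while the shell module runs `/bin/sh` unless `executable` is given, so the task fails on hosts where that is dash. Feeding the value through the command module's `stdin` avoids the shell altogether and keeps the secret off the command line.

```yaml
- name: Set elasticsearch bootstrap password
  command: "{{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password"
  args:
    stdin: "{{ elasticsearch_xpack_security_password }}"
  no_log: true
  # … unchanged: when: node_certs_generator …
```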
From: Jose M Date: Wed, 25 Sep 2019 09:14:31 +0200 Subject: [PATCH 45/48] Bump version to 3.10.2_7.3.2 --- VERSION | 4 ++-- roles/elastic-stack/ansible-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 4 ++-- roles/wazuh/ansible-wazuh-manager/defaults/main.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/VERSION b/VERSION index 2a8b969e..f4d1cb92 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-ANSIBLE_VERSION="v3.10.0" -REVISION="31000" +WAZUH-ANSIBLE_VERSION="v3.10.2" +REVISION="31020" diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 25525d89..ad639011 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" elastic_stack_version: 7.3.2 -wazuh_version: 3.10.0 +wazuh_version: 3.10.2 # Xpack Security kibana_xpack_security: false diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index f6904240..fe6749ce 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.10.0 +wazuh_agent_version: 3.10.2 wazuh_managers: - address: 127.0.0.1 port: 1514 @@ -26,7 +26,7 @@ wazuh_winagent_config: auth_path: C:\Program Files\ossec-agent\agent-auth.exe # Adding quotes to auth_path_x86 since win_shell outputs error otherwise auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - version: '3.10.0' + version: '3.10.2' revision: '1' repo: https://packages.wazuh.com/3.x/windows/ md5: ee5b24216db472d291da4e14f0b3bc63 diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 87ab144b..170a8da5 100644 
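Review bot: The `wazuh_winagent_config` hunk in ansible-wazuh-agent/defaults/main.yml moves `version` to `'3.10.2'` but leaves `md5: ee5b24216db472d291da4e14f0b3bc63` untouched, so the checksum presumably still describes the 3.10.0 installer. If the Windows tasks (not visible here) verify the download against it, the install will fail; if they do not, the value gives no integrity guarantee. Update the digest together with the version, and consider recording a SHA-256 or SHA-512 digest alongside it, since MD5 is not collision-resistant.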
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_api_version: 3.10.0 +wazuh_manager_api_version: 3.10.2 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: latest From a0d4967b1fd0ab19e5bfa4fab571345253bef2ba Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 09:48:07 +0200 Subject: [PATCH 46/48] Add filebeat_module_folder to default variables --- roles/wazuh/ansible-filebeat/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 78a47cf8..46d65654 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -28,6 +28,8 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_folder: /usr/share/filebeat/module/wazuh + # Xpack Security filebeat_xpack_security: false @@ -43,3 +45,5 @@ node_certs_destination: /etc/filebeat/certs master_certs_path: /es_certs generate_CA: true ca_cert_name: "" + + From 744193008199987e8c589093c45186e3e47c466a Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 11:49:56 +0200 Subject: [PATCH 47/48] Add default filebeat module variables --- roles/wazuh/ansible-filebeat/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index 46d65654..d38565d9 100644 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml 
@@ -28,6 +28,9 @@ filebeat_ssl_certificate_file: "" filebeat_ssl_key_file: "" filebeat_ssl_insecure: "false" +filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module filebeat_module_folder: /usr/share/filebeat/module/wazuh # Xpack Security From 133cda683a6c3e7e9efd5120f955d1b9a57ebe7a Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 25 Sep 2019 12:47:49 +0200 Subject: [PATCH 48/48] Fix linting in ansible-kibana tasks --- .../ansible-kibana/tasks/main.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/elastic-stack/ansible-kibana/tasks/main.yml b/roles/elastic-stack/ansible-kibana/tasks/main.yml index b49cef4e..f2152d00 100644 --- a/roles/elastic-stack/ansible-kibana/tasks/main.yml +++ b/roles/elastic-stack/ansible-kibana/tasks/main.yml @@ -17,12 +17,12 @@ - name: Copying node's certificate from master copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - with_items: - - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" - - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - - "{{master_certs_path}}/ca/ca.crt" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/ca.crt" tags: xpack-security when: - kibana_xpack_security 
@@ -30,13 +30,13 @@ - name: Copying node's certificate from master (Custom CA) copy: - src: "{{item}}" - dest: "{{node_certs_destination}}/" - mode: '0664' - with_items: - - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.key" - - "{{master_certs_path}}/{{kibana_node_name}}/{{ kibana_node_name }}.crt" - - "{{master_certs_path}}/ca/{{ca_cert_name}}" + src: "{{ item }}" + dest: "{{ node_certs_destination }}/" + mode: '0664' + with_items: + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.key" + - "{{ master_certs_path }}/{{ kibana_node_name }}/{{ kibana_node_name }}.crt" + - "{{ master_certs_path }}/ca/{{ ca_cert_name }}" when: - kibana_xpack_security - not generate_CA @@ -69,7 +69,7 @@ dest: /etc/kibana/kibana.yml owner: root group: root - mode: '0664' + mode: '0664' notify: restart kibana tags: configure