Updates to Wazuh and Opensearch roles

2022-02-04 16:58:21 -03:00 · 2022-02-04 16:58:21 -03:00 · d67ae78712
commit d67ae78712
parent c722e5bc87
15 changed files with 110 additions and 63 deletions
--- a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2
+++ b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2
@ -1,6 +1,9 @@
 server.host: {{ dashboard_server_host }}
 server.port: {{ dashboard_server_port }}
-opensearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}"
+opensearch.hosts:
+{% for item in indexer_cluster_nodes %}
+  - https://{{ item }}:{{ indexer_http_port }}
+{% endfor %}
 opensearch.ssl.verificationMode: certificate
 opensearch.username: {{ dashboard_user }}
 opensearch.password: {{ dashboard_password }}
--- a/roles/opensearch/wazuh-indexer/defaults/main.yml
+++ b/roles/opensearch/wazuh-indexer/defaults/main.yml
@ -42,8 +42,8 @@ package_repos:
      baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
      #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
      gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
-#    openjdk:
-#      baseurl: 'deb http://deb.debian.org/debian stretch-backports main'
+    openjdk:
+      baseurl: 'deb http://deb.debian.org/debian stretch-backports main'
      
 indexer_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
 indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools
--- a/roles/opensearch/wazuh-indexer/tasks/Debian.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml
@ -22,20 +22,20 @@
        keyserver: keyserver.ubuntu.com
        id: 648ACFD622F3D138
    
-#    - name: Add openjdk repository
-#      apt_repository:
-#        repo: "{{ package_repos.apt.openjdk.baseurl }}"
-#        state: present
-#        update_cache: yes
-#        filename: 'wazuh-openjdk'
+    - name: Add openjdk repository
+      apt_repository:
+        repo: "{{ package_repos.apt.openjdk.baseurl }}"
+        state: present
+        update_cache: yes
+        filename: 'wazuh-openjdk'

-#- name: Install openjdk-11-jdk
-### 732 will not be needed as indexer comes with the jdk.
-#  apt:
-#    name: openjdk-11-jdk
-#    state: present
-#  environment:
-#    JAVA_HOME: /usr
+- name: Install openjdk-11-jdk
+## 732 will not be needed as indexer comes with the jdk.
+  apt:
+    name: openjdk-11-jdk
+    state: present
+  environment:
+    JAVA_HOME: /usr

 - name: Add Wazuh-Indexer repository
  block:
--- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml
@ -12,27 +12,39 @@
      gpgcheck: true
    changed_when: false

-#  - name: RedHat/CentOS/Fedora | Install OpenJDK 11
-#  ## 732 will not be needed
-#    yum:
-#      name: java-11-openjdk-devel
-#      state: present
-#    when:
-#      - ansible_distribution != 'Amazon'
+  - name: RedHat/CentOS/Fedora | Install OpenJDK 11
+  ## 732 will not be needed
+    yum:
+      name: java-11-openjdk-devel
+      state: present
+    when:
+      - ansible_distribution != 'Amazon'

-#  - name: Amazon Linux | Install OpenJDK 11
-#  ## 732 will not be needed
-#    block:
-#      - name: Install Amazon extras
-#        yum:
-#          name: amazon-linux-extras
-#          state: present
+  - name: Amazon Linux | Install OpenJDK 11
+  ## 732 will not be needed
+    block:
+      - name: Install Amazon extras
+        yum:
+          name: amazon-linux-extras
+          state: present

-#      - name: Install OpenJDK 11
-#        shell: amazon-linux-extras install java-openjdk11 -y
+      - name: Install OpenJDK 11
+        shell: amazon-linux-extras install java-openjdk11 -y

-#    when:
-#      - ansible_distribution == 'Amazon'
+      - name: Configure vm.max_map_count
+        lineinfile:
+          line: "vm.max_map_count=262144"
+          dest: "/etc/sysctl.conf"
+          insertafter: EOF
+          create: true
+        become: yes
+
+      - name: Update vm.max_map_count
+        shell: sysctl -p
+        become: yes
+
+    when:
+      - ansible_distribution == 'Amazon'

  - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
    yum:
--- a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml
@ -67,6 +67,20 @@
      bash {{ local_certs_path }}/wazuh-cert-tool.sh
    become: yes

+  - name: Get Certificate files
+    find:
+      paths: "{{ local_certs_path }}/certs"
+      patterns: "*"
+    register: certificate_files
+
+  - name: Change Certificates Ownership
+    file: 
+      path: "{{ item.path }}"
+      owner: "{{ ansible_effective_user_id }}"
+      group: "{{ ansible_effective_user_id }}"
+    become: yes
+    with_items: "{{ certificate_files.files }}"
+
  run_once: true
  delegate_to: localhost
  become: no
--- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
@ -70,7 +70,7 @@
 - name: Hashing the custom admin password
  command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301
  register: indexer_admin_password_hashed
-  no_log: '{{ indexer_nolog_sensible | bool }}'
+  #no_log: '{{ indexer_nolog_sensible | bool }}'
  run_once: true

 - name: Set the Admin user password
--- a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
+++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
@ -7,7 +7,13 @@ cluster.initial_master_nodes:
 {% for item in indexer_cluster_nodes %}
  - {{ item }}
 {% endfor %}
+
+discovery.seed_hosts:
+{% for item in elasticsearch_discovery_nodes %}
+  - {{ item }}
+{% endfor %}
 {% endif %}
+
 cluster.name: {{ indexer_cluster_name }}

 http.port: 9700-9799
@ -40,7 +46,9 @@ plugins.security.authcz.admin_dn:
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
- "CN={{ indexer_node_name }},OU=Docu,O=Wazuh,L=California,C=US"
+{% for (key,value) in instances.items() %}
+- "CN={{ value.name }},OU=Docu,O=Wazuh,L=California,C=US"
+{% endfor %}
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
@ -1,27 +1,31 @@
 ---
 filebeat_version: 7.10.2

-wazuh_template_branch: v4.3.0
+wazuh_template_branch: v4.2.5

 filebeat_output_elasticsearch_hosts:
-  - "localhost:9200"
+  - "localhost:9700"

-filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+#filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
 filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
 filebeat_module_package_path: /tmp/
 filebeat_module_destination: /usr/share/filebeat/module
 filebeat_module_folder: /usr/share/filebeat/module/wazuh
-elasticsearch_security_user: admin
-elasticsearch_security_password: changeme
+indexer_security_user: admin
+indexer_security_password: changeme
 # Security plugin
 filebeat_security: true
 filebeat_ssl_dir: /etc/pki/filebeat

 # Local path to store the generated certificates (OpenDistro security plugin)
-local_certs_path: ./opendistro/certificates
+local_certs_path: ./indexer/certificates

-elasticrepo:
-  apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
-  yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
-  gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
-  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
+filebeatrepo:
+  #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+  apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
+  #yum: 'https://packages.wazuh.com/4.x/yum/'
+  yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
+  #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
--- a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml
@ -11,13 +11,13 @@

 - name: Debian/Ubuntu | Add Elasticsearch apt key.
  apt_key:
-    url: "{{ elasticrepo.gpg }}"
-    id: "{{ elasticrepo.key_id }}"
+    url: "{{ filebeatrepo.gpg }}"
+    id: "{{ filebeatrepo.key_id }}"
    state: present

 - name: Debian/Ubuntu | Add Filebeat-oss repository.
  apt_repository:
-    repo: "deb {{ elasticrepo.apt }} stable main"
+    repo: "{{ filebeatrepo.apt }}"
    state: present
    update_cache: true
  changed_when: false
--- a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml
@ -1,6 +1,6 @@
 ---
 - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
  apt_repository:
-    repo: "deb {{ elasticrepo.apt }} stable main"
+    repo: "{{ filebeatrepo.apt }}"
    state: absent
  changed_when: false
--- a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml
@ -3,7 +3,7 @@
  yum_repository:
    name: elastic_oss-repo_7
    description: Elastic repository for 7.x packages
-    baseurl: "{{ elasticrepo.yum }}"
-    gpgkey: "{{ elasticrepo.gpg }}"
+    baseurl: "{{ filebeatrepo.yum }}"
+    gpgkey: "{{ filebeatrepo.gpg }}"
    gpgcheck: true
  changed_when: false
--- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
+++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
@ -16,7 +16,7 @@
      group: root
      mode: 0644
    with_items:
-      - "{{ filebeat_node_name }}.key"
+      - "{{ filebeat_node_name }}-key.pem"
      - "{{ filebeat_node_name }}.pem"
      - "root-ca.pem"

--- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
+++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
@ -19,13 +19,13 @@ output.elasticsearch:
  hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}

 {% if filebeat_security %}
-  username: {{ elasticsearch_security_user }}
-  password: {{ elasticsearch_security_password }}
+  username: {{ indexer_security_user }}
+  password: {{ indexer_security_password }}
  protocol: https
  ssl.certificate_authorities:
    - {{ filebeat_ssl_dir }}/root-ca.pem
  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
-  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.key"
+  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
 {% endif %}

 # Optional. Send events to Logstash instead of Elasticsearch
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@ -61,9 +61,12 @@ wazuh_winagent_package_name: wazuh-agent-4.3.0-1.msi
 wazuh_dir: "/var/ossec"

 wazuh_agent_repo:
-  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
-  yum: 'https://packages.wazuh.com/4.x/yum/'
-  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+  apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
+  #yum: 'https://packages.wazuh.com/4.x/yum/'
+  yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
+  #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'

 # This is deprecated, see: wazuh_agent_address
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@ -38,9 +38,12 @@ wazuh_manager_sources_installation:

 wazuh_dir: "/var/ossec"
 wazuh_manager_repo:
-  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
-  yum: 'https://packages.wazuh.com/4.x/yum/'
-  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+  apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
+  #yum: 'https://packages.wazuh.com/4.x/yum/'
+  yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
+  #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'