From 9bd3e0f4e7f6b01fe79a1f6f8cec9df218826a8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Tue, 1 Feb 2022 17:39:57 -0300 Subject: [PATCH 01/41] Initial indexer changes --- .../defaults/main.yml | 69 --------------- .../handlers/main.yml | 5 -- .../opendistro-elasticsearch/tasks/RedHat.yml | 50 ----------- .../tasks/local_actions.yml | 87 ------------------- .../opendistro-kibana/handlers/main.yml | 3 - .../opendistro-kibana/vars/debian.yml | 3 - .../wazuh-dashboard}/defaults/main.yml | 9 +- .../wazuh-dashboard/handlers/main.yml | 4 + .../wazuh-dashboard}/tasks/Debian.yml | 7 +- .../wazuh-dashboard}/tasks/RMRedHat.yml | 0 .../wazuh-dashboard}/tasks/RedHat.yml | 4 +- .../tasks/build_wazuh_plugin.yml | 3 + .../wazuh-dashboard}/tasks/main.yml | 62 ++++++------- .../tasks/security_actions.yml | 0 .../templates/opendistro_kibana.yml.j2 | 0 .../wazuh-dashboard}/templates/wazuh.yml.j2 | 0 .../wazuh-dashboard/vars/debian.yml | 3 + .../wazuh-indexer/defaults/main.yml | 77 ++++++++++++++++ .../wazuh-indexer/handlers/main.yml | 6 ++ .../wazuh-indexer}/meta/main.yml | 0 .../wazuh-indexer}/tasks/Debian.yml | 36 ++++---- .../wazuh-indexer}/tasks/RMRedHat.yml | 1 + .../opensearch/wazuh-indexer/tasks/RedHat.yml | 54 ++++++++++++ .../wazuh-indexer/tasks/local_actions.yml | 76 ++++++++++++++++ .../wazuh-indexer}/tasks/main.yml | 76 +++++++++------- .../wazuh-indexer}/tasks/security_actions.yml | 77 ++++++++-------- .../wazuh-indexer/templates/config.yml.j2 | 33 +++++++ .../templates/disabledlog4j.options.j2 | 0 .../templates/elasticsearch.yml.j2 | 0 .../templates/internal_users.yml.j2 | 0 .../templates/jvm.options copy.j2 | 83 ++++++++++++++++++ .../wazuh-indexer}/templates/jvm.options.j2 | 12 +-- .../wazuh-indexer/templates/opensearch.yml.j2 | 52 +++++++++++ .../wazuh-indexer}/templates/tlsconfig.yml.j2 | 0 34 files changed, 551 insertions(+), 341 deletions(-) delete mode 100644 roles/opendistro/opendistro-elasticsearch/defaults/main.yml delete mode 100644 roles/opendistro/opendistro-elasticsearch/handlers/main.yml delete mode 
100644 roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml delete mode 100644 roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml delete mode 100644 roles/opendistro/opendistro-kibana/handlers/main.yml delete mode 100644 roles/opendistro/opendistro-kibana/vars/debian.yml rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/defaults/main.yml (80%) create mode 100644 roles/opensearch/wazuh-dashboard/handlers/main.yml rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/Debian.yml (59%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/RMRedHat.yml (100%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/RedHat.yml (79%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/build_wazuh_plugin.yml (96%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/main.yml (69%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/tasks/security_actions.yml (100%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/templates/opendistro_kibana.yml.j2 (100%) rename roles/{opendistro/opendistro-kibana => opensearch/wazuh-dashboard}/templates/wazuh.yml.j2 (100%) create mode 100644 roles/opensearch/wazuh-dashboard/vars/debian.yml create mode 100644 roles/opensearch/wazuh-indexer/defaults/main.yml create mode 100644 roles/opensearch/wazuh-indexer/handlers/main.yml rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/meta/main.yml (100%) rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/tasks/Debian.yml (57%) rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/tasks/RMRedHat.yml (69%) create mode 100644 roles/opensearch/wazuh-indexer/tasks/RedHat.yml create mode 100644 roles/opensearch/wazuh-indexer/tasks/local_actions.yml rename roles/{opendistro/opendistro-elasticsearch => 
opensearch/wazuh-indexer}/tasks/main.yml (61%) rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/tasks/security_actions.yml (63%) create mode 100644 roles/opensearch/wazuh-indexer/templates/config.yml.j2 rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/templates/disabledlog4j.options.j2 (100%) rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/templates/elasticsearch.yml.j2 (100%) rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/templates/internal_users.yml.j2 (100%) create mode 100644 roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/templates/jvm.options.j2 (88%) create mode 100644 roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 rename roles/{opendistro/opendistro-elasticsearch => opensearch/wazuh-indexer}/templates/tlsconfig.yml.j2 (100%) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml deleted file mode 100644 index 615a7ddc..00000000 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -# Cluster Settings -opendistro_version: 1.13.2 - -single_node: false -elasticsearch_node_name: node-1 -opendistro_cluster_name: wazuh -elasticsearch_network_host: '0.0.0.0' - -elasticsearch_node_master: true -elasticsearch_node_data: true -elasticsearch_node_ingest: true -elasticsearch_start_timeout: 90 - -elasticsearch_lower_disk_requirements: false -elasticsearch_cluster_nodes: - - 127.0.0.1 -elasticsearch_discovery_nodes: - - 127.0.0.1 - -local_certs_path: "{{ playbook_dir }}/opendistro/certificates" - -# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster -minimum_master_nodes: 2 - -# Configure hostnames for Elasticsearch nodes -# Example es1.example.com, es2.example.com -domain_name: wazuh.com - -# The OpenDistro package repository -package_repos: - yum: - opendistro: - baseurl: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - apt: - opendistro: - baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - openjdk: - baseurl: 'deb http://deb.debian.org/debian stretch-backports main' - -opendistro_sec_plugin_conf_path: /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -opendistro_sec_plugin_tools_path: /usr/share/elasticsearch/plugins/opendistro_security/tools -opendistro_conf_path: /etc/elasticsearch/ - -# Security password -opendistro_custom_user: "" -opendistro_custom_user_role: "admin" - -# Set JVM memory limits -opendistro_jvm_xms: null - -opendistro_http_port: 9200 - -certs_gen_tool_version: 1.8 - -# Url of Search Guard certificates generator tool -certs_gen_tool_url: "https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" - - -opendistro_admin_password: changeme -opendistro_kibana_password: changeme - -# Deployment settings -generate_certs: true -perform_installation: true - 
-opendistro_nolog_sensible: true diff --git a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml b/roles/opendistro/opendistro-elasticsearch/handlers/main.yml deleted file mode 100644 index 3cfaa6b0..00000000 --- a/roles/opendistro/opendistro-elasticsearch/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart elasticsearch - service: - name: elasticsearch - state: restarted diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml deleted file mode 100644 index ee2482f6..00000000 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -- block: - - - name: RedHat/CentOS/Fedora | Add OpenDistro repo - yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" - gpgcheck: true - changed_when: false - - - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - yum: - name: java-11-openjdk-devel - state: present - when: - - ansible_distribution != 'Amazon' - - - name: Amazon Linux | Install OpenJDK 11 - block: - - name: Install Amazon extras - yum: - name: amazon-linux-extras - state: present - - - name: Install OpenJDK 11 - shell: amazon-linux-extras install java-openjdk11 -y - - when: - - ansible_distribution == 'Amazon' - - - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip - - - name: Install OpenDistro - package: - name: opendistroforelasticsearch-{{ opendistro_version }} - state: present - register: install - tags: install - - tags: - - install diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml deleted file mode 100644 index 6e54fdf2..00000000 
--- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml
+++ /dev/null
@@ -1,87 +0,0 @@ ---- -- name: Check if certificates already exists - stat: - path: "{{ local_certs_path }}" - register: certificates_folder - delegate_to: localhost - become: no - tags: - - generate-certs - - -- block: - - - name: Local action | Create local temporary directory for certificates generation - file: - path: "{{ local_certs_path }}" - mode: 0755 - state: directory - - - name: Local action | Check that the generation tool exists - stat: - path: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" - register: tool_package - - - name: Local action | Download certificates generation tool - get_url: - url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" - when: not tool_package.stat.exists - - - name: Local action | Extract the certificates generation tool - unarchive: - src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" - dest: "{{ local_certs_path }}/" - - - name: Local action | Add the execution bit to the binary - file: - dest: "{{ local_certs_path }}/tools/sgtlstool.sh" - mode: a+x - - - name: Local action | Prepare the certificates generation template file - template: - src: "templates/tlsconfig.yml.j2" - dest: "{{ local_certs_path }}/config/tlsconfig.yml" - mode: 0644 - register: tlsconfig_template - - - name: Create a directory if it does not exist - file: - path: "{{ local_certs_path }}/certs/" - state: directory - mode: '0755' - - - name: Local action | Check if root CA file exists - stat: - path: "{{ local_certs_path }}/certs/root-ca.key" - register: root_ca_file - - - name: Local action | Generate the node & admin certificates in local - command: >- - {{ local_certs_path }}/tools/sgtlstool.sh - -c {{ local_certs_path }}/config/tlsconfig.yml - -ca -crt - -t {{ local_certs_path }}/certs/ - -f -o - when: - - not root_ca_file.stat.exists - - tlsconfig_template.changed - - - name: Local action | Generate the node & admin 
certificates using an existing root CA - command: >- - {{ local_certs_path }}/tools/sgtlstool.sh - -c {{ local_certs_path }}/config/tlsconfig.yml - -crt - -t {{ local_certs_path }}/certs/ - -f - when: - - root_ca_file.stat.exists - - tlsconfig_template.changed - - run_once: true - delegate_to: localhost - become: no - tags: - - generate-certs - when: - - not certificates_folder.stat.exists diff --git a/roles/opendistro/opendistro-kibana/handlers/main.yml b/roles/opendistro/opendistro-kibana/handlers/main.yml deleted file mode 100644 index 55ea3d3c..00000000 --- a/roles/opendistro/opendistro-kibana/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: restart kibana - service: name=kibana state=restarted diff --git a/roles/opendistro/opendistro-kibana/vars/debian.yml b/roles/opendistro/opendistro-kibana/vars/debian.yml deleted file mode 100644 index 9edcdddc..00000000 --- a/roles/opendistro/opendistro-kibana/vars/debian.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -kibana_opendistro_version: 1.13.2 \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml similarity index 80% rename from roles/opendistro/opendistro-kibana/defaults/main.yml rename to roles/opensearch/wazuh-dashboard/defaults/main.yml index 6441ad3d..dc93c18c 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml 
@@ -4,17 +4,21 @@ elasticsearch_http_port: 9200 elastic_api_protocol: https kibana_conf_path: /etc/kibana +## 732 check the path kibana_node_name: node-1 kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.10.2 +elastic_stack_version: 4.3.0 +## 732 check if it is the right version wazuh_version: 4.3.0 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana +## 732 check if it is needed. # The OpenDistro package repository -kibana_opendistro_version: 1.13.2-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +kibana_opendistro_version: 4.3.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +## 732 check if it is the right version package_repos: yum: @@ -55,6 +59,7 @@ nodejs: # Build from sources build_from_sources: false wazuh_plugin_branch: 4.1-7.10 +## 732 check if it is the right version and if it is needed #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opensearch/wazuh-dashboard/handlers/main.yml b/roles/opensearch/wazuh-dashboard/handlers/main.yml new file mode 100644 index 00000000..ac7f23e7 --- /dev/null +++ b/roles/opensearch/wazuh-dashboard/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: restart wazuh-dashboard + service: name=wazuh-dashboard state=restarted +## 732 service name should be updated \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/tasks/Debian.yml b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml similarity index 59% rename from roles/opendistro/opendistro-kibana/tasks/Debian.yml rename to roles/opensearch/wazuh-dashboard/tasks/Debian.yml index 140b2582..c40799ca 100644 --- a/roles/opendistro/opendistro-kibana/tasks/Debian.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml 
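Review bot: The new handler in roles/opensearch/wazuh-dashboard/handlers/main.yml writes the service call as a free-form string, `service: name=wazuh-dashboard state=restarted`, while the indexer handler added in this same commit uses block YAML (`name:` / `state:`); the two handlers should share one form, and the block form is the one ansible-lint accepts. The `## 732 service name should be updated` marker also becomes the last line of the file with no trailing newline, which is what the `\ No newline at end of file` marker records. Suggested handler body: `service:` / `  name: wazuh-dashboard` / `  state: restarted`, followed by a newline.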
@@ -3,19 +3,22 @@ - include_vars: debian.yml - name: Add apt repository signing key +## 732 will not be needed. The wazuh repo should be added apt_key: url: "{{ package_repos.apt.opendistro.gpg }}" state: present - name: Debian systems | Add OpenDistro repo +## 732 will not be needed. The wazuh repo should be added apt_repository: repo: "{{ package_repos.apt.opendistro.baseurl }}" state: present update_cache: yes - - name: Install Kibana + - name: Install Wazuh-Dashboard +## 732 package name and task name should be updated. apt: - name: "opendistroforelasticsearch-kibana={{ kibana_opendistro_version }}" + name: "wazuh-dashboard={{ kibana_opendistro_version }}" state: present register: install diff --git a/roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml similarity index 100% rename from roles/opendistro/opendistro-kibana/tasks/RMRedHat.yml rename to roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml diff --git a/roles/opendistro/opendistro-kibana/tasks/RedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml similarity index 79% rename from roles/opendistro/opendistro-kibana/tasks/RedHat.yml rename to roles/opensearch/wazuh-dashboard/tasks/RedHat.yml index 4407e165..280baa66 100644 --- a/roles/opendistro/opendistro-kibana/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml @@ -10,9 +10,9 @@ gpgkey: "{{ package_repos.yum.opendistro.gpg }}" gpgcheck: true - - name: Install Kibana + - name: Install Wazuh-Dashboard package: - name: "opendistroforelasticsearch-kibana-{{ kibana_opendistro_version }}" + name: "wazuh-dashboard-{{ kibana_opendistro_version }}" state: present register: install 
diff --git a/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml b/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml similarity index 96% rename from roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml rename to roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml index b7ceb87f..5f11ae00 100644 --- a/roles/opendistro/opendistro-kibana/tasks/build_wazuh_plugin.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml @@ -1,4 +1,5 @@ --- +## 732 will not be needed - name: Ensure the Git package is present package: name: git @@ -33,12 +34,14 @@ changed_when: install_yarn_result == 0 - name: Remove old wazuh-kibana-app git directory +## 732 check if it is needed file: path: /tmp/app state: absent changed_when: false - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth +## 732 will not be needed command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303 register: clone_app_repo_result changed_when: false diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml similarity index 69% rename from roles/opendistro/opendistro-kibana/tasks/main.yml rename to roles/opensearch/wazuh-dashboard/tasks/main.yml index acfd1f90..10bd2e65 100755 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -32,7 +32,7 @@ owner: kibana mode: 0640 marker: "## {mark} Kibana general settings ##" - notify: restart kibana + notify: restart wazuh-dashboard tags: - install - configure 
@@ -46,38 +46,38 @@ group: kibana recurse: yes -- name: Build and Install Wazuh Kibana Plugin from sources - import_tasks: build_wazuh_plugin.yml - when: - - build_from_sources is defined - - build_from_sources +#- name: Build and Install Wazuh Kibana Plugin from sources +# import_tasks: build_wazuh_plugin.yml +# when: +# - build_from_sources is defined +# - build_from_sources -- name: Install Wazuh Plugin (can take a while) - shell: >- - NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install - {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}-1.zip - args: - executable: /bin/bash - creates: /usr/share/kibana/plugins/wazuh/package.json - chdir: /usr/share/kibana - become: yes - become_user: kibana - notify: restart kibana - tags: - - install - - skip_ansible_lint - when: - - not build_from_sources +#- name: Install Wazuh Plugin (can take a while) +# shell: >- +# NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install +# {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}-1.zip +# args: +# executable: /bin/bash +# creates: /usr/share/kibana/plugins/wazuh/package.json +# chdir: /usr/share/kibana +# become: yes +# become_user: kibana +# notify: restart kibana +# tags: +# - install +# - skip_ansible_lint +# when: +# - not build_from_sources -- name: Kibana optimization (can take a while) - shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ kibana_conf_path }}/kibana.yml - args: - executable: /bin/bash - become: yes - become_user: kibana - changed_when: false - tags: - - skip_ansible_lint +#- name: Kibana optimization (can take a while) +# shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ kibana_conf_path }}/kibana.yml +# args: +# executable: /bin/bash +# become: yes +# become_user: kibana +# changed_when: false +# tags: +# - skip_ansible_lint - name: Wait for Elasticsearch port 
wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }}
diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml
similarity index 100%
rename from roles/opendistro/opendistro-kibana/tasks/security_actions.yml
rename to roles/opensearch/wazuh-dashboard/tasks/security_actions.yml
diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2
similarity index 100%
rename from roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2
rename to roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2
diff --git a/roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2
similarity index 100%
rename from roles/opendistro/opendistro-kibana/templates/wazuh.yml.j2
rename to roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2
diff --git a/roles/opensearch/wazuh-dashboard/vars/debian.yml b/roles/opensearch/wazuh-dashboard/vars/debian.yml
new file mode 100644
index 00000000..bf53c169
--- /dev/null
+++ b/roles/opensearch/wazuh-dashboard/vars/debian.yml
@@ -0,0 +1,3 @@
+---
+
+kibana_opendistro_version: 4.3.0
\ No newline at end of file
diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml
new file mode 100644
index 00000000..18b86c5f
--- /dev/null
+++ b/roles/opensearch/wazuh-indexer/defaults/main.yml
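Review bot: The plugin build, plugin install and Kibana optimization tasks in tasks/main.yml are commented out rather than removed, which leaves roughly forty lines of dead YAML in place while `build_from_sources` and `node_options` in defaults/main.yml, and build_wazuh_plugin.yml itself, no longer have a caller. If the plugin path for wazuh-dashboard is still undecided, a single `# TODO(732): Wazuh plugin installation not yet ported to wazuh-dashboard` line keeps the intent without the dead code, and git history preserves the old tasks. The same commented-out-instead-of-deleted pattern appears in the indexer role's tasks/Debian.yml, tasks/RedHat.yml, tasks/local_actions.yml and tasks/main.yml hunks of this commit.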
@@ -0,0 +1,77 @@ +--- +# Cluster Settings +opendistro_version: 4.3.0 + +single_node: false +elasticsearch_node_name: node-1 +opendistro_cluster_name: wazuh +elasticsearch_network_host: '0.0.0.0' + +elasticsearch_node_master: true +elasticsearch_node_data: true +elasticsearch_node_ingest: true +elasticsearch_start_timeout: 90 + +elasticsearch_lower_disk_requirements: false +elasticsearch_cluster_nodes: + - 127.0.0.1 +elasticsearch_discovery_nodes: + - 127.0.0.1 + +local_certs_path: "{{ playbook_dir }}/opendistro/certificates" +##check if it is the correct directory + +# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +minimum_master_nodes: 2 + +# Configure hostnames for Elasticsearch nodes +# Example es1.example.com, es2.example.com +domain_name: wazuh.com + +# The OpenDistro package repository +package_repos: + yum: + opendistro: + #baseurl: 'https://packages.wazuh.com/4.x/yum/' + baseurl: 'https://packages-dev.wazuh.com/pre-release/yum/' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' + apt: + opendistro: + #baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' + openjdk: + baseurl: 'deb http://deb.debian.org/debian stretch-backports main' + +opendistro_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig +opendistro_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools +opendistro_conf_path: /etc/wazuh-indexer/ +opendistro_index_path: /var/lib/wazuh-indexer/ + +# Security password +opendistro_custom_user: "" +opendistro_custom_user_role: "admin" + +# Set JVM memory limits +opendistro_jvm_xms: null + +opendistro_http_port: 9700 +## 732 this port changes to 9700 + +certs_gen_tool_version: 4.3 +## 732 will no longer be 
needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. + +# Url of Search Guard certificates generator tool +certs_gen_tool_url: "https://packages-dev.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh" +## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. + +opendistro_admin_password: changeme +opendistro_kibana_password: changeme + +# Deployment settings +generate_certs: true +perform_installation: true + +opendistro_nolog_sensible: true diff --git a/roles/opensearch/wazuh-indexer/handlers/main.yml b/roles/opensearch/wazuh-indexer/handlers/main.yml new file mode 100644 index 00000000..ceb73dfe --- /dev/null +++ b/roles/opensearch/wazuh-indexer/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart wazuh-indexer + service: + name: wazuh-indexer + state: restarted +## 732 the name of the service changes to wazuh-indexer \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/meta/main.yml b/roles/opensearch/wazuh-indexer/meta/main.yml similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/meta/main.yml rename to roles/opensearch/wazuh-indexer/meta/main.yml diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/Debian.yml b/roles/opensearch/wazuh-indexer/tasks/Debian.yml similarity index 57% rename from roles/opendistro/opendistro-elasticsearch/tasks/Debian.yml rename to roles/opensearch/wazuh-indexer/tasks/Debian.yml index 5b490844..d81b7de6 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/Debian.yml +++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml 
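Review bot: The new indexer defaults point `package_repos` at `packages-dev.wazuh.com/pre-release/` (apt component `unstable`) and fetch the signing key from the same dev host, with the production URLs kept only as comments; as role defaults these values apply to every consumer of the role, so a playbook that does not override them installs pre-release packages trusted through a key it pulled from the dev mirror. Keeping the production `packages.wazuh.com` entries as the defaults and moving the pre-release repo into inventory or group vars (or behind an explicit opt-in variable) keeps that choice visible. Separately, `opendistro_http_port` becomes `9700` here while roles/opensearch/wazuh-dashboard/defaults/main.yml in this same commit still carries `elasticsearch_http_port: 9200`, so the dashboard role's `wait_for` on that port will target the wrong port unless both values are overridden together. The `opendistro_admin_password: changeme` and `opendistro_kibana_password: changeme` defaults would also benefit from a comment such as `# Override from vault-backed vars; these placeholders are for lab use only` directly above them.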
@@ -9,7 +9,8 @@ when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9") block: - - name: Install OpenDistro dependencies + - name: Install Wazuh-Indexer dependencies + ## 732 change task name apt: name: [ 'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common @@ -21,22 +22,24 @@ keyserver: keyserver.ubuntu.com id: 648ACFD622F3D138 - - name: Add openjdk repository - apt_repository: - repo: "{{ package_repos.apt.openjdk.baseurl }}" - state: present - update_cache: yes - filename: 'wazuh-openjdk' +# - name: Add openjdk repository +# apt_repository: +# repo: "{{ package_repos.apt.openjdk.baseurl }}" +# state: present +# update_cache: yes +# filename: 'wazuh-openjdk' -- name: Install openjdk-11-jdk - apt: - name: openjdk-11-jdk - state: present - environment: - JAVA_HOME: /usr +#- name: Install openjdk-11-jdk +### 732 will not be needed as indexer comes with the jdk. +# apt: +# name: openjdk-11-jdk +# state: present +# environment: +# JAVA_HOME: /usr -- name: Add Opendistro repository +- name: Add Wazuh-Indexer repository block: + ## 732 the wazuh repo should be added instead - name: Add apt repository signing key apt_key: url: "{{ package_repos.apt.opendistro.gpg }}" @@ -49,9 +52,10 @@ filename: 'wazuh-opendistro' update_cache: yes -- name: Install OpenDistro +- name: Install Wazuh-Indexer +## the indexer package should be installed instead apt: - name: opendistroforelasticsearch={{ opendistro_version }}-1 + name: wazuh-indexer={{ opendistro_version }}-1 state: present register: install tags: install \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml similarity index 69% rename from roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml rename to roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml index 31f0416a..3d162cdf 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RMRedHat.yml 
+++ b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml @@ -1,5 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) + ## 732 will not be needed and if it is needed the wazuh repo should be removed. yum_repository: name: opendistro_repo state: absent diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml new file mode 100644 index 00000000..97d2487f --- /dev/null +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml @@ -0,0 +1,54 @@ +--- +- block: + + - name: RedHat/CentOS/Fedora | Add Wazuh-Indexer repo + ## 732 wazuh repo should be added instead. + yum_repository: + file: opendistro + name: opendistro_repo + description: Opendistro yum repository + baseurl: "{{ package_repos.yum.opendistro.baseurl }}" + gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + gpgcheck: true + changed_when: false + +# - name: RedHat/CentOS/Fedora | Install OpenJDK 11 +# ## 732 will not be needed +# yum: +# name: java-11-openjdk-devel +# state: present +# when: +# - ansible_distribution != 'Amazon' + +# - name: Amazon Linux | Install OpenJDK 11 +# ## 732 will not be needed +# block: +# - name: Install Amazon extras +# yum: +# name: amazon-linux-extras +# state: present + +# - name: Install OpenJDK 11 +# shell: amazon-linux-extras install java-openjdk11 -y + +# when: +# - ansible_distribution == 'Amazon' + + - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + - name: Install Wazuh-Indexer + ## 732 the package name should be updated + package: + name: wazuh-indexer-{{ opendistro_version }} + state: present + register: install + tags: install + + tags: + - install diff --git a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml new file mode 100644 index 00000000..74febb15 --- /dev/null 
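Review bot: In the new tasks/RedHat.yml the `yum_repository` task carries `changed_when: false`, so writing or rewriting the repo definition never shows up as a change in the play output; with `gpgcheck: true` and a `gpgkey` whose default now resolves to the dev mirror, a silently rewritten repo file is exactly the change an operator would want to notice. Dropping the `changed_when: false` line is a one-line fix, since the module reports changes correctly on its own. The repo `file`, `name` and `description` still read `opendistro`, which the `## 732` note already flags.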
+++ b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml 
@@ -0,0 +1,76 @@ +--- +- name: Check if certificates already exists + stat: + path: "{{ local_certs_path }}" + register: certificates_folder + delegate_to: localhost + become: no + tags: + - generate-certs + + +- block: + + - name: Local action | Create local temporary directory for certificates generation + file: + path: "{{ local_certs_path }}" + mode: 0755 + state: directory + + - name: Local action | Check that the generation tool exists + ## 732 will not be needed + stat: + path: "{{ local_certs_path }}/wazuh-cert-tool.sh" + register: tool_package + + - name: Local action | Download certificates generation tool + ## 732 will not be needed + get_url: + url: "{{ certs_gen_tool_url }}" + dest: "{{ local_certs_path }}/wazuh-cert-tool.sh" + #search-guard-tlstool-{{ certs_gen_tool_version }}.zip" + when: not tool_package.stat.exists + +# - name: Local action | Extract the certificates generation tool +# ## 732 will not be needed +# unarchive: +# src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" +# dest: "{{ local_certs_path }}/" + +# - name: Local action | Add the execution bit to the binary +# ## 732 will not be needed +# file: +# dest: "{{ local_certs_path }}/tools/sgtlstool.sh" +# mode: a+x + + - name: Local action | Prepare the certificates generation template file +## 732 need to resolve the certificate creation (config.yml) + template: + src: "templates/config.yml.j2" + dest: "{{ local_certs_path }}/config.yml" + mode: 0644 + register: tlsconfig_template + +# - name: Create a directory if it does not exist +# file: +# path: "{{ local_certs_path }}/certs/" +# state: directory +# mode: '0755' + +# - name: Local action | Check if root CA file exists +# stat: +# path: "{{ local_certs_path }}/certs/root-ca.key" +# register: root_ca_file + + - name: Local action | Generate the node & admin certificates in local + command: >- + bash {{ local_certs_path }}/wazuh-cert-tool.sh + become: yes + + run_once: true + delegate_to: localhost + 
become: no + tags: + - generate-certs + when: + - not certificates_folder.stat.exists diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opensearch/wazuh-indexer/tasks/main.yml similarity index 61% rename from roles/opendistro/opendistro-elasticsearch/tasks/main.yml rename to roles/opensearch/wazuh-indexer/tasks/main.yml index cc37efad..ba6b8657 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opensearch/wazuh-indexer/tasks/main.yml 
@@ -11,32 +11,35 @@ - import_tasks: Debian.yml when: ansible_os_family == 'Debian' - - name: Remove performance analyzer plugin from elasticsearch - become: true - command: ./elasticsearch-plugin remove opendistro-performance-analyzer - ignore_errors: true - args: - chdir: /usr/share/elasticsearch/bin/ - register: remove_elasticsearch_performance_analyzer - failed_when: - - remove_elasticsearch_performance_analyzer.rc != 0 - - '"not found" not in remove_elasticsearch_performance_analyzer.stderr' - changed_when: "remove_elasticsearch_performance_analyzer.rc == 0" +# - name: Remove performance analyzer plugin from elasticsearch +# ## 732 will not be needed +# become: true +# command: ./elasticsearch-plugin remove opendistro-performance-analyzer +# ignore_errors: true +# args: +# chdir: /usr/share/elasticsearch/bin/ +# register: remove_elasticsearch_performance_analyzer +# failed_when: +# - remove_elasticsearch_performance_analyzer.rc != 0 +# - '"not found" not in remove_elasticsearch_performance_analyzer.stderr' +# changed_when: "remove_elasticsearch_performance_analyzer.rc == 0" - name: Remove elasticsearch configuration file + ## 732 will not be needed file: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" + path: "{{ opendistro_conf_path }}/opensearch.yml" state: absent tags: install - name: Copy Configuration File - blockinfile: - block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - create: true - group: elasticsearch + ## 732 will not be needed + template: + src: "templates/opensearch.yml.j2" + dest: "{{ opendistro_conf_path }}/opensearch.yml" + owner: root + group: wazuh-indexer mode: 0640 - marker: "## {mark} Opendistro general settings ##" + force: yes tags: install - include_tasks: security_actions.yml 
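Review bot: `Remove elasticsearch configuration file` deletes `{{ opendistro_conf_path }}/opensearch.yml` immediately before `Copy Configuration File` rewrites it with `template` and `force: yes`, so the delete is redundant, reports `changed` on every run (breaking idempotency checks), and leaves the node with no config at all if the template step fails between the two tasks. Removing the `file:` / `state: absent` task and keeping only the `template` task (which already sets `owner: root`, `group: wazuh-indexer`, `mode: 0640`) is the simpler and safer sequence; the `## 732 will not be needed` comments under both task names suggest this was already the intent. The enclosing task list starts and continues outside this hunk.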
@@ -45,44 +48,59 @@ - name: Configure OpenDistro Elasticsearch JVM memmory. + ## 732 will not be needed and if it is needed the path should be updated. template: src: "templates/jvm.options.j2" - dest: /etc/elasticsearch/jvm.options + dest: "{{ opendistro_conf_path }}/jvm.options" owner: root - group: elasticsearch + group: wazuh-indexer mode: 0644 force: yes - notify: restart elasticsearch + notify: restart wazuh-indexer tags: install - name: Configure disabled log4j. + ## 732 will not be needed template: src: "templates/disabledlog4j.options.j2" - dest: /etc/elasticsearch/jvm.options.d/disabledlog4j.options + dest: "{{ opendistro_conf_path }}/jvm.options.d/disabledlog4j.options" owner: root - group: elasticsearch + group: wazuh-indexer mode: 2750 force: yes - notify: restart elasticsearch + notify: restart wazuh-indexer tags: install - name: Ensure extra time for Elasticsearch to start on reboots lineinfile: - path: /usr/lib/systemd/system/elasticsearch.service + path: /usr/lib/systemd/system/wazuh-indexer.service regexp: '^TimeoutStartSec=' line: "TimeoutStartSec={{ elasticsearch_start_timeout }}" become: yes tags: configure + - name: Index files to remove + find: + paths: "{{ opendistro_index_path }}" + patterns: "*" + register: files_to_delete + + - name: Remove Index Files + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ files_to_delete.files }}" + - name: Ensure Elasticsearch started and enabled + ## 732 the service name should be updated service: - name: elasticsearch + name: wazuh-indexer enabled: true state: started - name: Wait for Elasticsearch API uri: - url: "https://{{ inventory_hostname if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cluster/health/" + url: "https://{{ inventory_hostname if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cat/health/" user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" validate_certs: 
no @@ -101,7 +119,7 @@ - name: Wait for Elasticsearch API (Private IP) uri: - url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cluster/health/" + url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cat/health/" user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" validate_certs: no @@ -125,5 +143,5 @@ systemd: daemon_reload: true become: yes - notify: restart elasticsearch + notify: restart wazuh-indexer when: perform_installation diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml similarity index 63% rename from roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml rename to roles/opensearch/wazuh-indexer/tasks/security_actions.yml index 56d13ae9..98473b4f 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -1,12 +1,13 @@ -- name: Remove demo certs - file: - path: "{{ item }}" - state: absent - with_items: - - "{{ opendistro_conf_path }}/kirk.pem" - - "{{ opendistro_conf_path }}/kirk-key.pem" - - "{{ opendistro_conf_path }}/esnode.pem" - - "{{ opendistro_conf_path }}/esnode-key.pem" +#- name: Remove demo certs +# ## 732 will not be needed +# file: +# path: "{{ item }}" +# state: absent +# with_items: +# - "{{ opendistro_conf_path }}/kirk.pem" +# - "{{ opendistro_conf_path }}/kirk-key.pem" +# - "{{ opendistro_conf_path }}/esnode.pem" +# - "{{ opendistro_conf_path }}/esnode-key.pem" - name: Configure IP (Private address) set_fact: 
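Review bot: The new `Index files to remove` / `Remove Index Files` pair in the `@@ -45,44` hunk deletes the contents of `{{ opendistro_index_path }}` (`/var/lib/wazuh-indexer/`) on every run with no condition, so re-running the playbook against an existing node discards its indices, including the security index that `security_actions.yml` initialises. It also does not do what the name suggests: `find` without `recurse: yes` and `file_type: any` only matches regular files directly under the path, so a `nodes/` tree is left untouched. Gate both tasks on a fresh install, e.g. `when: install is defined and install.changed` (the package tasks in Debian.yml/RedHat.yml appear to register `install`), or drop them and document in a comment why a clean data directory is required. Separately, `validate_certs: no` on the `Wait for Elasticsearch API` checks sends the admin password over an unverified TLS session; that is pre-existing, but a `# TODO` pointing at `root-ca.pem` would stop it being forgotten.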
@@ -24,38 +25,39 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: src: "{{ local_certs_path }}/certs/{{ item }}" - dest: /etc/elasticsearch/ + dest: "{{ opendistro_conf_path }}/certs/" mode: 0644 + become: yes with_items: - root-ca.pem - root-ca.key - - "{{ elasticsearch_node_name }}.key" + - "{{ elasticsearch_node_name }}-key.pem" - "{{ elasticsearch_node_name }}.pem" - - "{{ elasticsearch_node_name }}_http.key" - - "{{ elasticsearch_node_name }}_http.pem" - - "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml" - - admin.key + #- "{{ elasticsearch_node_name }}_http.key" + #- "{{ elasticsearch_node_name }}_http.pem" + #- "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml" + - admin-key.pem - admin.pem -- name: Copy the OpenDistro security configuration file to cluster - blockinfile: - block: "{{ lookup('file', snippet_path ) }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - insertafter: EOF - marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" - vars: - snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml' +#- name: Copy the OpenDistro security configuration file to cluster +# blockinfile: +# block: "{{ lookup('file', snippet_path ) }}" +# dest: "{{ opendistro_conf_path }}/elasticsearch.yml" +# insertafter: EOF +# marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" +# vars: +# snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml' -- name: Prepare the OpenDistro security configuration file - replace: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - regexp: 'searchguard' - replace: 'opendistro_security' - tags: local +#- name: Prepare the OpenDistro security configuration file +# replace: +# path: "{{ opendistro_conf_path }}/elasticsearch.yml" +# regexp: 'searchguard' +# replace: 'opendistro_security' +# tags: local - name: 
Restart elasticsearch with security configuration systemd: - name: elasticsearch + name: wazuh-indexer state: restarted - name: Copy the OpenDistro security internal users template @@ -98,18 +100,21 @@ - name: Initialize the OpenDistro security index in elasticsearch command: > + sudo -u wazuh-indexer OPENSEARCH_PATH_CONF=/etc/wazuh-indexer + JAVA_HOME=/usr/share/wazuh-indexer/jdk {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cacert {{ opendistro_conf_path }}/root-ca.pem - -cert {{ opendistro_conf_path }}/admin.pem - -key {{ opendistro_conf_path }}/admin.key - -cd {{ opendistro_sec_plugin_conf_path }}/ - -nhnv -icl + -cd {{ opendistro_sec_plugin_tools_path }}/ + -icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig + -cacert {{ opendistro_conf_path }}/certs/root-ca.pem + -cert {{ opendistro_conf_path }}/certs/admin.pem + -key {{ opendistro_conf_path }}/certs/admin-key.pem + -nhnv -h {{ target_address }} run_once: true # noqa 301 - name: Create custom user uri: - url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" + url: "https://{{ target_address }}:{{ opendistro_http_port }}/_plugins/_security/api/internalusers/{{ opendistro_custom_user }}" method: PUT user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" diff --git a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 new file mode 100644 index 00000000..8b1babf1 --- /dev/null +++ b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 
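Review bot: In the `Copy the node & admin certificates` task (hunk `@@ -24,38`) `root-ca.key` and `admin-key.pem` are copied to `{{ opendistro_conf_path }}/certs/` with `mode: 0644`, making the CA and admin private keys readable by every local user; the CA key is not needed on the indexer at all (only `root-ca.pem` is referenced by `opensearch.yml.j2` and the `securityadmin.sh` call), and the node and admin keys only need to be readable by the service account. Drop `root-ca.key` from `with_items` and set `owner: root`, `group: wazuh-indexer`, `mode: 0640` on the copy. `copy` will create `certs/` because the dest ends in `/`, but with default permissions, so create it first with `file: state: directory` and `mode: 0750`.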
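Review bot: The `Initialize the OpenDistro security index` command wraps `securityadmin.sh` in a literal `sudo -u wazuh-indexer` with environment variables prepended, and passes `-cd` twice — first `{{ opendistro_sec_plugin_tools_path }}/` (the tools directory, which holds no security config) and then a hard-coded `/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig` that duplicates `opendistro_sec_plugin_conf_path`. Use Ansible's `become_user` and `environment:` instead of inline `sudo`, which otherwise requires passwordless sudo for the SSH user and bypasses the play's privilege settings, and keep a single `-cd` taken from the variable. `-p 9800` is presumably the first value of the `transport.tcp.port: 9800-9899` range in `opensearch.yml.j2`; a shared variable would keep the two in sync. `-nhnv` with `-h {{ target_address }}` (no hostname verification against an IP) is pre-existing but deserves a comment saying it is deliberate.
```yaml
- name: Initialize the OpenDistro security index in elasticsearch
  become: true
  become_user: wazuh-indexer
  environment:
    OPENSEARCH_PATH_CONF: "{{ opendistro_conf_path }}"
    JAVA_HOME: /usr/share/wazuh-indexer/jdk
  command: >
    {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
    -cd {{ opendistro_sec_plugin_conf_path }}/
    -cacert {{ opendistro_conf_path }}/certs/root-ca.pem
    -cert {{ opendistro_conf_path }}/certs/admin.pem
    -key {{ opendistro_conf_path }}/certs/admin-key.pem
    -icl -nhnv -p 9800 -h {{ target_address }}
  run_once: true # noqa 301
```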
@@ -0,0 +1,33 @@
+nodes:
+ # Elasticsearch server nodes
+ elasticsearch:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'indexer') %}
+ name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% endfor %}
+
+ # Wazuh server nodes
+ # Use node_type only with more than one Wazuh manager
+ wazuh_servers:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'wazuh') %}
+ name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% if (value.node_type is defined and value.node_type == 'master') %}
+ node_type: master
+{% elif (value.node_type is defined and value.node_type == 'worker') %}
+ node_type: worker
+{% endif %}
+{% endfor %}
+
+ # Kibana node
+ kibana:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'dashboard') %}
+ name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% endfor %}
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/disabledlog4j.options.j2 b/roles/opensearch/wazuh-indexer/templates/disabledlog4j.options.j2 similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/templates/disabledlog4j.options.j2 rename to roles/opensearch/wazuh-indexer/templates/disabledlog4j.options.j2
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 rename to roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 b/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/templates/internal_users.yml.j2 rename to roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2
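Review bot: In `config.yml.j2` the `node_type` conditional sits outside the `value.role == 'wazuh'` check, so an indexer or dashboard instance that happens to define `node_type` emits a `node_type:` line under `wazuh_servers`. Each loop iteration also emits `name:`/`ip:` as bare sibling keys, so with two or more nodes of the same role the rendered file has duplicate keys and a YAML loader keeps only the last one; if the cert tool expects a list (it presumably does — confirm against the tool's sample config) each node should be a `- name:` item. Nesting the `node_type` block inside the role check and emitting list items fixes both; the `elasticsearch` and `kibana` sections need the same list shape.
```yaml
 wazuh_servers:
{% for (key,value) in instances.items() %}
{% if (value.role is defined and value.role == 'wazuh') %}
   - name: {{ value.name }}
     ip: {{ value.ip }}
{% if (value.node_type is defined and value.node_type in ['master', 'worker']) %}
     node_type: {{ value.node_type }}
{% endif %}
{% endif %}
{% endfor %}
{# … unchanged: elasticsearch and kibana sections, given the same "- name:" item shape … #}
```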
diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 new file mode 100644 index 00000000..0b658f0d --- /dev/null +++ b/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 
@@ -0,0 +1,83 @@
+## JVM configuration
+
+################################################################
+## IMPORTANT: JVM heap size
+################################################################
+##
+## You should always set the min and max JVM heap
+## size to the same value. For example, to set
+## the heap to 4 GB, set:
+##
+## -Xms4g
+## -Xmx4g
+##
+## See https://opensearch.org/docs/opensearch/install/important-settings/
+## for more information
+##
+################################################################
+
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
+-Xms1g
+-Xmx1g
+
+################################################################
+## Expert settings
+################################################################
+##
+## All settings below this section are considered
+## expert settings. Don't tamper with them unless
+## you understand what you are doing
+##
+################################################################
+
+## GC configuration
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+
+## G1GC Configuration
+# NOTE: G1 GC is only supported on JDK version 10 or later
+# to use G1GC, uncomment the next two lines and update the version on the
+# following three lines to your version of the JDK
+# 10-13:-XX:-UseConcMarkSweepGC
+# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+14-:-XX:G1ReservePercent=25
+14-:-XX:InitiatingHeapOccupancyPercent=30
+
+## JVM temporary directory
+-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
+
+## heap dumps
+
+# generate a heap dump when an allocation from the Java heap fails
+# heap dumps are created in the working directory of the JVM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# specify an alternative path for heap dumps; ensure the directory exists and
+# has sufficient space
+-XX:HeapDumpPath=data
+
+# specify an alternative path for JVM fatal error logs
+-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log + +## JDK 8 GC logging +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/wazuh-indexer/gc.log +8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m + + +## OpenDistro Performance Analyzer +-Dclk.tck=100 +-Djdk.attach.allowAttachSelf=true +-Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy diff --git a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 similarity index 88% rename from roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 rename to roles/opensearch/wazuh-indexer/templates/jvm.options.j2 index c4758969..53922429 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/jvm.options.j2 +++ b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 @@ -62,7 +62,7 @@ 14-:-XX:InitiatingHeapOccupancyPercent=30 ## JVM temporary directory --Djava.io.tmpdir=${ES_TMPDIR} +-Djava.io.tmpdir=${OPENSEARCH_TMPDIR} ## heap dumps 
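Review bot: `templates/jvm.options copy.j2` looks like an editor duplicate — its name contains a space, no task references it (`main.yml` templates `jvm.options.j2`), and it still points the Performance Analyzer policy at `plugins/opendistro-performance-analyzer/pa_config/es_security.policy` while `jvm.options.j2` in the same commit uses `opensearch-performance-analyzer/pa_config/opensearch_security.policy`. Two near-identical JVM option files that drift is how a hardening change lands in one and not the other; delete the copy. If it was meant as a reference copy of the packaged default, say so in a one-line comment at its top and keep it out of `templates/`.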
@@ -72,25 +72,25 @@ # specify an alternative path for heap dumps; ensure the directory exists and # has sufficient space --XX:HeapDumpPath=/var/lib/elasticsearch +-XX:HeapDumpPath=data # specify an alternative path for JVM fatal error logs --XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log +-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log ## JDK 8 GC logging 8:-XX:+PrintGCDetails 8:-XX:+PrintGCDateStamps 8:-XX:+PrintTenuringDistribution 8:-XX:+PrintGCApplicationStoppedTime -8:-Xloggc:/var/log/elasticsearch/gc.log +8:-Xloggc:/var/log/wazuh-indexer/gc.log 8:-XX:+UseGCLogFileRotation 8:-XX:NumberOfGCLogFiles=32 8:-XX:GCLogFileSize=64m # JDK 9+ GC logging -9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m ## OpenDistro Performance Analyzer -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true --Djava.security.policy=file:///usr/share/elasticsearch/plugins/opendistro_performance_analyzer/pa_config/es_security.policy +-Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 new file mode 100644 index 00000000..411cb24a --- /dev/null +++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 
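Review bot: `-XX:HeapDumpPath=data` replaces an absolute path with a relative one, so a heap dump lands wherever the JVM's working directory happens to be (set by the unit file, not visible here) rather than in a directory the role controls. Indexer heap dumps can contain index data and whatever the security plugin holds in memory, so they belong in a known location with the service's permissions, e.g. `-XX:HeapDumpPath=/var/lib/wazuh-indexer` (the `path.data` the new `opensearch.yml.j2` sets), next to the absolute `ErrorFile`/`gc.log` paths this hunk already uses. The same `data` value appears in the stray `jvm.options copy.j2`.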
@@ -0,0 +1,52 @@
+network.host: {{ elasticsearch_network_host }}
+node.name: {{ elasticsearch_node_name }}
+{% if single_node == true %}
+discovery.type: single-node
+{% else %}
+cluster.initial_master_nodes:
+{% for item in elasticsearch_cluster_nodes %}
+ - {{ item }}
+{% endfor %}
+{% endif %}
+cluster.name: {{ opendistro_cluster_name }}
+
+http.port: 9700-9799
+transport.tcp.port: 9800-9899
+node.max_local_storage_nodes: "3"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+
+
+###############################################################################
+# #
+# WARNING: Demo certificates set up in this file. #
+# Please change on production cluster! #
+# #
+###############################################################################
+
+plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}.pem
+plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}-key.pem
+plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}.pem
+plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}-key.pem
+plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+
+plugins.security.audit.type: internal_opensearch
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Docu,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN={{ elasticsearch_node_name }},OU=Docu,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+ +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] + +### Option to allow Filebeat-oss 7.10.2 to work ### +compatibility.override_main_response_version: true diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opensearch/wazuh-indexer/templates/tlsconfig.yml.j2 similarity index 100% rename from roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 rename to roles/opensearch/wazuh-indexer/templates/tlsconfig.yml.j2 From 93d6bdb32a393860a64f6423d030db60851babf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Wed, 2 Feb 2022 13:17:37 -0300 Subject: [PATCH 02/41] Indexer variables update --- .../wazuh-dashboard/defaults/main.yml | 6 +- .../wazuh-dashboard/tasks/Debian.yml | 4 +- .../wazuh-dashboard/tasks/RedHat.yml | 4 +- .../opensearch/wazuh-dashboard/tasks/main.yml | 6 +- .../templates/opendistro_kibana.yml.j2 | 6 +- .../wazuh-indexer/defaults/main.yml | 56 +++++++-------- roles/opensearch/wazuh-indexer/meta/main.yml | 2 +- .../opensearch/wazuh-indexer/tasks/Debian.yml | 6 +- .../opensearch/wazuh-indexer/tasks/RedHat.yml | 6 +- roles/opensearch/wazuh-indexer/tasks/main.yml | 38 +++++----- .../wazuh-indexer/tasks/security_actions.yml | 72 +++++++++---------- .../templates/elasticsearch.yml.j2 | 6 +- .../templates/internal_users.yml.j2 | 4 +- .../wazuh-indexer/templates/jvm.options.j2 | 8 +-- .../wazuh-indexer/templates/opensearch.yml.j2 | 18 ++--- 15 files changed, 121 insertions(+), 121 deletions(-) 
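Review bot: `opensearch.yml.j2` ships with `plugins.security.ssl.transport.enforce_hostname_verification: false` and fixed `nodes_dn`/`admin_dn` strings (`OU=Docu,O=Wazuh,L=California,C=US`) under a banner that says demo certificates are in use — but the paths point at the certificates the role copies into `/etc/wazuh-indexer/certs/`, so the banner is wrong and will make operators skip the real caveats. Replace it with a comment stating that the certs come from `local_certs_path`, that `nodes_dn` must match the subject the cert tool emits, and that transport hostname verification is off deliberately (or turn it on if the generated node certs carry the node addresses as SANs — confirm with the cert tool). `http.port: 9700-9799` is a range while `main.yml` probes `{{ opendistro_http_port }}` (9700); if that port is taken the node silently binds the next one and the health check fails, so use `http.port: {{ opendistro_http_port }}`. The six cert paths should likewise use `{{ opendistro_conf_path }}/certs/` rather than repeating `/etc/wazuh-indexer`.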
diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index dc93c18c..d405b61e 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml @@ -44,10 +44,10 @@ kibana_newsfeed_enabled: "false" kibana_telemetry_optin: "false" kibana_telemetry_enabled: "false" -opendistro_admin_password: changeme +indexer_admin_password: changeme opendistro_kibana_user: kibanaserver -opendistro_kibana_password: changeme -local_certs_path: "{{ playbook_dir }}/opendistro/certificates" +dashboard_password: changeme +local_certs_path: "{{ playbook_dir }}/indexer/certificates" # Nodejs nodejs: diff --git a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml index c40799ca..557e785c 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml @@ -5,13 +5,13 @@ - name: Add apt repository signing key ## 732 will not be needed. The wazuh repo should be added apt_key: - url: "{{ package_repos.apt.opendistro.gpg }}" + url: "{{ package_repos.apt.indexer.gpg }}" state: present - name: Debian systems | Add OpenDistro repo ## 732 will not be needed. The wazuh repo should be added apt_repository: - repo: "{{ package_repos.apt.opendistro.baseurl }}" + repo: "{{ package_repos.apt.indexer.baseurl }}" state: present update_cache: yes diff --git a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml index 280baa66..514dbb85 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml 
@@ -6,8 +6,8 @@ file: opendistro name: opendistro_repo description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + baseurl: "{{ package_repos.yum.indexer.baseurl }}" + gpgkey: "{{ package_repos.yum.indexer.gpg }}" gpgcheck: true - name: Install Wazuh-Dashboard diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index 10bd2e65..514944ad 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -80,7 +80,7 @@ # - skip_ansible_lint - name: Wait for Elasticsearch port - wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} + wait_for: host={{ indexer_network_host }} port={{ elasticsearch_http_port }} - name: Select correct API protocol set_fact: @@ -88,10 +88,10 @@ - name: Attempting to delete legacy Wazuh index if exists uri: - url: "{{ elastic_api_protocol }}://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}/.wazuh" + url: "{{ elastic_api_protocol }}://{{ indexer_network_host }}:{{ elasticsearch_http_port }}/.wazuh" method: DELETE user: "admin" - password: "{{ opendistro_admin_password }}" + password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200, 404 diff --git a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 index 9280daca..95461cd4 100644 --- a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 
@@ -11,9 +11,9 @@ server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} -elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "https://{{ indexer_network_host }}:{{ elasticsearch_http_port }}" elasticsearch.username: {{ opendistro_kibana_user }} -elasticsearch.password: {{ opendistro_kibana_password }} +elasticsearch.password: {{ dashboard_password }} server.ssl.enabled: true server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" @@ -21,7 +21,7 @@ elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] elasticsearch.ssl.verificationMode: full {% else %} -elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ indexer_network_host }}:{{ elasticsearch_http_port }}" {% endif %} elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml index 18b86c5f..182721c6 100644 --- a/roles/opensearch/wazuh-indexer/defaults/main.yml +++ b/roles/opensearch/wazuh-indexer/defaults/main.yml 
@@ -1,24 +1,24 @@ --- # Cluster Settings -opendistro_version: 4.3.0 +indexer_version: 4.3.0 single_node: false -elasticsearch_node_name: node-1 -opendistro_cluster_name: wazuh -elasticsearch_network_host: '0.0.0.0' +indexer_node_name: node-1 +indexer_cluster_name: wazuh +indexer_network_host: '0.0.0.0' -elasticsearch_node_master: true -elasticsearch_node_data: true -elasticsearch_node_ingest: true -elasticsearch_start_timeout: 90 +indexer_node_master: true +indexer_node_data: true +indexer_node_ingest: true +indexer_start_timeout: 90 -elasticsearch_lower_disk_requirements: false -elasticsearch_cluster_nodes: - - 127.0.0.1 -elasticsearch_discovery_nodes: +#elasticsearch_lower_disk_requirements: false +indexer_cluster_nodes: - 127.0.0.1 +#elasticsearch_discovery_nodes: +# - 127.0.0.1 -local_certs_path: "{{ playbook_dir }}/opendistro/certificates" +local_certs_path: "{{ playbook_dir }}/indexer/certificates" ##check if it is the correct directory # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster 
@@ -31,33 +31,33 @@ domain_name: wazuh.com # The OpenDistro package repository package_repos: yum: - opendistro: + indexer: #baseurl: 'https://packages.wazuh.com/4.x/yum/' baseurl: 'https://packages-dev.wazuh.com/pre-release/yum/' #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' apt: - opendistro: + indexer: #baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' - openjdk: - baseurl: 'deb http://deb.debian.org/debian stretch-backports main' +# openjdk: +# baseurl: 'deb http://deb.debian.org/debian stretch-backports main' -opendistro_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig -opendistro_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools -opendistro_conf_path: /etc/wazuh-indexer/ -opendistro_index_path: /var/lib/wazuh-indexer/ +indexer_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig +indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools +indexer_conf_path: /etc/wazuh-indexer/ +indexer_index_path: /var/lib/wazuh-indexer/ # Security password -opendistro_custom_user: "" -opendistro_custom_user_role: "admin" +indexer_custom_user: "" +indexer_custom_user_role: "admin" # Set JVM memory limits -opendistro_jvm_xms: null +indexer_jvm_xms: null -opendistro_http_port: 9700 +indexer_http_port: 9700 ## 732 this port changes to 9700 certs_gen_tool_version: 4.3 
@@ -67,11 +67,11 @@ certs_gen_tool_version: 4.3 certs_gen_tool_url: "https://packages-dev.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh" ## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. -opendistro_admin_password: changeme -opendistro_kibana_password: changeme +indexer_admin_password: changeme +dashboard_password: changeme # Deployment settings generate_certs: true perform_installation: true -opendistro_nolog_sensible: true +indexer_nolog_sensible: true diff --git a/roles/opensearch/wazuh-indexer/meta/main.yml b/roles/opensearch/wazuh-indexer/meta/main.yml index e09933c7..eed34479 100644 --- a/roles/opensearch/wazuh-indexer/meta/main.yml +++ b/roles/opensearch/wazuh-indexer/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: Wazuh - description: Installing and maintaining Opendistro server. + description: Installing and maintaining Opensearch server. company: wazuh.com license: license (GPLv3) min_ansible_version: 2.0 diff --git a/roles/opensearch/wazuh-indexer/tasks/Debian.yml b/roles/opensearch/wazuh-indexer/tasks/Debian.yml index d81b7de6..1036cf97 100644 --- a/roles/opensearch/wazuh-indexer/tasks/Debian.yml +++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml @@ -42,12 +42,12 @@ ## 732 the wazuh repo should be added instead - name: Add apt repository signing key apt_key: - url: "{{ package_repos.apt.opendistro.gpg }}" + url: "{{ package_repos.apt.indexer.gpg }}" state: present - name: Add Opendistro repository apt_repository: - repo: "{{ package_repos.apt.opendistro.baseurl }}" + repo: "{{ package_repos.apt.indexer.baseurl }}" state: present filename: 'wazuh-opendistro' update_cache: yes 
@@ -55,7 +55,7 @@ - name: Install Wazuh-Indexer ## the indexer package should be installed instead apt: - name: wazuh-indexer={{ opendistro_version }}-1 + name: wazuh-indexer={{ indexer_version }}-1 state: present register: install tags: install \ No newline at end of file diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml index 97d2487f..f292156c 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml @@ -7,8 +7,8 @@ file: opendistro name: opendistro_repo description: Opendistro yum repository - baseurl: "{{ package_repos.yum.opendistro.baseurl }}" - gpgkey: "{{ package_repos.yum.opendistro.gpg }}" + baseurl: "{{ package_repos.yum.indexer.baseurl }}" + gpgkey: "{{ package_repos.yum.indexer.gpg }}" gpgcheck: true changed_when: false @@ -45,7 +45,7 @@ - name: Install Wazuh-Indexer ## 732 the package name should be updated package: - name: wazuh-indexer-{{ opendistro_version }} + name: wazuh-indexer-{{ indexer_version }} state: present register: install tags: install diff --git a/roles/opensearch/wazuh-indexer/tasks/main.yml b/roles/opensearch/wazuh-indexer/tasks/main.yml index ba6b8657..ddf17a49 100644 --- a/roles/opensearch/wazuh-indexer/tasks/main.yml +++ b/roles/opensearch/wazuh-indexer/tasks/main.yml 
@@ -24,18 +24,18 @@ # - '"not found" not in remove_elasticsearch_performance_analyzer.stderr' # changed_when: "remove_elasticsearch_performance_analyzer.rc == 0" - - name: Remove elasticsearch configuration file + - name: Remove Opensearch configuration file ## 732 will not be needed file: - path: "{{ opendistro_conf_path }}/opensearch.yml" + path: "{{ indexer_conf_path }}/opensearch.yml" state: absent tags: install - - name: Copy Configuration File + - name: Copy Opensearch Configuration File ## 732 will not be needed template: src: "templates/opensearch.yml.j2" - dest: "{{ opendistro_conf_path }}/opensearch.yml" + dest: "{{ indexer_conf_path }}/opensearch.yml" owner: root group: wazuh-indexer mode: 0640 @@ -47,11 +47,11 @@ - security - - name: Configure OpenDistro Elasticsearch JVM memmory. + - name: Configure Wazuh-Indexer JVM memmory. ## 732 will not be needed and if it is needed the path should be updated. template: src: "templates/jvm.options.j2" - dest: "{{ opendistro_conf_path }}/jvm.options" + dest: "{{ indexer_conf_path }}/jvm.options" owner: root group: wazuh-indexer mode: 0644 @@ -63,7 +63,7 @@ ## 732 will not be needed template: src: "templates/disabledlog4j.options.j2" - dest: "{{ opendistro_conf_path }}/jvm.options.d/disabledlog4j.options" + dest: "{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options" owner: root group: wazuh-indexer mode: 2750 @@ -71,17 +71,17 @@ notify: restart wazuh-indexer tags: install - - name: Ensure extra time for Elasticsearch to start on reboots + - name: Ensure extra time for Wazuh-Indexer to start on reboots lineinfile: path: /usr/lib/systemd/system/wazuh-indexer.service regexp: '^TimeoutStartSec=' - line: "TimeoutStartSec={{ elasticsearch_start_timeout }}" + line: "TimeoutStartSec={{ indexer_start_timeout }}" become: yes tags: configure - name: Index files to remove find: - paths: "{{ opendistro_index_path }}" + paths: "{{ indexer_index_path }}" patterns: "*" register: files_to_delete 
@@ -98,19 +98,19 @@ enabled: true state: started - - name: Wait for Elasticsearch API + - name: Wait for Wazuh-Indexer API uri: - url: "https://{{ inventory_hostname if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cat/health/" + url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" + password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200,401 return_content: yes timeout: 4 register: _result until: - - _result.json is defined - - _result.json.status == "green" or ( _result.json.status == "yellow" and single_node ) + - _result is defined + - '"green" in _result.content or ( "yellow" in _result.content and single_node )' retries: 24 delay: 5 tags: debug @@ -119,17 +119,17 @@ - name: Wait for Elasticsearch API (Private IP) uri: - url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}:{{ opendistro_http_port }}/_cat/health/" + url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" + password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200,401 return_content: yes timeout: 4 register: _result until: - - _result.json is defined - - _result.json.status == "green" or ( _result.json.status == "yellow" and single_node ) + - _result is defined + - '"green" in _result.content or ( "yellow" in _result.content and single_node )' retries: 24 delay: 5 tags: debug diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index 98473b4f..cdf9a151 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml 
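Review bot: The rewritten `until` list in `Wait for Wazuh-Indexer API` is weaker than it looks: `_result is defined` is always true after `register`, and because `status_code: 200,401` is accepted, a wrong `indexer_admin_password` yields 401 bodies that never contain "green", so the task retries 24×5 s and then fails with a generic timeout instead of an authentication error. Put `- _result.status == 200` first in `until`; the structured check can be kept by requesting `/_cat/health?format=json` and testing `_result.json[0].status` (the cat APIs return a one-element list in JSON mode — confirm against the indexer version). `validate_certs: no` is still in place even though this role copies `root-ca.pem` to `{{ indexer_conf_path }}/certs/` on the node; `ca_path: "{{ indexer_conf_path }}/certs/root-ca.pem"` with `validate_certs: yes` would pin the call to the deployed CA, provided the node certificates carry the address used in `url` as a SAN. The same applies to the `(Private IP)` variant below, which duplicates this logic.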
+++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -4,20 +4,20 @@ # path: "{{ item }}" # state: absent # with_items: -# - "{{ opendistro_conf_path }}/kirk.pem" -# - "{{ opendistro_conf_path }}/kirk-key.pem" -# - "{{ opendistro_conf_path }}/esnode.pem" -# - "{{ opendistro_conf_path }}/esnode-key.pem" +# - "{{ indexer_conf_path }}/kirk.pem" +# - "{{ indexer_conf_path }}/kirk-key.pem" +# - "{{ indexer_conf_path }}/esnode.pem" +# - "{{ indexer_conf_path }}/esnode-key.pem" - name: Configure IP (Private address) set_fact: - target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}" + target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}" when: - hostvars[inventory_hostname]['private_ip'] is defined - name: Configure IP (Public address) set_fact: - target_address: "{{ inventory_hostname if not single_node else elasticsearch_network_host }}" + target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}" when: - hostvars[inventory_hostname]['private_ip'] is not defined 
@@ -25,32 +25,32 @@ - name: Copy the node & admin certificates to Elasticsearch cluster copy: src: "{{ local_certs_path }}/certs/{{ item }}" - dest: "{{ opendistro_conf_path }}/certs/" + dest: "{{ indexer_conf_path }}/certs/" mode: 0644 become: yes with_items: - root-ca.pem - root-ca.key - - "{{ elasticsearch_node_name }}-key.pem" - - "{{ elasticsearch_node_name }}.pem" - #- "{{ elasticsearch_node_name }}_http.key" - #- "{{ elasticsearch_node_name }}_http.pem" - #- "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml" + - "{{ indexer_node_name }}-key.pem" + - "{{ indexer_node_name }}.pem" + #- "{{ indexer_node_name }}_http.key" + #- "{{ indexer_node_name }}_http.pem" + #- "{{ indexer_node_name }}_elasticsearch_config_snippet.yml" - admin-key.pem - admin.pem #- name: Copy the OpenDistro security configuration file to cluster # blockinfile: # block: "{{ lookup('file', snippet_path ) }}" -# dest: "{{ opendistro_conf_path }}/elasticsearch.yml" +# dest: "{{ indexer_conf_path }}/elasticsearch.yml" # insertafter: EOF # marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" # vars: -# snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml' +# snippet_path: '{{ local_certs_path }}/certs/{{ indexer_node_name }}_elasticsearch_config_snippet.yml' #- name: Prepare the OpenDistro security configuration file # replace: -# path: "{{ opendistro_conf_path }}/elasticsearch.yml" +# path: "{{ indexer_conf_path }}/elasticsearch.yml" # regexp: 'searchguard' # replace: 'opendistro_security' # tags: local 
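Review bot: `root-ca.key` is still in the `with_items` list of `Copy the node & admin certificates`, so the CA private key is shipped to every indexer node as a world-readable file (`mode: 0644`, default root owner) next to `{{ indexer_node_name }}-key.pem` and `admin-key.pem`. The nodes only need `root-ca.pem` to build trust; the signing key belongs on the controller under `local_certs_path`, so drop the `- root-ca.key` line. The private keys that do belong on the node should not be world-readable either: `owner: wazuh-indexer`, `group: wazuh-indexer` and `mode: 0600` are safe for every file in the list, since the other files in this role are already grouped to `wazuh-indexer` and `securityadmin.sh` is run with `sudo -u wazuh-indexer` later in this file. The task name still says "Elasticsearch cluster"; `Wazuh-Indexer` would match the rest of the rename.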
@@ -63,35 +63,35 @@ - name: Copy the OpenDistro security internal users template template: src: "templates/internal_users.yml.j2" - dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true - name: Hashing the custom admin password - command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301 - register: opendistro_admin_password_hashed - no_log: '{{ opendistro_nolog_sensible | bool }}' + command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301 + register: indexer_admin_password_hashed + no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true - name: Set the Admin user password replace: - path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" regexp: '(?<=admin:\n hash: )(.*)(?=)' replace: "{{ odfe_password_hash | quote }}" vars: - odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}" + odfe_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" run_once: true # this can also be achieved with password_hash, but it requires dependencies on the controller - name: Hash the kibanaserver role/user pasword - command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301 + command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }}" # noqa 301 register: opendistro_kibanaserver_password_hashed - no_log: '{{ opendistro_nolog_sensible | bool }}' + no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true - name: Set the kibanaserver user password replace: - path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' replace: "{{ odfe_password_hash | quote }}" vars: 
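Review bot: `hash.sh -p {{ indexer_admin_password }}` (and the `dashboard_password` call below it) puts the clear-text secret in the process argument list on the target, where any local user can read it from `/proc/*/cmdline` while the tool runs; `no_log` only hides it from the controller output. If the bundled tool supports it, as the OpenSearch security tools do with `-env`, pass the secret through the environment instead: `command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -env INDEXER_ADMIN_PASSWORD"` with `environment: { INDEXER_ADMIN_PASSWORD: "{{ indexer_admin_password }}" }`. The following `replace` is also a silent no-op if its lookbehind `(?<=admin:\n hash: )` does not match the rendered indentation, and since `internal_users.yml.j2` (changed further down in this commit) seeds `hash:` with the clear-text password, a non-match leaves that password in a `0644` file; add `register: admin_hash_set` and `failed_when: not admin_hash_set.changed`. The second register keeps the name `opendistro_kibanaserver_password_hashed`, which the rest of the rename does not follow.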
@@ -100,28 +100,28 @@ - name: Initialize the OpenDistro security index in elasticsearch command: > - sudo -u wazuh-indexer OPENSEARCH_PATH_CONF=/etc/wazuh-indexer + sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh - -cd {{ opendistro_sec_plugin_tools_path }}/ - -icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig - -cacert {{ opendistro_conf_path }}/certs/root-ca.pem - -cert {{ opendistro_conf_path }}/certs/admin.pem - -key {{ opendistro_conf_path }}/certs/admin-key.pem + {{ indexer_sec_plugin_tools_path }}/securityadmin.sh + -cd {{ indexer_sec_plugin_conf_path }}/ + -icl -p 9800 -cd {{ indexer_sec_plugin_conf_path }}/ -nhnv + -cacert {{ indexer_conf_path }}/certs/root-ca.pem + -cert {{ indexer_conf_path }}/certs/admin.pem + -key {{ indexer_conf_path }}/certs/admin-key.pem -h {{ target_address }} run_once: true # noqa 301 - name: Create custom user uri: - url: "https://{{ target_address }}:{{ opendistro_http_port }}/_plugins/_security/api/internalusers/{{ opendistro_custom_user }}" + url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}" method: PUT user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" + password: "{{ indexer_admin_password }}" body: | { - "password": "{{ opendistro_admin_password }}", - "backend_roles": ["{{ opendistro_custom_user_role }}"] + "password": "{{ indexer_admin_password }}", + "backend_roles": ["{{ indexer_custom_user_role }}"] } body_format: json validate_certs: no @@ -129,6 +129,6 @@ return_content: yes timeout: 4 when: - - opendistro_custom_user is defined and opendistro_custom_user + - indexer_custom_user is defined and indexer_custom_user 
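Review bot: `Create custom user` sets the new user's password to `indexer_admin_password`, so whoever receives the `{{ indexer_custom_user }}` credentials also holds the cluster admin password; introduce a dedicated `indexer_custom_user_password` default and use it in the body (`"password": "{{ indexer_custom_user_password }}"`), keeping `indexer_admin_password` only for the `user: admin` authentication. In the `securityadmin.sh` invocation `-cd {{ indexer_sec_plugin_conf_path }}/` is now passed twice (on its own line and again after `-icl -p 9800`), and the newly added `-nhnv` disables hostname verification of the node certificate on the admin TLS connection; if it is required because the node cert CN is the node name rather than the `-h {{ target_address }}` address, say so in a comment, otherwise drop it. The REST call could likewise replace `validate_certs: no` with `ca_path: "{{ indexer_conf_path }}/certs/root-ca.pem"`, which this role already copies to the node. That `uri` task also needs `no_log: '{{ indexer_nolog_sensible | bool }}'`, since both passwords are module arguments and are printed on failure.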
diff --git a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 index 96e585e2..ae40f4b5 100644 --- a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 @@ -4,7 +4,7 @@ path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch network.host: {{ elasticsearch_network_host }} -node.master: {{ elasticsearch_node_master|lower }} +node.master: {{ indexer_node_master|lower }} {% if single_node == true %} discovery.type: single-node @@ -20,11 +20,11 @@ discovery.seed_hosts: {% endfor %} {% endif %} -{% if elasticsearch_node_data|lower == 'false' %} +{% if indexer_node_data|lower == 'false' %} node.data: false {% endif %} -{% if elasticsearch_node_ingest|lower == 'false' %} +{% if indexer_node_ingest|lower == 'false' %} node.ingest: false {% endif %} diff --git a/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 b/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 index 471a5c28..e00ebe01 100644 --- a/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 @@ -9,13 +9,13 @@ _meta: # Define your internal users here admin: - hash: "{{ opendistro_admin_password }}" + hash: "{{ indexer_admin_password }}" reserved: true backend_roles: - "admin" description: "admin user" kibanaserver: - hash: "{{ opendistro_kibana_password }}" + hash: "{{ dashboard_password }}" reserved: true description: "kibanaserver user" diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 index 53922429..1d3de5b7 100644 --- a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 +++ b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 
@@ -19,11 +19,11 @@ # Xms represents the initial size of total heap space # Xmx represents the maximum size of total heap space -{% if opendistro_jvm_xms is not none %} -{% if opendistro_jvm_xms < 32000 %} --Xms{{ opendistro_jvm_xms }}m +{% if indexer_jvm_xms is not none %} +{% if indexer_jvm_xms < 32000 %} +-Xms{{ indexer_jvm_xms }}m --Xmx{{ opendistro_jvm_xms }}m +-Xmx{{ indexer_jvm_xms }}m {% else %} -Xms32000m diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 index 411cb24a..bb3d8cab 100644 --- a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 @@ -1,14 +1,14 @@ -network.host: {{ elasticsearch_network_host }} -node.name: {{ elasticsearch_node_name }} +network.host: {{ indexer_network_host }} +node.name: {{ indexer_node_name }} {% if single_node == true %} discovery.type: single-node {% else %} cluster.initial_master_nodes: -{% for item in elasticsearch_cluster_nodes %} +{% for item in indexer_cluster_nodes %} - {{ item }} {% endfor %} {% endif %} -cluster.name: {{ opendistro_cluster_name }} +cluster.name: {{ indexer_cluster_name }} http.port: 9700-9799 transport.tcp.port: 9800-9899 
@@ -24,11 +24,11 @@ path.logs: /var/log/wazuh-indexer # # ############################################################################### -plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}.pem -plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}-key.pem +plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem +plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem -plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}.pem -plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ elasticsearch_node_name }}-key.pem +plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem +plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem plugins.security.ssl.http.enabled: true plugins.security.ssl.transport.enforce_hostname_verification: false @@ -40,7 +40,7 @@ plugins.security.authcz.admin_dn: plugins.security.check_snapshot_restore_write_privileges: true plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: -- "CN={{ elasticsearch_node_name }},OU=Docu,O=Wazuh,L=California,C=US" +- "CN={{ indexer_node_name }},OU=Docu,O=Wazuh,L=California,C=US" plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" From c722e5bc87657082378b34fd27707a5cfd960768 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Wed, 2 Feb 2022 17:27:05 -0300 Subject: [PATCH 03/41] Wazuh dashboard role created --- .../wazuh-dashboard/defaults/main.yml | 52 ++++++++-------- .../wazuh-dashboard/tasks/Debian.yml | 9 +-- .../wazuh-dashboard/tasks/RMRedHat.yml | 4 +- .../wazuh-dashboard/tasks/RedHat.yml | 14 ++--- .../opensearch/wazuh-dashboard/tasks/main.yml | 59 +++++++++---------- .../tasks/security_actions.yml | 8 +-- .../templates/dashboard.yml.j2 | 15 +++++ .../templates/opendistro_kibana.yml.j2 | 8 +-- .../wazuh-dashboard/vars/debian.yml | 2 +- .../opensearch/wazuh-indexer/tasks/RedHat.yml | 6 +- 10 files changed, 96 insertions(+), 81 deletions(-) create mode 100644 roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index d405b61e..f1a87302 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml 
@@ -1,34 +1,38 @@ --- -# Kibana configuration -elasticsearch_http_port: 9200 -elastic_api_protocol: https -kibana_conf_path: /etc/kibana +# Dashboard configuration +indexer_http_port: 9700 +indexer_api_protocol: https +dashboard_conf_path: /etc/wazuh-dashboard/ ## 732 check the path -kibana_node_name: node-1 -kibana_server_host: "0.0.0.0" -kibana_server_port: "5601" -kibana_server_name: "kibana" -kibana_max_payload_bytes: 1048576 -elastic_stack_version: 4.3.0 +dashboard_node_name: node-1 +dashboard_server_host: "0.0.0.0" +dashboard_server_port: "5601" +dashboard_server_name: "dashboard" +#kibana_max_payload_bytes: 1048576 +#elastic_stack_version: 4.3.0 ## 732 check if it is the right version wazuh_version: 4.3.0 -wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana +#wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana ## 732 check if it is needed. # The OpenDistro package repository -kibana_opendistro_version: 4.3.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +dashboard_version: "4.3.0" # Version includes the - for RedHat family compatibility, replace with = for Debian hosts ## 732 check if it is the right version package_repos: yum: - opendistro: - baseurl: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + dashboard: + #baseurl: 'https://packages.wazuh.com/4.x/yum/' + baseurl: 'https://packages-dev.wazuh.com/pre-release/yum/' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' apt: - opendistro: - baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + dashboard: + #baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' # 
API credentials wazuh_api_credentials: @@ -39,13 +43,13 @@ wazuh_api_credentials: password: "wazuh" # opendistro Security -kibana_opendistro_security: true -kibana_newsfeed_enabled: "false" -kibana_telemetry_optin: "false" -kibana_telemetry_enabled: "false" +dashboard_security: true +#kibana_newsfeed_enabled: "false" +#kibana_telemetry_optin: "false" +#kibana_telemetry_enabled: "false" indexer_admin_password: changeme -opendistro_kibana_user: kibanaserver +dashboard_user: dashboardserver dashboard_password: changeme local_certs_path: "{{ playbook_dir }}/indexer/certificates" @@ -58,7 +62,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 4.1-7.10 +#wazuh_plugin_branch: 4.1-7.10 ## 732 check if it is the right version and if it is needed #Nodejs NODE_OPTIONS diff --git a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml index 557e785c..84ff2723 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml @@ -3,22 +3,19 @@ - include_vars: debian.yml - name: Add apt repository signing key -## 732 will not be needed. The wazuh repo should be added apt_key: - url: "{{ package_repos.apt.indexer.gpg }}" + url: "{{ package_repos.apt.dashboard.gpg }}" state: present - name: Debian systems | Add OpenDistro repo -## 732 will not be needed. The wazuh repo should be added apt_repository: - repo: "{{ package_repos.apt.indexer.baseurl }}" + repo: "{{ package_repos.apt.dashboard.baseurl }}" state: present update_cache: yes - name: Install Wazuh-Dashboard -## 732 package name and task name should be updated. apt: - name: "wazuh-dashboard={{ kibana_opendistro_version }}" + name: "wazuh-dashboard={{ dashboard_version }}-1" state: present register: install diff --git a/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml index 959c70e9..893ec065 100644 
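Review bot: Both `package_repos` entries now default to `https://packages-dev.wazuh.com/pre-release/...` (the apt line even says `unstable main`) with the production `packages.wazuh.com` URLs commented out, so every consumer of this role installs pre-release builds unless they override the variable. Signatures are still verified (`gpgcheck: true` on the yum side, `apt_key` on the apt side), but the trust root also moves to `packages-dev.wazuh.com/key/GPG-KEY-WAZUH`; if the dev repository is only for testing this branch, keep the production URLs as the default and expose the dev ones behind a flag such as `wazuh_use_prerelease_repo: false`, or at least mark each swapped URL with `# TODO: revert to packages.wazuh.com before release`. `dashboard_conf_path: /etc/wazuh-dashboard/` keeps a trailing slash that every `{{ dashboard_conf_path }}/...` join turns into `//`; drop it, as the `file:`/`template:` tasks already insert the separator.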
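Review bot: `dashboard_user` is changed to `dashboardserver`, but the indexer role's `internal_users.yml.j2` in this series still defines the service account as `kibanaserver` (its hash is computed from `dashboard_password`), and nothing creates a `dashboardserver` user; `dashboard.yml.j2` sends `opensearch.username: {{ dashboard_user }}`, so the dashboard will be rejected by the indexer. Either keep `dashboard_user: kibanaserver` or rename the user in `internal_users.yml.j2` together with the `(?<=kibanaserver:\n hash: )` regex in the indexer's `security_actions.yml`. `wazuh_api_credentials.password: "wazuh"`, `indexer_admin_password: changeme` and `dashboard_password: changeme` remain shipped defaults; a `# CHANGE ME` comment on each, or an `assert` in `main.yml` that they were overridden, would stop them from reaching production unnoticed.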
--- a/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- -- name: Remove Elasticsearch repository (and clean up left-over metadata) +- name: Remove Wazuh-Dashboard repository (and clean up left-over metadata) yum_repository: - name: opendistro_repo + name: wazuh_repo state: absent changed_when: false diff --git a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml index 514dbb85..a6db8256 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml @@ -1,18 +1,18 @@ --- - block: - - name: RedHat/CentOS/Fedora | Add OpenDistro repo + - name: RedHat/CentOS/Fedora | Add Wazuh-Dashboard repo yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository - baseurl: "{{ package_repos.yum.indexer.baseurl }}" - gpgkey: "{{ package_repos.yum.indexer.gpg }}" + file: wazuh + name: wazuh_repo + description: Wazuh yum repository + baseurl: "{{ package_repos.yum.dashboard.baseurl }}" + gpgkey: "{{ package_repos.yum.dashboard.gpg }}" gpgcheck: true - name: Install Wazuh-Dashboard package: - name: "wazuh-dashboard-{{ kibana_opendistro_version }}" + name: "wazuh-dashboard-{{ dashboard_version }}" state: present register: install diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index 514944ad..93c8f5ed 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml 
@@ -1,8 +1,8 @@ --- -- name: Stopping early, trying to compile Wazuh Kibana Plugin on Debian 10 is not possible +- name: Stopping early, trying to compile Wazuh Dashboard Plugin on Debian 10 is not possible fail: - msg: "It's not possible to compile the Wazuh Kibana plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" + msg: "It's not possible to compile the Wazuh Dashboard plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" when: - build_from_sources - ansible_distribution == "Debian" @@ -14,36 +14,35 @@ - import_tasks: Debian.yml when: ansible_os_family == 'Debian' -- name: Remove Kibana configuration file +- name: Remove Dashboard configuration file file: # noqa 503 - path: "{{ kibana_conf_path }}/kibana.yml" + path: "{{ dashboard_conf_path }}/dashboard.yml" state: absent tags: install - import_tasks: security_actions.yml - name: Copy Configuration File - blockinfile: - block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}" - dest: "{{ kibana_conf_path }}/kibana.yml" - create: true - group: kibana - owner: kibana + template: + src: "templates/dashboard.yml.j2" + dest: "{{ dashboard_conf_path }}/dashboard.yml" + group: wazuh-dashboard + owner: wazuh-dashboard mode: 0640 - marker: "## {mark} Kibana general settings ##" + force: yes notify: restart wazuh-dashboard tags: - install - configure -- name: Ensuring Kibana directory owner +- name: Ensuring Wazuh-Dashboard directory owner file: # noqa 208 - path: "/usr/share/kibana" + path: "/usr/share/wazuh-dashboard" state: directory - owner: kibana - group: kibana + owner: wazuh-dashboard + group: wazuh-dashboard recurse: yes #- name: Build and Install Wazuh Kibana Plugin from sources 
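Review bot: `Copy Configuration File` now renders the template to `{{ dashboard_conf_path }}/dashboard.yml`, but OpenSearch Dashboards (and, as far as I can tell, the wazuh-dashboard package) reads `opensearch_dashboards.yml` from its config directory; if that holds here, the TLS, credential and `server.host` settings in `dashboard.yml.j2` are never loaded and the service starts on packaged defaults. Confirm the file name the packaged systemd unit passes and rename `dest` (and the path in `Remove Dashboard configuration file` above it) accordingly. `Ensuring Wazuh-Dashboard directory owner` still runs `recurse: yes` over `/usr/share/wazuh-dashboard`, handing the service account write access to its own code and plugins; if the chown was only needed for the Kibana plugin build, limit it to the `data` and `plugins` subtrees or guard it with `when: build_from_sources` and leave the install tree root-owned. `force: yes` is the `template` module default and can be dropped.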
@@ -70,7 +69,7 @@ # - not build_from_sources #- name: Kibana optimization (can take a while) -# shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ kibana_conf_path }}/kibana.yml +# shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ dashboard_conf_path }}/kibana.yml # args: # executable: /bin/bash # become: yes 
@@ -79,44 +78,44 @@ # tags: # - skip_ansible_lint -- name: Wait for Elasticsearch port - wait_for: host={{ indexer_network_host }} port={{ elasticsearch_http_port }} +- name: Wait for Wazuh-Indexer port + wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} - name: Select correct API protocol set_fact: - elastic_api_protocol: "{% if kibana_opendistro_security is defined and kibana_opendistro_security %}https{% else %}http{% endif %}" + indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}" - name: Attempting to delete legacy Wazuh index if exists uri: - url: "{{ elastic_api_protocol }}://{{ indexer_network_host }}:{{ elasticsearch_http_port }}/.wazuh" + url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh" method: DELETE user: "admin" password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200, 404 -- name: Create wazuh plugin config directory +- name: Create Wazuh Plugin config directory file: - path: /usr/share/kibana/data/wazuh/config/ + path: /usr/share/wazuh-dashboard/data/wazuh/config/ state: directory recurse: yes - owner: kibana - group: kibana + owner: wazuh-dashboard + group: wazuh-dashboard mode: 0751 changed_when: False -- name: Configure Wazuh Kibana Plugin +- name: Configure Wazuh Dashboard Plugin template: src: wazuh.yml.j2 - dest: /usr/share/kibana/data/wazuh/config/wazuh.yml - owner: kibana - group: kibana + dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + owner: wazuh-dashboard + group: wazuh-dashboard mode: 0751 changed_when: False -- name: Ensure Kibana started and enabled +- name: Ensure Wazuh-Dashboard started and enabled service: - name: kibana + name: wazuh-dashboard enabled: true state: started diff --git a/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml b/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml index ee21f1c1..223ae09d 100644 
--- a/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml @@ -1,13 +1,13 @@ - block: - - name: Copy the certificates from local to the Kibana instance + - name: Copy the certificates from local to the Wazuh-Dashboard instance copy: src: "{{ local_certs_path }}/certs/{{ item }}" - dest: /usr/share/kibana + dest: /etc/wazuh-dashboard/certs/ mode: 0644 with_items: - "root-ca.pem" - - "{{ kibana_node_name }}_http.key" - - "{{ kibana_node_name }}_http.pem" + - "{{ dashboard_node_name }}-key.pem" + - "{{ dashboard_node_name }}.pem" tags: - security diff --git a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 new file mode 100644 index 00000000..9795b557 --- /dev/null +++ b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 @@ -0,0 +1,15 @@ +server.host: {{ dashboard_server_host }} +server.port: {{ dashboard_server_port }} +opensearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}" +opensearch.ssl.verificationMode: certificate +opensearch.username: {{ dashboard_user }} +opensearch.password: {{ dashboard_password }} +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: true +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem" +server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem" +opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] +logging.dest: "/var/log/wazuh-dashboard/wazuh-dashboard.log" +uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=global diff --git a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 index 95461cd4..fb5aaf2e 100644 
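Review bot: `{{ dashboard_node_name }}-key.pem` is copied to `/etc/wazuh-dashboard/certs/` with `mode: 0644` and no `owner`/`group`, so the dashboard's TLS private key ends up root-owned and world-readable. Set `owner: wazuh-dashboard`, `group: wazuh-dashboard` and `mode: 0600`; the service presumably reads `server.ssl.key` as that user, since `dashboard.yml` is owned by it elsewhere in this commit, and `root-ca.pem` and the public certificate are fine at `0600` too. If the public files should stay `0644`, split them into a second `copy` task rather than loosening the key.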
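Review bot: `opensearch.ssl.verificationMode: certificate` in the new `dashboard.yml.j2` verifies the indexer's certificate chain but not its hostname, a step down from the `verificationMode: full` the previous `opendistro_kibana.yml.j2` used (still visible as context below); if the node certificates carry the node names or addresses as SANs, `full` should work and prevents a valid-but-wrong node certificate from being accepted. `opensearch.username: {{ dashboard_user }}` renders `dashboardserver` with the new defaults while the indexer role only provisions `kibanaserver`, so the two sides disagree. The templated scalars are unquoted; a `dashboard_password` containing `#`, `: ` or a leading `*`/`&` would break the YAML, so write `opensearch.password: "{{ dashboard_password }}"` (and quote `server.host`/`opensearch.username` likewise). `server.host: {{ dashboard_server_host }}` defaults to `0.0.0.0`, which is fine for a server but worth a comment noting the UI is exposed on all interfaces.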
--- a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 @@ -1,17 +1,17 @@ # {{ ansible_managed }} # Description: # Default Kibana configuration for Open Distro. -server.port: {{ kibana_server_port }} +server.port: {{ dashboard_server_port }} #server.basePath: "" server.maxPayloadBytes: {{ kibana_max_payload_bytes }} -server.name: {{ kibana_server_name }} +server.name: {{ dashboard_server_name }} server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} -elasticsearch.hosts: "https://{{ indexer_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}" elasticsearch.username: {{ opendistro_kibana_user }} elasticsearch.password: {{ dashboard_password }} server.ssl.enabled: true @@ -21,7 +21,7 @@ elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] elasticsearch.ssl.verificationMode: full {% else %} -elasticsearch.hosts: "http://{{ indexer_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.hosts: "http://{{ indexer_network_host }}:{{ indexer_http_port }}" {% endif %} elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] diff --git a/roles/opensearch/wazuh-dashboard/vars/debian.yml b/roles/opensearch/wazuh-dashboard/vars/debian.yml index bf53c169..d7e764f2 100644 --- a/roles/opensearch/wazuh-dashboard/vars/debian.yml +++ b/roles/opensearch/wazuh-dashboard/vars/debian.yml @@ -1,3 +1,3 @@ --- -kibana_opendistro_version: 4.3.0 \ No newline at end of file +dashboard_version: 4.3.0 \ No newline at end of file diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml index f292156c..f6be9302 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml 
@@ -4,9 +4,9 @@ - name: RedHat/CentOS/Fedora | Add Wazuh-Indexer repo ## 732 wazuh repo should be added instead. yum_repository: - file: opendistro - name: opendistro_repo - description: Opendistro yum repository + file: wazuh + name: wazuh_repo + description: Wazuh yum repository baseurl: "{{ package_repos.yum.indexer.baseurl }}" gpgkey: "{{ package_repos.yum.indexer.gpg }}" gpgcheck: true From d67ae787129edd3cf742d45c1ebf2a3155ea25f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Fri, 4 Feb 2022 16:58:21 -0300 Subject: [PATCH 04/41] Updates to Wazuh and Opensearch roles --- .../templates/dashboard.yml.j2 | 5 +- .../wazuh-indexer/defaults/main.yml | 4 +- .../opensearch/wazuh-indexer/tasks/Debian.yml | 26 +++++----- .../opensearch/wazuh-indexer/tasks/RedHat.yml | 48 ++++++++++++------- .../wazuh-indexer/tasks/local_actions.yml | 14 ++++++ .../wazuh-indexer/tasks/security_actions.yml | 2 +- .../wazuh-indexer/templates/opensearch.yml.j2 | 10 +++- .../ansible-filebeat-oss/defaults/main.yml | 26 +++++----- .../ansible-filebeat-oss/tasks/Debian.yml | 6 +-- .../ansible-filebeat-oss/tasks/RMDebian.yml | 2 +- .../ansible-filebeat-oss/tasks/RedHat.yml | 4 +- .../tasks/security_actions.yml | 2 +- .../templates/filebeat.yml.j2 | 6 +-- .../ansible-wazuh-agent/defaults/main.yml | 9 ++-- .../ansible-wazuh-manager/defaults/main.yml | 9 ++-- 15 files changed, 110 insertions(+), 63 deletions(-) diff --git a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 index 9795b557..6f29aa87 100644 --- a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 
@@ -1,6 +1,9 @@ server.host: {{ dashboard_server_host }} server.port: {{ dashboard_server_port }} -opensearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}" +opensearch.hosts: +{% for item in indexer_cluster_nodes %} + - https://{{ item }}:{{ indexer_http_port }} +{% endfor %} opensearch.ssl.verificationMode: certificate opensearch.username: {{ dashboard_user }} opensearch.password: {{ dashboard_password }} diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml index 182721c6..19548e8a 100644 --- a/roles/opensearch/wazuh-indexer/defaults/main.yml +++ b/roles/opensearch/wazuh-indexer/defaults/main.yml @@ -42,8 +42,8 @@ package_repos: baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' -# openjdk: -# baseurl: 'deb http://deb.debian.org/debian stretch-backports main' + openjdk: + baseurl: 'deb http://deb.debian.org/debian stretch-backports main' indexer_sec_plugin_conf_path: /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools diff --git a/roles/opensearch/wazuh-indexer/tasks/Debian.yml b/roles/opensearch/wazuh-indexer/tasks/Debian.yml index 1036cf97..c5748e3c 100644 --- a/roles/opensearch/wazuh-indexer/tasks/Debian.yml +++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml 
@@ -22,20 +22,20 @@ keyserver: keyserver.ubuntu.com id: 648ACFD622F3D138 -# - name: Add openjdk repository -# apt_repository: -# repo: "{{ package_repos.apt.openjdk.baseurl }}" -# state: present -# update_cache: yes -# filename: 'wazuh-openjdk' + - name: Add openjdk repository + apt_repository: + repo: "{{ package_repos.apt.openjdk.baseurl }}" + state: present + update_cache: yes + filename: 'wazuh-openjdk' -#- name: Install openjdk-11-jdk -### 732 will not be needed as indexer comes with the jdk. -# apt: -# name: openjdk-11-jdk -# state: present -# environment: -# JAVA_HOME: /usr +- name: Install openjdk-11-jdk +## 732 will not be needed as indexer comes with the jdk. + apt: + name: openjdk-11-jdk + state: present + environment: + JAVA_HOME: /usr - name: Add Wazuh-Indexer repository block: diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml index f6be9302..8e17326f 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml 
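Review bot: The re-enabled `Add openjdk repository` task adds `{{ package_repos.apt.openjdk.baseurl }}`, which this commit sets to `deb http://deb.debian.org/debian stretch-backports main`, on every Debian-family host: on Ubuntu or on Debian buster/bullseye that mixes in packages from a different, end-of-life release over plain HTTP (integrity rests entirely on the apt signature), and the kept comment `## 732 will not be needed as indexer comes with the jdk` plus the `JAVA_HOME=/usr/share/wazuh-indexer/jdk` used by `securityadmin.sh` say the JDK is bundled anyway. If a system JDK is still required for something, install the distribution's own `openjdk-11-jdk` without adding a foreign repository, or at least gate the repo on `ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'`; otherwise remove both tasks instead of uncommenting them. `environment: JAVA_HOME: /usr` on the install task is also a leftover that no longer matches the bundled JDK path.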
@@ -12,27 +12,39 @@ gpgcheck: true changed_when: false -# - name: RedHat/CentOS/Fedora | Install OpenJDK 11 -# ## 732 will not be needed -# yum: -# name: java-11-openjdk-devel -# state: present -# when: -# - ansible_distribution != 'Amazon' + - name: RedHat/CentOS/Fedora | Install OpenJDK 11 + ## 732 will not be needed + yum: + name: java-11-openjdk-devel + state: present + when: + - ansible_distribution != 'Amazon' -# - name: Amazon Linux | Install OpenJDK 11 -# ## 732 will not be needed -# block: -# - name: Install Amazon extras -# yum: -# name: amazon-linux-extras -# state: present + - name: Amazon Linux | Install OpenJDK 11 + ## 732 will not be needed + block: + - name: Install Amazon extras + yum: + name: amazon-linux-extras + state: present -# - name: Install OpenJDK 11 -# shell: amazon-linux-extras install java-openjdk11 -y + - name: Install OpenJDK 11 + shell: amazon-linux-extras install java-openjdk11 -y -# when: -# - ansible_distribution == 'Amazon' + - name: Configure vm.max_map_count + lineinfile: + line: "vm.max_map_count=262144" + dest: "/etc/sysctl.conf" + insertafter: EOF + create: true + become: yes + + - name: Update vm.max_map_count + shell: sysctl -p + become: yes + + when: + - ansible_distribution == 'Amazon' - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml index 74febb15..270c48db 100644 --- a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml 
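Review bot: `Configure vm.max_map_count` appends a `line:` with no `regexp:`, so any later change of the value adds a second `vm.max_map_count=` entry to `/etc/sysctl.conf`, and the follow-up `shell: sysctl -p` reports `changed` on every run. Both tasks also sit inside the Amazon Linux block, although the kernel limit is required on every RedHat-family host the indexer runs on. Replace the pair with the `sysctl` module, which sets and persists the value idempotently, and place it after the `when: ansible_distribution == 'Amazon'` block so it applies everywhere. The `amazon-linux-extras install … -y` shell task likewise has no `changed_when`/`creates`, so it too reports a change each run.
```yaml
  - name: Configure vm.max_map_count
    sysctl:
      name: vm.max_map_count
      value: "262144"
      state: present
      sysctl_set: true
      reload: true
    become: yes
# … unchanged: RedHat/CentOS/Fedora | Install Indexer dependencies …
```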
@@ -67,6 +67,20 @@ bash {{ local_certs_path }}/wazuh-cert-tool.sh become: yes + - name: Get Certificate files + find: + paths: "{{ local_certs_path }}/certs" + patterns: "*" + register: certificate_files + + - name: Change Certificates Ownership + file: + path: "{{ item.path }}" + owner: "{{ ansible_effective_user_id }}" + group: "{{ ansible_effective_user_id }}" + become: yes + with_items: "{{ certificate_files.files }}" + run_once: true delegate_to: localhost become: no diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index cdf9a151..c63afd16 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -70,7 +70,7 @@ - name: Hashing the custom admin password command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301 register: indexer_admin_password_hashed - no_log: '{{ indexer_nolog_sensible | bool }}' + #no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true - name: Set the Admin user password diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 index bb3d8cab..19413f70 100644 --- a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 @@ -7,7 +7,13 @@ cluster.initial_master_nodes: {% for item in indexer_cluster_nodes %} - {{ item }} {% endfor %} + +discovery.seed_hosts: +{% for item in elasticsearch_discovery_nodes %} + - {{ item }} +{% endfor %} {% endif %} + cluster.name: {{ indexer_cluster_name }} http.port: 9700-9799 
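Review bot: `Change Certificates Ownership` uses `ansible_effective_user_id` for both `owner` and `group`, but the enclosing block (its start is above the hunk) runs with `delegate_to: localhost`, and that fact describes the user gathered on the inventory host rather than the controller user; if I read the delegation right, the generated certificates and `*-key.pem` files may be handed to an unrelated local UID, and a UID is being passed where a GID is expected. Use the controller's own identity, e.g. `owner: "{{ lookup('pipe', 'id -u') }}"` and `group: "{{ lookup('pipe', 'id -g') }}"`, and set `mode: "0600"` on the key files so the chown does not silently keep whatever permissions wazuh-cert-tool.sh produced.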
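Review bot: Commenting out `no_log` on `Hashing the custom admin password` leaves a task whose `command:` line embeds `{{ indexer_admin_password }}` in clear text, so the admin password is printed in the play output and in any configured Ansible log file. Restore `no_log: '{{ indexer_nolog_sensible | bool }}'`; if it was disabled to debug the hash step, set `indexer_nolog_sensible: false` for that run instead of editing the task. Passing the password as a `-p` argument also exposes it in the node's process list while hash.sh runs; that is pre-existing, but worth a follow-up.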
@@ -40,7 +46,9 @@ plugins.security.authcz.admin_dn: plugins.security.check_snapshot_restore_write_privileges: true plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: -- "CN={{ indexer_node_name }},OU=Docu,O=Wazuh,L=California,C=US" +{% for (key,value) in instances.items() %} +- "CN={{ value.name }},OU=Docu,O=Wazuh,L=California,C=US" +{% endfor %} plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index dd469d1e..dfd9fb04 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml 
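Review bot: `plugins.security.nodes_dn` is now generated for every entry of `instances`, not only the indexer nodes. That list is the set of certificate DNs the security plugin accepts as cluster members on the transport layer, so a certificate issued for a dashboard entry (config.yml.j2 at L76 distinguishes `role == 'dashboard'`) would also be trusted as a peer node. Wrap the loop body the way config.yml.j2 does — `{% if value.role is defined and value.role == 'indexer' %}` … `{% endif %}` — and decide explicitly whether entries without a `role` belong in the list at all.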
@@ -1,27 +1,31 @@ --- filebeat_version: 7.10.2 -wazuh_template_branch: v4.3.0 +wazuh_template_branch: v4.2.5 filebeat_output_elasticsearch_hosts: - - "localhost:9200" + - "localhost:9700" -filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat +#filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat +filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz filebeat_module_package_path: /tmp/ filebeat_module_destination: /usr/share/filebeat/module filebeat_module_folder: /usr/share/filebeat/module/wazuh -elasticsearch_security_user: admin -elasticsearch_security_password: changeme +indexer_security_user: admin +indexer_security_password: changeme # Security plugin filebeat_security: true filebeat_ssl_dir: /etc/pki/filebeat # Local path to store the generated certificates (OpenDistro security plugin) -local_certs_path: ./opendistro/certificates +local_certs_path: ./indexer/certificates -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' - yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' +filebeatrepo: + #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + #yum: 'https://packages.wazuh.com/4.x/yum/' + yum: 'https://packages-dev.wazuh.com/pre-release/yum/' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml index 718d584b..638dbcff 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml 
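Review bot: The filebeat role defaults now point at the `packages-dev.wazuh.com` pre-release APT/YUM repositories with the release URLs left as comments, and the agent (L67) and manager (L68) defaults do the same; every user of these roles who does not override `filebeatrepo`/`wazuh_agent_repo`/`wazuh_manager_repo` will install unstable pre-release packages. Keep the release repositories as the defaults and select the pre-release ones through a variable (e.g. a boolean `wazuh_use_prerelease`, constructed name) used in a Jinja conditional. `wazuh_template_branch` also moves back to `v4.2.5` while the agent defaults still reference `wazuh-agent-4.3.0-1.msi` (L67), so the intended version should be confirmed, and the file now ends without a trailing newline.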
@@ -11,13 +11,13 @@ - name: Debian/Ubuntu | Add Elasticsearch apt key. apt_key: - url: "{{ elasticrepo.gpg }}" - id: "{{ elasticrepo.key_id }}" + url: "{{ filebeatrepo.gpg }}" + id: "{{ filebeatrepo.key_id }}" state: present - name: Debian/Ubuntu | Add Filebeat-oss repository. apt_repository: - repo: "deb {{ elasticrepo.apt }} stable main" + repo: "{{ filebeatrepo.apt }}" state: present update_cache: true changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml index 25a33909..a51e3f73 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml @@ -1,6 +1,6 @@ --- - name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) apt_repository: - repo: "deb {{ elasticrepo.apt }} stable main" + repo: "{{ filebeatrepo.apt }}" state: absent changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml index 74873aca..d4024e25 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml @@ -3,7 +3,7 @@ yum_repository: name: elastic_oss-repo_7 description: Elastic repository for 7.x packages - baseurl: "{{ elasticrepo.yum }}" - gpgkey: "{{ elasticrepo.gpg }}" + baseurl: "{{ filebeatrepo.yum }}" + gpgkey: "{{ filebeatrepo.gpg }}" gpgcheck: true changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml index fdec3c04..795c0c96 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -16,7 +16,7 @@ group: root mode: 0644 with_items: - - "{{ filebeat_node_name }}.key" + - "{{ filebeat_node_name }}-key.pem" - "{{ filebeat_node_name }}.pem" - "root-ca.pem" 
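Review bot: The private key now named `{{ filebeat_node_name }}-key.pem` is still installed by the same `copy` loop as the public certificates, and the context lines show that loop applies `mode: 0644`, so the Filebeat TLS key ends up world-readable on the manager host. Move the key into its own `copy` task with `mode: "0600"` (or `"0640"` with the group Filebeat runs as) and keep `0644` for the `.pem` certificates and `root-ca.pem`; quoting the mode also avoids the YAML octal trap ansible-lint flags. The task header (name, `src`, `dest`, `owner`) lies above the hunk.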
diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index c918ccda..8b013a74 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 @@ -19,13 +19,13 @@ output.elasticsearch: hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} {% if filebeat_security %} - username: {{ elasticsearch_security_user }} - password: {{ elasticsearch_security_password }} + username: {{ indexer_security_user }} + password: {{ indexer_security_password }} protocol: https ssl.certificate_authorities: - {{ filebeat_ssl_dir }}/root-ca.pem ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem" - ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.key" + ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 8706a992..63b1fbaf 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -61,9 +61,12 @@ wazuh_winagent_package_name: wazuh-agent-4.3.0-1.msi wazuh_dir: "/var/ossec" wazuh_agent_repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + #yum: 'https://packages.wazuh.com/4.x/yum/' + yum: 'https://packages-dev.wazuh.com/pre-release/yum/' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' # This is deprecated, see: wazuh_agent_address 
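Review bot: `username` and `password` are rendered as plain YAML scalars in filebeat.yml.j2, so a password containing `#`, `: `, a leading `*`/`&`/`[`, or one that looks numeric or boolean is mis-parsed or breaks Filebeat's config load. Render both through `to_json`, as the `hosts` line in the same block already does: `username: {{ indexer_security_user | to_json }}` and `password: {{ indexer_security_password | to_json }}`.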
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 2e694ab5..94eac58d 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -38,9 +38,12 @@ wazuh_manager_sources_installation: wazuh_dir: "/var/ossec" wazuh_manager_repo: - apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' - yum: 'https://packages.wazuh.com/4.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main' + #yum: 'https://packages.wazuh.com/4.x/yum/' + yum: 'https://packages-dev.wazuh.com/pre-release/yum/' + #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' From a5441ddc8a1a8ab52c9d1ac2b1122619b1c7a550 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Mon, 7 Feb 2022 17:01:52 -0300 Subject: [PATCH 05/41] Indexer and dashboard variables names updated --- README.md | 6 +++--- playbooks/wazuh-manager-oss.yml | 2 +- playbooks/wazuh-odfe-production-ready.yml | 12 +++++------ playbooks/wazuh-odfe-single.yml | 6 +++--- playbooks/wazuh-opendistro-kibana.yml | 2 +- playbooks/wazuh-opendistro.yml | 2 +- .../wazuh-dashboard/defaults/main.yml | 2 +- .../wazuh-dashboard/tasks/Debian.yml | 2 +- .../wazuh-indexer/defaults/main.yml | 4 ++-- .../opensearch/wazuh-indexer/tasks/Debian.yml | 4 ++-- .../wazuh-indexer/tasks/RMRedHat.yml | 4 ++-- .../opensearch/wazuh-indexer/tasks/RedHat.yml | 2 +- roles/opensearch/wazuh-indexer/tasks/main.yml | 8 ++++---- .../wazuh-indexer/tasks/security_actions.yml | 20 +++++++++---------- .../wazuh-indexer/templates/config.yml.j2 | 2 ++ .../wazuh-indexer/templates/opensearch.yml.j2 | 2 +- roles/wazuh/ansible-filebeat-oss/README.md | 2 +- .../ansible-filebeat-oss/defaults/main.yml | 4 ++-- .../ansible-filebeat-oss/tasks/RMRedHat.yml | 2 +- .../ansible-filebeat-oss/tasks/RedHat.yml | 4 ++-- .../templates/filebeat.yml.j2 | 6 +++--- 21 files changed, 50 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 9e0d589d..db7ac89f 100644 --- a/README.md +++ b/README.md @@ -180,7 +180,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod nodes: - "{{ hostvars.manager.private_ip }}" hidden: 'no' - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" @@ -209,7 +209,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod nodes: - "{{ hostvars.manager.private_ip }}" hidden: 'no' - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" 
@@ -319,7 +319,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing elasticsearch_node_master: true elasticsearch_network_host: filebeat_node_name: node-1 - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: ansible_ssh_user: vagrant ansible_ssh_private_key_file: /path/to/ssh/key.pem ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml index ba7b9444..d28b8736 100644 --- a/playbooks/wazuh-manager-oss.yml +++ b/playbooks/wazuh-manager-oss.yml @@ -3,7 +3,7 @@ roles: - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - ":9200" - ":9200" - ":9200" diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-odfe-production-ready.yml index 75cc30e9..1068cbdc 100644 --- a/playbooks/wazuh-odfe-production-ready.yml +++ b/playbooks/wazuh-odfe-production-ready.yml @@ -2,7 +2,7 @@ # Certificates generation - hosts: es1 roles: - - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/opensearch/wazuh-indexer elasticsearch_network_host: "{{ private_ip }}" elasticsearch_cluster_nodes: - "{{ hostvars.es1.private_ip }}" @@ -43,7 +43,7 @@ - hosts: odfe_cluster strategy: free roles: - - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/opensearch/wazuh-indexer elasticsearch_network_host: "{{ private_ip }}" become: yes become_user: root @@ -105,7 +105,7 @@ wazuh_api_users: - username: custom-user password: .S3cur3Pa55w0rd*- - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" 
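Review bot: In wazuh-odfe-production-ready.yml the role path now points at `roles/opensearch/wazuh-indexer`, but the variables handed to it keep the old names (`elasticsearch_network_host`, `elasticsearch_cluster_nodes`), while the renamed role reads `indexer_network_host` and `indexer_cluster_nodes` (indexer defaults at L72, dashboard template at L60). Unless the role still maps the old names somewhere not shown, these values are silently ignored and the nodes fall back to the `127.0.0.1` defaults; the same applies to the `-43` hunk in this file and to wazuh-odfe-single.yml at L71 (`elasticsearch_network_host`, `elasticsearch_node_master`). Rename the playbook variables in the same commit as the role path.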
@@ -134,7 +134,7 @@ nodes: - "{{ hostvars.manager.private_ip }}" hidden: 'no' - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - "{{ hostvars.es1.private_ip }}" - "{{ hostvars.es2.private_ip }}" - "{{ hostvars.es3.private_ip }}" @@ -142,8 +142,8 @@ #ODFE+Kibana node - hosts: kibana roles: - - role: "../roles/opendistro/opendistro-elasticsearch" - - role: "../roles/opendistro/opendistro-kibana" + - role: "../roles/opensearch/wazuh-indexer" + - role: "../roles/opensearch/wazuh-dashboard" become: yes become_user: root vars: diff --git a/playbooks/wazuh-odfe-single.yml b/playbooks/wazuh-odfe-single.yml index 53b7dee3..9249fc20 100644 --- a/playbooks/wazuh-odfe-single.yml +++ b/playbooks/wazuh-odfe-single.yml @@ -4,17 +4,17 @@ become: yes become_user: root roles: - - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/opensearch/wazuh-indexer - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss - - role: ../roles/opendistro/opendistro-kibana + - role: ../roles/opensearch/wazuh-dashboard vars: single_node: true minimum_master_nodes: 1 elasticsearch_node_master: true elasticsearch_network_host: 127.0.0.1 filebeat_node_name: node-1 - filebeat_output_elasticsearch_hosts: 127.0.0.1 + filebeat_output_indexer_hosts: 127.0.0.1 instances: node1: name: node-1 # Important: must be equal to elasticsearch_node_name. diff --git a/playbooks/wazuh-opendistro-kibana.yml b/playbooks/wazuh-opendistro-kibana.yml index 8d195ad5..2a762639 100644 --- a/playbooks/wazuh-opendistro-kibana.yml +++ b/playbooks/wazuh-opendistro-kibana.yml @@ -1,6 +1,6 @@ --- - hosts: es1 roles: - - role: ../roles/opendistro/opendistro-kibana + - role: ../roles/opensearch/wazuh-dashboard vars: ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index 63b54eb2..8de1c16c 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml 
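Review bot: In wazuh-odfe-single.yml `filebeat_output_indexer_hosts: 127.0.0.1` stays a scalar, whereas the role default (L77) is a list and the template introduced in patch 06 (L79) iterates it with `{% for item in filebeat_output_indexer_hosts %}`, which walks a string character by character. Make it a one-element list: `filebeat_output_indexer_hosts:` followed by `  - 127.0.0.1`.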
@@ -1,7 +1,7 @@ --- - hosts: es_cluster roles: - - role: ../roles/opendistro/opendistro-elasticsearch + - role: ../roles/opensearch/wazuh-indexer vars: instances: # A certificate will be generated for every node using the name as CN. diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index f1a87302..ecea6dfc 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml @@ -49,7 +49,7 @@ dashboard_security: true #kibana_telemetry_enabled: "false" indexer_admin_password: changeme -dashboard_user: dashboardserver +dashboard_user: kibanaserver dashboard_password: changeme local_certs_path: "{{ playbook_dir }}/indexer/certificates" diff --git a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml index 84ff2723..5ff2b2be 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml @@ -7,7 +7,7 @@ url: "{{ package_repos.apt.dashboard.gpg }}" state: present - - name: Debian systems | Add OpenDistro repo + - name: Debian systems | Add Wazuh-Dashboard repo apt_repository: repo: "{{ package_repos.apt.dashboard.baseurl }}" state: present diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml index 19548e8a..0c72b624 100644 --- a/roles/opensearch/wazuh-indexer/defaults/main.yml +++ b/roles/opensearch/wazuh-indexer/defaults/main.yml @@ -15,8 +15,8 @@ indexer_start_timeout: 90 #elasticsearch_lower_disk_requirements: false indexer_cluster_nodes: - 127.0.0.1 -#elasticsearch_discovery_nodes: -# - 127.0.0.1 +indexer_discovery_nodes: + - 127.0.0.1 local_certs_path: "{{ playbook_dir }}/indexer/certificates" ##check if it is the correct directory diff --git a/roles/opensearch/wazuh-indexer/tasks/Debian.yml b/roles/opensearch/wazuh-indexer/tasks/Debian.yml index c5748e3c..e29db550 100644 
--- a/roles/opensearch/wazuh-indexer/tasks/Debian.yml +++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml @@ -45,11 +45,11 @@ url: "{{ package_repos.apt.indexer.gpg }}" state: present - - name: Add Opendistro repository + - name: Add Indexer repository apt_repository: repo: "{{ package_repos.apt.indexer.baseurl }}" state: present - filename: 'wazuh-opendistro' + filename: 'wazuh-indexer' update_cache: yes - name: Install Wazuh-Indexer diff --git a/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml index 3d162cdf..c0c769d3 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml @@ -1,7 +1,7 @@ --- -- name: RedHat/CentOS/Fedora | Remove Elasticsearch repository (and clean up left-over metadata) +- name: RedHat/CentOS/Fedora | Remove Wazuh-Indexer repository (and clean up left-over metadata) ## 732 will not be needed and if it is needed the wazuh repo should be removed. yum_repository: - name: opendistro_repo + name: wazuh_repo state: absent changed_when: false diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml index 8e17326f..317aa007 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml @@ -46,7 +46,7 @@ when: - ansible_distribution == 'Amazon' - - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies + - name: RedHat/CentOS/Fedora | Install Indexer dependencies yum: name: "{{ packages }}" vars: diff --git a/roles/opensearch/wazuh-indexer/tasks/main.yml b/roles/opensearch/wazuh-indexer/tasks/main.yml index ddf17a49..305dde73 100644 --- a/roles/opensearch/wazuh-indexer/tasks/main.yml +++ b/roles/opensearch/wazuh-indexer/tasks/main.yml 
@@ -91,7 +91,7 @@ state: absent with_items: "{{ files_to_delete.files }}" - - name: Ensure Elasticsearch started and enabled + - name: Ensure Wazuh-Indexer started and enabled ## 732 the service name should be updated service: name: wazuh-indexer @@ -101,7 +101,7 @@ - name: Wait for Wazuh-Indexer API uri: url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" - user: "admin" # Default OpenDistro user is always "admin" + user: "admin" # Default Indexer user is always "admin" password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200,401 @@ -117,10 +117,10 @@ when: - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] - - name: Wait for Elasticsearch API (Private IP) + - name: Wait for Wazuh-Indexer API (Private IP) uri: url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" - user: "admin" # Default OpenDistro user is always "admin" + user: "admin" # Default Indexer user is always "admin" password: "{{ indexer_admin_password }}" validate_certs: no status_code: 200,401 diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index c63afd16..96565941 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -22,7 +22,7 @@ - hostvars[inventory_hostname]['private_ip'] is not defined -- name: Copy the node & admin certificates to Elasticsearch cluster +- name: Copy the node & admin certificates to Wazuh-Indexer cluster copy: src: "{{ local_certs_path }}/certs/{{ item }}" dest: "{{ indexer_conf_path }}/certs/" 
@@ -55,12 +55,12 @@ # replace: 'opendistro_security' # tags: local -- name: Restart elasticsearch with security configuration +- name: Restart Wazuh-Indexer with security configuration systemd: name: wazuh-indexer state: restarted -- name: Copy the OpenDistro security internal users template +- name: Copy the Opensearch security internal users template template: src: "templates/internal_users.yml.j2" dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" @@ -77,15 +77,15 @@ replace: path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" regexp: '(?<=admin:\n hash: )(.*)(?=)' - replace: "{{ odfe_password_hash | quote }}" + replace: "{{ indexer_password_hash | quote }}" vars: - odfe_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" + indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" run_once: true # this can also be achieved with password_hash, but it requires dependencies on the controller - name: Hash the kibanaserver role/user pasword command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }}" # noqa 301 - register: opendistro_kibanaserver_password_hashed + register: indexer_kibanaserver_password_hashed no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true @@ -93,12 +93,12 @@ replace: path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' - replace: "{{ odfe_password_hash | quote }}" + replace: "{{ indexer_password_hash | quote }}" vars: - odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}" + indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" run_once: true -- name: Initialize the OpenDistro security index in elasticsearch +- name: Initialize the Opensearch security index in Wazuh-Indexer command: > sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} JAVA_HOME=/usr/share/wazuh-indexer/jdk 
@@ -116,7 +116,7 @@ uri: url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}" method: PUT - user: "admin" # Default OpenDistro user is always "admin" + user: "admin" # Default Indexer user is always "admin" password: "{{ indexer_admin_password }}" body: | { diff --git a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 index 8b1babf1..918e947e 100644 --- a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 @@ -1,6 +1,7 @@ nodes: # Elasticsearch server nodes elasticsearch: +## 732 this will change to indexer: {% for (key,value) in instances.items() %} {% if (value.role is defined and value.role == 'indexer') %} name: {{ value.name }} @@ -25,6 +26,7 @@ nodes: # Kibana node kibana: +## 732 this will change to dashboards: {% for (key,value) in instances.items() %} {% if (value.role is defined and value.role == 'dashboard') %} name: {{ value.name }} diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 index 19413f70..5cc294ad 100644 --- a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 @@ -9,7 +9,7 @@ cluster.initial_master_nodes: {% endfor %} discovery.seed_hosts: -{% for item in elasticsearch_discovery_nodes %} +{% for item in indexer_discovery_nodes %} - {{ item }} {% endfor %} {% endif %} diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md index 81fc8dcc..e8c26f13 100644 --- a/roles/wazuh/ansible-filebeat-oss/README.md +++ b/roles/wazuh/ansible-filebeat-oss/README.md 
@@ -19,7 +19,7 @@ Role Variables Available variables are listed below, along with default values (see `defaults/main.yml`): ``` - filebeat_output_elasticsearch_hosts: + filebeat_output_indexer_hosts: - "localhost:9200" ``` diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index dfd9fb04..01f5becd 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -3,7 +3,7 @@ filebeat_version: 7.10.2 wazuh_template_branch: v4.2.5 -filebeat_output_elasticsearch_hosts: +filebeat_output_indexer_hosts: - "localhost:9700" #filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat @@ -18,7 +18,7 @@ indexer_security_password: changeme filebeat_security: true filebeat_ssl_dir: /etc/pki/filebeat -# Local path to store the generated certificates (OpenDistro security plugin) +# Local path to store the generated certificates (Opensearch security plugin) local_certs_path: ./indexer/certificates filebeatrepo: diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml index 8565894e..abf858fe 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml @@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) yum_repository: - name: elastic_oss-repo_7 + name: wazuh_repo state: absent changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml index d4024e25..bdf4519b 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml 
@@ -1,8 +1,8 @@ --- - name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo yum_repository: - name: elastic_oss-repo_7 - description: Elastic repository for 7.x packages + name: wazuh_repo + description: Wazuh Repo baseurl: "{{ filebeatrepo.yum }}" gpgkey: "{{ filebeatrepo.gpg }}" gpgcheck: true diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 8b013a74..86066f3c 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 @@ -14,9 +14,9 @@ setup.template.json.name: 'wazuh' setup.template.overwrite: true setup.ilm.enabled: false -# Send events directly to Elasticsearch +# Send events directly to Opensearch output.elasticsearch: - hosts: {{ filebeat_output_elasticsearch_hosts | to_json }} + hosts: {{ filebeat_output_indexer_hosts | to_json }} {% if filebeat_security %} username: {{ indexer_security_user }} @@ -28,5 +28,5 @@ output.elasticsearch: ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem" {% endif %} -# Optional. Send events to Logstash instead of Elasticsearch +# Optional. Send events to Logstash instead of Opensearch #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"] \ No newline at end of file From 2e17343c68a7556058d9d354b5d00f098f379b57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Fri, 11 Feb 2022 12:04:05 -0300 Subject: [PATCH 06/41] filebeat oss configuration updated --- roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 86066f3c..82379778 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 
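Review bot: The Filebeat YUM repository is now registered under the id `wazuh_repo`, the same id the indexer role's RMRedHat.yml (L73) and the filebeat RMRedHat.yml (L77) remove. If the indexer RedHat.yml (its `name:` is outside the visible hunks) also creates `wazuh_repo`, removing either role deletes the repository the other still depends on, and two `yum_repository` tasks writing the same id with different `description` values will rewrite the repo file on every run. Use a role-specific id (e.g. `wazuh_filebeat_repo`, constructed) or let one shared task own the repository.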
@@ -16,7 +16,10 @@ setup.ilm.enabled: false # Send events directly to Opensearch output.elasticsearch: - hosts: {{ filebeat_output_indexer_hosts | to_json }} + hosts: +{% for item in filebeat_output_indexer_hosts %} + - {{ item }}:9700 +{% endfor %} {% if filebeat_security %} username: {{ indexer_security_user }} From 330ba0c94f891e6ed41fba96cb6efaa3e5499f75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Mon, 14 Feb 2022 15:35:22 -0300 Subject: [PATCH 07/41] Opensearch dashboard keystore task added --- roles/opensearch/wazuh-dashboard/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index 93c8f5ed..ab4c7fca 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -113,6 +113,13 @@ mode: 0751 changed_when: False +- name: Configure opensearch.password in opensearch.keystore + shell: >- + echo ToKDVUeRwxAey3xM | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f opensearch.password + args: + executable: /bin/bash + become: yes + - name: Ensure Wazuh-Dashboard started and enabled service: name: wazuh-dashboard From 847de7c752e5c60a0627a09950b523ad496cdc6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Tue, 15 Feb 2022 09:26:56 -0300 Subject: [PATCH 08/41] opensearch.password command updated --- roles/opensearch/wazuh-dashboard/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index ab4c7fca..f80e9347 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml 
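Review bot: `- {{ item }}:9700` appends a fixed port to every entry of `filebeat_output_indexer_hosts`, yet the role default set in this same series is `- "localhost:9700"` (L77) and the README/playbook examples pass entries that already carry `:9200`, which renders as `localhost:9700:9700`. Keep the port inside the variable (or template it from a dedicated port variable) and emit each entry as a quoted string: `- "{{ item }}"`. The previous `| to_json` form handled quoting; the new loop renders plain scalars, so an IPv6 literal or a value starting with a YAML indicator would also need the quotes.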
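Review bot: `Configure opensearch.password in opensearch.keystore` embeds a literal credential (`ToKDVUeRwxAey3xM`) in a committed task and pipes it through a `shell` command with no `no_log`. Patch 08 at L80 replaces the literal with `{{ dashboard_password }}`, but the string stays in the repository history, so if it was ever used on a real dashboard it should be treated as exposed and rotated. The missing `no_log: true` carries over to patch 08 as well.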
@@ -115,7 +115,7 @@ - name: Configure opensearch.password in opensearch.keystore shell: >- - echo ToKDVUeRwxAey3xM | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f opensearch.password + echo {{ dashboard_password }} | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password args: executable: /bin/bash become: yes From 4bccd0f97032811c275c0442eea719283ee9ba68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Tue, 15 Feb 2022 12:10:24 -0300 Subject: [PATCH 09/41] Add sleep before securityadmin --- roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index 96565941..fe4b605a 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -98,6 +98,10 @@ indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" run_once: true +- name: Pause for 2 minute + pause: + minutes: 2 + - name: Initialize the Opensearch security index in Wazuh-Indexer command: > sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} From 5c16fee92055823fcc48745e8ae9e089ecc9e143 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Tue, 15 Feb 2022 12:38:11 -0300 Subject: [PATCH 10/41] update sleep before securityadmin --- roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index fe4b605a..078bb593 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml 
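Review bot: The keystore command interpolates `{{ dashboard_password }}` unquoted into a `shell` line, so a password containing spaces, `$`, `;`, `|` or quotes breaks the command or is partially executed by bash; use `echo {{ dashboard_password | quote }} | …`, as the indexer role already does for its `replace` values (L75). The task still has no `no_log: true`, so the rendered command — password included — is printed in the play output and is visible in the target's process list while it runs, and it reports `changed` on every run. `no_log` applies to the whole task, so add it next to `become: yes`.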
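Review bot: `Pause for 2 minute` inserts a fixed two-minute wait before securityadmin instead of waiting for the condition it depends on, and patch 10 at L81 keeps the same approach with `command: sleep 120` (which additionally reports `changed` every run unless given `changed_when: false`). The role already polls the indexer with `uri`, `status_code: 200,401` and retries in tasks/main.yml (L74); reuse that `register`/`until` pattern here so the play proceeds as soon as the node answers and fails clearly if it never does.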
@@ -98,9 +98,8 @@
 indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}"
 run_once: true
-- name: Pause for 2 minute
- pause:
- minutes: 2
+- name: sleep 2 minutes
+ command: sleep 120
 - name: Initialize the Opensearch security index in Wazuh-Indexer
 command: >
From 5faa3effe0eae0f155d982fd2f41dd2386521aaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?=
Date: Tue, 15 Feb 2022 14:22:22 -0300
Subject: [PATCH 11/41] add retry to securityadmin
---
 roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
index 078bb593..d999242b 100644
--- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
@@ -113,7 +113,8 @@
 -cert {{ indexer_conf_path }}/certs/admin.pem
 -key {{ indexer_conf_path }}/certs/admin-key.pem
 -h {{ target_address }}
- run_once: true # noqa 301
+ retries: 2
+ delay: 5 # noqa 301
 - name: Create custom user
 uri:
From 7a8ef4f2930ed2985ddebf7c70f41480b7aee3f8 Mon Sep 17 00:00:00 2001
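Review bot: `command: sleep 120` is a blind wait before `securityadmin` runs; it neither proves the indexer is accepting TLS connections nor is idempotent (a `command` task reports `changed` on every run, which `pause` did not). A readiness probe is more reliable, e.g. `wait_for: host={{ target_address }} port={{ indexer_http_port }} timeout=300` — the dashboard role in this series already uses `wait_for` for the indexer port — or a `uri` check with `until`. If a settle time is still needed after the port opens, keep a short `pause` rather than a shell sleep.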
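Review bot: Dropping `run_once: true` means the security-index initialisation now runs on every host of the play, and the `wi_cluster` play in this series uses `strategy: free`, so several nodes may run `securityadmin` concurrently against the same cluster; confirm that is intended, since concurrent writes to the security index can race. Also, `retries`/`delay` do nothing without an `until:` condition — Ansible only loops when `until` is set — so as written the task does not retry (a later commit in the series attaches one). The `securityadmin` command this hunk modifies begins outside the visible lines.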
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Wed, 16 Feb 2022 14:52:02 -0300 Subject: [PATCH 12/41] Indexer and Dashboard comments removed --- .../wazuh-dashboard/defaults/main.yml | 32 +------- .../wazuh-dashboard/handlers/main.yml | 1 - .../tasks/build_wazuh_plugin.yml | 79 ------------------- .../opensearch/wazuh-dashboard/tasks/main.yml | 41 ---------- .../templates/opendistro_kibana.yml.j2 | 36 --------- .../wazuh-dashboard/templates/wazuh.yml.j2 | 2 +- .../wazuh-indexer/defaults/main.yml | 13 +-- .../wazuh-indexer/tasks/local_actions.yml | 27 ------- roles/opensearch/wazuh-indexer/tasks/main.yml | 28 +++---- .../wazuh-indexer/tasks/security_actions.yml | 39 +++------ .../wazuh-indexer/templates/config.yml.j2 | 2 +- .../templates/elasticsearch.yml.j2 | 44 ----------- .../wazuh-indexer/templates/jvm.options.j2 | 2 - 13 files changed, 29 insertions(+), 317 deletions(-) delete mode 100644 roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml delete mode 100644 roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 delete mode 100644 roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index ecea6dfc..4bf534f0 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml 
@@ -4,21 +4,14 @@ indexer_http_port: 9700 indexer_api_protocol: https dashboard_conf_path: /etc/wazuh-dashboard/ -## 732 check the path dashboard_node_name: node-1 dashboard_server_host: "0.0.0.0" dashboard_server_port: "5601" dashboard_server_name: "dashboard" -#kibana_max_payload_bytes: 1048576 -#elastic_stack_version: 4.3.0 -## 732 check if it is the right version wazuh_version: 4.3.0 -#wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana -## 732 check if it is needed. -# The OpenDistro package repository -dashboard_version: "4.3.0" # Version includes the - for RedHat family compatibility, replace with = for Debian hosts -## 732 check if it is the right version +# The Wazuh dashboard package repository +dashboard_version: "4.3.0" package_repos: yum: @@ -42,28 +35,9 @@ wazuh_api_credentials: username: "wazuh" password: "wazuh" -# opendistro Security +# Dashboard Security dashboard_security: true -#kibana_newsfeed_enabled: "false" -#kibana_telemetry_optin: "false" -#kibana_telemetry_enabled: "false" - indexer_admin_password: changeme dashboard_user: kibanaserver dashboard_password: changeme local_certs_path: "{{ playbook_dir }}/indexer/certificates" - -# Nodejs -nodejs: - repo_dict: - debian: "deb" - redhat: "rpm" - repo_url_ext: "nodesource.com/setup_10.x" - -# Build from sources -build_from_sources: false -#wazuh_plugin_branch: 4.1-7.10 -## 732 check if it is the right version and if it is needed - -#Nodejs NODE_OPTIONS -node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opensearch/wazuh-dashboard/handlers/main.yml b/roles/opensearch/wazuh-dashboard/handlers/main.yml index ac7f23e7..45f71935 100644 --- a/roles/opensearch/wazuh-dashboard/handlers/main.yml +++ b/roles/opensearch/wazuh-dashboard/handlers/main.yml @@ -1,4 +1,3 @@ --- - name: restart wazuh-dashboard service: name=wazuh-dashboard state=restarted -## 732 service name should be updated \ No newline at end of file 
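Review bot: The role still ships `indexer_admin_password: changeme`, `dashboard_password: changeme` and `wazuh_api_credentials.password: "wazuh"` as live defaults, and nothing in the visible tasks refuses to run with them, so a playbook that forgets to override gets a dashboard bound on `dashboard_server_host: "0.0.0.0"` with well-known credentials. Consider a guard at the start of the role, e.g. `assert: { that: dashboard_password != 'changeme', fail_msg: 'set dashboard_password' }`, or leave the secret defaults undefined so templating fails fast.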
diff --git a/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml b/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml deleted file mode 100644 index 5f11ae00..00000000 --- a/roles/opensearch/wazuh-dashboard/tasks/build_wazuh_plugin.yml +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -## 732 will not be needed - - name: Ensure the Git package is present - package: - name: git - state: present - - - name: Modify repo url if host is in Debian family - set_fact: - node_js_repo_type: deb - when: - - ansible_os_family | lower == "debian" - - - name: Download script to install Nodejs repository - get_url: - url: "https://{{ nodejs['repo_dict'][ansible_os_family|lower] }}.{{ nodejs['repo_url_ext'] }}" - dest: "/tmp/setup_nodejs_repo.sh" - mode: 0700 - - - name: Execute downloaded script to install Nodejs repo - command: /tmp/setup_nodejs_repo.sh - register: node_repo_installation_result - changed_when: false - - - name: Install Nodejs - package: - name: nodejs - state: present - - - name: Install yarn dependency to build the Wazuh Kibana Plugin - # Using shell due to errors when evaluating text between @ with command - shell: "npm install -g {{ 'yarn' }}{{ '@' }}{{ '1.10.1'}}" # noqa 305 - register: install_yarn_result - changed_when: install_yarn_result == 0 - - - name: Remove old wazuh-kibana-app git directory -## 732 check if it is needed - file: - path: /tmp/app - state: absent - changed_when: false - - - name: Clone wazuh-kibana-app repository # Using command as git module doesn't cover single-branch nor depth -## 732 will not be needed - command: git clone https://github.com/wazuh/wazuh-kibana-app -b {{ wazuh_plugin_branch }} --single-branch --depth=1 app # noqa 303 - register: clone_app_repo_result - changed_when: false - args: - chdir: "/tmp" - - - name: Executing yarn to build the package - command: "{{ item }}" - with_items: - - "yarn" - - "yarn build" - register: yarn_execution_result - changed_when: false - args: - chdir: "/tmp/app/" - - - name: Obtain name of generated package - shell: "find ./ -name 'wazuh-*.zip' -printf '%f\\n'" - register: wazuhapp_package_name - changed_when: false - args: - chdir: "/tmp/app/build" - - - name: Install Wazuh Plugin (can take a while) - shell: NODE_OPTIONS="{{ node_options }}" 
/usr/share/kibana/bin/kibana-plugin install file:///tmp/app/build/{{ wazuhapp_package_name.stdout }} - args: - executable: /bin/bash - creates: /usr/share/kibana/plugins/wazuh/package.json - chdir: /usr/share/kibana - become: yes - become_user: kibana - notify: restart kibana - tags: - - install - - skip_ansible_lint diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index f80e9347..7daf7b1e 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -1,13 +1,5 @@ --- -- name: Stopping early, trying to compile Wazuh Dashboard Plugin on Debian 10 is not possible - fail: - msg: "It's not possible to compile the Wazuh Dashboard plugin on Debian 10 due to: https://github.com/wazuh/wazuh-kibana-app/issues/1924" - when: - - build_from_sources - - ansible_distribution == "Debian" - - ansible_distribution_major_version == "10" - - import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' 
@@ -45,39 +37,6 @@ group: wazuh-dashboard recurse: yes -#- name: Build and Install Wazuh Kibana Plugin from sources -# import_tasks: build_wazuh_plugin.yml -# when: -# - build_from_sources is defined -# - build_from_sources - -#- name: Install Wazuh Plugin (can take a while) -# shell: >- -# NODE_OPTIONS="{{ node_options }}" /usr/share/kibana/bin/kibana-plugin install -# {{ wazuh_app_url }}-{{ wazuh_version }}_{{ elastic_stack_version }}-1.zip -# args: -# executable: /bin/bash -# creates: /usr/share/kibana/plugins/wazuh/package.json -# chdir: /usr/share/kibana -# become: yes -# become_user: kibana -# notify: restart kibana -# tags: -# - install -# - skip_ansible_lint -# when: -# - not build_from_sources - -#- name: Kibana optimization (can take a while) -# shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli/cli.js --optimize -c {{ dashboard_conf_path }}/kibana.yml -# args: -# executable: /bin/bash -# become: yes -# become_user: kibana -# changed_when: false -# tags: -# - skip_ansible_lint - - name: Wait for Wazuh-Indexer port wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} diff --git a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 deleted file mode 100644 index fb5aaf2e..00000000 --- a/roles/opensearch/wazuh-dashboard/templates/opendistro_kibana.yml.j2 +++ /dev/null 
@@ -1,36 +0,0 @@ -# {{ ansible_managed }} -# Description: -# Default Kibana configuration for Open Distro. -server.port: {{ dashboard_server_port }} - -#server.basePath: "" -server.maxPayloadBytes: {{ kibana_max_payload_bytes }} -server.name: {{ dashboard_server_name }} -server.host: {{ kibana_server_host }} - - -{% if kibana_opendistro_security %} - -elasticsearch.hosts: "https://{{ indexer_network_host }}:{{ indexer_http_port }}" -elasticsearch.username: {{ opendistro_kibana_user }} -elasticsearch.password: {{ dashboard_password }} -server.ssl.enabled: true -server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" -server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" -elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] -elasticsearch.ssl.verificationMode: full - -{% else %} -elasticsearch.hosts: "http://{{ indexer_network_host }}:{{ indexer_http_port }}" -{% endif %} - -elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] -opendistro_security.multitenancy.enabled: true -opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] -opendistro_security.readonly_mode.roles: ["kibana_read_only"] - -newsfeed.enabled: {{ kibana_newsfeed_enabled }} -telemetry.optIn: {{ kibana_telemetry_optin }} -telemetry.enabled: {{ kibana_telemetry_enabled }} - -server.defaultRoute: /app/wazuh?security_tenant=global diff --git a/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 index ee70c2ad..268c3023 100644 --- a/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 @@ -16,7 +16,7 @@ # https://documentation.wazuh.com/current/installation-guide/index.html # # Also, you can check our repository: -# https://github.com/wazuh/wazuh-kibana-app +# https://github.com/wazuh/wazuh-dashboard # # ------------------------------- Index patterns ------------------------------- # 
diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml index 0c72b624..514a8b54 100644 --- a/roles/opensearch/wazuh-indexer/defaults/main.yml +++ b/roles/opensearch/wazuh-indexer/defaults/main.yml @@ -12,23 +12,21 @@ indexer_node_data: true indexer_node_ingest: true indexer_start_timeout: 90 -#elasticsearch_lower_disk_requirements: false indexer_cluster_nodes: - 127.0.0.1 indexer_discovery_nodes: - 127.0.0.1 local_certs_path: "{{ playbook_dir }}/indexer/certificates" -##check if it is the correct directory -# Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster +# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster minimum_master_nodes: 2 -# Configure hostnames for Elasticsearch nodes +# Configure hostnames for Wazuh indexer nodes # Example es1.example.com, es2.example.com domain_name: wazuh.com -# The OpenDistro package repository +# The Wazuh indexer package repository package_repos: yum: indexer: @@ -58,14 +56,11 @@ indexer_custom_user_role: "admin" indexer_jvm_xms: null indexer_http_port: 9700 -## 732 this port changes to 9700 certs_gen_tool_version: 4.3 -## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. -# Url of Search Guard certificates generator tool +# Url of certificates generator tool certs_gen_tool_url: "https://packages-dev.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh" -## 732 will no longer be needed. /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh comes with the package. indexer_admin_password: changeme dashboard_password: changeme diff --git a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml index 270c48db..72e80082 100644 --- a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml 
+++ b/roles/opensearch/wazuh-indexer/tasks/local_actions.yml @@ -18,50 +18,23 @@ state: directory - name: Local action | Check that the generation tool exists - ## 732 will not be needed stat: path: "{{ local_certs_path }}/wazuh-cert-tool.sh" register: tool_package - name: Local action | Download certificates generation tool - ## 732 will not be needed get_url: url: "{{ certs_gen_tool_url }}" dest: "{{ local_certs_path }}/wazuh-cert-tool.sh" - #search-guard-tlstool-{{ certs_gen_tool_version }}.zip" when: not tool_package.stat.exists -# - name: Local action | Extract the certificates generation tool -# ## 732 will not be needed -# unarchive: -# src: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" -# dest: "{{ local_certs_path }}/" - -# - name: Local action | Add the execution bit to the binary -# ## 732 will not be needed -# file: -# dest: "{{ local_certs_path }}/tools/sgtlstool.sh" -# mode: a+x - - name: Local action | Prepare the certificates generation template file -## 732 need to resolve the certificate creation (config.yml) template: src: "templates/config.yml.j2" dest: "{{ local_certs_path }}/config.yml" mode: 0644 register: tlsconfig_template -# - name: Create a directory if it does not exist -# file: -# path: "{{ local_certs_path }}/certs/" -# state: directory -# mode: '0755' - -# - name: Local action | Check if root CA file exists -# stat: -# path: "{{ local_certs_path }}/certs/root-ca.key" -# register: root_ca_file - - name: Local action | Generate the node & admin certificates in local command: >- bash {{ local_certs_path }}/wazuh-cert-tool.sh diff --git a/roles/opensearch/wazuh-indexer/tasks/main.yml b/roles/opensearch/wazuh-indexer/tasks/main.yml index 305dde73..7874fd64 100644 --- a/roles/opensearch/wazuh-indexer/tasks/main.yml +++ b/roles/opensearch/wazuh-indexer/tasks/main.yml 
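Review bot: `get_url` fetches `wazuh-cert-tool.sh` with no `checksum:`, and the task at the end of this hunk then runs it with `bash` to mint the root CA and every node and admin certificate, so the trust root of the whole cluster rests on an unverified download; `certs_gen_tool_url` in this series also points at a `packages-dev` host under a floating `4.3` path. Pin it with `checksum: "sha256:<digest>"` on the `get_url` task and an exact version, or use the copy the removed comments say ships in the indexer package. The `when: not tool_package.stat.exists` skip also means a tampered local copy is never re-fetched, which is another reason to verify the file rather than its mere presence.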
@@ -11,28 +11,25 @@ - import_tasks: Debian.yml when: ansible_os_family == 'Debian' -# - name: Remove performance analyzer plugin from elasticsearch -# ## 732 will not be needed -# become: true -# command: ./elasticsearch-plugin remove opendistro-performance-analyzer -# ignore_errors: true -# args: -# chdir: /usr/share/elasticsearch/bin/ -# register: remove_elasticsearch_performance_analyzer -# failed_when: -# - remove_elasticsearch_performance_analyzer.rc != 0 -# - '"not found" not in remove_elasticsearch_performance_analyzer.stderr' -# changed_when: "remove_elasticsearch_performance_analyzer.rc == 0" + - name: Remove performance analyzer plugin from Wazuh indexer + become: true + command: ./opensearch-plugin remove opensearch-performance-analyzer + ignore_errors: true + args: + chdir: /usr/share/wazuh-indexer/bin/ + register: remove_opensearch_performance_analyzer + failed_when: + - remove_opensearch_performance_analyzer.rc != 0 + - '"not found" not in remove_opensearch_performance_analyzer.stderr' + changed_when: "remove_opensearch_performance_analyzer.rc == 0" - name: Remove Opensearch configuration file - ## 732 will not be needed file: path: "{{ indexer_conf_path }}/opensearch.yml" state: absent tags: install - name: Copy Opensearch Configuration File - ## 732 will not be needed template: src: "templates/opensearch.yml.j2" dest: "{{ indexer_conf_path }}/opensearch.yml" @@ -48,7 +45,6 @@ - name: Configure Wazuh-Indexer JVM memmory. - ## 732 will not be needed and if it is needed the path should be updated. template: src: "templates/jvm.options.j2" dest: "{{ indexer_conf_path }}/jvm.options" @@ -60,7 +56,6 @@ tags: install - name: Configure disabled log4j. - ## 732 will not be needed template: src: "templates/disabledlog4j.options.j2" dest: "{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options" 
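Review bot: `ignore_errors: true` on the re-enabled 'Remove performance analyzer plugin' task makes the `failed_when` beneath it dead: with `ignore_errors` the task can never fail the play, so a genuine failure of `opensearch-plugin remove` (for example a permission error in `/usr/share/wazuh-indexer/bin/`) is printed and ignored instead of stopping the run. Drop the `ignore_errors: true` line and let the existing `failed_when` (`rc != 0` and `"not found" not in stderr`) decide. The `./opensearch-plugin` relative invocation is fine with `chdir`, but an absolute path reads more clearly.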
@@ -92,7 +87,6 @@ with_items: "{{ files_to_delete.files }}" - name: Ensure Wazuh-Indexer started and enabled - ## 732 the service name should be updated service: name: wazuh-indexer enabled: true diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index d999242b..0e995d75 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -1,13 +1,11 @@ -#- name: Remove demo certs -# ## 732 will not be needed -# file: -# path: "{{ item }}" -# state: absent -# with_items: -# - "{{ indexer_conf_path }}/kirk.pem" -# - "{{ indexer_conf_path }}/kirk-key.pem" -# - "{{ indexer_conf_path }}/esnode.pem" -# - "{{ indexer_conf_path }}/esnode-key.pem" +- name: Remove demo certs + file: + path: "{{ item }}" + state: absent + with_items: + - "{{ indexer_conf_path }}/demo-indexer-key.pem" + - "{{ indexer_conf_path }}/demo-indexer.pem" + - name: Configure IP (Private address) set_fact: 
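Review bot: The re-enabled 'Remove demo certs' task deletes only `demo-indexer-key.pem` and `demo-indexer.pem`, whereas the list it replaces also covered the demo admin identity (`kirk.pem`/`kirk-key.pem`); if the package's demo security setup writes a demo admin or demo root CA file into `{{ indexer_conf_path }}`, it stays trusted until `opensearch.yml` is replaced, and a demo admin key is a publicly known credential. Confirm the full set of files the demo installer writes for this package and extend the `with_items` list accordingly, documenting next to it why each entry is there.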
@@ -33,28 +31,9 @@ - root-ca.key - "{{ indexer_node_name }}-key.pem" - "{{ indexer_node_name }}.pem" - #- "{{ indexer_node_name }}_http.key" - #- "{{ indexer_node_name }}_http.pem" - #- "{{ indexer_node_name }}_elasticsearch_config_snippet.yml" - admin-key.pem - admin.pem -#- name: Copy the OpenDistro security configuration file to cluster -# blockinfile: -# block: "{{ lookup('file', snippet_path ) }}" -# dest: "{{ indexer_conf_path }}/elasticsearch.yml" -# insertafter: EOF -# marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" -# vars: -# snippet_path: '{{ local_certs_path }}/certs/{{ indexer_node_name }}_elasticsearch_config_snippet.yml' - -#- name: Prepare the OpenDistro security configuration file -# replace: -# path: "{{ indexer_conf_path }}/elasticsearch.yml" -# regexp: 'searchguard' -# replace: 'opendistro_security' -# tags: local - - name: Restart Wazuh-Indexer with security configuration systemd: name: wazuh-indexer @@ -70,7 +49,7 @@ - name: Hashing the custom admin password command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301 register: indexer_admin_password_hashed - #no_log: '{{ indexer_nolog_sensible | bool }}' + no_log: '{{ indexer_nolog_sensible | bool }}' run_once: true - name: Set the Admin user password diff --git a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 index 918e947e..1de66900 100644 --- a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 +++ b/roles/opensearch/wazuh-indexer/templates/config.yml.j2 @@ -26,7 +26,7 @@ nodes: # Kibana node kibana: -## 732 this will change to dashboards: +## 732 this will change to dashboard: {% for (key,value) in instances.items() %} {% if (value.role is defined and value.role == 'dashboard') %} name: {{ value.name }} 
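Review bot: The certificate copy list in this hunk still includes `root-ca.key`, so the cluster CA's private key is pushed to every indexer node, where a compromise of any one node lets an attacker mint valid node or admin certificates for the whole cluster. Nodes need `root-ca.pem` to validate peers plus their own node cert and key, and `admin.pem`/`admin-key.pem` only where `securityadmin` runs; remove `- root-ca.key` from the list and keep the key on the controller. If something later in the role does consume the CA key on the node, document that next to the item. The copy task itself begins outside this hunk.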
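Review bot: Restoring `no_log` here is right, but `hash.sh -p {{ indexer_admin_password }}` still places the clear-text admin password in the process argv, visible to any local user via `ps` or `/proc/<pid>/cmdline` while it runs, and the `kibanaserver` hash registered a few lines further down has the same shape. If the shipped `hash.sh` accepts the password on stdin or from an environment variable, pass it that way (e.g. `command: "{{ indexer_sec_plugin_tools_path }}/hash.sh"` with `args: { stdin: "{{ indexer_admin_password }}" }`); otherwise record the exposure in a comment beside the task.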
diff --git a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 deleted file mode 100644 index ae40f4b5..00000000 --- a/roles/opensearch/wazuh-indexer/templates/elasticsearch.yml.j2 +++ /dev/null @@ -1,44 +0,0 @@ -cluster.name: {{ opendistro_cluster_name }} -node.name: {{ elasticsearch_node_name }} -path.data: /var/lib/elasticsearch -path.logs: /var/log/elasticsearch -network.host: {{ elasticsearch_network_host }} - -node.master: {{ indexer_node_master|lower }} - -{% if single_node == true %} -discovery.type: single-node -{% else %} -cluster.initial_master_nodes: -{% for item in elasticsearch_cluster_nodes %} - - {{ item }} -{% endfor %} - -discovery.seed_hosts: -{% for item in elasticsearch_discovery_nodes %} - - {{ item }} -{% endfor %} -{% endif %} - -{% if indexer_node_data|lower == 'false' %} -node.data: false -{% endif %} - -{% if indexer_node_ingest|lower == 'false' %} -node.ingest: false -{% endif %} - - -{% if elasticsearch_lower_disk_requirements %} -cluster.routing.allocation.disk.threshold_enabled: true -cluster.routing.allocation.disk.watermark.flood_stage: 200mb -cluster.routing.allocation.disk.watermark.low: 500mb -cluster.routing.allocation.disk.watermark.high: 300mb -{% endif %} - -discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" -opendistro_security.allow_default_init_securityindex: true -opendistro_security.audit.type: internal_elasticsearch -opendistro_security.enable_snapshot_restore_privilege: true -opendistro_security.check_snapshot_restore_write_privileges: true -opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 index 1d3de5b7..68119527 100644 --- a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 +++ b/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 
@@ -11,8 +11,6 @@ ## -Xms4g ## -Xmx4g ## -## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html -## for more information ## ################################################################ From e51e893556f16002f4bf8dac57f0b3e827de9d3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Thu, 17 Feb 2022 08:22:57 -0300 Subject: [PATCH 13/41] Indexer securityadmin task updated --- roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml index 0e995d75..9bc0016e 100644 --- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml +++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml @@ -93,7 +93,9 @@ -key {{ indexer_conf_path }}/certs/admin-key.pem -h {{ target_address }} retries: 2 - delay: 5 # noqa 301 + delay: 5 + register: result + until: result.rc == 0 - name: Create custom user uri: From 35a14f356911aa99a36447fbb9098811ffe7fb49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Thu, 17 Feb 2022 11:36:28 -0300 Subject: [PATCH 14/41] Dashboard username and password removed from yml --- roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 index 6f29aa87..a28aa9d3 100644 --- a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 +++ b/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 
@@ -5,8 +5,6 @@ opensearch.hosts: - https://{{ item }}:{{ indexer_http_port }} {% endfor %} opensearch.ssl.verificationMode: certificate -opensearch.username: {{ dashboard_user }} -opensearch.password: {{ dashboard_password }} opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] opensearch_security.multitenancy.enabled: true opensearch_security.readonly_mode.roles: ["kibana_read_only"] From 8499c6b94190776d39509a56d2cc145bcf4c1c98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Fri, 18 Feb 2022 09:07:47 -0300 Subject: [PATCH 15/41] Playbooks updated --- playbooks/wazuh-manager-oss.yml | 6 +- ...ana.yml => wazuh-opensearch-dashboard.yml} | 2 +- ... => wazuh-opensearch-production-ready.yml} | 142 ++++++++++-------- ...single.yml => wazuh-opensearch-single.yml} | 6 +- ...uh-opendistro.yml => wazuh-opensearch.yml} | 5 +- 5 files changed, 94 insertions(+), 67 deletions(-) rename playbooks/{wazuh-opendistro-kibana.yml => wazuh-opensearch-dashboard.yml} (90%) rename playbooks/{wazuh-odfe-production-ready.yml => wazuh-opensearch-production-ready.yml} (52%) rename playbooks/{wazuh-odfe-single.yml => wazuh-opensearch-single.yml} (76%) rename playbooks/{wazuh-opendistro.yml => wazuh-opensearch.yml} (79%) diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml index d28b8736..9e9c4cba 100644 --- a/playbooks/wazuh-manager-oss.yml +++ b/playbooks/wazuh-manager-oss.yml @@ -4,6 +4,6 @@ - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss filebeat_output_indexer_hosts: - - ":9200" - - ":9200" - - ":9200" + - ":9200" + - ":9200" + - ":9200" diff --git a/playbooks/wazuh-opendistro-kibana.yml b/playbooks/wazuh-opensearch-dashboard.yml similarity index 90% rename from playbooks/wazuh-opendistro-kibana.yml rename to playbooks/wazuh-opensearch-dashboard.yml index 2a762639..2abc311f 100644 --- a/playbooks/wazuh-opendistro-kibana.yml +++ b/playbooks/wazuh-opensearch-dashboard.yml 
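Review bot: Removing `opensearch.username` together with `opensearch.password` leaves the dashboard without a username unless it is also stored in the keystore, and the keystore task in this series only adds `opensearch.password`. Either keep `opensearch.username: {{ dashboard_user }}` in `dashboard.yml.j2` (it is not secret) or add a second keystore `add` for `opensearch.username`. Separately, `opensearch.ssl.verificationMode: certificate` in the context skips hostname verification; `full` is the safer setting once the node certificates carry the right SANs. The template continues beyond this hunk.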
@@ -1,5 +1,5 @@
 ---
-- hosts: es1
+- hosts: wi1
 roles:
 - role: ../roles/opensearch/wazuh-dashboard
 vars:
diff --git a/playbooks/wazuh-odfe-production-ready.yml b/playbooks/wazuh-opensearch-production-ready.yml
similarity index 52%
rename from playbooks/wazuh-odfe-production-ready.yml
rename to playbooks/wazuh-opensearch-production-ready.yml
index 1068cbdc..76d8ab14 100644
--- a/playbooks/wazuh-odfe-production-ready.yml
+++ b/playbooks/wazuh-opensearch-production-ready.yml
@@ -1,81 +1,97 @@ --- # Certificates generation - - hosts: es1 + - hosts: wi1 roles: - role: ../roles/opensearch/wazuh-indexer - elasticsearch_network_host: "{{ private_ip }}" - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + indexer_network_host: "{{ private_ip }}" + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" perform_installation: false become: yes become_user: root vars: - elasticsearch_node_master: true + indexer_node_master: true instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard tags: - generate-certs #ODFE Cluster - - hosts: odfe_cluster + - hosts: wi_cluster strategy: free roles: - role: ../roles/opensearch/wazuh-indexer - elasticsearch_network_host: "{{ private_ip }}" + indexer_network_host: "{{ private_ip }}" become: yes become_user: root vars: - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_node_master: true + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_node_master: true instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard #Wazuh cluster - hosts: manager @@ -106,9 +122,9 @@ - username: custom-user password: .S3cur3Pa55w0rd*- filebeat_output_indexer_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" - hosts: worker roles: 
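Review bot: The `filebeat_output_indexer_hosts` rename in this hunk sits directly under a plaintext API credential, `password: .S3cur3Pa55w0rd*-`, that the renamed playbook still carries and that recurs in the dashboard play of the same file; these playbooks are shipped as templates, so the same password lands on every deployment that copies them. Reference it from a vaulted or environment-sourced variable instead, e.g. `password: "{{ lookup('env', 'WAZUH_API_PASSWORD') }}"`, and leave a placeholder that fails loudly when unset. The manager play this hunk belongs to begins outside the visible lines.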
@@ -135,32 +151,32 @@ - "{{ hostvars.manager.private_ip }}" hidden: 'no' filebeat_output_indexer_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" - #ODFE+Kibana node - - hosts: kibana + #Indexer+Dashboard node + - hosts: dashboard roles: - role: "../roles/opensearch/wazuh-indexer" - role: "../roles/opensearch/wazuh-dashboard" become: yes become_user: root vars: - elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" - elasticsearch_node_name: node-6 - elasticsearch_node_master: false - elasticsearch_node_ingest: false - elasticsearch_node_data: false - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - kibana_node_name: node-6 + indexer_network_host: "{{ hostvars.dashboard.private_ip }}" + indexer_node_name: node-6 + indexer_node_master: false + indexer_node_ingest: false + indexer_node_data: false + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + dashboard_node_name: node-6 wazuh_api_credentials: - id: default url: https://{{ hostvars.manager.private_ip }} 
@@ -169,21 +185,29 @@ password: .S3cur3Pa55w0rd*- instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-odfe-single.yml b/playbooks/wazuh-opensearch-single.yml similarity index 76% rename from playbooks/wazuh-odfe-single.yml rename to playbooks/wazuh-opensearch-single.yml index 9249fc20..c89f4990 100644 --- a/playbooks/wazuh-odfe-single.yml +++ b/playbooks/wazuh-opensearch-single.yml @@ -11,12 +11,12 @@ vars: single_node: true minimum_master_nodes: 1 - elasticsearch_node_master: true - elasticsearch_network_host: 127.0.0.1 + indexer_node_master: true + indexer_network_host: 127.0.0.1 filebeat_node_name: node-1 filebeat_output_indexer_hosts: 127.0.0.1 instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. + name: node-1 # Important: must be equal to indexer_node_name. ip: 127.0.0.1 ansible_shell_allow_world_readable_temp: true 
diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opensearch.yml similarity index 79% rename from playbooks/wazuh-opendistro.yml rename to playbooks/wazuh-opensearch.yml index 8de1c16c..c6839efa 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opensearch.yml @@ -1,5 +1,5 @@ --- -- hosts: es_cluster +- hosts: wi_cluster roles: - role: ../roles/opensearch/wazuh-indexer @@ -8,10 +8,13 @@ node1: name: node-1 ip: + role: indexer node2: name: node-2 ip: + role: indexer node3: name: node-3 ip: + role: indexer From 78ff9920aa794a105c91b39f756a61d603d5af51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Fri, 18 Feb 2022 14:14:23 -0300 Subject: [PATCH 16/41] Single node deployment update --- README.md | 64 ++++++++++++------- playbooks/wazuh-opensearch-single.yml | 22 ++++++- .../wazuh-dashboard/defaults/main.yml | 4 +- .../wazuh-dashboard/tasks/Debian.yml | 1 + .../wazuh-dashboard/tasks/RedHat.yml | 1 + .../opensearch/wazuh-dashboard/tasks/main.yml | 2 +- .../wazuh-indexer/tasks/RMRedHat.yml | 1 - 7 files changed, 66 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index db7ac89f..172f8524 100644 --- a/README.md +++ b/README.md 
@@ -304,35 +304,51 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing ```yaml --- +# Certificates generation + - hosts: aio + roles: + - role: ../roles/opensearch/wazuh-indexer + perform_installation: false + become: no + #become_user: root + vars: + indexer_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: 127.0.0.1 + role: indexer + tags: + - generate-certs # Single node - - hosts: server - become: yes - become_user: root - roles: - - role: ../roles/opendistro/opendistro-elasticsearch - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - - role: "../roles/opendistro/opendistro-kibana" - vars: - single_node: true - minimum_master_nodes: 1 - elasticsearch_node_master: true - elasticsearch_network_host: - filebeat_node_name: node-1 - filebeat_output_indexer_hosts: - ansible_ssh_user: vagrant - ansible_ssh_private_key_file: /path/to/ssh/key.pem - ansible_ssh_extra_args: '-o StrictHostKeyChecking=no' - instances: - node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: + - hosts: aio + become: yes + become_user: root + roles: + - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + - role: ../roles/opensearch/wazuh-dashboard + vars: + single_node: true + minimum_master_nodes: 1 + indexer_node_master: true + indexer_network_host: 127.0.0.1 + filebeat_node_name: node-1 + filebeat_output_indexer_hosts: + - 127.0.0.1 + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: 127.0.0.1 + role: indexer + ansible_shell_allow_world_readable_temp: true ``` ### Inventory file ```ini -[server] +[aio] [all:vars] 
@@ -344,7 +360,7 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ### Launching the playbook ```bash -ansible-playbook wazuh-odfe-single.yml -i inventory +sudo ansible-playbook wazuh-opensearch-single.yml -i inventory ``` After the playbook execution, the Wazuh UI should be reachable through `https://:5601` diff --git a/playbooks/wazuh-opensearch-single.yml b/playbooks/wazuh-opensearch-single.yml index c89f4990..10e36107 100644 --- a/playbooks/wazuh-opensearch-single.yml +++ b/playbooks/wazuh-opensearch-single.yml @@ -1,6 +1,22 @@ --- +# Certificates generation + - hosts: aio + roles: + - role: ../roles/opensearch/wazuh-indexer + perform_installation: false + become: no + #become_user: root + vars: + indexer_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: 127.0.0.1 + role: indexer + tags: + - generate-certs # Single node - - hosts: + - hosts: aio become: yes become_user: root roles: @@ -14,9 +30,11 @@ indexer_node_master: true indexer_network_host: 127.0.0.1 filebeat_node_name: node-1 - filebeat_output_indexer_hosts: 127.0.0.1 + filebeat_output_indexer_hosts: + - 127.0.0.1 instances: node1: name: node-1 # Important: must be equal to indexer_node_name. ip: 127.0.0.1 + role: indexer ansible_shell_allow_world_readable_temp: true diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml index 4bf534f0..2f6c46f3 100644 --- a/roles/opensearch/wazuh-dashboard/defaults/main.yml +++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml @@ -9,7 +9,9 @@ dashboard_server_host: "0.0.0.0" dashboard_server_port: "5601" dashboard_server_name: "dashboard" wazuh_version: 4.3.0 - +indexer_cluster_nodes: + - 127.0.0.1 + # The Wazuh dashboard package repository dashboard_version: "4.3.0" diff --git a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml index 5ff2b2be..9cee7937 100644 
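Review bot: The new certificate-generation play in wazuh-opensearch-single.yml keeps a commented-out `#become_user: root` directly under `become: no`; a dead privilege-escalation setting left in a playbook invites someone to re-enable it without knowing why it was turned off, so either delete the line or replace it with a comment stating that certificate generation deliberately runs as the connecting user. The same play also declares an `instances` mapping that the install play in the second hunk declares again with identical content; defining it once at group level (for example in `group_vars/aio`) keeps the two copies from drifting, since the certificate names must match the node names used at install time. The install play continues past the hunk.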
--- a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/Debian.yml @@ -17,6 +17,7 @@ apt: name: "wazuh-dashboard={{ dashboard_version }}-1" state: present + update_cache: yes register: install tags: diff --git a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml index a6db8256..c10fab59 100644 --- a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml @@ -14,6 +14,7 @@ package: name: "wazuh-dashboard-{{ dashboard_version }}" state: present + update_cache: yes register: install tags: diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index 7daf7b1e..f166ef4f 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml @@ -72,7 +72,7 @@ mode: 0751 changed_when: False -- name: Configure opensearch.password in opensearch.keystore +- name: Configure opensearch.password in opensearch_dashboards.keystore shell: >- echo {{ dashboard_password }} | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password args: diff --git a/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml index c0c769d3..d76bd148 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml @@ -1,6 +1,5 @@ --- - name: RedHat/CentOS/Fedora | Remove Wazuh-Indexer repository (and clean up left-over metadata) - ## 732 will not be needed and if it is needed the wazuh repo should be removed. yum_repository: name: wazuh_repo state: absent From f531fa272823d18b92da811e8e2b867d596615ef Mon Sep 17 00:00:00 2001 
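Review bot: `update_cache: yes` in the Debian.yml hunk (and the identical addition in the RedHat.yml hunk of the same commit) uses a YAML 1.1 truthy literal where the rest of this series writes `true`/`false`; `update_cache: true` reads the same under every parser and keeps yamllint's `truthy` rule quiet. In the RedHat task the flag is passed to the generic `package` module, so whether it reaches the yum/dnf backend depends on the action plugin forwarding unknown arguments; if that is not guaranteed for the supported Ansible versions, call the `yum`/`dnf` module directly as the Debian task does with `apt`.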
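Review bot: The renamed keystore task still interpolates `{{ dashboard_password }}` unquoted into a shell pipeline, so a password containing a space, `$`, `;`, `|` or a quote character either breaks the command or is reinterpreted by the shell before it reaches the keystore; quote it as `echo {{ dashboard_password | quote }} | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password`. The task body continues past the hunk, so I cannot see whether it sets `no_log: true`; without it the rendered command, password included, is printed in the task result on verbose runs and by any logging callback.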
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Mon, 21 Feb 2022 09:41:22 -0300 Subject: [PATCH 17/41] Update README and deployment playbooks --- README.md | 195 ++++++++++-------- .../wazuh-opensearch-production-ready.yml | 5 +- .../files/create_user.py | 75 ++++--- .../ansible-wazuh-manager/tasks/Debian.yml | 2 +- 4 files changed, 157 insertions(+), 120 deletions(-) diff --git a/README.md b/README.md index 172f8524..0e5896ff 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com) [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com) -These playbooks install and configure Wazuh agent, manager and Elastic Stack. +These playbooks install and configure Wazuh agent, manager and indexer and dashboard. ## Branches * `master` branch contains the latest code, be aware of possible bugs on this branch. @@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. | Wazuh version | Elastic | ODFE | |---------------|---------|--------| -| v4.3.0 | 7.10.2 | 1.13.2 | +| v4.3.0 | | 1.13.2 | | v4.2.5 | 7.10.2 | 1.13.2 | | v4.2.4 | 7.10.2 | 1.13.2 | | v4.2.3 | 7.10.2 | 1.13.2 | @@ -41,9 +41,9 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ │ ├── ansible-elasticsearch │ │ │ ├── ansible-kibana │ │ - │ │ ├── opendistro - │ │ │ ├── opendistro-elasticsearch - │ │ │ ├── opendistro-kibana + │ │ ├── opensearch + │ │ │ ├── wazuh-dashboard + │ │ │ ├── wazuh-indexer │ │ │ │ ├── wazuh │ │ │ ├── ansible-filebeat 
@@ -60,10 +60,12 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack. │ │ ├── wazuh-elastic_stack-distributed.yml │ │ ├── wazuh-elastic_stack-single.yml │ │ ├── wazuh-kibana.yml - │ │ ├── wazuh-manager.yml │ │ ├── wazuh-manager-oss.yml - │ │ ├── wazuh-opendistro.yml - │ │ ├── wazuh-opendistro-kibana.yml + │ │ ├── wazuh-manager.yml + │ │ ├── wazuh-opensearch-dashboard.yml + | | ├── wazuh-opensearch-production-ready + │ │ ├── wazuh-opensearch-single.yml + │ │ ├── wazuh-opensearch.yml │ │ ├── README.md │ ├── VERSION 
@@ -78,82 +80,97 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod ```yaml --- # Certificates generation - - hosts: es1 + - hosts: wi1 roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + - role: ../roles/opensearch/wazuh-indexer + indexer_network_host: "{{ private_ip }}" + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" perform_installation: false - become: yes - become_user: root + become: no vars: - elasticsearch_node_master: true + indexer_node_master: true instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard tags: - generate-certs -#ODFE Cluster - - hosts: odfe_cluster +#Wazuh Indexer Cluster + - hosts: wi_cluster strategy: free roles: - - role: ../roles/opendistro/opendistro-elasticsearch - elasticsearch_network_host: "{{ private_ip }}" + - role: ../roles/opensearch/wazuh-indexer + indexer_network_host: "{{ private_ip }}" become: yes become_user: root vars: - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_node_master: true + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_node_master: true instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. - ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard #Wazuh cluster - hosts: manager @@ -180,10 +197,13 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod nodes: - "{{ hostvars.manager.private_ip }}" hidden: 'no' + wazuh_api_users: + - username: custom-user + password: .S3cur3Pa55w0rd*- filebeat_output_indexer_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" - hosts: worker roles: 
@@ -210,57 +230,66 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod - "{{ hostvars.manager.private_ip }}" hidden: 'no' filebeat_output_indexer_hosts: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" - #ODFE+Kibana node - - hosts: kibana + #Indexer+Dashboard node + - hosts: dashboard roles: - - role: "../roles/opendistro/opendistro-elasticsearch" - - role: "../roles/opendistro/opendistro-kibana" + - role: "../roles/opensearch/wazuh-indexer" + - role: "../roles/opensearch/wazuh-dashboard" become: yes become_user: root vars: - elasticsearch_network_host: "{{ hostvars.kibana.private_ip }}" - elasticsearch_node_name: node-6 - elasticsearch_node_master: false - elasticsearch_node_ingest: false - elasticsearch_node_data: false - elasticsearch_cluster_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - elasticsearch_discovery_nodes: - - "{{ hostvars.es1.private_ip }}" - - "{{ hostvars.es2.private_ip }}" - - "{{ hostvars.es3.private_ip }}" - kibana_node_name: node-6 + indexer_network_host: "{{ hostvars.dashboard.private_ip }}" + indexer_node_name: node-6 + indexer_node_master: false + indexer_node_ingest: false + indexer_node_data: false + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + dashboard_node_name: node-6 wazuh_api_credentials: - id: default url: https://{{ hostvars.manager.private_ip }} port: 55000 - user: foo - password: bar + username: custom-user + password: .S3cur3Pa55w0rd*- instances: node1: - name: node-1 # Important: must be equal to elasticsearch_node_name. 
- ip: "{{ hostvars.es1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + role: indexer node2: name: node-2 - ip: "{{ hostvars.es2.private_ip }}" + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer node3: name: node-3 - ip: "{{ hostvars.es3.private_ip }}" + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer node4: name: node-4 ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master node5: name: node-5 ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker node6: name: node-6 - ip: "{{ hostvars.kibana.private_ip }}" + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard + ansible_shell_allow_world_readable_temp: true ``` ### Inventory file @@ -271,17 +300,17 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod - The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. ```ini -es1 ansible_host= private_ip= elasticsearch_node_name=node-1 -es2 ansible_host= private_ip= elasticsearch_node_name=node-2 -es3 ansible_host= private_ip= elasticsearch_node_name=node-3 +wi1 ansible_host= private_ip= elasticsearch_node_name=node-1 +wi2 ansible_host= private_ip= elasticsearch_node_name=node-2 +wi3 ansible_host= private_ip= elasticsearch_node_name=node-3 kibana ansible_host= private_ip= manager ansible_host= private_ip= worker ansible_host= private_ip= -[odfe_cluster] -es1 -es2 -es3 +[wi_cluster] +wi1 +wi2 +wi3 [all:vars] ansible_ssh_user=vagrant diff --git a/playbooks/wazuh-opensearch-production-ready.yml b/playbooks/wazuh-opensearch-production-ready.yml index 76d8ab14..c23d9ff4 100644 --- a/playbooks/wazuh-opensearch-production-ready.yml 
+++ b/playbooks/wazuh-opensearch-production-ready.yml @@ -13,8 +13,7 @@ - "{{ hostvars.wi2.private_ip }}" - "{{ hostvars.wi3.private_ip }}" perform_installation: false - become: yes - become_user: root + become: no vars: indexer_node_master: true instances: @@ -47,7 +46,7 @@ tags: - generate-certs -#ODFE Cluster +#Wazuh Indexer Cluster - hosts: wi_cluster strategy: free roles: diff --git a/roles/wazuh/ansible-wazuh-manager/files/create_user.py b/roles/wazuh/ansible-wazuh-manager/files/create_user.py index 6bb966fa..5ecb88e2 100644 --- a/roles/wazuh/ansible-wazuh-manager/files/create_user.py +++ b/roles/wazuh/ansible-wazuh-manager/files/create_user.py @@ -3,13 +3,17 @@ import sys import json import random import string -import argparse import os # Set framework path -sys.path.append("/var/ossec/framework") +sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework") + +USER_FILE_PATH = "/var/ossec/api/configuration/admin.json" +SPECIAL_CHARS = "@$!%*?&-_" + try: + from wazuh.rbac.orm import create_rbac_db from wazuh.security import ( create_user, get_users, @@ -22,6 +26,12 @@ except Exception as e: sys.exit(1) +def read_user_file(path=USER_FILE_PATH): + with open(path) as user_file: + data = json.load(user_file) + return data["username"], data["password"] + + def db_users(): users_result = get_users() return {user["username"]: user["id"] for user in users_result.affected_items} 
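Review bot: `sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")` in the first create_user.py hunk makes the import location depend on where the script is executed from; the patch-20 task runs it through Ansible's `script` module, which (as far as I can tell) copies the file to a remote temp directory before executing it, so `../framework` relative to `sys.argv[0]` may not resolve to `/var/ossec/framework` and the `from wazuh.security import ...` block would fail. Keeping the previous absolute path as a fallback, `sys.path.append("/var/ossec/framework")` after the relative one, covers both invocation styles. `read_user_file` in the second hunk returns the clear-text credentials from `USER_FILE_PATH` but nothing in the visible code removes that file afterwards; a short comment stating who is expected to clean it up, or a removal step in the playbook, would make the lifetime of the secret explicit.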
@@ -31,15 +41,35 @@ def db_roles(): roles_result = get_roles() return {role["name"]: role["id"] for role in roles_result.affected_items} +def disable_user(uid): + random_pass = "".join( + random.choices( + string.ascii_uppercase + + string.ascii_lowercase + + string.digits + + SPECIAL_CHARS, + k=8, + ) + ) + # assure there must be at least one character from each group + random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]]) + random_pass = ''.join(random.sample(random_pass,len(random_pass))) + update_user( + user_id=[ + str(uid), + ], + password=random_pass, + ) + if __name__ == "__main__": - parser = argparse.ArgumentParser(description='add_user script') - parser.add_argument('--username', action="store", dest="username") - parser.add_argument('--password', action="store", dest="password") - results = parser.parse_args() + if not os.path.exists(USER_FILE_PATH): + # abort if no user file detected + sys.exit(0) + username, password = read_user_file() - username = results.username - password = results.password + # create RBAC database + create_rbac_db() initial_users = db_users() if username not in initial_users: @@ -66,28 +96,7 @@ if __name__ == "__main__": ], password=password, ) - # set a random password for all other users - for name, id in initial_users.items(): - if name != username: - specials = "@$!%*?&-_" - random_pass = "".join( - [ - random.choice(string.ascii_uppercase), - random.choice(string.ascii_lowercase), - random.choice(string.digits), - random.choice(specials), - ] + - random.choices( - string.ascii_uppercase - + string.ascii_lowercase - + string.digits - + specials, - k=14, - ) - ) - update_user( - user_id=[ - str(id), - ], - password=random_pass, - ) + # disable unused default users + for def_user in ['wazuh', 'wazuh-wui']: + if def_user != username: + disable_user(initial_users[def_user]) \ No newline at end of file 
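Review bot: `disable_user` builds the replacement password with the `random` module, a Mersenne Twister PRNG that is not suitable for secrets; since the purpose of this password is to lock the default accounts, it should come from the OS CSPRNG: add `rng = secrets.SystemRandom()` at the top of the function and replace `random.choices`, `random.choice` and `random.sample` with `rng.choices`, `rng.choice` and `rng.sample` (the `import secrets` belongs in the import block, which is outside this hunk). In the `__main__` branch, `sys.exit(0)` when `USER_FILE_PATH` is missing reports success to Ansible although no user was configured; exiting non-zero, or at least printing a message, would make a missing `admin.json` visible instead of silently skipping the whole step.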
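Review bot: The new loop indexes `initial_users[def_user]` directly, which raises `KeyError` and aborts the script when one of `wazuh` or `wazuh-wui` is not present in the RBAC database (for example on a re-run after it was removed); `uid = initial_users.get(def_user)` followed by `if uid is not None: disable_user(uid)` keeps the run going. The file also still ends without a trailing newline.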
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml index 717add8c..eec63592 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml @@ -16,7 +16,7 @@ become: true shell: | set -o pipefail - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - args: warn: false executable: /bin/bash From 769d28edf49a997ca7c1128f78435fc51783fb8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Mon, 21 Feb 2022 13:55:04 -0300 Subject: [PATCH 18/41] Playbook and readme updated --- README.md | 26 +++++++++---------- .../wazuh-opensearch-production-ready.yml | 8 +++--- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 0e5896ff..d4e8180f 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb | Wazuh version | Elastic | ODFE | |---------------|---------|--------| -| v4.3.0 | | 1.13.2 | +| v4.3.0 | | | | v4.2.5 | 7.10.2 | 1.13.2 | | v4.2.4 | 7.10.2 | 1.13.2 | | v4.2.3 | 7.10.2 | 1.13.2 | @@ -75,7 +75,7 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb ## Example: production-ready distributed environment ### Playbook -The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 ODFE nodes and a mixed ODFE-Kibana node. +The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh Indexer nodes and a mixed Wazuh dashboard node. ```yaml --- 
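Review bot: The repository signing key is now fetched from `packages-dev.wazuh.com`, a pre-release host, with the URL hard-coded in the task, so the manager role trusts the development key on every deployment and switching back for a release means editing the task; the indexer role already takes its key from `package_repos.apt.indexer.gpg` (visible in the patch-19 Debian.yml hunk) and this task should follow the same pattern. `curl -s` without `-f` exits 0 on an HTTP error, so an error page would be piped into `apt-key add -` and fail with an unrelated message; `curl -sf https://... | apt-key add -` makes the download failure itself the error, and `set -o pipefail` in the context already propagates it.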
@@ -199,7 +199,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod hidden: 'no' wazuh_api_users: - username: custom-user - password: .S3cur3Pa55w0rd*- + password: SecretPassword! filebeat_output_indexer_hosts: - "{{ hostvars.wi1.private_ip }}" - "{{ hostvars.wi2.private_ip }}" @@ -261,10 +261,10 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod url: https://{{ hostvars.manager.private_ip }} port: 55000 username: custom-user - password: .S3cur3Pa55w0rd*- + password: SecretPassword! instances: node1: - name: node-1 # Important: must be equal to indexer_node_name. + name: node-1 ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. role: indexer node2: @@ -289,7 +289,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod name: node-6 ip: "{{ hostvars.dashboard.private_ip }}" role: dashboard - ansible_shell_allow_world_readable_temp: true + ansible_shell_allow_world_readable_temp: true ``` ### Inventory file @@ -300,10 +300,10 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod - The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. ```ini -wi1 ansible_host= private_ip= elasticsearch_node_name=node-1 -wi2 ansible_host= private_ip= elasticsearch_node_name=node-2 -wi3 ansible_host= private_ip= elasticsearch_node_name=node-3 -kibana ansible_host= private_ip= +wi1 ansible_host= private_ip= indexer_node_name=node-1 +wi2 ansible_host= private_ip= indexer_node_name=node-2 +wi3 ansible_host= private_ip= indexer_node_name=node-3 +dashboard ansible_host= private_ip= manager ansible_host= private_ip= worker ansible_host= private_ip= 
@@ -321,15 +321,15 @@ ansible_ssh_extra_args='-o StrictHostKeyChecking=no' ### Launching the playbook ```bash -ansible-playbook wazuh-odfe-production-ready.yml -i inventory +sudo ansible-playbook wazuh-opensearch-production-ready.yml -i inventory ``` -After the playbook execution, the Wazuh UI should be reachable through `https://:5601` +After the playbook execution, the Wazuh UI should be reachable through `https://:5601` ## Example: single-host environment ### Playbook -The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and ODFE components in a single node. +The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and Opensearch components in a single node. ```yaml --- diff --git a/playbooks/wazuh-opensearch-production-ready.yml b/playbooks/wazuh-opensearch-production-ready.yml index c23d9ff4..f8542096 100644 --- a/playbooks/wazuh-opensearch-production-ready.yml +++ b/playbooks/wazuh-opensearch-production-ready.yml @@ -119,7 +119,7 @@ hidden: 'no' wazuh_api_users: - username: custom-user - password: .S3cur3Pa55w0rd*- + password: SecretPassword! filebeat_output_indexer_hosts: - "{{ hostvars.wi1.private_ip }}" - "{{ hostvars.wi2.private_ip }}" @@ -181,10 +181,10 @@ url: https://{{ hostvars.manager.private_ip }} port: 55000 username: custom-user - password: .S3cur3Pa55w0rd*- + password: SecretPassword! instances: node1: - name: node-1 # Important: must be equal to indexer_node_name. + name: node-1 ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. role: indexer node2: @@ -209,4 +209,4 @@ name: node-6 ip: "{{ hostvars.dashboard.private_ip }}" role: dashboard - ansible_shell_allow_world_readable_temp: true + ansible_shell_allow_world_readable_temp: true 
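Review bot: The new password literal `SecretPassword!` is written twice in wazuh-opensearch-production-ready.yml, under `wazuh_api_users` in this hunk and under `wazuh_api_credentials` in the dashboard play (hunk at -181), and both must stay identical because they describe the same `custom-user` account; defining it once, e.g. `wazuh_api_password: ...` in a shared vars block and `password: "{{ wazuh_api_password }}"` in both places, removes the drift risk. A clear-text API password in a deployable playbook is also better kept as an Ansible Vault value (`!vault`) or injected from a lookup than committed as a literal.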
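Review bot: The last production-ready hunk only re-indents `ansible_shell_allow_world_readable_temp: true`; if, as it appears, that moves the key from inside the `instances` mapping up to the play's `vars`, the setting becomes effective for the dashboard play, and it is worth a comment because it relaxes the permissions of Ansible's remote temp directory. That option exists for becoming an unprivileged user; this play uses `become_user: root`, so it is presumably unnecessary here, and a comment such as `# needed only when becoming a non-root user; drop if not required` (or removing the key) would document the intent.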
From 1f8dcbd38462af2249d3770818922bf2d7ca8289 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Mon, 21 Feb 2022 14:40:06 -0300 Subject: [PATCH 19/41] Comments removed --- roles/opensearch/wazuh-indexer/handlers/main.yml | 1 - roles/opensearch/wazuh-indexer/tasks/Debian.yml | 3 --- roles/opensearch/wazuh-indexer/tasks/RedHat.yml | 4 ---- 3 files changed, 8 deletions(-) diff --git a/roles/opensearch/wazuh-indexer/handlers/main.yml b/roles/opensearch/wazuh-indexer/handlers/main.yml index ceb73dfe..0c463d0e 100644 --- a/roles/opensearch/wazuh-indexer/handlers/main.yml +++ b/roles/opensearch/wazuh-indexer/handlers/main.yml @@ -3,4 +3,3 @@ service: name: wazuh-indexer state: restarted -## 732 the name of the service changes to wazuh-indexer \ No newline at end of file diff --git a/roles/opensearch/wazuh-indexer/tasks/Debian.yml b/roles/opensearch/wazuh-indexer/tasks/Debian.yml index e29db550..c640be34 100644 --- a/roles/opensearch/wazuh-indexer/tasks/Debian.yml +++ b/roles/opensearch/wazuh-indexer/tasks/Debian.yml @@ -10,7 +10,6 @@ block: - name: Install Wazuh-Indexer dependencies - ## 732 change task name apt: name: [ 'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common @@ -30,7 +29,6 @@ filename: 'wazuh-openjdk' - name: Install openjdk-11-jdk -## 732 will not be needed as indexer comes with the jdk. apt: name: openjdk-11-jdk state: present @@ -39,7 +37,6 @@ - name: Add Wazuh-Indexer repository block: - ## 732 the wazuh repo should be added instead - name: Add apt repository signing key apt_key: url: "{{ package_repos.apt.indexer.gpg }}" diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml index 317aa007..4aa31848 100644 --- a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml +++ b/roles/opensearch/wazuh-indexer/tasks/RedHat.yml 
@@ -2,7 +2,6 @@ - block: - name: RedHat/CentOS/Fedora | Add Wazuh-Indexer repo - ## 732 wazuh repo should be added instead. yum_repository: file: wazuh name: wazuh_repo @@ -13,7 +12,6 @@ changed_when: false - name: RedHat/CentOS/Fedora | Install OpenJDK 11 - ## 732 will not be needed yum: name: java-11-openjdk-devel state: present @@ -21,7 +19,6 @@ - ansible_distribution != 'Amazon' - name: Amazon Linux | Install OpenJDK 11 - ## 732 will not be needed block: - name: Install Amazon extras yum: @@ -55,7 +52,6 @@ - unzip - name: Install Wazuh-Indexer - ## 732 the package name should be updated package: name: wazuh-indexer-{{ indexer_version }} state: present From 43e792754ac9d0d3e8f660113aea9d4ccc291ff4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Tue, 22 Feb 2022 14:25:58 -0300 Subject: [PATCH 20/41] Custom user configuration updated --- playbooks/wazuh-opensearch-production-ready.yml | 2 +- roles/wazuh/ansible-wazuh-manager/files/create_user.py | 6 +++--- roles/wazuh/ansible-wazuh-manager/tasks/main.yml | 9 +++++++++ .../wazuh/ansible-wazuh-manager/templates/admin.json.j2 | 4 ++++ 4 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 diff --git a/playbooks/wazuh-opensearch-production-ready.yml b/playbooks/wazuh-opensearch-production-ready.yml index f8542096..e52cfca7 100644 --- a/playbooks/wazuh-opensearch-production-ready.yml +++ b/playbooks/wazuh-opensearch-production-ready.yml @@ -119,7 +119,7 @@ hidden: 'no' wazuh_api_users: - username: custom-user - password: SecretPassword! + password: SecretPassword1! filebeat_output_indexer_hosts: - "{{ hostvars.wi1.private_ip }}" - "{{ hostvars.wi2.private_ip }}" diff --git a/roles/wazuh/ansible-wazuh-manager/files/create_user.py b/roles/wazuh/ansible-wazuh-manager/files/create_user.py index 5ecb88e2..abb44eec 100644 --- a/roles/wazuh/ansible-wazuh-manager/files/create_user.py 
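Review bot: This hunk changes the `wazuh_api_users` password to `SecretPassword1!`, but the `wazuh_api_credentials` entry for the same `custom-user` in the dashboard play (set to `SecretPassword!` by patch 18, hunk -181) is not updated in this commit, so unless it is changed elsewhere the dashboard will authenticate to the API with the old password. Referencing a single variable from both places, `password: "{{ wazuh_api_password }}"`, is the fix that prevents this class of mismatch.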
+++ b/roles/wazuh/ansible-wazuh-manager/files/create_user.py @@ -97,6 +97,6 @@ if __name__ == "__main__": password=password, ) # disable unused default users - for def_user in ['wazuh', 'wazuh-wui']: - if def_user != username: - disable_user(initial_users[def_user]) \ No newline at end of file + #for def_user in ['wazuh', 'wazuh-wui']: + # if def_user != username: + # disable_user(initial_users[def_user]) \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml index b7640a5c..65ded135 100644 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml @@ -260,6 +260,15 @@ group: wazuh mode: 0644 + - name: Create admin.json + template: + src: templates/admin.json.j2 + dest: "{{ wazuh_dir }}/api/configuration/admin.json" + owner: wazuh + group: wazuh + mode: 0644 + no_log: true + - name: Execute create_user script script: chdir: "{{ wazuh_dir }}/framework/scripts/" diff --git a/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 b/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 new file mode 100644 index 00000000..6522f530 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 @@ -0,0 +1,4 @@ + +{% for api in wazuh_api_users %} +{"username":"{{ api['username'] }}", "password": "{{ api['password'] }}"} +{% endfor %} \ No newline at end of file From 501bb9c13fefaf3e52f367757ed6bed01187e997 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Wed, 23 Feb 2022 16:19:14 -0300 Subject: [PATCH 21/41] jvm options copy removed --- .../templates/jvm.options copy.j2 | 83 ------------------- 1 file changed, 83 deletions(-) delete mode 100644 roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 b/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2 deleted file mode 100644 index 0b658f0d..00000000 
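Review bot: Commenting out the `disable_user` loop leaves dead code and silently reverts the behaviour introduced in patch 17; the default `wazuh`/`wazuh-wui` accounts therefore keep whatever password they already have after provisioning. If the loop is disabled on purpose, delete the commented lines and record the reason in a short comment such as `# default API users are left unchanged: <reason>`, or gate the loop behind a variable so the choice is visible to operators; the file still ends without a trailing newline.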
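Review bot: `admin.json` holds the API username and password in clear text, but the new task creates it with `mode: 0644`, world-readable on the manager; `mode: "0600"` (quoted, so the octal literal is not reparsed as an integer under YAML 1.1) is the appropriate mode for a credentials file, and `no_log: true` on the task is correctly set. Nothing visible removes the file after `Execute create_user script` runs; if the API does not read it itself, a follow-up `file:` task with `state: absent` would limit how long the secret stays on disk — I cannot tell from here whether other components depend on the file.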
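Review bot: The new admin.json.j2 emits one JSON object per entry of `wazuh_api_users`, concatenated without array brackets or separators and preceded by an empty line; `read_user_file` in create_user.py parses the file with a single `json.load`, so the output is invalid JSON as soon as `wazuh_api_users` has two entries, and a password containing `"` or `\` breaks even the single-entry case because the values are pasted in unescaped. Rendering the first user through a JSON-escaping filter handles both: `{{ wazuh_api_users | first | to_json }}`. If several users are meant to be supported, the template and the script need to agree on a list format first.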
--- a/roles/opensearch/wazuh-indexer/templates/jvm.options copy.j2
+++ /dev/null
@@ -1,83 +0,0 @@ -## JVM configuration - -################################################################ -## IMPORTANT: JVM heap size -################################################################ -## -## You should always set the min and max JVM heap -## size to the same value. For example, to set -## the heap to 4 GB, set: -## -## -Xms4g -## -Xmx4g -## -## See https://opensearch.org/docs/opensearch/install/important-settings/ -## for more information -## -################################################################ - -# Xms represents the initial size of total heap space -# Xmx represents the maximum size of total heap space - --Xms1g --Xmx1g - -################################################################ -## Expert settings -################################################################ -## -## All settings below this section are considered -## expert settings. Don't tamper with them unless -## you understand what you are doing -## -################################################################ - -## GC configuration -8-13:-XX:+UseConcMarkSweepGC -8-13:-XX:CMSInitiatingOccupancyFraction=75 -8-13:-XX:+UseCMSInitiatingOccupancyOnly - -## G1GC Configuration -# NOTE: G1 GC is only supported on JDK version 10 or later -# to use G1GC, uncomment the next two lines and update the version on the -# following three lines to your version of the JDK -# 10-13:-XX:-UseConcMarkSweepGC -# 10-13:-XX:-UseCMSInitiatingOccupancyOnly -14-:-XX:+UseG1GC -14-:-XX:G1ReservePercent=25 -14-:-XX:InitiatingHeapOccupancyPercent=30 - -## JVM temporary directory --Djava.io.tmpdir=${OPENSEARCH_TMPDIR} - -## heap dumps - -# generate a heap dump when an allocation from the Java heap fails -# heap dumps are created in the working directory of the JVM --XX:+HeapDumpOnOutOfMemoryError - -# specify an alternative path for heap dumps; ensure the directory exists and -# has sufficient space --XX:HeapDumpPath=data - -# specify an alternative path for JVM fatal error logs 
--XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log - -## JDK 8 GC logging -8:-XX:+PrintGCDetails -8:-XX:+PrintGCDateStamps -8:-XX:+PrintTenuringDistribution -8:-XX:+PrintGCApplicationStoppedTime -8:-Xloggc:/var/log/wazuh-indexer/gc.log -8:-XX:+UseGCLogFileRotation -8:-XX:NumberOfGCLogFiles=32 -8:-XX:GCLogFileSize=64m - -# JDK 9+ GC logging -9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m - - -## OpenDistro Performance Analyzer --Dclk.tck=100 --Djdk.attach.allowAttachSelf=true --Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opendistro-performance-analyzer/pa_config/es_security.policy From e5ed0f52ac6e90b3bdf6500e5b4a8f2e3d2973fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Wed, 2 Mar 2022 18:55:08 -0300 Subject: [PATCH 22/41] Dashboard yml renamed --- README.md | 2 +- roles/opensearch/wazuh-dashboard/tasks/main.yml | 6 +++--- .../{dashboard.yml.j2 => opensearch_dashboards.yml.j2} | 0 3 files changed, 4 insertions(+), 4 deletions(-) rename roles/opensearch/wazuh-dashboard/templates/{dashboard.yml.j2 => opensearch_dashboards.yml.j2} (100%) diff --git a/README.md b/README.md index d4e8180f..4f73f1d8 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb │ │ ├── wazuh-kibana.yml │ │ ├── wazuh-manager-oss.yml │ │ ├── wazuh-manager.yml - │ │ ├── wazuh-opensearch-dashboard.yml + │ │ ├── wazuh-opensearch-opensearch_dashboards.yml | | ├── wazuh-opensearch-production-ready │ │ ├── wazuh-opensearch-single.yml │ │ ├── wazuh-opensearch.yml diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/opensearch/wazuh-dashboard/tasks/main.yml index f166ef4f..e4e7f526 100755 --- a/roles/opensearch/wazuh-dashboard/tasks/main.yml +++ b/roles/opensearch/wazuh-dashboard/tasks/main.yml 
@@ -9,7 +9,7 @@ - name: Remove Dashboard configuration file file: # noqa 503
- path: "{{ dashboard_conf_path }}/dashboard.yml"
+ path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" state: absent tags: install
@@ -17,8 +17,8 @@ - name: Copy Configuration File template:
- src: "templates/dashboard.yml.j2"
- dest: "{{ dashboard_conf_path }}/dashboard.yml"
+ src: "templates/opensearch_dashboards.yml.j2"
+ dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" group: wazuh-dashboard owner: wazuh-dashboard mode: 0640
diff --git a/roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2 b/roles/opensearch/wazuh-dashboard/templates/opensearch_dashboards.yml.j2
similarity index 100%
rename from roles/opensearch/wazuh-dashboard/templates/dashboard.yml.j2
rename to roles/opensearch/wazuh-dashboard/templates/opensearch_dashboards.yml.j2
From 64eda5292fd71f4795aa59bbe81a456af6e2f23e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?=
Date: Wed, 2 Mar 2022 18:58:46 -0300
Subject: [PATCH 23/41] Indexer default ports updated
--- roles/opensearch/wazuh-dashboard/defaults/main.yml | 2 +- roles/opensearch/wazuh-indexer/defaults/main.yml | 2 +- roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 2 +- roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 | 4 ++-- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml
index 2f6c46f3..d3f8ed78 100644
--- a/roles/opensearch/wazuh-dashboard/defaults/main.yml
+++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml
@@ -1,7 +1,7 @@
--- # Dashboard configuration
-indexer_http_port: 9700
+indexer_http_port: 9200 indexer_api_protocol: https dashboard_conf_path: /etc/wazuh-dashboard/ dashboard_node_name: node-1
diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml
index 514a8b54..82e3ba5d 100644
--- a/roles/opensearch/wazuh-indexer/defaults/main.yml
+++ b/roles/opensearch/wazuh-indexer/defaults/main.yml
@@ -55,7 +55,7 @@ indexer_custom_user_role: "admin" # Set JVM memory limits indexer_jvm_xms: null
-indexer_http_port: 9700
+indexer_http_port: 9200 certs_gen_tool_version: 4.3
diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
index 9bc0016e..bdef63c9 100644
--- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
@@ -86,7 +86,7 @@ JAVA_HOME=/usr/share/wazuh-indexer/jdk {{ indexer_sec_plugin_tools_path }}/securityadmin.sh -cd {{ indexer_sec_plugin_conf_path }}/
- -icl -p 9800 -cd {{ indexer_sec_plugin_conf_path }}/
+ -icl -p 9300 -cd {{ indexer_sec_plugin_conf_path }}/ -nhnv -cacert {{ indexer_conf_path }}/certs/root-ca.pem -cert {{ indexer_conf_path }}/certs/admin.pem
diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
index 5cc294ad..654c979d 100644
--- a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
+++ b/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
@@ -16,8 +16,8 @@ discovery.seed_hosts: cluster.name: {{ indexer_cluster_name }}
-http.port: 9700-9799
-transport.tcp.port: 9800-9899
+http.port: 9200-9299
+transport.tcp.port: 9300-9399 node.max_local_storage_nodes: "3" path.data: /var/lib/wazuh-indexer path.logs: /var/log/wazuh-indexer
diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
index 01f5becd..bbbbc494 100644
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
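Review bot: The securityadmin call pins the transport port with `-icl -p 9300` while `opensearch.yml.j2` in the next hunk configures `transport.tcp.port: 9300-9399` as a range, so a node that ends up bound elsewhere in that range is not reached; the same drift exists between `indexer_http_port: 9200` in defaults and the literal `http.port: 9200-9299` in the template. Driving both from variables keeps them aligned, e.g. `http.port: {{ indexer_http_port }}` in the template and `-icl -p {{ indexer_transport_port }}` here backed by a new `indexer_transport_port` default (constructed name). The `-nhnv` flag on the following context line turns off hostname verification for this connection; it predates the commit, but a comment stating why that is acceptable during initialization would help the next reader. The `command: >` block starts before the hunk.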
@@ -4,7 +4,7 @@ filebeat_version: 7.10.2 wazuh_template_branch: v4.2.5 filebeat_output_indexer_hosts:
- - "localhost:9700"
+ - "localhost:9200" #filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
index 82379778..b84edd87 100644
--- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
+++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
@@ -18,7 +18,7 @@ setup.ilm.enabled: false output.elasticsearch: hosts: {% for item in filebeat_output_indexer_hosts %}
- - {{ item }}:9700
+ - {{ item }}:9200 {% endfor %} {% if filebeat_security %}
From b3cadea610aee1c16f9b4e166cd80461111fc4d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?=
Date: Thu, 3 Mar 2022 09:04:24 -0300
Subject: [PATCH 24/41] Changes to packages prod repository
--- roles/opensearch/wazuh-dashboard/defaults/main.yml | 12 ++++-------- roles/opensearch/wazuh-indexer/defaults/main.yml | 14 +++++--------- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 12 ++++-------- roles/wazuh/ansible-wazuh-agent/defaults/main.yml | 9 +++------ .../wazuh/ansible-wazuh-manager/defaults/main.yml | 9 +++------ roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml | 2 +- 6 files changed, 20 insertions(+), 38 deletions(-)
diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/opensearch/wazuh-dashboard/defaults/main.yml
index d3f8ed78..b69e8369 100644
--- a/roles/opensearch/wazuh-dashboard/defaults/main.yml
+++ b/roles/opensearch/wazuh-dashboard/defaults/main.yml
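Review bot: With the default `filebeat_output_indexer_hosts` entry `"localhost:9200"` set in the defaults hunk earlier in this commit, the template line `- {{ item }}:9200` renders `localhost:9200:9200`, which is not a valid host:port for Filebeat's output. Either the default entries should be bare hosts (`"localhost"`) or the template should stop appending a port, e.g. `- {{ item }}`; if the port is meant to be appended, it should come from a variable such as `indexer_http_port` rather than a literal `9200` so the two roles cannot drift again. The `output.elasticsearch:` block continues past the hunk.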
@@ -18,16 +18,12 @@ dashboard_version: "4.3.0" package_repos: yum: dashboard:
- #baseurl: 'https://packages.wazuh.com/4.x/yum/'
- baseurl: 'https://packages-dev.wazuh.com/pre-release/yum/'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ baseurl: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' apt: dashboard:
- #baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
- baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' # API credentials wazuh_api_credentials:
diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/opensearch/wazuh-indexer/defaults/main.yml
index 82e3ba5d..64f227ca 100644
--- a/roles/opensearch/wazuh-indexer/defaults/main.yml
+++ b/roles/opensearch/wazuh-indexer/defaults/main.yml
@@ -30,16 +30,12 @@ domain_name: wazuh.com package_repos: yum: indexer:
- #baseurl: 'https://packages.wazuh.com/4.x/yum/'
- baseurl: 'https://packages-dev.wazuh.com/pre-release/yum/'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ baseurl: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' apt: indexer:
- #baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
- baseurl: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' openjdk: baseurl: 'deb http://deb.debian.org/debian stretch-backports main'
@@ -60,7 +56,7 @@ indexer_http_port: 9200 certs_gen_tool_version: 4.3 # Url of certificates generator tool
-certs_gen_tool_url: "https://packages-dev.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh"
+certs_gen_tool_url: "https://packages.wazuh.com/resources/{{ certs_gen_tool_version }}/install_functions/opendistro/wazuh-cert-tool.sh" indexer_admin_password: changeme dashboard_password: changeme
diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
index bbbbc494..0de5d2d0 100644
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
@@ -6,8 +6,7 @@ wazuh_template_branch: v4.2.5 filebeat_output_indexer_hosts: - "localhost:9200"
-#filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
-filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
+filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz filebeat_module_package_path: /tmp/ filebeat_module_destination: /usr/share/filebeat/module
@@ -22,10 +21,7 @@ filebeat_ssl_dir: /etc/pki/filebeat local_certs_path: ./indexer/certificates filebeatrepo:
- #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
- apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- #yum: 'https://packages.wazuh.com/4.x/yum/'
- yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ yum: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
\ No newline at end of file
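Review bot: `certs_gen_tool_url` now points at the production host, but the shell script fetched from it is still pinned by nothing except the URL; a `certs_gen_tool_checksum` default (constructed name) handed to the download task's `checksum:` argument would tie the certificate-generation step to a known script body. Where the URL is consumed is outside this hunk (presumably `local_actions.yml`), so the exact task to change is inferred. The context line `certs_gen_tool_version: 4.3` is an unquoted float that is interpolated into this URL; it predates the commit, but `"4.3"` would keep a future `4.30` from rendering as `4.3`.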
diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
index 63b1fbaf..8706a992 100644
--- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
@@ -61,12 +61,9 @@ wazuh_winagent_package_name: wazuh-agent-4.3.0-1.msi wazuh_dir: "/var/ossec" wazuh_agent_repo:
- #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
- apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- #yum: 'https://packages.wazuh.com/4.x/yum/'
- yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ yum: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' # This is deprecated, see: wazuh_agent_address
diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
index 94eac58d..2e694ab5 100644
--- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
+++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml
@@ -38,12 +38,9 @@ wazuh_manager_sources_installation: wazuh_dir: "/var/ossec" wazuh_manager_repo:
- #apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
- apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- #yum: 'https://packages.wazuh.com/4.x/yum/'
- yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
- #gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ yum: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
index eec63592..717add8c 100644
--- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
@@ -16,7 +16,7 @@ become: true shell: | set -o pipefail
- curl -s https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+ curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - args: warn: false executable: /bin/bash
From b4f9b93e1f42496a26070fdd9c9cdd76d94f97c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?=
Date: Thu, 3 Mar 2022 15:19:32 -0300
Subject: [PATCH 25/41] Sleep removed
--- roles/opensearch/wazuh-indexer/tasks/security_actions.yml | 3 --- 1 file changed, 3 deletions(-)
diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
index bdef63c9..29d9fc09 100644
--- a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
+++ b/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
@@ -77,9 +77,6 @@ indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" run_once: true
-- name: sleep 2 minutes
- command: sleep 120
-
- name: Initialize the Opensearch security index in Wazuh-Indexer command: > sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }}
From 1932f683a86e158a89f4022545090b4dc1d656c9 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 09:35:20 +0100
Subject: [PATCH 26/41] Minor format fix
--- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 4f73f1d8..5f4b9563 100644
--- a/README.md
+++ b/README.md
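Review bot: The GPG key URL is hard-coded here a second time even though `wazuh_manager_repo.gpg` in the manager defaults (changed in the same commit) already holds it, so the two can silently diverge; `curl -s {{ wazuh_manager_repo.gpg }} | apt-key add -` keeps one source of truth. `curl -s` without `-f` will pipe an HTTP error body into `apt-key` on a failed download, and `apt-key` itself is deprecated on current Debian/Ubuntu — the current practice is `curl -fsSL` into a keyring under `/usr/share/keyrings` referenced via `signed-by=` in the apt source line. Since the defaults also carry `key_id`, the downloaded key's fingerprint could be compared against it before it is trusted. The task's `name` and `become` lines begin before the hunk.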
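Review bot: Dropping the fixed 120-second sleep leaves no readiness gate before `securityadmin.sh` runs, so the security-index initialization can race the indexer start-up and fail or partially apply; a deterministic replacement is a `wait_for` on the transport port the command targets, e.g. `- name: Wait for the indexer transport port` / `wait_for: { port: 9300, timeout: 300 }`, or a `uri` check against the HTTP port with `until`/`retries`. Whether an earlier task already waits for the service is outside this hunk, so this is inferred from the visible lines only; if such a wait exists, a comment pointing to it would stop the next reader from re-adding a sleep. The `command: >` block of the following task continues past the hunk.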
@@ -75,7 +75,7 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb ## Example: production-ready distributed environment ### Playbook -The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh Indexer nodes and a mixed Wazuh dashboard node. +The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh indexer nodes and a mixed Wazuh dashboard node. ```yaml --- @@ -126,7 +126,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod tags: - generate-certs -#Wazuh Indexer Cluster +# Wazuh indexer cluster - hosts: wi_cluster strategy: free roles: @@ -172,7 +172,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod ip: "{{ hostvars.dashboard.private_ip }}" role: dashboard - #Wazuh cluster +# Wazuh cluster - hosts: manager roles: - role: "../roles/wazuh/ansible-wazuh-manager" @@ -234,7 +234,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod - "{{ hostvars.wi2.private_ip }}" - "{{ hostvars.wi3.private_ip }}" - #Indexer+Dashboard node +# Indexer + dashboard node - hosts: dashboard roles: - role: "../roles/opensearch/wazuh-indexer" From 3919e555035a0c90d59c0168277311f61de51798 Mon Sep 17 00:00:00 2001 From: Alberto R Date: Fri, 4 Mar 2022 09:40:27 +0100 Subject: [PATCH 27/41] Minor format changes on production ready --- playbooks/wazuh-opensearch-production-ready.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/playbooks/wazuh-opensearch-production-ready.yml b/playbooks/wazuh-opensearch-production-ready.yml index e52cfca7..73797b0e 100644 --- a/playbooks/wazuh-opensearch-production-ready.yml +++ b/playbooks/wazuh-opensearch-production-ready.yml 
@@ -46,7 +46,7 @@ tags: - generate-certs -#Wazuh Indexer Cluster +# Wazuh indexer cluster - hosts: wi_cluster strategy: free roles: @@ -92,7 +92,7 @@ ip: "{{ hostvars.dashboard.private_ip }}" role: dashboard - #Wazuh cluster +# Wazuh cluster - hosts: manager roles: - role: "../roles/wazuh/ansible-wazuh-manager" @@ -154,7 +154,7 @@ - "{{ hostvars.wi2.private_ip }}" - "{{ hostvars.wi3.private_ip }}" - #Indexer+Dashboard node +# Indexer + dashboard node - hosts: dashboard roles: - role: "../roles/opensearch/wazuh-indexer" From 376f55943303b6dbb2c2997710395ca1742765c1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gonzalo=20Acu=C3=B1a?= Date: Fri, 4 Mar 2022 09:36:18 -0300 Subject: [PATCH 28/41] Opensearch roles and playbooks renamed --- README.md | 14 +++++++------- ...pensearch-dashboard.yml => wazuh-dashboard.yml} | 2 +- .../{wazuh-opensearch.yml => wazuh-indexer.yml} | 2 +- ...uction-ready.yml => wazuh-production-ready.yml} | 8 ++++---- ...azuh-opensearch-single.yml => wazuh-single.yml} | 6 +++--- .../wazuh-dashboard/defaults/main.yml | 0 .../wazuh-dashboard/handlers/main.yml | 0 .../wazuh-dashboard/tasks/Debian.yml | 0 .../wazuh-dashboard/tasks/RMRedHat.yml | 0 .../wazuh-dashboard/tasks/RedHat.yml | 0 .../wazuh-dashboard/tasks/main.yml | 0 .../wazuh-dashboard/tasks/security_actions.yml | 0 .../templates/opensearch_dashboards.yml.j2 | 0 .../wazuh-dashboard/templates/wazuh.yml.j2 | 0 .../wazuh-dashboard/vars/debian.yml | 0 .../wazuh-indexer/defaults/main.yml | 0 .../wazuh-indexer/handlers/main.yml | 0 .../wazuh-indexer/meta/main.yml | 0 .../wazuh-indexer/tasks/Debian.yml | 0 .../wazuh-indexer/tasks/RMRedHat.yml | 0 .../wazuh-indexer/tasks/RedHat.yml | 0 .../wazuh-indexer/tasks/local_actions.yml | 0 .../wazuh-indexer/tasks/main.yml | 0 .../wazuh-indexer/tasks/security_actions.yml | 0 .../wazuh-indexer/templates/config.yml.j2 | 0 .../templates/disabledlog4j.options.j2 | 0 .../wazuh-indexer/templates/internal_users.yml.j2 | 0 .../wazuh-indexer/templates/jvm.options.j2 | 0 .../wazuh-indexer/templates/opensearch.yml.j2 | 0 .../wazuh-indexer/templates/tlsconfig.yml.j2 | 0 30 files changed, 16 insertions(+), 16 deletions(-) rename playbooks/{wazuh-opensearch-dashboard.yml => wazuh-dashboard.yml} (63%) rename playbooks/{wazuh-opensearch.yml => wazuh-indexer.yml} (89%) rename playbooks/{wazuh-opensearch-production-ready.yml => wazuh-production-ready.yml} (97%) rename playbooks/{wazuh-opensearch-single.yml => wazuh-single.yml} (86%) rename roles/{opensearch => wazuh}/wazuh-dashboard/defaults/main.yml (100%) rename roles/{opensearch => 
wazuh}/wazuh-dashboard/handlers/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/tasks/Debian.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/tasks/RMRedHat.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/tasks/RedHat.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/tasks/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/tasks/security_actions.yml (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/templates/wazuh.yml.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-dashboard/vars/debian.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/defaults/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/handlers/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/meta/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/Debian.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/RMRedHat.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/RedHat.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/local_actions.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/main.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/tasks/security_actions.yml (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/config.yml.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/disabledlog4j.options.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/internal_users.yml.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/jvm.options.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/opensearch.yml.j2 (100%) rename roles/{opensearch => wazuh}/wazuh-indexer/templates/tlsconfig.yml.j2 (100%) diff --git a/README.md b/README.md index 4f73f1d8..e1838aa5 100644 --- a/README.md +++ b/README.md 
@@ -82,7 +82,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod # Certificates generation - hosts: wi1 roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer indexer_network_host: "{{ private_ip }}" indexer_cluster_nodes: - "{{ hostvars.wi1.private_ip }}" @@ -130,7 +130,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod - hosts: wi_cluster strategy: free roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer indexer_network_host: "{{ private_ip }}" become: yes become_user: root @@ -237,8 +237,8 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a prod #Indexer+Dashboard node - hosts: dashboard roles: - - role: "../roles/opensearch/wazuh-indexer" - - role: "../roles/opensearch/wazuh-dashboard" + - role: "../roles/wazuh/wazuh-indexer" + - role: "../roles/wazuh/wazuh-dashboard" become: yes become_user: root vars: @@ -336,7 +336,7 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing # Certificates generation - hosts: aio roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer perform_installation: false become: no #become_user: root @@ -354,10 +354,10 @@ The hereunder example playbook uses the `wazuh-ansible` role to provision a sing become: yes become_user: root roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss - - role: ../roles/opensearch/wazuh-dashboard + - role: ../roles/wazuh/wazuh-dashboard vars: single_node: true minimum_master_nodes: 1 diff --git a/playbooks/wazuh-opensearch-dashboard.yml b/playbooks/wazuh-dashboard.yml similarity index 63% rename from playbooks/wazuh-opensearch-dashboard.yml rename to playbooks/wazuh-dashboard.yml index 2abc311f..5a50cbab 100644 
--- a/playbooks/wazuh-opensearch-dashboard.yml +++ b/playbooks/wazuh-dashboard.yml @@ -1,6 +1,6 @@ --- - hosts: wi1 roles: - - role: ../roles/opensearch/wazuh-dashboard + - role: ../roles/wazuh/wazuh-dashboard vars: ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-opensearch.yml b/playbooks/wazuh-indexer.yml similarity index 89% rename from playbooks/wazuh-opensearch.yml rename to playbooks/wazuh-indexer.yml index c6839efa..34d999c4 100644 --- a/playbooks/wazuh-opensearch.yml +++ b/playbooks/wazuh-indexer.yml @@ -1,7 +1,7 @@ --- - hosts: wi_cluster roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer vars: instances: # A certificate will be generated for every node using the name as CN. diff --git a/playbooks/wazuh-opensearch-production-ready.yml b/playbooks/wazuh-production-ready.yml similarity index 97% rename from playbooks/wazuh-opensearch-production-ready.yml rename to playbooks/wazuh-production-ready.yml index e52cfca7..57fb880f 100644 --- a/playbooks/wazuh-opensearch-production-ready.yml +++ b/playbooks/wazuh-production-ready.yml @@ -2,7 +2,7 @@ # Certificates generation - hosts: wi1 roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer indexer_network_host: "{{ private_ip }}" indexer_cluster_nodes: - "{{ hostvars.wi1.private_ip }}" @@ -50,7 +50,7 @@ - hosts: wi_cluster strategy: free roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer indexer_network_host: "{{ private_ip }}" become: yes become_user: root @@ -157,8 +157,8 @@ #Indexer+Dashboard node - hosts: dashboard roles: - - role: "../roles/opensearch/wazuh-indexer" - - role: "../roles/opensearch/wazuh-dashboard" + - role: "../roles/wazuh/wazuh-indexer" + - role: "../roles/wazuh/wazuh-dashboard" become: yes become_user: root vars: 
diff --git a/playbooks/wazuh-opensearch-single.yml b/playbooks/wazuh-single.yml similarity index 86% rename from playbooks/wazuh-opensearch-single.yml rename to playbooks/wazuh-single.yml index 10e36107..38499f5c 100644 --- a/playbooks/wazuh-opensearch-single.yml +++ b/playbooks/wazuh-single.yml @@ -2,7 +2,7 @@ # Certificates generation - hosts: aio roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer perform_installation: false become: no #become_user: root @@ -20,10 +20,10 @@ become: yes become_user: root roles: - - role: ../roles/opensearch/wazuh-indexer + - role: ../roles/wazuh/wazuh-indexer - role: ../roles/wazuh/ansible-wazuh-manager - role: ../roles/wazuh/ansible-filebeat-oss - - role: ../roles/opensearch/wazuh-dashboard + - role: ../roles/wazuh/wazuh-dashboard vars: single_node: true minimum_master_nodes: 1 diff --git a/roles/opensearch/wazuh-dashboard/defaults/main.yml b/roles/wazuh/wazuh-dashboard/defaults/main.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/defaults/main.yml rename to roles/wazuh/wazuh-dashboard/defaults/main.yml diff --git a/roles/opensearch/wazuh-dashboard/handlers/main.yml b/roles/wazuh/wazuh-dashboard/handlers/main.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/handlers/main.yml rename to roles/wazuh/wazuh-dashboard/handlers/main.yml diff --git a/roles/opensearch/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/tasks/Debian.yml rename to roles/wazuh/wazuh-dashboard/tasks/Debian.yml diff --git a/roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/tasks/RMRedHat.yml rename to roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml 
diff --git a/roles/opensearch/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/tasks/RedHat.yml rename to roles/wazuh/wazuh-dashboard/tasks/RedHat.yml diff --git a/roles/opensearch/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/tasks/main.yml rename to roles/wazuh/wazuh-dashboard/tasks/main.yml diff --git a/roles/opensearch/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/tasks/security_actions.yml rename to roles/wazuh/wazuh-dashboard/tasks/security_actions.yml diff --git a/roles/opensearch/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 similarity index 100% rename from roles/opensearch/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 rename to roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 diff --git a/roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 similarity index 100% rename from roles/opensearch/wazuh-dashboard/templates/wazuh.yml.j2 rename to roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 diff --git a/roles/opensearch/wazuh-dashboard/vars/debian.yml b/roles/wazuh/wazuh-dashboard/vars/debian.yml similarity index 100% rename from roles/opensearch/wazuh-dashboard/vars/debian.yml rename to roles/wazuh/wazuh-dashboard/vars/debian.yml diff --git a/roles/opensearch/wazuh-indexer/defaults/main.yml b/roles/wazuh/wazuh-indexer/defaults/main.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/defaults/main.yml rename to roles/wazuh/wazuh-indexer/defaults/main.yml 
diff --git a/roles/opensearch/wazuh-indexer/handlers/main.yml b/roles/wazuh/wazuh-indexer/handlers/main.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/handlers/main.yml rename to roles/wazuh/wazuh-indexer/handlers/main.yml diff --git a/roles/opensearch/wazuh-indexer/meta/main.yml b/roles/wazuh/wazuh-indexer/meta/main.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/meta/main.yml rename to roles/wazuh/wazuh-indexer/meta/main.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/Debian.yml rename to roles/wazuh/wazuh-indexer/tasks/Debian.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/RMRedHat.yml rename to roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/RedHat.yml rename to roles/wazuh/wazuh-indexer/tasks/RedHat.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/local_actions.yml b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/local_actions.yml rename to roles/wazuh/wazuh-indexer/tasks/local_actions.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/main.yml rename to roles/wazuh/wazuh-indexer/tasks/main.yml diff --git a/roles/opensearch/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml similarity index 100% rename from roles/opensearch/wazuh-indexer/tasks/security_actions.yml rename to roles/wazuh/wazuh-indexer/tasks/security_actions.yml 
diff --git a/roles/opensearch/wazuh-indexer/templates/config.yml.j2 b/roles/wazuh/wazuh-indexer/templates/config.yml.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/config.yml.j2
rename to roles/wazuh/wazuh-indexer/templates/config.yml.j2
diff --git a/roles/opensearch/wazuh-indexer/templates/disabledlog4j.options.j2 b/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/disabledlog4j.options.j2
rename to roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2
diff --git a/roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2 b/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/internal_users.yml.j2
rename to roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2
diff --git a/roles/opensearch/wazuh-indexer/templates/jvm.options.j2 b/roles/wazuh/wazuh-indexer/templates/jvm.options.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/jvm.options.j2
rename to roles/wazuh/wazuh-indexer/templates/jvm.options.j2
diff --git a/roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2 b/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/opensearch.yml.j2
rename to roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2
diff --git a/roles/opensearch/wazuh-indexer/templates/tlsconfig.yml.j2 b/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2
similarity index 100%
rename from roles/opensearch/wazuh-indexer/templates/tlsconfig.yml.j2
rename to roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2
From 43add01612843ca257dccbb7033044e9704f836e Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:04:57 +0100
Subject: [PATCH 29/41] Fixed wazuh_template_branch version

---
 roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
index 0de5d2d0..15d21b1f 100644
--- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
+++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 filebeat_version: 7.10.2
-wazuh_template_branch: v4.2.5
+wazuh_template_branch: v4.3.0
 
 filebeat_output_indexer_hosts:
   - "localhost:9200"
From 8e7aa833f63d6e303d34f2d1e9ea55768d703e6b Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:10:25 +0100
Subject: [PATCH 30/41] Changed opensearch comment by indexer

---
 roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
index b84edd87..558b5cf8 100644
--- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
+++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
@@ -1,5 +1,3 @@
-# Wazuh - Filebeat configuration file
-
 # Wazuh - Filebeat configuration file
 filebeat.modules:
   - module: wazuh
@@ -14,7 +12,7 @@ setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
 setup.ilm.enabled: false
 
-# Send events directly to Opensearch
+# Send events directly to Wazuh indexer
 output.elasticsearch:
   hosts:
 {% for item in filebeat_output_indexer_hosts %}
@@ -31,5 +29,5 @@ output.elasticsearch:
   ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
 {% endif %}
 
-# Optional. Send events to Logstash instead of Opensearch
+# Optional. Send events to Logstash instead of Wazuh indexer
 #output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
\ No newline at end of file
From 6bca974bf0cbf5fc27d1f67a55cbf9477416e0b2 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:21:09 +0100
Subject: [PATCH 31/41] Minor format changes

---
 roles/wazuh/wazuh-dashboard/tasks/Debian.yml   | 8 ++++----
 roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml | 2 +-
 roles/wazuh/wazuh-dashboard/tasks/RedHat.yml   | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
index 9cee7937..2d6c67b7 100644
--- a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
+++ b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
@@ -1,19 +1,19 @@
 ---
 - block:
-  - include_vars: debian.yml
+    - include_vars: debian.yml
 
     - name: Add apt repository signing key
       apt_key:
         url: "{{ package_repos.apt.dashboard.gpg }}"
         state: present
 
-    - name: Debian systems | Add Wazuh-Dashboard repo
+    - name: Debian systems | Add Wazuh dashboard repo
       apt_repository:
         repo: "{{ package_repos.apt.dashboard.baseurl }}"
         state: present
         update_cache: yes
 
-    - name: Install Wazuh-Dashboard
+    - name: Install Wazuh dashboard
       apt:
         name: "wazuh-dashboard={{ dashboard_version }}-1"
         state: present
@@ -21,4 +21,4 @@
       register: install
 
   tags:
-    - install
\ No newline at end of file
+    - install
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
index 893ec065..b34970ea 100644
--- a/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
+++ b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
@@ -1,5 +1,5 @@
 ---
-- name: Remove Wazuh-Dashboard repository (and clean up left-over metadata)
+- name: Remove Wazuh dashboard repository (and clean up left-over metadata)
   yum_repository:
     name: wazuh_repo
     state: absent
diff --git a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
index c10fab59..994f2a0f 100644
--- a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
+++ b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
@@ -1,7 +1,7 @@
 ---
 - block:
-    - name: RedHat/CentOS/Fedora | Add Wazuh-Dashboard repo
+    - name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo
       yum_repository:
         file: wazuh
         name: wazuh_repo
@@ -10,12 +10,12 @@
         gpgkey: "{{ package_repos.yum.dashboard.gpg }}"
         gpgcheck: true
 
-    - name: Install Wazuh-Dashboard
+    - name: Install Wazuh dashboard
       package:
         name: "wazuh-dashboard-{{ dashboard_version }}"
         state: present
         update_cache: yes
       register: install
-
+
   tags:
     - install
From c154f5fc53671e5658c6a9ae9fa2ee25f6577098 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:51:13 +0100
Subject: [PATCH 32/41] Minor format change

---
 roles/wazuh/wazuh-dashboard/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/wazuh/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml
index e4e7f526..c477df58 100755
--- a/roles/wazuh/wazuh-dashboard/tasks/main.yml
+++ b/roles/wazuh/wazuh-dashboard/tasks/main.yml
@@ -28,7 +28,7 @@
     - install
     - configure
 
-- name: Ensuring Wazuh-Dashboard directory owner
+- name: Ensuring Wazuh dashboard directory owner
   file: # noqa 208
     path: "/usr/share/wazuh-dashboard"
@@ -79,7 +79,7 @@
     executable: /bin/bash
   become: yes
 
-- name: Ensure Wazuh-Dashboard started and enabled
+- name: Ensure Wazuh dashboard started and enabled
   service:
     name: wazuh-dashboard
     enabled: true
From a23f67f7eb9aeda9674ae883936ec76205253e58 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:53:34 +0100
Subject: [PATCH 33/41] Fix dashboard name format

---
 roles/wazuh/wazuh-dashboard/tasks/security_actions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml
index 223ae09d..a71579a9 100644
--- a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml
+++ b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml
@@ -1,6 +1,6 @@
 - block:
-    - name: Copy the certificates from local to the Wazuh-Dashboard instance
+    - name: Copy the certificates from local to the Wazuh dashboard instance
       copy:
         src: "{{ local_certs_path }}/certs/{{ item }}"
         dest: /etc/wazuh-dashboard/certs/
From a293c3353ac72e0663e92ab00ea6282352c56b5c Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:58:00 +0100
Subject: [PATCH 34/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/wazuh/wazuh-indexer/meta/main.yml b/roles/wazuh/wazuh-indexer/meta/main.yml
index eed34479..1b9648a6 100644
--- a/roles/wazuh/wazuh-indexer/meta/main.yml
+++ b/roles/wazuh/wazuh-indexer/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 galaxy_info:
   author: Wazuh
-  description: Installing and maintaining Opensearch server.
+  description: Installing and maintaining Wazuh indexer.
   company: wazuh.com
   license: license (GPLv3)
   min_ansible_version: 2.0
From 8807df5e64a3e0329b2540b12ab45f088d307b05 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 15:59:30 +0100
Subject: [PATCH 35/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/tasks/Debian.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml
index c640be34..7e67fb2f 100644
--- a/roles/wazuh/wazuh-indexer/tasks/Debian.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/Debian.yml
@@ -8,8 +8,8 @@
 - name: Debian 9 (Stretch)
   when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9")
   block:
-    - name: Install Wazuh-Indexer dependencies
+
+    - name: Install Wazuh indexer dependencies
       apt:
         name: [ 'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common
@@ -20,7 +20,7 @@
       ansible.builtin.apt_key:
         keyserver: keyserver.ubuntu.com
         id: 648ACFD622F3D138
-
+
     - name: Add openjdk repository
       apt_repository:
         repo: "{{ package_repos.apt.openjdk.baseurl }}"
@@ -35,24 +35,23 @@
       environment:
         JAVA_HOME: /usr
 
-- name: Add Wazuh-Indexer repository
+- name: Add Wazuh indexer repository
   block:
     - name: Add apt repository signing key
       apt_key:
         url: "{{ package_repos.apt.indexer.gpg }}"
         state: present
 
-    - name: Add Indexer repository
+    - name: Add Wazuh indexer repository
       apt_repository:
         repo: "{{ package_repos.apt.indexer.baseurl }}"
         state: present
         filename: 'wazuh-indexer'
         update_cache: yes
 
-- name: Install Wazuh-Indexer
-## the indexer package should be installed instead
+- name: Install Wazuh indexer
   apt:
     name: wazuh-indexer={{ indexer_version }}-1
     state: present
   register: install
-  tags: install
\ No newline at end of file
+  tags: install
\ No newline at end of file
From 631e9be49d142180e4c337e1dbe14bf266c5dc38 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:00:22 +0100
Subject: [PATCH 36/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
index d76bd148..d4e79892 100644
--- a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
@@ -1,5 +1,5 @@
 ---
-- name: RedHat/CentOS/Fedora | Remove Wazuh-Indexer repository (and clean up left-over metadata)
+- name: RedHat/CentOS/Fedora | Remove Wazuh indexer repository (and clean up left-over metadata)
   yum_repository:
     name: wazuh_repo
     state: absent
From 49143dfdc6711a51cfef5615a8fc166683e67804 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:01:17 +0100
Subject: [PATCH 37/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/tasks/RedHat.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml
index 4aa31848..4bb1ca05 100644
--- a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml
@@ -1,7 +1,7 @@
 ---
 - block:
-    - name: RedHat/CentOS/Fedora | Add Wazuh-Indexer repo
+    - name: RedHat/CentOS/Fedora | Add Wazuh indexer repo
       yum_repository:
         file: wazuh
         name: wazuh_repo
@@ -51,7 +51,7 @@
           - wget
           - unzip
 
-    - name: Install Wazuh-Indexer
+    - name: Install Wazuh indexer
       package:
         name: wazuh-indexer-{{ indexer_version }}
         state: present
From dc6a5c38b199530708420016595f4ad4e64422e7 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:09:38 +0100
Subject: [PATCH 38/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/tasks/main.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml
index 7874fd64..dc19821e 100644
--- a/roles/wazuh/wazuh-indexer/tasks/main.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/main.yml
@@ -44,7 +44,7 @@
         - security
 
-    - name: Configure Wazuh-Indexer JVM memmory.
+    - name: Configure Wazuh indexer JVM memmory.
       template:
         src: "templates/jvm.options.j2"
         dest: "{{ indexer_conf_path }}/jvm.options"
@@ -66,7 +66,7 @@
       notify: restart wazuh-indexer
       tags: install
 
-    - name: Ensure extra time for Wazuh-Indexer to start on reboots
+    - name: Ensure extra time for Wazuh indexer to start on reboots
       lineinfile:
         path: /usr/lib/systemd/system/wazuh-indexer.service
         regexp: '^TimeoutStartSec='
@@ -81,18 +81,18 @@
       register: files_to_delete
 
     - name: Remove Index Files
-      file:
+      file:
         path: "{{ item.path }}"
         state: absent
       with_items: "{{ files_to_delete.files }}"
 
-    - name: Ensure Wazuh-Indexer started and enabled
+    - name: Ensure Wazuh indexer started and enabled
       service:
         name: wazuh-indexer
         enabled: true
         state: started
 
-    - name: Wait for Wazuh-Indexer API
+    - name: Wait for Wazuh indexer API
       uri:
         url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/"
         user: "admin" # Default Indexer user is always "admin"
@@ -111,7 +111,7 @@
       when:
         - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip']
 
-    - name: Wait for Wazuh-Indexer API (Private IP)
+    - name: Wait for Wazuh indexer API (Private IP)
       uri:
         url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/"
         user: "admin" # Default Indexer user is always "admin"
From 2b2c05c695f406bb64fab32be11844ac291e7450 Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:10:58 +0100
Subject: [PATCH 39/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/tasks/security_actions.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml
index 29d9fc09..3055ec0a 100644
--- a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml
@@ -20,7 +20,7 @@
     - hostvars[inventory_hostname]['private_ip'] is not defined
 
-- name: Copy the node & admin certificates to Wazuh-Indexer cluster
+- name: Copy the node & admin certificates to Wazuh indexer cluster
   copy:
     src: "{{ local_certs_path }}/certs/{{ item }}"
     dest: "{{ indexer_conf_path }}/certs/"
@@ -34,7 +34,7 @@
     - admin-key.pem
     - admin.pem
 
-- name: Restart Wazuh-Indexer with security configuration
+- name: Restart Wazuh indexer with security configuration
   systemd:
     name: wazuh-indexer
     state: restarted
@@ -77,7 +77,7 @@
     indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}"
   run_once: true
 
-- name: Initialize the Opensearch security index in Wazuh-Indexer
+- name: Initialize the Opensearch security index in Wazuh indexer
   command: >
     sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }}
     JAVA_HOME=/usr/share/wazuh-indexer/jdk
From 7cf9f230b6f446cd8794d798048988007262532c Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:12:12 +0100
Subject: [PATCH 40/41] Fix indexer name format

---
 roles/wazuh/wazuh-indexer/templates/config.yml.j2 | 2 --
 1 file changed, 2 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/templates/config.yml.j2 b/roles/wazuh/wazuh-indexer/templates/config.yml.j2
index 1de66900..8b1babf1 100644
--- a/roles/wazuh/wazuh-indexer/templates/config.yml.j2
+++ b/roles/wazuh/wazuh-indexer/templates/config.yml.j2
@@ -1,7 +1,6 @@
 nodes:
   # Elasticsearch server nodes
   elasticsearch:
-## 732 this will change to indexer:
 {% for (key,value) in instances.items() %}
 {% if (value.role is defined and value.role == 'indexer') %}
     name: {{ value.name }}
@@ -26,7 +25,6 @@ nodes:
 
   # Kibana node
   kibana:
-## 732 this will change to dashboard:
 {% for (key,value) in instances.items() %}
 {% if (value.role is defined and value.role == 'dashboard') %}
     name: {{ value.name }}
From 7985e973d9b8137fab05ded48de4ea85d53121ff Mon Sep 17 00:00:00 2001
From: Alberto R
Date: Fri, 4 Mar 2022 16:13:49 +0100
Subject: [PATCH 41/41] Removed disable log4j

---
 roles/wazuh/wazuh-indexer/tasks/main.yml | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml
index dc19821e..03316b38 100644
--- a/roles/wazuh/wazuh-indexer/tasks/main.yml
+++ b/roles/wazuh/wazuh-indexer/tasks/main.yml
@@ -55,17 +55,6 @@
       notify: restart wazuh-indexer
       tags: install
 
-    - name: Configure disabled log4j.
-      template:
-        src: "templates/disabledlog4j.options.j2"
-        dest: "{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options"
-        owner: root
-        group: wazuh-indexer
-        mode: 2750
-        force: yes
-      notify: restart wazuh-indexer
-      tags: install
-
     - name: Ensure extra time for Wazuh indexer to start on reboots
       lineinfile:
         path: /usr/lib/systemd/system/wazuh-indexer.service
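Review bot: Dropping the `Configure disabled log4j.` task does not remove `{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options` from hosts provisioned by earlier runs, so after this change a cluster can have some nodes still carrying that JVM drop-in and freshly built nodes without it, which makes JVM options differ per node and hides which ones ever had the override. The template `templates/disabledlog4j.options.j2` is also left in the role with no task rendering it (it is still renamed into place earlier in this series), so either delete it or keep a task that manages the file. I would replace the deleted task with a `file:` task setting that drop-in to `state: absent`, keep `notify: restart wazuh-indexer` so the running JVM actually picks up the removal, and state in the commit message why the override is no longer needed (presumably the pinned `indexer_version` ships a log4j that no longer needs it — worth confirming, since the subject line gives no reason). The block of tasks this hunk belongs to begins before the hunk.
```yaml
      # … unchanged: "Configure Wazuh indexer JVM memmory." task above …

    - name: Remove superseded disabledlog4j JVM drop-in from earlier runs
      file:
        path: "{{ indexer_conf_path }}/jvm.options.d/disabledlog4j.options"
        state: absent
      notify: restart wazuh-indexer
      tags: install

      # … unchanged: "Ensure extra time for Wazuh indexer to start on reboots" task …
```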