Merge pull request #537 from wazuh/release-4.0.4

Release 4.0.4

CHANGELOG.md

@@ -1,6 +1,30 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v4.0.4]
+
+### Added
+
+- Update to [Wazuh v4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
+
+- Support for new Wazuh API config options.
+
+- Add localfile labels to agent ossec.conf template ([@dragospe](https://github.com/dragospe)) [PR#521](https://github.com/wazuh/wazuh-ansible/pull/521)
+
+### Changed
+
+- Please notice that default Kibana user in role defaults changed from `kibanaserver` to `admin`. See listed PRs below for details.
+
+### Fixed
+
+- `create_user.py` generates invalid passwords ([@singuliere](https://github.com/singuliere)) [PR#519](https://github.com/wazuh/wazuh-ansible/pull/519)
+- Fix invalid Jinja2 syntax in centralized configuration template ([@kravietz](https://github.com/kravietz)) [PR#528](https://github.com/wazuh/wazuh-ansible/pull/528)
+- Replace default user for `opendistro-kibana` role ([@zenidd](https://github.com/zenidd)) [PR#529](https://github.com/wazuh/wazuh-ansible/pull/529)
+- Remove legacy declarations of `od_node_name` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei), [@dragospe](https://github.com/dragospe))  [PR#530](https://github.com/wazuh/wazuh-ansible/pull/530)
+- Add missing variable `elasticsearch_node_master` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#534](https://github.com/wazuh/wazuh-ansible/pull/534)
+- Add missing variable `elasticsearch_network_host` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#540](https://github.com/wazuh/wazuh-ansible/pull/540)
+
+
 ## [v4.0.3]
 
 ### Added

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2020 Wazuh, Inc.
+ Portions Copyright (C) 2021 Wazuh, Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -15,7 +15,7 @@ These playbooks install and configure Wazuh agent, manager and Elastic Stack.
 
 | Wazuh version | Elastic | ODFE   |
 |---------------|---------|--------|
-| v4.0.3        | 7.9.3   | 1.11.0 |
+| v4.0.4        | 7.9.3   | 1.11.0 |
 
 ## Documentation
 
@@ -357,7 +357,7 @@ https://github.com/dj-wasabi/ansible-ossec-server
 ## License and copyright
 
 WAZUH
-Copyright (C) 2016-2020 Wazuh Inc.  (License GPLv2)
+Copyright (C) 2016-2021 Wazuh Inc.  (License GPLv2)
 
 ## Web references
 

molecule/default/tests/test_default.py

@@ -8,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 def get_wazuh_version():
     """This return the version of Wazuh."""
-    return "4.0.1"
+    return "4.0.4"
 
 
 def test_wazuh_packages_are_installed(host):

molecule/distributed-wazuh-elk-xpack/group_vars/all.yml

@@ -18,11 +18,11 @@ elastic_stack_version: 7.9.3
 filebeat_version: 7.9.3
 
 # Debian packages need the ${VERSION}-1
-wazuh_manager_version: 4.0.3-1
-wazuh_agent_version: 4.0.3-1
+wazuh_manager_version: 4.0.4-1
+wazuh_agent_version: 4.0.4-1
 
 # Kibana role appends it automatically.
-wazuh_version: 4.0.3
+wazuh_version: 4.0.4
 
 
 ########################################################

molecule/distributed-wazuh-elk-xpack/tests/test_default.py

@@ -8,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 def get_wazuh_version():
     """This return the version of Wazuh."""
-    return "4.0.1"
+    return "4.0.4"
 
 
 def test_wazuh_packages_are_installed(host):

molecule/distributed-wazuh-elk/group_vars/all.yml

@@ -16,8 +16,8 @@ elastic_stack_version: 7.9.3
 filebeat_version: 7.9.3
 
 # Debian packages need the ${VERSION}-1
-wazuh_manager_version: 4.0.3-1
-wazuh_agent_version: 4.0.3-1
+wazuh_manager_version: 4.0.4-1
+wazuh_agent_version: 4.0.4-1
 
 # Kibana role appends it automatically.
-wazuh_version: 4.0.3
+wazuh_version: 4.0.4

molecule/distributed-wazuh-elk/tests/test_default.py

@@ -8,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 def get_wazuh_version():
     """This return the version of Wazuh."""
-    return "4.0.1"
+    return "4.0.4"
 
 
 def test_wazuh_packages_are_installed(host):

molecule/distributed-wazuh-odfe/group_vars/all.yml

@@ -40,8 +40,8 @@ filebeat_version: 7.9.1
 kibana_opendistro_version: -1.11.0-1
 
 # Debian packages need the ${VERSION}-1
-wazuh_manager_version: 4.0.3-1
-wazuh_agent_version: 4.0.3-1
+wazuh_manager_version: 4.0.4-1
+wazuh_agent_version: 4.0.4-1
 
 # Kibana role appends it automatically.
-wazuh_version: 4.0.3
+wazuh_version: 4.0.4

molecule/distributed-wazuh-odfe/tests/test_default.py

@@ -8,7 +8,7 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
 def get_wazuh_version():
     """This return the version of Wazuh."""
-    return "4.0.1"
+    return "4.0.4"
 
 
 def test_wazuh_packages_are_installed(host):

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "wazuh-ansible"
-version = "4.0.2"
+version = "4.0.4"
 description = ""
 authors = ["neonmei <neonmei@pm.me>"]
 

roles/elastic-stack/ansible-elasticsearch/README.md

@@ -12,7 +12,7 @@ This role will work on:
  * Fedora
  * Debian
  * Ubuntu
- 
+
 For the elasticsearch role with XPack security the `unzip` command must be available on the Ansible master.
 
 Role Variables
@@ -134,7 +134,7 @@ It is possible to define users directly on the playbook, these must be defined o
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/elastic-stack/ansible-kibana/README.md

@@ -37,7 +37,7 @@ Example Playbook
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -7,7 +7,7 @@ kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 kibana_conf_path: /etc/kibana
 elastic_stack_version: 7.9.3
-wazuh_version: 4.0.3
+wazuh_version: 4.0.4
 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
 
 elasticrepo:

roles/opendistro/opendistro-elasticsearch/defaults/main.yml

@@ -5,8 +5,12 @@ opendistro_version: 1.11.0
 single_node: false
 elasticsearch_node_name: node-1
 opendistro_cluster_name: wazuh
+elasticsearch_network_host: '0.0.0.0'
+
+elasticsearch_node_master: true
 elasticsearch_node_data: true
 elasticsearch_node_ingest: true
+
 elasticsearch_lower_disk_requirements: false
 elasticsearch_cluster_nodes:
   - 127.0.0.1

roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml

@@ -8,27 +8,6 @@
     - "{{ opendistro_conf_path }}/esnode.pem"
     - "{{ opendistro_conf_path }}/esnode-key.pem"
 
-
-- name: Configure node name
-  block:
-    - name: Setting node name (Elasticsearch)
-      set_fact:
-        od_node_name: "{{ elasticsearch_node_name }}"
-      when:
-        elasticsearch_node_name is defined and kibana_node_name is not defined
-
-    - name: Setting node name (Kibana)
-      set_fact:
-        od_node_name: "{{ kibana_node_name }}"
-      when:
-        kibana_node_name is defined
-
-    - name: Setting node name (Filebeat)
-      set_fact:
-        od_node_name: "{{ kibana_node_name }}"
-      when:
-        filebeat_node_name is defined
-
 - name: Configure IP (Private address)
   set_fact:
     target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
@@ -50,11 +29,11 @@
   with_items:
     - root-ca.pem
     - root-ca.key
-    - "{{ od_node_name }}.key"
-    - "{{ od_node_name }}.pem"
-    - "{{ od_node_name }}_http.key"
-    - "{{ od_node_name }}_http.pem"
-    - "{{ od_node_name }}_elasticsearch_config_snippet.yml"
+    - "{{ elasticsearch_node_name }}.key"
+    - "{{ elasticsearch_node_name }}.pem"
+    - "{{ elasticsearch_node_name }}_http.key"
+    - "{{ elasticsearch_node_name }}_http.pem"
+    - "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml"
     - admin.key
     - admin.pem
 
@@ -65,7 +44,7 @@
     insertafter: EOF
     marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
   vars:
-    snippet_path: '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml'
+    snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml'
 
 - name: Prepare the OpenDistro security configuration file
   replace:

roles/opendistro/opendistro-kibana/defaults/main.yml

@@ -10,7 +10,7 @@ kibana_server_port: "5601"
 kibana_server_name: "kibana"
 kibana_max_payload_bytes: 1048576
 elastic_stack_version: 7.9.1
-wazuh_version: 4.0.3
+wazuh_version: 4.0.4
 wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
 
 # The OpenDistro package repository
@@ -41,7 +41,7 @@ kibana_telemetry_optin: "false"
 kibana_telemetry_enabled: "false"
 
 opendistro_admin_password: changeme
-opendistro_kibana_user: kibanaserver
+opendistro_kibana_user: admin
 opendistro_kibana_password: changeme
 local_certs_path: "{{ playbook_dir }}/opendistro/certificates"
 

roles/wazuh/ansible-filebeat-oss/README.md

@@ -27,7 +27,7 @@ Available variables are listed below, along with default values (see `defaults/m
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/wazuh/ansible-filebeat-oss/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 filebeat_version: 7.9.1
 
-wazuh_template_branch: v4.0.3
+wazuh_template_branch: v4.0.4
 
 filebeat_output_elasticsearch_hosts:
   - "localhost:9200"

roles/wazuh/ansible-filebeat/README.md

@@ -27,7 +27,7 @@ Available variables are listed below, along with default values (see `defaults/m
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from geerlingguy
 

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 filebeat_version: 7.9.3
 
-wazuh_template_branch: v4.0.3
+wazuh_template_branch: v4.0.4
 
 filebeat_create_config: true
 

roles/wazuh/ansible-wazuh-agent/README.md

@@ -47,7 +47,7 @@ The following is an example of how this role can be used:
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from dj-wasabi
 

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-wazuh_agent_version: 4.0.3-1
+wazuh_agent_version: 4.0.4-1
 
 
 # Custom packages installation
@@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
 
 wazuh_agent_sources_installation:
   enabled: false
-  branch: "v4.0.3"
+  branch: "v4.0.4"
   user_language: "y"
   user_no_stop: "y"
   user_install_type: "agent"
@@ -55,8 +55,8 @@ wazuh_winagent_config:
   auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
   check_md5: True
   md5: ac2a7f83cab1f8e217083965de7b0c84
-wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.3-1.msi
-wazuh_winagent_package_name: wazuh-agent-4.0.3-1.msi
+wazuh_winagent_config_url: https://packages.wazuh.com/4.x/windows/wazuh-agent-4.0.4-1.msi
+wazuh_winagent_package_name: wazuh-agent-4.0.4-1.msi
 
 wazuh_agent_repo:
   apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'

roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -353,6 +353,11 @@
     {% endif %}
   {% else %}
     <location>{{ localfile.location }}</location>
+    {% if localfile.format == 'json' %}
+    {% for label in localfile.label %}
+    <label key="{{ label.key }}">{{ label.value }}</label>
+    {% endfor %}
+    {% endif %}
     {% endif %}
   </localfile>
   {% endfor %}
@@ -371,6 +376,11 @@
       {% endif %}
   {% else %}
       <location>{{ localfile.location }}</location>
+      {% if localfile.format == 'json' %}
+      {% for label in localfile.label %}
+      <label key="{{ label.key }}">{{ label.value }}</label>
+      {% endfor %}
+      {% endif %}
   {% endif %}
   </localfile>
   {% endfor %}
@@ -389,6 +399,11 @@
       {% endif %}
     {% else %}
       <location>{{ localfile.location }}</location>
+      {% if localfile.format == 'json' %}
+      {% for label in localfile.label %}
+      <label key="{{ label.key }}">{{ label.value }}</label>
+      {% endfor %}
+      {% endif %}
   {% endif %}
   </localfile>
   {% endfor %}
@@ -404,6 +419,11 @@
       <query>{{ localfile.query}}</query>
   {% else %}
       <location>{{ localfile.location }}</location>
+      {% if localfile.format == 'json' %}
+      {% for label in localfile.label %}
+      <label key="{{ label.key }}">{{ label.value }}</label>
+      {% endfor %}
+      {% endif %}
   {% endif %}
   </localfile>
   {% endfor %}

roles/wazuh/ansible-wazuh-manager/README.md

@@ -218,7 +218,7 @@ Including an example of how to use your role (for instance, with variables passe
 License and copyright
 ---------------------
 
-WAZUH Copyright (C) 2020 Wazuh Inc. (License GPLv3)
+WAZUH Copyright (C) 2021 Wazuh Inc. (License GPLv3)
 
 ### Based on previous work from dj-wasabi
 

roles/wazuh/ansible-wazuh-manager/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-wazuh_manager_version: 4.0.3-1
+wazuh_manager_version: 4.0.4-1
 
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
@@ -12,7 +12,7 @@ wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazon
 # Sources installation
 wazuh_manager_sources_installation:
   enabled: false
-  branch: "v4.0.3"
+  branch: "v4.0.4"
   user_language: "en"
   user_no_stop: "y"
   user_install_type: "server"
@@ -395,6 +395,7 @@ wazuh_manager_api:
   https_cert: "api/configuration/ssl/server.crt"
   https_use_ca: False
   https_ca: "api/configuration/ssl/ca.crt"
+  https_ssl_cipher: "TLSv1.2"
   logging_level: "info"
   logging_path: "logs/api.log"
   cors: no
@@ -410,7 +411,10 @@ wazuh_manager_api:
   use_only_authd: no
   drop_privileges: yes
   experimental_features: no
-
+  remote_commands_localfile: yes
+  remote_commands_localfile_exceptions: []
+  remote_commands_wodle: yes
+  remote_commands_wodle_exceptions: []
 # wazuh_api_users:
 #   - username: custom-user
 #     password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)

roles/wazuh/ansible-wazuh-manager/files/create_user.py

@@ -69,13 +69,20 @@ if __name__ == "__main__":
     # set a random password for all other users
     for name, id in initial_users.items():
         if name != username:
+            specials = "@$!%*?&-_"
             random_pass = "".join(
+                [
+                    random.choice(string.ascii_uppercase),
+                    random.choice(string.ascii_lowercase),
+                    random.choice(string.digits),
+                    random.choice(specials),
+                ] +
                 random.choices(
                     string.ascii_uppercase
                     + string.ascii_lowercase
                     + string.digits
-                    + "@$!%*?&-_",
-                    k=16,
+                    + specials,
+                    k=14,
                 )
             )
             update_user(

roles/wazuh/ansible-wazuh-manager/templates/api.yaml.j2

@@ -14,7 +14,7 @@
   cert: "{{ wazuh_manager_config.api.https_cert }}"
   use_ca: {{ wazuh_manager_config.api.https_use_ca }}
   ca: "{{ wazuh_manager_config.api.https_ca }}"
-
+  ssl_cipher: "{{ wazuh_manager_config.api.https_ssl_cipher }}"
 # Logging configuration
 # Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
  logs:
@@ -41,4 +41,13 @@
 # Drop privileges (Run as ossec user)
  drop_privileges: {{ wazuh_manager_config.api.drop_privileges }}
 # Enable features under development
- experimental_features: {{ wazuh_manager_config.api.experimental_features }}
+ experimental_features: {{ wazuh_manager_config.api.experimental_features }}
+
+# Enable remote commands
+ remote_commands:
+   localfile:
+     enabled: {{ wazuh_manager_config.api.remote_commands_localfile }}
+     exceptions: {{ wazuh_manager_config.api.remote_commands_localfile_exceptions }}
+   wodle_command:
+     enabled: {{ wazuh_manager_config.api.remote_commands_wodle }}
+     exceptions: {{ wazuh_manager_config.api.remote_commands_wodle_exceptions }}

roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2

@@ -66,8 +66,8 @@
        {% endif %}
        {% endif %}
        {% if localfile.format == 'json' and localfile.labels is defined %}
-       {% for key, value in localfile.labels.items() %}
-       <label key="{{ key }}">{{ value }}</label>
+       {% for item in localfile.labels %}
+       <label key="{{ item.key }}">{{ item.value }}</label>
        {% endfor %}
        {% endif %}
        {% if localfile.target is defined %}
@@ -93,7 +93,7 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>{{ agent_config.rootcheck.frequency }}</frequency>
 
-    {% if agent_config.rootcheck.cis_distribution_filename is not none %}
+    {% if agent_config.rootcheck.cis_distribution_filename is defined %}
     <system_audit>/var/ossec/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
     {% endif %}
     <skip_nfs>yes</skip_nfs>