From c1c8165c680ce202aada3c4715b2ca8f271ded82 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 10:00:30 +0200 Subject: [PATCH 01/43] Add instances var to wazuh-opendistro.yml --- playbooks/wazuh-opendistro.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index 271dfa5b..63b54eb2 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml @@ -2,3 +2,16 @@ - hosts: es_cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch + + vars: + instances: # A certificate will be generated for every node using the name as CN. + node1: + name: node-1 + ip: + node2: + name: node-2 + ip: + node3: + name: node-3 + ip: + From 7642d7feb51a3ab1be7cf2c369dbf17a70d7b7a0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 10:00:52 +0200 Subject: [PATCH 02/43] Make local_certs_path relative to playbook path --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index aa683033..19e260a2 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -55,4 +55,4 @@ opendistro_kibana_password: changeme single_node: true opendistro_cluster_name: wazuh -local_certs_path: /tmp/opendistro-nodecerts \ No newline at end of file +local_certs_path: ../opendistro/certificates \ No newline at end of file From acc248f5d0dd108f223757696543bd07a83b68b1 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 10:01:15 +0200 Subject: [PATCH 03/43] Change tlsconfig.yml.j2 to render the template using the instances var --- .../templates/tlsconfig.yml.j2 | 26 +++++-------------- 1 file changed, 6 insertions(+), 20 deletions(-) 
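Review bot: The three `ip:` entries under `instances` are left bare, which YAML loads as null rather than as an empty string, so a consumer that applies string filters to `value.ip` (the tlsconfig template in this series tests `value.ip | length`) will raise instead of skipping the node. Write them as `ip: ""` and say in the comment that the value has to be filled in before the certificates are generated. Declaring the node list as play `vars` also means every Elasticsearch, Kibana and manager host that needs a certificate must be listed here by hand; the comment should say so.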
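Review bot: `local_certs_path: ../opendistro/certificates` moves the generated material into the working tree, and the security tasks in this series copy `root-ca.key` and `admin.key` from `{{ local_certs_path }}/certs/`, so the CA signing key and the admin client key will now live inside the checkout, one `git add` away from being committed. Add the directory to `.gitignore` (or document that it must never be committed) and make sure the generator writes the `.key` files mode `0600`. As far as I know a relative path is resolved differently by `copy: src` (role `files/` first, then the playbook directory) and by `lookup('file', …)` (playbook directory), and this role uses the variable with both, so confirm they land on the same directory when run from `playbooks/`.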
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index 0f7671e2..67ab5470 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 @@ -24,28 +24,14 @@ defaults: # Specify the nodes of your ES cluster here # nodes: -{% for item in groups['es_cluster'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} -{% endfor %} -{% if groups['kibana'] is defined and groups['kibana']|length > 0 %} -{% for item in groups['kibana'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} -{% endfor %} +{% for (key,value) in instances.items() %} +{% if (value.ip is defined and value.ip | length > 0) %} + - name: {{ value.name }} + dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ value.name }}.{{ domain_name }} + ip: {{ value.ip }} {% endif %} -{% if groups['managers'] is defined and groups['managers']|length > 0 %} -{% for item in groups['managers'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} {% endfor %} -{% endif %} ### ### Clients ### From 4c0d16c304b587cd65e432c1231fa567b3c6da99 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 11:22:00 +0200 Subject: [PATCH 04/43] Change variables in Opendistro Elasticsearch configuration file --- .../templates/elasticsearch.yml.j2 | 35 ++++++++++++++----- 1 file changed, 26 insertions(+), 9 deletions(-) 
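Review bot: The guard `value.ip is defined and value.ip | length > 0` raises on a node whose `ip:` is left empty — `is defined` is true for a key that is present with a null value, and Jinja's `length` filter cannot be applied to `None` — which is exactly how the playbook in this series declares `instances`. Use `{% if value.ip | default('', true) | length > 0 %}`; the second argument to `default` makes it cover null as well as undefined, so nodes without an address are skipped as intended. The `kibana` and `managers` inventory groups are no longer enumerated, so every host that later expects a `<name>_http.pem` (Kibana's `server.ssl.certificate` in this series uses `{{ kibana_node_name }}_http.pem`) must now appear in `instances` under exactly that `name`; a one-line comment above the loop stating that would prevent a confusing missing-file failure at copy time.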
diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 58a8ece2..2049387f 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -1,18 +1,35 @@ -cluster.name: "{{ opendistro_cluster_name }}" - -node.name: "{{ inventory_hostname }}" - +cluster.name: {{ elasticsearch_cluster_name }} +node.name: {{ elasticsearch_node_name }} path.data: /var/lib/elasticsearch - path.logs: /var/log/elasticsearch +bootstrap.memory_lock: true +network.host: {{ elasticsearch_network_host }} -network.host: "{{ hostvars[inventory_hostname]['ip'] }}" +node.master: {{ elasticsearch_node_master|lower }} -http.port: "{{ opendistro_http_port }}" +cluster.initial_master_nodes: +{% for item in elasticsearch_cluster_nodes %} + - {{ item }} -discovery.seed_hosts: ["{{ es_nodes }}"] +discovery.seed_hosts: +{% for item in elasticsearch_discovery_nodes %} + - {{ item }} -cluster.initial_master_nodes: ["{{ es_nodes }}"] +{% if elasticsearch_node_data|lower == 'false' %} +node.data: false +{% endif %} + +{% if elasticsearch_node_ingest|lower == 'false' %} +node.ingest: false +{% endif %} + + +{% if elasticsearch_lower_disk_requirements %} +cluster.routing.allocation.disk.threshold_enabled: true +cluster.routing.allocation.disk.watermark.flood_stage: 200mb +cluster.routing.allocation.disk.watermark.low: 500mb +cluster.routing.allocation.disk.watermark.high: 300mb +{% endif %} discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" opendistro_security.allow_default_init_securityindex: true From 9aa083ff2e3b1c26a1acff4db1706cbae6a4152e Mon Sep 17 00:00:00 2001 
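Review bot: Neither `{% for %}` loop under `cluster.initial_master_nodes` and `discovery.seed_hosts` is closed with `{% endfor %}`, so this template cannot render; a later patch in this series adds them, but the hunk is broken as committed. Separately, `http.port` is dropped while `opendistro_http_port` stays in the defaults and the Kibana template builds `elasticsearch.hosts` from a differently named `elasticsearch_http_port`, so a non-default port now has two variables and no consumer on the Elasticsearch side. `discovery.zen.minimum_master_nodes` is kept next to the 7.x `cluster.initial_master_nodes`; with `es_version: "7.3.2"` in the defaults Elasticsearch ignores the zen setting, so either drop it or mark it `# legacy, ignored on 7.x`. The new `network.host: {{ elasticsearch_network_host }}` is unquoted, unlike the line it replaces; quote templated scalars so an empty expansion becomes `""` rather than null.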
From: Jose M Date: Wed, 24 Jun 2020 15:48:10 +0200 Subject: [PATCH 05/43] Update opendistro_kibana.yml.j2 template --- .../templates/opendistro_kibana.yml.j2 | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index 40dd9d6c..3c57d73d 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 
@@ -10,27 +10,24 @@ server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} + elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.username: {{ opendistro_kibana_user }} +elasticsearch.password: {{ opendistro_kibana_password }} +elasticsearch.ssl.verificationMode: certificate +server.ssl.enabled: true +server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" +server.ssl.key: "/usr/share/kibana//{{ kibana_node_name }}_http.key" + {% else %} elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" {% endif %} -elasticsearch.username: {{ opendistro_kibana_user }} -elasticsearch.password: {{ opendistro_kibana_password }} -elasticsearch.ssl.verificationMode: none - elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13 opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] opendistro_security.readonly_mode.roles: ["kibana_read_only"] -# OpenDistro Security -{% if kibana_opendistro_security %} -server.ssl.enabled: true -server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem" -server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key" -{% endif %} - newsfeed.enabled: {{ kibana_newsfeed_enabled }} telemetry.optIn: {{ kibana_telemetry_optin }} telemetry.enabled: {{ kibana_telemetry_enabled }} From 10f3d22464c815fa452e67f1c409abc778bd454e Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:17:07 +0200 Subject: [PATCH 06/43] Install amazon-linux-extras before OpenJDK on Amazon Linux hosts --- .../opendistro-elasticsearch/tasks/RedHat.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index f018c9f7..85bacf0c 100644 
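Review bot: `elasticsearch.ssl.verificationMode: certificate` is the right direction, but the hunk adds no `elasticsearch.ssl.certificateAuthorities`, so Kibana will try to validate the node certificate against its default trust store; the cluster certificates are issued by the role's own `root-ca.pem`, so that validation fails and Kibana never connects. Add `elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]` (wherever the role delivers the CA on the Kibana host) and make sure the copy task ships it alongside the `_http` pair. `server.ssl.key: "/usr/share/kibana//{{ kibana_node_name }}_http.key"` carries the doubled slash over from the old block; harmless, but worth fixing while the line is being rewritten. Since `elasticsearch.password` is written in clear text, the task that renders this template should set `mode: "0640"` with the kibana user as owner — that task is outside this hunk, so please confirm.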
--- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -25,6 +25,22 @@ yum: name: java-11-openjdk-devel state: present + when: + - ansible_distribution != 'Amazon' + + - name: Amazon Linux | Install OpenJDK 11 + block: + - name: Install Amazon extras + yum: + name: amazon-linux-extras + state: present + + - name: Install OpenJDK 11 + yum: + name: java-openjdk11 + state: present + when: + - ansible_distribution == 'Amazon' - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: From f355044a516dd8851838b650a7f3badbc7026221 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:38:08 +0200 Subject: [PATCH 07/43] Update openjdk install task for Amazon Linux hosts --- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 85bacf0c..0b109027 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml @@ -35,10 +35,9 @@ name: amazon-linux-extras state: present + - name: Install OpenJDK 11 - yum: - name: java-openjdk11 - state: present + shell: amazon-linux-extras install java-openjdk11 -y when: - ansible_distribution == 'Amazon' From ab601a52f3ceac2a0b2bc3ef5cccb054030b44b4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:38:20 +0200 Subject: [PATCH 08/43] Format fixes --- roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index 0b109027..402cf3c3 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
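Review bot: `shell: amazon-linux-extras install java-openjdk11 -y` reruns on every play and always reports `changed`, because nothing tells Ansible whether the JDK was already present, and `shell` is not needed for a fixed argument list. Use `command:` with `creates: /usr/lib/jvm/java-11-openjdk` (or whichever path the package lays down — verify on an Amazon Linux 2 host) or a `changed_when` keyed on the output, so the task is idempotent. A short comment explaining why this host family bypasses `yum` like the other branches (presumably because `java-openjdk11` is only reachable through the extras topic) would help the next reader.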
@@ -35,9 +35,9 @@ name: amazon-linux-extras state: present - - name: Install OpenJDK 11 shell: amazon-linux-extras install java-openjdk11 -y + when: - ansible_distribution == 'Amazon' From abd9514f14449a6928f98ebf0eb072ba7b2984e4 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:41:14 +0200 Subject: [PATCH 09/43] Fix Opendistro elasticsearch.yml syntax error --- .../opendistro-elasticsearch/templates/elasticsearch.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 2049387f..4c150bf1 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -10,10 +10,12 @@ node.master: {{ elasticsearch_node_master|lower }} cluster.initial_master_nodes: {% for item in elasticsearch_cluster_nodes %} - {{ item }} +{% endfor %} discovery.seed_hosts: {% for item in elasticsearch_discovery_nodes %} - {{ item }} +{% endfor %} {% if elasticsearch_node_data|lower == 'false' %} node.data: false From f47d4b446f079304549408841b7fa5cf2d25a651 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:52:16 +0200 Subject: [PATCH 10/43] Add elasticsearch_node_data variable --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 19e260a2..c53eccaa 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -54,5 +54,6 @@ opendistro_kibana_password: changeme # Cluster Settings single_node: true opendistro_cluster_name: wazuh +elasticsearch_node_data: true local_certs_path: ../opendistro/certificates \ No newline at end of file 
From 0c9d77790e576d2bc7aae0b2c5c147d5fc9f7f0e Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 16:58:15 +0200 Subject: [PATCH 11/43] Add elasticsearch_ne_ingest var to defaults --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index c53eccaa..29f5d05a 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -55,5 +55,6 @@ opendistro_kibana_password: changeme single_node: true opendistro_cluster_name: wazuh elasticsearch_node_data: true +elasticsearch_node_ingest: true local_certs_path: ../opendistro/certificates \ No newline at end of file From f4942e58da1ccf50b108965f92d90a5d68d6f931 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 17:03:26 +0200 Subject: [PATCH 12/43] Add elasticsearch_lower_disk_requirements var --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 29f5d05a..344f0411 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -56,5 +56,6 @@ single_node: true opendistro_cluster_name: wazuh elasticsearch_node_data: true elasticsearch_node_ingest: true +elasticsearch_lower_disk_requirements: false local_certs_path: ../opendistro/certificates \ No newline at end of file From d4895f41c4e951fab532aacd5aeee6dc5c75c107 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 17:39:42 +0200 Subject: [PATCH 13/43] Make security_actions.yml work with different node names --- .../tasks/security_actions.yml | 36 +++++++++++++++---- 1 file changed, 29 insertions(+), 7 deletions(-) 
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index ea48874e..cceac0aa 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -9,6 +9,28 @@ - "{{ opendistro_conf_path }}/esnode.pem" - "{{ opendistro_conf_path }}/esnode-key.pem" + + - name: Configure node name + block: + - name: Setting node name (Elasticsearch) + set_fact: + od_node_name: elasticsearch_node_name + when: + elasticsearch_node_name is defined and kibana_node_name is not defined + + - name: Setting node name (Kibana) + set_fact: + od_node_name: kibana_node_name + when: + kibana_node_name is defined + + - name: Setting node name (Filebeat) + set_fact: + od_node_name: filebeat_node_name + when: + filebeat_node_name is defined + + - name: Copy the node & admin certificates to Elasticsearch cluster copy: src: "{{ local_certs_path }}/certs/{{ item }}" @@ -17,17 +39,17 @@ with_items: - root-ca.pem - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - "{{ od_node_name }}.key" + - "{{ od_node_name }}.pem" + - "{{ od_node_name }}_http.key" + - "{{ od_node_name }}_http.pem" + - "{{ od_node_name }}_elasticsearch_config_snippet.yml" - admin.key - admin.pem - name: Copy the OpenDistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" 
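Review bot: The three `set_fact` tasks that pick `od_node_name` are not mutually exclusive: the Elasticsearch branch is skipped when `kibana_node_name` is defined, but nothing excludes `filebeat_node_name`, so a host defining both an Elasticsearch and a Filebeat name ends with whichever task ran last. (The bare `od_node_name: elasticsearch_node_name` assignments, which store the variable name as a literal string, are fixed two patches later in the series.) A single task with an explicit precedence, `od_node_name: "{{ filebeat_node_name | default(kibana_node_name | default(elasticsearch_node_name)) }}"`, plus a comment stating that order, would replace the three conditionals. The outer `block:` these tasks sit in starts before this hunk.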
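Review bot: `root-ca.key` is still in the list of files copied to every Elasticsearch node, next to `admin.key`; the nodes only need `root-ca.pem` to validate peers, and `securityadmin.sh` needs `admin.pem`/`admin.key` only on the single node it is run from (`run_once`). Leaving the CA's signing key on each cluster member means anyone with file access to any node can mint certificates the whole cluster and Kibana trust — remove `root-ca.key` from `with_items`, keep it on the controller only, and restrict `admin.key` to the node that runs securityadmin. If the copy task sets a `mode`, it is outside the hunk; the `.key` files should be `0600` owned by the elasticsearch user.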
@@ -71,7 +93,7 @@ -key {{ opendistro_conf_path }}/admin.key -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} + -h {{ hostvars[od_node_name]['ip'] }} run_once: true tags: From ccbc8f5213603b17a3fdce8ff54fff5e16972d10 Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 17:48:20 +0200 Subject: [PATCH 14/43] Fix sintax on security_actions.yml --- .../opendistro-elasticsearch/tasks/security_actions.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index cceac0aa..5efc62fc 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -14,19 +14,19 @@ block: - name: Setting node name (Elasticsearch) set_fact: - od_node_name: elasticsearch_node_name + od_node_name: "{{ elasticsearch_node_name }}" when: elasticsearch_node_name is defined and kibana_node_name is not defined - name: Setting node name (Kibana) set_fact: - od_node_name: kibana_node_name + od_node_name: "{{ kibana_node_name }}" when: kibana_node_name is defined - name: Setting node name (Filebeat) set_fact: - od_node_name: filebeat_node_name + od_node_name: "{{ kibana_node_name }}" when: filebeat_node_name is defined From 2ec2cd39fa48d285fb89b83b4088802be7d6135f Mon Sep 17 00:00:00 2001 From: Jose M Date: Wed, 24 Jun 2020 18:40:01 +0200 Subject: [PATCH 15/43] Disable bootstrap memmory lock --- .../opendistro-elasticsearch/templates/elasticsearch.yml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 4c150bf1..fa98feea 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
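Review bot: The Filebeat branch sets `od_node_name: "{{ kibana_node_name }}"` — a copy of the Kibana line — so a host that defines only `filebeat_node_name` fails with an undefined-variable error on `kibana_node_name` and never picks up its own certificate; it should read `od_node_name: "{{ filebeat_node_name }}"`. The three `when` conditions are also not exclusive (a host defining both Kibana and Filebeat names ends with whichever task ran last), so consider a single `set_fact` with `{{ filebeat_node_name | default(kibana_node_name | default(elasticsearch_node_name)) }}` and a comment stating the precedence. The `Configure node name` block starts before this hunk.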
+++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 @@ -2,7 +2,6 @@ cluster.name: {{ elasticsearch_cluster_name }} node.name: {{ elasticsearch_node_name }} path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch -bootstrap.memory_lock: true network.host: {{ elasticsearch_network_host }} node.master: {{ elasticsearch_node_master|lower }} From 383d9beec106ffcf7134113c7d9e58f04918d57c Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 11:38:32 +0200 Subject: [PATCH 16/43] Reorganize ES Opendistro vars --- .../defaults/main.yml | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 344f0411..22bdd390 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -1,15 +1,22 @@ --- -# The OpenDistro version +# Cluster Settings +es_version: "7.3.2" +es_major_version: "7.x" + opendistro_version: 1.8.0 + elasticsearch_cluster_name: wazuh-cluster +single_node: true +opendistro_cluster_name: wazuh +elasticsearch_node_data: true +elasticsearch_node_ingest: true +elasticsearch_lower_disk_requirements: false + +local_certs_path: ../opendistro/certificates # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster minimum_master_nodes: 2 -# Elasticsearch version -es_version: "7.3.2" -es_major_version: "7.x" - # Configure hostnames for Elasticsearch nodes # Example es1.example.com, es2.example.com domain_name: wazuh.com 
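Review bot: Removing `bootstrap.memory_lock: true` lets the kernel swap the JVM heap, which costs latency and also lets index data end up in swap on disk; the usual fix when the bootstrap check fails is to keep the setting and raise `LimitMEMLOCK=infinity` in a systemd drop-in for the elasticsearch unit, not to drop it. The commit message gives no reason, so if this was a deliberate trade-off for small hosts, gate it on a variable — `bootstrap.memory_lock: {{ elasticsearch_memory_lock | default(true) | lower }}` — and document the trade-off in the defaults. If it was removed because the unit was not adjusted, the drop-in belongs in this series instead.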
@@ -34,12 +41,16 @@ es_nodes: |- # Security password opendistro_security_password: admin +opendistro_custom_user: "" +opendistro_cusom_user_role: "admin" + # Set JVM memory limits opendistro_jvm_xms: null opendistro_http_port: 9200 certs_gen_tool_version: 1.7 + # Url of Search Guard certificates generator tool certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" @@ -50,12 +61,4 @@ elasticrepo: key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' opendistro_admin_password: changeme -opendistro_kibana_password: changeme -# Cluster Settings -single_node: true -opendistro_cluster_name: wazuh -elasticsearch_node_data: true -elasticsearch_node_ingest: true -elasticsearch_lower_disk_requirements: false - -local_certs_path: ../opendistro/certificates \ No newline at end of file +opendistro_kibana_password: changeme \ No newline at end of file From d1a08c1a3fa9f80676468bcbab9f92f8fc6d8b0f Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 11:38:54 +0200 Subject: [PATCH 17/43] Change ip to inventory_hostname in Wait for ES API task --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 9df1e01c..8def6314 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -51,7 +51,7 @@ - name: Wait for Elasticsearch API uri: - url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/" + url: "https://{{ inventory_hostname }}:9200/_cluster/health/" user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" validate_certs: no From 9bedd8ad95d9ad8ff69e3bc251c9d094a7ad7d25 Mon Sep 17 00:00:00 2001 
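Review bot: The new default is spelled `opendistro_cusom_user_role`, but the custom-user task added later in this series references `opendistro_custom_user_role`, so as soon as `opendistro_custom_user` is set the play fails on an undefined variable; rename it to `opendistro_custom_user_role: "admin"`. Defaulting that role to `admin` also makes every user created through the role a full security admin; a least-privilege default (or no default, so the caller has to choose) is safer, and the variable deserves a comment saying which backend role it maps to. `opendistro_security_password: admin` is still shipped alongside `opendistro_admin_password: changeme`; it is not clear from the series which one is consumed, so the dead one should be removed and the live one marked as a value that must be overridden.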
From: Jose M Date: Thu, 25 Jun 2020 11:39:02 +0200 Subject: [PATCH 18/43] Add task to create a custom user --- .../tasks/security_actions.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 5efc62fc..46d70e84 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -96,6 +96,26 @@ -h {{ hostvars[od_node_name]['ip'] }} run_once: true + - name: Create custom user + uri: + url: "https://{{ inventory_hostname }}:9200/_cluster/health/" + method: PUT + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + body: | + { + "password": "{{ opendistro_admin_password }}", + "backend_roles": ["{{ opendistro_custom_user_role }}"], + } + } + body_format: json + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + when: + - opendistro_custom_user != "" + tags: - security when: install.changed \ No newline at end of file From 282e3959eb9d21f6f22f2ba64810e868f2fbab20 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 11:54:12 +0200 Subject: [PATCH 19/43] Fix h parameter in securityadmin.sh execution task --- .../opendistro-elasticsearch/tasks/security_actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 46d70e84..b12d9ee7 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml 
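Review bot: The new user is given `"password": "{{ opendistro_admin_password }}"`, so every account created through this role is a second login for the cluster admin's credential; add an `opendistro_custom_user_password` variable (with no default) and use it in the body. The task also needs `no_log: true` — `uri` prints the request body, password included, on any non-matching status and in verbose runs — and `status_code: 200,401` makes a wrong admin password look like success. The `_cluster/health/` URL, the unbalanced `}` in the JSON body and the variable-name typo are corrected by later patches in this series, so they are not repeated here. The enclosing `block:` with `when: install.changed` starts before this hunk.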
@@ -93,7 +93,7 @@ -key {{ opendistro_conf_path }}/admin.key -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl - -h {{ hostvars[od_node_name]['ip'] }} + -h {{ inventory_hostname }} run_once: true - name: Create custom user From 3c40f819395829c0de0195eabb0f381a9ce2e968 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 12:10:49 +0200 Subject: [PATCH 20/43] Add task to check API using private IP --- .../opendistro-elasticsearch/tasks/main.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 8def6314..f57afedb 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -63,6 +63,25 @@ retries: 24 delay: 5 tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is not defined + +- name: Wait for Elasticsearch API (Private IP) + uri: + url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] != "" - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" \ No newline at end of file From 3c723a94efcf84ea0c55d9f48c4702d82b1169a5 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 12:13:35 +0200 Subject: [PATCH 21/43] Update conditional in Wait for Elasticsaarch API (Opendistro) --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
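Review bot: `validate_certs: no` is copied into the new private-IP wait task even though this role issues the node certificate from its own `root-ca.pem`, and the `instances[*].ip` values are written into the certificate request (as `ip:` in tlsconfig.yml, presumably becoming an IP SAN), so the private-IP variant is the one case that could verify cleanly. If your Ansible version supports it, set `ca_path: "{{ local_certs_path }}/certs/root-ca.pem"` and keep verification on; otherwise leave a comment explaining why it is off. The task is otherwise a copy of the one above differing only in the address, so compute the address once (the series later introduces `target_address` in security_actions.yml — the same fact could be set here) and keep a single task. `9200` is hard-coded while `opendistro_http_port` is still a role default; use the variable.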
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index f57afedb..03fd4ce1 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -64,7 +64,7 @@ delay: 5 tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is not defined + - hostvars[inventory_hostname]['private_ip'] is not defined or hostvars[inventory_hostname]['private_ip'] == "" - name: Wait for Elasticsearch API (Private IP) uri: From 9e9fd386f08d46f66bef2b4cc04e64ebb1e2fc4a Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 12:37:39 +0200 Subject: [PATCH 22/43] Update hashing tasks --- .../tasks/security_actions.yml | 26 ++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index b12d9ee7..1582d418 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml 
@@ -73,10 +73,30 @@ mode: 0644 run_once: true + - name: Hashing the custom admin password + shell: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" + register: opendistro_admin_password_hashed + run_once: true + + - name: Filtering hash result in case java path is not defined + set_fact: + opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}" + when: + - opendistro_admin_password_hashed.stdout_lines[1] is defined + run_once: true + + - name: Setting admin hash result + set_fact: + opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}" + when: + - opendistro_admin_password_hashed.stdout_lines[1] is not defined + run_once: true + - name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + replace: + path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=admin:\n hash: )(.*)(?=)' + replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" run_once: true - name: Set the kibanaserver role/user pasword From 87f5eb61b9479c9f9382184714c5360672d26178 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 12:53:57 +0200 Subject: [PATCH 23/43] Add tasks compatibility with private and public addresses --- .../tasks/security_actions.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 1582d418..d2db187b 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml 
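Review bot: `hash.sh -p {{ opendistro_admin_password }}` puts the admin password on the command line, where it is visible in `ps`, in process accounting and in Ansible's own output (the registered result echoes `cmd`), and none of the four tasks sets `no_log: true`. Add `no_log: true` to the hashing task and to both `set_fact`s, and if the bundled hasher supports `-env`, pass the secret through `environment:` instead of argv. The `replace` lookbehind `(?<=admin:\n hash: )` assumes exactly one space before `hash:` in `internal_users.yml`; if the shipped file indents with two spaces the regex never matches and the task silently changes nothing, so match `^(admin:\n\s+hash: ).*$`, substitute with `\1"{{ opendistro_admin_password_hashed_filtered }}"`, and assert the result reports `changed`. Selecting `stdout_lines[1]` to skip a possible JAVA_HOME warning is fragile; `stdout_lines[-1]` says what is meant.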
@@ -30,6 +30,18 @@ when: filebeat_node_name is defined + - name: Configure IP (Private address) + set_fact: + target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}" + when: + - hostvars[inventory_hostname]['private_ip'] is defined + + - name: Configure IP (Public address) + set_fact: + target_address: "{{ inventory_hostname }}" + when: + - hostvars[inventory_hostname]['private_ip'] is not defined + - name: Copy the node & admin certificates to Elasticsearch cluster copy: @@ -113,12 +125,12 @@ -key {{ opendistro_conf_path }}/admin.key -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl - -h {{ inventory_hostname }} + -h {{ target_address }} run_once: true - name: Create custom user uri: - url: "https://{{ inventory_hostname }}:9200/_cluster/health/" + url: "https://{{ target_address }}:9200/_cluster/health/" method: PUT user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" From 65b0dc8ad5ae947d1339c81d66c1b44603c23227 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 13:03:04 +0200 Subject: [PATCH 24/43] Fix sintax on OD custom user creation task --- .../opendistro-elasticsearch/tasks/security_actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index d2db187b..3aabe82d 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -130,7 +130,7 @@ - name: Create custom user uri: - url: "https://{{ target_address }}:9200/_cluster/health/" + url: "https://{{ target_address }}:9200/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" method: PUT user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" From 77c75476f4168d7bd7e1f613c6bc284a1de738b8 Mon Sep 17 00:00:00 2001 
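Review bot: The new `Configure IP (Private address)` task selects `private_ip` on `is defined` alone, whereas the `tasks/main.yml` hunk earlier in this series treats a defined-but-empty `private_ip` as absent; with `private_ip: ""` in the inventory, `target_address` becomes an empty string and both the securityadmin `-h` argument and the `Create custom user` URL in the next hunk render as `https://:9200/...`. Align the two conditions: `- hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] != ""` for the private task and the negated form for the public one. A one-line comment above the pair, `# target_address: prefer the inventory private_ip, fall back to inventory_hostname`, would make the fallback order explicit.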
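Review bot: The new internalusers URL interpolates `opendistro_custom_user` straight into the path without encoding, so a value containing `/`, `?`, `#` or whitespace changes the request target rather than the user name; `{{ opendistro_custom_user | urlencode }}` keeps it a single path segment. The same variable is later used as the task's `when:` guard, so a comment in the role defaults stating which characters a custom user name may contain would also help.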
From: Jose M Date: Thu, 25 Jun 2020 13:16:53 +0200 Subject: [PATCH 25/43] Fix body format in Create custom user task for OD --- .../opendistro-elasticsearch/tasks/security_actions.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 3aabe82d..87700adf 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -137,8 +137,7 @@ body: | { "password": "{{ opendistro_admin_password }}", - "backend_roles": ["{{ opendistro_custom_user_role }}"], - } + "backend_roles": ["{{ opendistro_custom_user_role }}"] } body_format: json validate_certs: no From 2403031b6a431bea7db1e642cfe6c70cecce0c29 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 13:34:21 +0200 Subject: [PATCH 26/43] Add status code 201 to create user task --- .../opendistro-elasticsearch/tasks/security_actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 87700adf..2d7e9e6d 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -141,7 +141,7 @@ } body_format: json validate_certs: no - status_code: 200,401 + status_code: 200,201,401 return_content: yes timeout: 4 when: From 6427c5b4cccf36de14c00f30846f0f3cfd1d2894 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 17:17:02 +0200 Subject: [PATCH 27/43] Change local_certs_path to : ./opendistro/certificates --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
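Review bot: `status_code: 200,201,401` still accepts an authentication failure as success, so a wrong `opendistro_admin_password` leaves the custom user uncreated while the task reports ok; unless the 401 is deliberately tolerated for a re-run scenario, it should be `status_code: 200,201` so the failure surfaces. The request body in the context lines also sets the new user's password to `opendistro_admin_password`, giving the custom user the admin credential; presumably a dedicated variable such as `opendistro_custom_user_password` was intended. Because the body carries a password, the task should additionally have `no_log: true`.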
diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 22bdd390..ba8791fc 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -12,7 +12,7 @@ elasticsearch_node_data: true elasticsearch_node_ingest: true elasticsearch_lower_disk_requirements: false -local_certs_path: ../opendistro/certificates +local_certs_path: ./opendistro/certificates # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster minimum_master_nodes: 2 From 4050cef2be3ed2dd8d57780b6a5300556cab6625 Mon Sep 17 00:00:00 2001 From: Jose M Date: Thu, 25 Jun 2020 17:23:44 +0200 Subject: [PATCH 28/43] Check if certs already exists and skip the generation --- .../opendistro-elasticsearch/tasks/local_actions.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index 6885276d..ae9d6a32 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -1,4 +1,10 @@ --- +- name: Check if certificates already exists + stat: + path: "{{ local_certs_path }}" + register: certificates_folder + delegate_to: localhost + - block: - name: Local action | Create local temporary directory for certificates generation @@ -69,4 +75,6 @@ run_once: true delegate_to: localhost tags: - - generate-certs \ No newline at end of file + - generate-certs + when: + - not certificates_folder.stat.exists \ No newline at end of file From 539f1930dfe158170064e1a597984a9b9b188f2d Mon Sep 17 00:00:00 2001 
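Review bot: `Check if certificates already exists` only tests that the directory `{{ local_certs_path }}` exists, so a directory left behind by an interrupted run skips generation and the later copy tasks fail on missing files; checking a file the rest of the role depends on, e.g. `path: "{{ local_certs_path }}/root-ca.pem"`, is a more reliable guard. `local_certs_path` is a relative path (`./opendistro/certificates`) and `stat` evaluates it on localhost against whatever directory the module runs in, which is not necessarily the role or playbook directory that `copy`'s `src` resolves against — confirm both resolve to the same place, or anchor it with `{{ playbook_dir }}`. The block-level `when:` added at the end of the file depends on this registered variable, so a short comment above the stat task, `# registered as certificates_folder; generation below is skipped when it already exists`, ties the two together.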
From: Jose M Date: Fri, 26 Jun 2020 10:53:36 +0200 Subject: [PATCH 29/43] Make certs import task for Kibana use kibana_node_name --- roles/opendistro/opendistro-kibana/defaults/main.yml | 1 + roles/opendistro/opendistro-kibana/tasks/security_actions.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 98c70a2d..d1d3d717 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -8,6 +8,7 @@ elasticsearch_nodes: |- elasticsearch_network_host: 172.16.0.161 elastic_api_protocol: https kibana_conf_path: /etc/kibana +kibana_node_name: node-1 kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml index be63c9ea..00a285d2 100644 --- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml @@ -6,8 +6,8 @@ dest: /usr/share/kibana mode: 0644 with_items: - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" + - "{{ kibana_node_name }}_http.key" + - "{{ kibana_node_name }}_http.pem" tags: - security when: install.changed \ No newline at end of file From 89178df8e9c855d7ee49b59e918878750f93142b Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 11:11:33 +0200 Subject: [PATCH 30/43] Make Opendistro Kibana flexible version --- roles/opendistro/opendistro-kibana/defaults/main.yml | 4 ++++ roles/opendistro/opendistro-kibana/tasks/main.yml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index d1d3d717..f9d5bc85 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml 
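Review bot: The copy task now ships `{{ kibana_node_name }}_http.key` under the task's `mode: 0644` (context line), which leaves Kibana's TLS private key world-readable in `/usr/share/kibana`; the key should be copied in its own task with `mode: "0600"` and `owner:` set to the user the Kibana service runs as (not shown in this hunk), while the `.pem` files can keep `0644`. The same defect is in the Filebeat hunk of 'Make certs import for Filebeat use filebeat_node_name var' and the Kibana hunk of 'Import root-ca.pem for Kibana'. Quoting the mode (`"0644"`) also avoids the octal-literal pitfall that ansible-lint flags. The default `kibana_node_name: node-1` matches the first ES instance name used elsewhere in this series, so Kibana reuses that node's REST certificate by default; if that is intended for single-host setups, a comment saying so would prevent it being mistaken for a copy-paste default.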
+++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -1,5 +1,6 @@ --- +# Kibana configuration elasticsearch_http_port: 9200 elasticsearch_nodes: |- {% for item in groups['es_cluster'] -%} @@ -18,6 +19,9 @@ wazuh_version: 3.13.0 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository +kibana_opendistro_version: -1.8.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts +kibana_opendistro_package: "opendistroforelasticsearch-kibana{{ kibana_opendistro_version }}" + package_repos: yum: opendistro: diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml index 013648db..d6a27c5a 100644 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml @@ -23,7 +23,7 @@ - name: Install Kibana package: - name: opendistroforelasticsearch-kibana + name: "{{ kibana_opendistro_package }}" state: present register: install tags: install From eab58033b7ed7a8ea2fe01fba026d3c8b141911e Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 11:14:02 +0200 Subject: [PATCH 31/43] Change local_certs_path for Kibana and Filebeat --- roles/opendistro/opendistro-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index f9d5bc85..55307648 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -50,7 +50,7 @@ opendistro_security_user: elastic opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme -local_certs_path: /tmp/opendistro-nodecerts +local_certs_path: ./opendistro/certificate # Nodejs nodejs: 
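Review bot: `kibana_opendistro_version: -1.8.0-1` is an unquoted plain scalar beginning with `-`; it parses as a string today, but version-like values (and the `=` variant the inline comment recommends for Debian) are exactly the kind of scalar YAML loaders retype, so quote it: `kibana_opendistro_version: "-1.8.0-1"`. Encoding the package-manager separator inside the version variable also forces every caller to know the OS family; a cleaner split is `kibana_opendistro_version: "1.8.0-1"` with the separator chosen from `ansible_os_family` when `kibana_opendistro_package` is built, though that is a larger change than this commit. The comment would read more clearly as `# Pinned package version; the leading '-' is the RPM version separator, use '=' on Debian hosts`.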
diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 4159dc9a..3a82434a 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -23,7 +23,7 @@ filebeat_security_password: changeme filebeat_ssl_dir: /etc/pki/filebeat # Local path to store the generated certificates (OpenDistro security plugin) -local_certs_path: /tmp/opendistro-nodecerts +local_certs_path: ./opendistro/certificate elasticrepo: apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' From 19bf669183fc3dd49c0b41b4f1b8671a875de7f2 Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 11:20:38 +0200 Subject: [PATCH 32/43] Fix syntax error in Kibana.yml template --- .../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index 3c57d73d..e045ed1c 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 @@ -17,7 +17,7 @@ elasticsearch.password: {{ opendistro_kibana_password }} elasticsearch.ssl.verificationMode: certificate server.ssl.enabled: true server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" -server.ssl.key: "/usr/share/kibana//{{ kibana_node_name }}_http.key" +server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" {% else %} elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" From 799827aa882135b151aff3ef7880245f5b3eb85d Mon Sep 17 00:00:00 2001 
From: Jose M Date: Fri, 26 Jun 2020 11:26:47 +0200 Subject: [PATCH 33/43] Fix syntax error in local_certs_path --- roles/opendistro/opendistro-kibana/defaults/main.yml | 2 +- roles/wazuh/ansible-filebeat-oss/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 55307648..8e676e15 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -50,7 +50,7 @@ opendistro_security_user: elastic opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme -local_certs_path: ./opendistro/certificate +local_certs_path: ./opendistro/certificates # Nodejs nodejs: diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 3a82434a..209f4de3 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml @@ -23,7 +23,7 @@ filebeat_security_password: changeme filebeat_ssl_dir: /etc/pki/filebeat # Local path to store the generated certificates (OpenDistro security plugin) -local_certs_path: ./opendistro/certificate +local_certs_path: ./opendistro/certificates elasticrepo: apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' From 2adca9533e7beb2fecc78b00a966e3a1d282b85a Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 12:49:40 +0200 Subject: [PATCH 34/43] Import root-ca.pem for Kibana and configure it in kibana.yml --- roles/opendistro/opendistro-kibana/tasks/security_actions.yml | 1 + .../opendistro-kibana/templates/opendistro_kibana.yml.j2 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml index 00a285d2..d5b784cf 100644 
--- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml @@ -6,6 +6,7 @@ dest: /usr/share/kibana mode: 0644 with_items: + - "root-ca.pem" - "{{ kibana_node_name }}_http.key" - "{{ kibana_node_name }}_http.pem" tags: diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index e045ed1c..bc166988 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 @@ -14,10 +14,11 @@ server.host: {{ kibana_server_host }} elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" elasticsearch.username: {{ opendistro_kibana_user }} elasticsearch.password: {{ opendistro_kibana_password }} -elasticsearch.ssl.verificationMode: certificate server.ssl.enabled: true server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" +elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] +elasticsearch.ssl.verificationMode: full {% else %} elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" From c72ac56b39b00dcdbfd6ab902388564ca9942bbe Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 12:51:29 +0200 Subject: [PATCH 35/43] Make certs import for Filebeat use 'filebeat_node_name' var --- roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml index dfea91ee..95503159 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml 
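Review bot: Switching to `elasticsearch.ssl.verificationMode: full` is the right direction, but `full` also verifies the host name, and `elasticsearch.hosts` is built from `elasticsearch_network_host` (an IP address, `172.16.0.161`, in the Kibana defaults shown earlier in this series); the connection only succeeds if that exact address appears as a SAN in the node certificate, which depends on the `ip` values supplied at certificate generation. A comment next to the new line would save a debugging session: `# 'full' also checks the host name/IP against the node certificate SAN; elasticsearch_network_host must match the address used at cert generation`. The adjacent context line `elasticsearch.password: {{ opendistro_kibana_password }}` is unquoted, so a password containing `#` or `: ` produces an invalid kibana.yml; `elasticsearch.password: "{{ opendistro_kibana_password }}"` avoids that.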
@@ -11,8 +11,8 @@ dest: "{{ filebeat_ssl_dir }}" mode: 0644 with_items: - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" + - "{{ filebeat_node_name }}.key" + - "{{ filebeat_node_name }}.pem" - "root-ca.pem" - name: Ensuring folder & certs permissions From 4b8f519256320d7c514b3ef34abd6c13d4ff3c0d Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 13:04:26 +0200 Subject: [PATCH 36/43] Make filebeat.yml use node name instaed of inventory_hostname --- roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 67a99347..81f1426a 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 @@ -24,8 +24,8 @@ output.elasticsearch: protocol: https ssl.certificate_authorities: - {{ filebeat_ssl_dir }}/root-ca.pem - ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem" - ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key" + ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem" + ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat/node/name }}.key" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch From 70f534693e3a7a0d750f6c2ae3b6650766602ce0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Fri, 26 Jun 2020 13:10:38 +0200 Subject: [PATCH 37/43] Fix syntax error on filebeat.yml.j2 --- roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 81f1426a..c918ccda 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 
@@ -25,7 +25,7 @@ output.elasticsearch: ssl.certificate_authorities: - {{ filebeat_ssl_dir }}/root-ca.pem ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem" - ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat/node/name }}.key" + ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.key" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch From d7339ee6fee72e5d1d6f1ea96af620ad3dc7e67d Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 29 Jun 2020 15:48:51 +0200 Subject: [PATCH 38/43] Add generate-certs to local_actions.yml tasks --- .../opendistro-elasticsearch/tasks/local_actions.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index ae9d6a32..463263a5 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -4,6 +4,9 @@ path: "{{ local_certs_path }}" register: certificates_folder delegate_to: localhost + tags: + - generate-certs + - block: From 2ad6d87ef7862ca12e497ad8b4382760180139c0 Mon Sep 17 00:00:00 2001 From: Jose M Date: Mon, 29 Jun 2020 17:27:23 +0200 Subject: [PATCH 39/43] Add default cluster and discovery node --- roles/opendistro/opendistro-elasticsearch/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index ba8791fc..08aa6f82 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
@@ -11,6 +11,10 @@ opendistro_cluster_name: wazuh elasticsearch_node_data: true elasticsearch_node_ingest: true elasticsearch_lower_disk_requirements: false +elasticsearch_cluster_nodes: + - 127.0.0.1 +elasticsearch_discovery_nodes: + - 127.0.0.1 local_certs_path: ./opendistro/certificates From 5a845d69f1887e5cdc64b698a8cd55b8b6f7f338 Mon Sep 17 00:00:00 2001 From: Jose M Date: Tue, 30 Jun 2020 19:22:42 +0200 Subject: [PATCH 40/43] Add vars and conditionals to control certs generation and installation --- .../defaults/main.yml | 6 +- .../opendistro-elasticsearch/tasks/main.yml | 169 +++++++++--------- 2 files changed, 93 insertions(+), 82 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index 08aa6f82..29d3ad46 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml @@ -65,4 +65,8 @@ elasticrepo: key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' opendistro_admin_password: changeme -opendistro_kibana_password: changeme \ No newline at end of file +opendistro_kibana_password: changeme + +# Deployment settings +generate_certs: true +perform_installation: true \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 03fd4ce1..e76cb351 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
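Review bot: The two new deployment flags are undocumented; from `generate_certs: true` and `perform_installation: true` alone a reader cannot tell that the first gates the controller-side certificate generation (`local_actions.yml`) and the second wraps the entire install-and-configure block, including the security configuration import, in the accompanying `tasks/main.yml` change. Suggest a comment above each: `# Generate node/admin certificates on the controller (local_actions.yml); set false to reuse existing ones` and `# Run the package install and configuration block; set false to only generate certificates`.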
@@ -1,87 +1,94 @@ --- - import_tasks: local_actions.yml - -- import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- name: Install OpenDistro - package: - name: opendistroforelasticsearch-{{ opendistro_version }} - state: present - register: install - tags: install - -- name: Remove elasticsearch configuration file - file: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - state: absent - when: install.changed - tags: install - -- name: Copy Configuration File - blockinfile: - block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - create: true - group: elasticsearch - mode: 0640 - marker: "## {mark} Opendistro general settings ##" - when: install.changed - tags: install - -- import_tasks: security_actions.yml - -- name: Configure OpenDistro Elasticsearch JVM memmory. - template: - src: "templates/jvm.options.j2" - dest: /etc/elasticsearch/jvm.options - owner: root - group: elasticsearch - mode: 0644 - force: yes - notify: restart elasticsearch - tags: install - -- name: Ensure Elasticsearch started and enabled - service: - name: elasticsearch - enabled: true - state: started - -- name: Wait for Elasticsearch API - uri: - url: "https://{{ inventory_hostname }}:9200/_cluster/health/" - user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is not defined or hostvars[inventory_hostname]['private_ip'] == "" + - generate_certs == true -- name: Wait for Elasticsearch API (Private IP) - uri: - url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:9200/_cluster/health/" - user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" - 
validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - tags: debug - when: - - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] != "" +- block: -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" \ No newline at end of file + - import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + + + - name: Install OpenDistro + package: + name: opendistroforelasticsearch-{{ opendistro_version }} + state: present + register: install + tags: install + + - name: Remove elasticsearch configuration file + file: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + state: absent + when: install.changed + tags: install + + - name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + create: true + group: elasticsearch + mode: 0640 + marker: "## {mark} Opendistro general settings ##" + when: install.changed + tags: install + + - import_tasks: security_actions.yml + + - name: Configure OpenDistro Elasticsearch JVM memmory. 
+ template: + src: "templates/jvm.options.j2" + dest: /etc/elasticsearch/jvm.options + owner: root + group: elasticsearch + mode: 0644 + force: yes + notify: restart elasticsearch + tags: install + + - name: Ensure Elasticsearch started and enabled + service: + name: elasticsearch + enabled: true + state: started + + - name: Wait for Elasticsearch API + uri: + url: "https://{{ inventory_hostname }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is not defined or hostvars[inventory_hostname]['private_ip'] == "" + + - name: Wait for Elasticsearch API (Private IP) + uri: + url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:9200/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] != "" + + - import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + when: perform_installation == true \ No newline at end of file From 81f8703749a87f003583bd3349d9cf46f647a8f3 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 3 Jul 2020 20:04:10 +0200 Subject: [PATCH 41/43] Use opendistro_http_port variable --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 4 ++-- .../opendistro-elasticsearch/tasks/security_actions.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
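Review bot: The two `Wait for Elasticsearch API` tasks moved into the new block keep `validate_certs: no` and `status_code: 200,401` while sending the admin password: the server certificate issued by the role's own CA is never checked, and a 401 from a wrong `opendistro_admin_password` passes the status check only to loop 24 times on the `until` condition before failing with a retries-exhausted message instead of an authentication error. Consider dropping `401` from `status_code` and, where the Ansible version in use supports it, enabling validation with `ca_path` pointing at the root CA installed on the node (subject to the address used matching the certificate SAN). The two tasks differ only in the URL; reusing the `target_address` fact computed in `security_actions.yml` would collapse them into one, provided that fact is set unconditionally — the later hunk of this series suggests `security_actions.yml` is gated on `install.changed`. The task name `Configure OpenDistro Elasticsearch JVM memmory.` also carries over a typo (`memory`).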
diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index e76cb351..7abca273 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -56,7 +56,7 @@ - name: Wait for Elasticsearch API uri: - url: "https://{{ inventory_hostname }}:9200/_cluster/health/" + url: "https://{{ inventory_hostname }}:{{ opendistro_http_port }}/_cluster/health/" user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" validate_certs: no @@ -73,7 +73,7 @@ - name: Wait for Elasticsearch API (Private IP) uri: - url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:9200/_cluster/health/" + url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:{{ opendistro_http_port }}/_cluster/health/" user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" validate_certs: no diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 2d7e9e6d..a9fece85 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -130,7 +130,7 @@ - name: Create custom user uri: - url: "https://{{ target_address }}:9200/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" + url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" method: PUT user: "admin" # Default OpenDistro user is always "admin" password: "{{ opendistro_admin_password }}" From 3a63c27f9d638ca6d267f5fce4e652b3e1232634 Mon Sep 17 00:00:00 2001 
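Review bot: `opendistro_http_port` is introduced into three URLs, but no defaults hunk in this series declares it, and the Kibana role's defaults use a differently named `elasticsearch_http_port: 9200` for the same value; if it is not declared in the Elasticsearch role's `defaults/main.yml` these tasks fail with an undefined-variable error, and even if it is, the two roles can drift apart. A comment above the default, `# Must match elasticsearch_http_port in the opendistro-kibana role`, or a single shared variable name, would keep them consistent.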
From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Fri, 3 Jul 2020 20:06:02 +0200 Subject: [PATCH 42/43] Fix Ansible linting errors --- roles/opendistro/opendistro-elasticsearch/tasks/main.yml | 8 ++++---- .../opendistro-elasticsearch/tasks/security_actions.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 7abca273..7c5b3262 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml @@ -2,7 +2,7 @@ - import_tasks: local_actions.yml when: - - generate_certs == true + - generate_certs - block: @@ -69,7 +69,7 @@ delay: 5 tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is not defined or hostvars[inventory_hostname]['private_ip'] == "" + - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] - name: Wait for Elasticsearch API (Private IP) uri: @@ -86,9 +86,9 @@ delay: 5 tags: debug when: - - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] != "" + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" - when: perform_installation == true \ No newline at end of file + when: perform_installation diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index a9fece85..95f366f4 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml 
@@ -86,7 +86,7 @@ run_once: true - name: Hashing the custom admin password - shell: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" + command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" register: opendistro_admin_password_hashed run_once: true @@ -145,8 +145,8 @@ return_content: yes timeout: 4 when: - - opendistro_custom_user != "" + - opendistro_custom_user tags: - security - when: install.changed \ No newline at end of file + when: install.changed From d486e4260532fbe5a326e70ae669ec01e956989c Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez <1380243+xr09@users.noreply.github.com> Date: Mon, 6 Jul 2020 15:54:22 +0200 Subject: [PATCH 43/43] Fix condition check --- .../opendistro-elasticsearch/tasks/security_actions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index 95f366f4..9e6fadb6 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -145,7 +145,7 @@ return_content: yes timeout: 4 when: - - opendistro_custom_user + - opendistro_custom_user is defined tags: - security
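Review bot: `when: - opendistro_custom_user` fails with an undefined-variable error when `opendistro_custom_user` is not set at all, a problem the original `!= ""` form shared; a guard that treats both unset and empty as "no custom user" is `- opendistro_custom_user is defined and opendistro_custom_user | length > 0`. The following commit switches this to `is defined` only, which would again send a PUT to `.../internalusers/` with an empty name when the variable is defined as `""`, so the combined check is worth keeping.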