- Refactoring security local actions

- Added Filebeat OSS repositories

playbooks/wazuh-manager-oss.yml

@@ -0,0 +1,8 @@
+---
+- hosts: <WAZUH_MANAGER_HOST>
+  roles:
+    - role: ../roles/wazuh/ansible-wazuh-manager
+    - role: ../roles/wazuh/filebeat-oss
+      filebeat_output_elasticsearch_hosts: 172.16.0.161:9200
+
+

roles/opendistro/hosts

@@ -0,0 +1,49 @@
+# This is the default ansible 'hosts' file.
+#
+# It should live in /etc/ansible/hosts
+#
+#   - Comments begin with the '#' character
+#   - Blank lines are ignored
+#   - Groups of hosts are delimited by [header] elements
+#   - You can enter hostnames or ip addresses
+#   - A hostname/ip can be a member of multiple groups
+
+# Ex 1: Ungrouped hosts, specify before any group headers.
+
+## green.example.com
+## blue.example.com
+## 192.168.100.1
+## 192.168.100.10
+
+# Ex 2: A collection of hosts belonging to the 'webservers' group
+#[elasticsearch_first
+
+
+es1 ansible_host=172.16.0.161  ansible_user=vagrant ip=172.16.0.161
+es2 ansible_host=172.16.0.162 ansible_user=vagrant ip=172.16.0.162
+es3 ansible_host=172.16.0.163  ansible_user=vagrant ip=172.16.0.163
+manager1 ansible_host=172.16.1.250 ansible_user=vagrant ip=172.16.1.250
+
+[managers]
+manager1
+
+[es-cluster]
+es1
+es2
+es3
+manager1
+
+[kibana]
+es1
+
+[single-host]
+172.16.1.15 ansible_ssh_user=vagrant
+[elastic-cluster]
+172.16.0.161 ansible_ssh_user=vagrant
+172.16.0.162 ansible_ssh_user=vagrant
+172.16.0.163 ansible_ssh_user=vagrant
+[agents]
+172.16.0.131 ansible_ssh_user=vagrant
+172.16.0.132 ansible_ssh_user=vagrant
+# If you have multiple hosts following a pattern you can specify
+# them like this:

roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml

@@ -6,14 +6,12 @@
       module: file
       path: "{{ local_certs_path }}"
       state: directory
-    run_once: true
 
   - name: Local action | Download certificates generation tool
     local_action:
       module: get_url
       url: "{{ certs_gen_tool_url }}"
       dest: "{{ local_certs_path }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
-    run_once: true
 
   - name: Local action | Extract the certificates generation tool
     local_action:
@@ -26,26 +24,36 @@
       module: file
       dest: "{{ local_certs_path }}/tools/sgtlstool.sh"
       mode: a+x
-    run_once: true
 
   - name: Local action | Prepare the certificates generation template file
     local_action:
       module: template
       src: "templates/tlsconfig.yml.j2"
       dest: "{{ local_certs_path }}/config/tlsconfig.yml"
-    run_once: true
+
+
+  - name: Create a directory if it does not exist
+    file:
+      path: "{{ local_certs_path }}/certs/"
+      state: directory
+      mode: '0755'
+    delegate_to: localhost
 
   - name: Local action | Check if root CA file exists
     local_action:
       module: stat
-      path: "{{ local_certs_path }}/config/root-ca.key"
+      path: "{{ local_certs_path }}/certs/root-ca.key"
     register: root_ca_file
 
   - name: Local action | Generate the node & admin certificates in local
     local_action:
-      module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/config/ -f -o
-    run_once: true
-    when: root_ca_file.stat.exists == False
+      module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f -o
+    when: not root_ca_file.stat.exists
 
+  - name: Local action | Generate the node & admin certificates using an existing root CA
+    local_action:
+      module: command {{ local_certs_path }}/tools/sgtlstool.sh -c {{ local_certs_path }}/config/tlsconfig.yml -ca -crt -t {{ local_certs_path }}/certs/ -f
+    when: root_ca_file.stat.exists
+  run_once: true
   tags:
   - generate-certs

roles/opendistro/opendistro-kibana/tasks/main.yml

@@ -43,7 +43,8 @@
     block: "{{ lookup('template', 'opendistro_kibana.yml.j2') }}"
     dest: "{{ kibana_conf_path }}/kibana.yml"
     create: true
-    group: root
+    group: kibana
+    owner: kibana
     mode: 0640
     marker: "## {mark} Kibana general settings ##"
   notify: restart kibana

roles/wazuh/filebeat-oss/defaults/main.yml

@@ -0,0 +1,57 @@
+---
+filebeat_version: 7.6.2
+
+filebeat_create_config: true
+
+filebeat_prospectors:
+  - input_type: log
+    paths:
+      - "/var/ossec/logs/alerts/alerts.json"
+    document_type: json
+    json.message_key: log
+    json.keys_under_root: true
+    json.overwrite_keys: true
+
+filebeat_node_name: node-1
+
+filebeat_output_elasticsearch_enabled: false
+filebeat_output_elasticsearch_hosts:
+  - "localhost:9200"
+
+filebeat_enable_logging: true
+filebeat_log_level: debug
+filebeat_log_dir: /var/log/mybeat
+filebeat_log_filename: mybeat.log
+
+filebeat_ssl_dir: /etc/pki/filebeat
+filebeat_ssl_certificate_file: ""
+filebeat_ssl_key_file: ""
+filebeat_ssl_insecure: "false"
+
+filebeat_module_package_url: https://packages.wazuh.com/3.x/filebeat
+filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
+filebeat_module_package_path: /tmp/
+filebeat_module_destination: /usr/share/filebeat/module
+filebeat_module_folder: /usr/share/filebeat/module/wazuh
+
+# Opendistro Security
+filebeat_opendistro_security: false
+
+elasticsearch_opendistro_security_user: elastic
+elasticsearch_opendistro_security_password: elastic_pass
+
+node_certs_generator : false
+node_certs_source: /usr/share/elasticsearch
+node_certs_destination: /etc/filebeat/certs
+
+
+# CA Generation
+master_certs_path: /es_certs
+generate_CA: true
+ca_cert_name: ""
+
+elasticrepo:
+  apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'
+  yum: 'https://artifacts.elastic.co/packages/oss-7.x/yum'
+  gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+  key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

roles/wazuh/filebeat-oss/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart filebeat
+  service: name=filebeat state=restarted

roles/wazuh/filebeat-oss/meta/main.yml

@@ -0,0 +1,29 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: Wazuh
+  description: Installing and maintaining filebeat server.
+  company: wazuh.com
+  license: license (GPLv3)
+  min_ansible_version: 2.0
+  platforms:
+    - name: EL
+      versions:
+        - 6
+        - 7
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - jessie
+    - name: Ubuntu
+      versions:
+        - precise
+        - trusty
+        - xenial
+  galaxy_tags:
+    - web
+    - system
+    - monitoring

roles/wazuh/filebeat-oss/tasks/Debian.yml

@@ -0,0 +1,22 @@
+---
+- name: Debian/Ubuntu | Install apt-transport-https and ca-certificates
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+    state: present
+  register: filebeat_ca_packages_install
+  until: filebeat_ca_packages_install is succeeded
+
+- name: Debian/Ubuntu | Add Elasticsearch apt key.
+  apt_key:
+    url: "{{ elasticrepo.gpg }}"
+    id: "{{ elasticrepo.key_id }}"
+    state: present
+
+- name: Debian/Ubuntu | Add Filebeat repository.
+  apt_repository:
+    repo: "deb {{ elasticrepo.apt }} stable main"
+    state: present
+    update_cache: true
+  changed_when: false

roles/wazuh/filebeat-oss/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
+  apt_repository:
+    repo: "deb {{ elasticrepo.apt }} stable main"
+    state: absent
+  changed_when: false

roles/wazuh/filebeat-oss/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
+  yum_repository:
+    name: elastic_repo_7
+    state: absent
+  changed_when: false

roles/wazuh/filebeat-oss/tasks/RedHat.yml

@@ -0,0 +1,9 @@
+---
+- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
+  yum_repository:
+    name: elastic_repo_7
+    description: Elastic repository for 7.x packages
+    baseurl: "{{ elasticrepo.yum }}"
+    gpgkey: "{{ elasticrepo.gpg }}"
+    gpgcheck: true
+  changed_when: false

roles/wazuh/filebeat-oss/tasks/config.yml

@@ -0,0 +1,39 @@
+---
+- name: Copy Filebeat configuration.
+  template:
+    src: filebeat.yml.j2
+    dest: "/etc/filebeat/filebeat.yml"
+    owner: root
+    group: root
+    mode: 0400
+  notify: restart filebeat
+  tags: configure
+
+- name: Copy Elasticsearch template.
+  template:
+    src: elasticsearch.yml.j2
+    dest: "/etc/filebeat/wazuh-template.json"
+    owner: root
+    group: root
+    mode: 0400
+  notify: restart filebeat
+  tags: configure
+
+- name: Ensure Filebeat SSL key pair directory exists.
+  file:
+    path: "{{ filebeat_ssl_dir }}"
+    state: directory
+  when: filebeat_ssl_key_file
+  tags: configure
+
+- name: Copy SSL key and cert for filebeat.
+  copy:
+    src: "{{ item }}"
+    dest: "{{ filebeat_ssl_dir }}/{{ item | basename }}"
+    mode: 0400
+  with_items:
+    - "{{ filebeat_ssl_key_file }}"
+    - "{{ filebeat_ssl_certificate_file }}"
+  notify: restart filebeat
+  when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
+  tags: configure

roles/wazuh/filebeat-oss/tasks/main.yml

@@ -0,0 +1,125 @@
+---
+- include_tasks: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- include_tasks: Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: CentOS/RedHat |  Install Filebeat.
+  package: name=filebeat-{{ filebeat_version }} state=present
+  register: filebeat_installing_package
+  until: filebeat_installing_package is succeeded
+  when:
+    - ansible_distribution in ['CentOS','RedHat', 'Amazon']
+  tags:
+    - install
+
+- name: Debian/Ubuntu | Install Filebeat.
+  apt:
+    name: filebeat={{ filebeat_version }}
+    state: present
+    cache_valid_time: 3600
+  register: filebeat_installing_package_debian
+  until: filebeat_installing_package_debian is succeeded
+  when:
+    - not (ansible_distribution in ['CentOS','RedHat', 'Amazon'])
+  tags:
+    - init
+
+- name: Copying node's certificate from master
+  copy:
+    src: "{{ item }}"
+    dest: "{{ node_certs_destination }}/"
+    mode: 0440
+  with_items:
+    - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
+    - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
+    - "{{ master_certs_path }}/ca/ca.crt"
+  when:
+    - generate_CA
+    - filebeat_opendistro_security
+  tags: opendistro-security
+
+- name: Copying node's certificate from master (Custom CA)
+  copy:
+    src: "{{ item }}"
+    dest: "{{ node_certs_destination }}/"
+    mode: 0440
+  with_items:
+    - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.key"
+    - "{{ master_certs_path }}/{{ filebeat_node_name }}/{{ filebeat_node_name }}.crt"
+    - "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
+  when:
+    - not generate_CA
+    - filebeat_opendistro_security
+  tags: opendistro-security
+
+- name: Ensuring folder & certs permissions
+  file:
+    path: "{{ node_certs_destination }}/"
+    mode: 0774
+    state: directory
+    recurse: yes
+  when:
+    - filebeat_xpack_security
+  tags: xpack-security
+
+- name: Checking if Filebeat Module folder file exists
+  stat:
+    path: "{{ filebeat_module_folder }}"
+  register: filebeat_module_folder
+
+
+- name: Download Filebeat module package
+  get_url:
+    url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
+    dest: "{{ filebeat_module_package_path }}"
+  when: not filebeat_module_folder.stat.exists
+
+- name: Unpakcing Filebeat module package
+  unarchive:
+    src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+    dest: "{{ filebeat_module_destination }}"
+    remote_src: yes
+  when: not filebeat_module_folder.stat.exists
+
+- name: Setting 0755 permission for Filebeat module folder
+  file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
+  when: not filebeat_module_folder.stat.exists
+
+- name: Checking if Filebeat Module package file exists
+  stat:
+    path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+  register: filebeat_module_package
+  when: filebeat_module_package is not defined
+
+- name: Delete Filebeat module package file
+  file:
+    state: absent
+    path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+  when: filebeat_module_package.stat.exists
+
+- import_tasks: config.yml
+  when: filebeat_create_config
+  notify: restart filebeat
+
+- name: Reload systemd
+  systemd: daemon_reload=yes
+  ignore_errors: true
+  when:
+    - not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
+    - not (ansible_distribution == "Ubuntu" and ansible_distribution_version is version('15.04', '<'))
+    - not (ansible_distribution == "Debian" and ansible_distribution_version is version('8', '<'))
+    - not (ansible_os_family == "RedHat" and ansible_distribution_version is version('7', '<'))
+
+- name: Ensure Filebeat is started and enabled at boot.
+  service:
+    name: filebeat
+    state: started
+    enabled: true
+
+- include_tasks: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- include_tasks: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

roles/wazuh/filebeat-oss/tasks/security_actions.yml

@@ -0,0 +1,11 @@
+- block:
+
+  - name: Copy certificates and root-ca to Filebeat
+    copy:
+      src: "{{ local_certs_path }}/config/{{ item }}"
+      dest: /etc/filebeat/
+      mode: 0644
+    with_items:
+      - root-ca.pem
+      - "{{ inventory_hostname }}.key"
+      - "{{ inventory_hostname }}.pem"

roles/wazuh/filebeat-oss/templates/filebeat.yml.j2

@@ -0,0 +1,39 @@
+# Wazuh - Filebeat configuration file
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+
+# Send events directly to Elasticsearch
+output.elasticsearch:
+  hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
+
+{% if filebeat_opendistro_security %}
+  username: {{ elasticsearch_opendistro_security_user }}
+  password: {{ elasticsearch_opendistro_security_password }}
+  protocol: https
+{% if generate_CA == true %}
+  ssl.certificate_authorities: 
+    - {{node_certs_destination}}/ca.crt
+{% elif generate_CA == false %}
+  ssl.certificate_authorities:
+    - {{node_certs_destination}}/{{ca_cert_name}}
+{% endif %}
+
+  ssl.certificate: "{{node_certs_destination}}/{{ filebeat_node_name }}.crt" 
+  ssl.key: "{{node_certs_destination}}/{{ filebeat_node_name }}.key"
+{% endif %}
+
+# Optional. Send events to Logstash instead of Elasticsearch
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]

roles/wazuh/filebeat-oss/tests/requirements.yml

@@ -0,0 +1,3 @@
+---
+- src: geerlingguy.java
+- src: geerlingguy.elasticsearch

roles/wazuh/filebeat-oss/tests/test.yml

@@ -0,0 +1,20 @@
+---
+- hosts: all
+
+  pre_tasks:
+    - name: Update apt cache.
+      apt:
+        cache_valid_time: 600
+      when: ansible_os_family == 'Debian'
+
+    - name: Install test dependencies (RedHat).
+      package: name=which state=present
+      when: ansible_os_family == 'RedHat'
+
+    - name: Install test dependencies.
+      package: name=curl state=present
+
+  roles:
+    - geerlingguy.java
+    - geerlingguy.elasticsearch
+    - role_under_test