Merge pull request #1 from mjflve/elk-deb-deploy

Elk deploy on Debian/Ubuntu

ansible-role-elasticsearch/defaults/main.yml

@@ -1 +1,7 @@
 ---
+elasticsearch_cluster_name: wazuh
+elasticsearch_node_name: node-1
+elasticsearch_http_port: 9200
+elasticsearch_network_host: 127.0.0.1
+elasticsearch_jvm_xms: 1g
+elk_stack_version: 5.4.0

ansible-role-elasticsearch/tasks/Debian.yml

@@ -0,0 +1,48 @@
+---
+- name: Debian/Ubuntu | apt-transport-https
+  apt:
+    name: apt-transport-https
+    state: present
+    update_cache: yes
+
+- name: Debian/Ubuntu | ca-certificates
+  apt:
+    name: ca-certificates
+    state: present
+
+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+    update_cache: yes
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt:
+    name: oracle-java8-installer
+    state: present
+  tags: install
+
+- name: Debian/Ubuntu | Add Elasticsearch GPG key.
+  apt_key:
+    url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+    state: present
+
+- name: Debian/Ubuntu | Install Elastic repo
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: present
+    filename: 'elk_repo'
+    update_cache: yes
+
+- name: Debian/Ubuntu | Install Elasticsarch
+  apt:
+    name: elasticsearch={{ elk_stack_version }}
+    state: present
+  tags: install

ansible-role-elasticsearch/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Debian/Ubuntu | Removing Elasticsearch repository
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: absent

ansible-role-elasticsearch/tasks/RMRedHat.yml

@@ -2,5 +2,5 @@
 # Remove logstash repository
 - name: Remove Elasticsearch repository (and clean up left-over metadata)
   yum_repository:
-    name: logstash
+    name: elk_repo
     state: absent

ansible-role-elasticsearch/tasks/RedHat.yml

@@ -1,27 +1,24 @@
 ---
-- name: download Java RPM
-  shell:
-    "curl -L  -H 'Cookie:oraclelicense=accept-securebackup-cookie' -o /tmp/jdk-8-linux-x64.rpm http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm"
-  args:
-    creates: "/tmp/jdk-8-linux-x64.rpm"
+- name: RedHat | download Oracle Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
   register: oracle_java_task_rpm_download
   become: yes
-  tags:
-    - installation
 
-- name: install RPM
+- name: RedHat | Install Oracle Java RPM
   action: "yum name=/tmp/jdk-8-linux-x64.rpm state=present"
   when: not oracle_java_task_rpm_download|skipped
   become: yes
-  tags:
-    - installation
+  tags: install
 
-- name: Add Elasticsearch GPG key.
+- name: RedHat | Add Elasticsearch GPG key
   rpm_key:
     key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     state: present
 
-- name: RedHat | Install Elasticsearch repo
+- name: RedHat | Install Elastic repo
   yum_repository:
     name: elk_repo
     description: Elastic repository for 5.x packages
@@ -30,7 +27,5 @@
     gpgcheck: yes
 
 - name: RedHat | Install Elasticsarch
-  yum: pkg=elasticsearch-5.3.0
-       state=present
-  tags:
-    - init
+  yum: pkg=elasticsearch-{{ elk_stack_version }} state=present
+  tags: install

ansible-role-elasticsearch/tasks/main.yml

@@ -2,9 +2,8 @@
 - include: RedHat.yml
   when: ansible_os_family == 'RedHat'
 
-- name: 'check parm is null or invalid'
-  fail: msg="This playbook is not compatible with Debian/Ubuntu"
-  when: ansible_os_family == 'Debian'
+- include: Debian.yml
+  when: ansible_os_family == "Debian"
 
 - name: Configure Elasticsearch.
   template:
@@ -14,6 +13,7 @@
     group: elasticsearch
     mode: 0660
   notify: restart elasticsearch
+  tags: configure
 
 - name: Configure Elasticsearch JVM memmory.
   template:
@@ -23,9 +23,7 @@
     group: elasticsearch
     mode: 0660
   notify: restart elasticsearch
-
-- name: Start Elasticsearch.
-  service: name=elasticsearch state=started enabled=yes
+  tags: configure
 
 - name: Ensure Elasticsearch started and enabled
   service:
@@ -36,3 +34,7 @@
 - name: Remove the correct repository
   include: "RMRedHat.yml"
   when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+  include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

ansible-role-elasticsearch/vars/main.yml

@@ -1,6 +0,0 @@
----
-elasticsearch_cluster_name: wazuh
-elasticsearch_node_name: node-1
-elasticsearch_http_port: 9200
-elasticsearch_network_host: 192.168.33.182
-elasticsearch_jvm_xms: 1g

ansible-role-filebeat/tasks/RMDebian.yml

@@ -2,5 +2,5 @@
 # Remove ELK REPOSITORY and Wazuh repositories from sources list.
 - name: Remove Filebeat repository (and clean up left-over metadata)
   apt_repository:
-    repo: ddeb https://artifacts.elastic.co/packages/5.x/apt stable main
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
     state: absent

ansible-role-filebeat/tasks/RMRedHat.yml

@@ -2,5 +2,5 @@
 # Remove repositories
 - name: Remove Filebeat repository (and clean up left-over metadata)
   yum_repository:
-    name: filebeat
+    name: elk_repo
     state: absent

ansible-role-filebeat/tasks/RedHat.yml

@@ -6,7 +6,7 @@
 
 - name: RedHat | Install Filebeats repo
   yum_repository:
-    name: filebeat
+    name: elk_repo
     description: Elastic repository for 5.x packages
     baseurl: https://artifacts.elastic.co/packages/5.x/yum
     gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch

ansible-role-filebeat/tasks/config.yml

@@ -7,12 +7,14 @@
     group: root
     mode: 0644
   notify: restart filebeat
+  tags: configure
 
 - name: Ensure Filebeat SSL key pair directory exists.
   file:
     path: "{{ filebeat_ssl_dir }}"
     state: directory
   when: filebeat_ssl_key_file
+  tags: configure
 
 - name: Copy SSL key and cert for filebeat.
   copy:
@@ -24,3 +26,4 @@
     - "{{ filebeat_ssl_certificate_file }}"
   notify: restart filebeat
   when: filebeat_ssl_key_file and filebeat_ssl_certificate_file
+  tags: configure

ansible-role-filebeat/tasks/main.yml

@@ -1,12 +1,14 @@
 ---
-- include: setup-RedHat.yml
+- include: RedHat.yml
   when: ansible_os_family == 'RedHat'
 
-- include: setup-Debian.yml
+- include: Debian.yml
   when: ansible_os_family == 'Debian'
 
 - name: Install Filebeat.
   package: name=filebeat state=present
+  tags:
+    - install
 
 - include: config.yml
   when: filebeat_create_config

ansible-role-kibana/defaults/main.yml

@@ -1 +1,5 @@
 ---
+elasticsearch_http_port: "9200"
+elasticsearch_network_host: "127.0.0.1"
+kibana_server_host: "0.0.0.0"
+elk_stack_version: 5.4.0

ansible-role-kibana/tasks/Debian.yml

@@ -0,0 +1,18 @@
+---
+- name: Debian/Ubuntu | Add Elasticsearch GPG key
+  apt_key:
+    url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+    state: present
+
+- name: Debian/Ubuntu | Install Elastic repo
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: present
+    filename: 'elk_repo'
+    update_cache: yes
+
+- name: Debian/Ubuntu | Install Kibana
+  apt:
+    name: kibana={{ elk_stack_version }}
+    state: present
+  tags: install

ansible-role-kibana/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Debian/Ubuntu | Removing Elasticsearch repository
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: absent

ansible-role-kibana/tasks/RMRedHat.yml

@@ -2,5 +2,5 @@
 # Remove logstash repository
 - name: Remove Elasticsearch repository (and clean up left-over metadata)
   yum_repository:
-    name: logstash
+    name: elk_repo
     state: absent

ansible-role-kibana/tasks/RedHat.yml

@@ -1,10 +1,10 @@
 ---
-- name: Add Elasticsearch GPG key.
+- name: RedHat | Add Elasticsearch GPG key
   rpm_key:
     key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     state: present
 
-- name: RedHat | Install Kibana repo
+- name: RedHat | Install Elastic repo
   yum_repository:
     name: elk_repo
     description: Elastic repository for 5.x packages
@@ -13,11 +13,5 @@
     gpgcheck: yes
 
 - name: RedHat | Install Kibana
-  yum: pkg=kibana-5.3.0
-       state=present
-  tags:
-    - init
-
-- name: Remove the correct repository
-  include: "RMRedHat.yml"
-  when: ansible_os_family == "RedHat"
+  yum: pkg=kibana-{{ elk_stack_version }} state=present
+  tags: install

ansible-role-kibana/tasks/main.yml

@@ -2,12 +2,12 @@
 - include: RedHat.yml
   when: ansible_os_family == 'RedHat'
 
-- name: 'check parm is null or invalid'
-  fail: msg="This playbook is not compatible with Debian/Ubuntu"
+- include: Debian.yml
   when: ansible_os_family == 'Debian'
 
 - name: Make sure Elasticsearch is running before proceeding.
   wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300
+  tags: configure
 
 - name: Kibana configuration
   template:
@@ -17,18 +17,35 @@
     group: root
     mode: 0664
   notify: restart kibana
+  tags: configure
 
+- name: Checking Wazuh-APP version compatibility
+  shell: grep -E 'version.*{{ elk_stack_version }}' /usr/share/kibana/plugins/wazuh/package.json
+    removes=/usr/share/kibana/plugins/wazuh/package.json
+  register: wazuh_app_notok
+  ignore_errors: yes
+  changed_when: "wazuh_app_notok.rc != 0"
+  tags: install
 
-- name: Verify if Wazuh-APP is installed
-  command: /bin/bash /usr/share/kibana/bin/kibana-plugin list
-  register: kibanainstalled
+- name: Removing Wazuh-APP by compatibility issues
+  shell: /usr/share/kibana/bin/kibana-plugin remove wazuh
+  when: wazuh_app_notok.rc != 0
+  tags: install
 
 - name: Install Wazuh-APP (can take a while)
-  shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip && service kibana restart
-  when: kibanainstalled.stdout.find('wazuh') == -1
+  shell: /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_{{ elk_stack_version }}.zip
+    creates=/usr/share/kibana/plugins/wazuh/package.json
+  notify: restart kibana
+  tags: install
 
-- name: Ensure Logstash, Kibana and Elasticsearch started and enabled
+- name: Ensure Kibana started and enabled
   service:
     name: kibana
     enabled: yes
     state: started
+
+- include: RMRedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- include: RMDebian.yml
+  when: ansible_os_family == 'Debian'

ansible-role-kibana/vars/main.yml

@@ -1,5 +0,0 @@
----
-elasticsearch_http_port: "9200"
-elasticsearch_network_host: "192.168.33.182"
-
-kibana_server_host: "0.0.0.0"

ansible-role-logstash/defaults/main.yml

@@ -1 +1,4 @@
 ---
+elasticsearch_network_host: "127.0.0.1"
+elasticsearch_http_port: "9200"
+elk_stack_version: 5.4.0

ansible-role-logstash/tasks/Debian.yml

@@ -0,0 +1,49 @@
+---
+- name: Debian/Ubuntu | apt-transport-https
+  apt:
+    name: apt-transport-https
+    state: present
+    update_cache: yes
+
+- name: Debian/Ubuntu | ca-certificates
+  apt:
+    name: ca-certificates
+    state: present
+
+- name: Debian/Ubuntu | Setting webupd8 repository
+  apt_repository:
+    repo: 'ppa:webupd8team/java'
+    codename: 'xenial'
+    update_cache: yes
+
+- name: Debian/Ubuntu | Accept Oracle Java 8 license
+  debconf:
+    name: oracle-java8-installer
+    question: shared/accepted-oracle-license-v1-1
+    value: true
+    vtype: boolean
+
+- name: Debian/Ubuntu | Oracle Java 8 installer
+  apt:
+    name: oracle-java8-installer
+    update_cache: yes
+    state: present
+  tags: install
+
+- name: Debian/Ubuntu | Add Elasticsearch GPG key
+  apt_key:
+    url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+    state: present
+
+- name: Debian/Ubuntu | Install Elasticsearch repo
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: present
+    filename: 'elk_repo'
+    update_cache: yes
+
+- name: Debian/Ubuntu | Install Logstash
+  apt:
+    name: logstash=1:{{ elk_stack_version }}-1
+    state: present
+  tags: install

ansible-role-logstash/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Debian/Ubuntu | Removing Elasticsearch repository
+  apt_repository:
+    repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main
+    state: absent

ansible-role-logstash/tasks/RMRedHat.yml

@@ -1,6 +1,6 @@
 ---
 # Remove logstash repository
-- name: Remove logstash repository (and clean up left-over metadata)
+- name: RedHat | Remove logstash repository (and clean up left-over metadata)
   yum_repository:
-    name: logstash
+    name: elk_repo
     state: absent

ansible-role-logstash/tasks/RedHat.yml

@@ -1,36 +1,30 @@
 ---
-- name: download Java RPM
-  shell:
-    "curl -L  -H 'Cookie:oraclelicense=accept-securebackup-cookie' -o /tmp/jdk-8-linux-x64.rpm http://download.oracle.com/otn-pub/java/jdk/8u111-b14/jdk-8u111-linux-x64.rpm"
-  args:
-    creates: "/tmp/jdk-8-linux-x64.rpm"
+- name: RedHat | Download Java RPM
+  get_url:
+    url: http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.rpm
+    dest: /tmp/jdk-8-linux-x64.rpm
+    headers: 'Cookie:oraclelicense=accept-securebackup-cookie'
   register: oracle_java_task_rpm_download
   become: yes
-  tags:
-    - installation
 
-- name: install RPM
+- name: RedHat | Install Oracle Java RPM
   action: "yum name=/tmp/jdk-8-linux-x64.rpm state=present"
   when: not oracle_java_task_rpm_download|skipped
   become: yes
-  tags:
-    - installation
 
-- name: Add Elasticsearch GPG key.
+- name: RedHat | Add Elasticsearch GPG key.
   rpm_key:
     key: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     state: present
 
 - name: RedHat | Install Logstash repo
   yum_repository:
-    name: logstash
+    name: elk_repo
     description: Elastic repository for 5.x packages
     baseurl: https://artifacts.elastic.co/packages/5.x/yum
     gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch
     gpgcheck: yes
 
 - name: RedHat | Install Logstash
-  yum: pkg=logstash-5.3.0
-       state=present
-  tags:
-    - init
+  yum: pkg=logstash-{{ elk_stack_version }} state=present
+  tags: install

ansible-role-logstash/tasks/main.yml

@@ -2,9 +2,8 @@
 - include: RedHat.yml
   when: ansible_os_family == 'RedHat'
 
-- name: 'check parm is null or invalid'
-  fail: msg="This playbook is not compatible with Debian/Ubuntu"
-  when: ansible_os_family == 'Debian'
+- include: Debian.yml
+  when: ansible_os_family == "Debian"
 
 - name: Logstash configuration
   template:
@@ -13,6 +12,7 @@
     owner: root
     group: root
   notify: restart logstash
+  tags: configure
 
 - name: Logstash template
   template:
@@ -21,7 +21,7 @@
     owner: root
     group: root
   notify: restart logstash
-
+  tags: configure
 
 - name: Ensure Logstash started and enabled
   service:
@@ -32,3 +32,7 @@
 - name: Remove the correct repository
   include: "RMRedHat.yml"
   when: ansible_os_family == "RedHat"
+
+- name: Remove the correct repository
+  include: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

ansible-role-logstash/vars/main.yml

@@ -1,3 +0,0 @@
----
-elasticsearch_network_host: "192.168.33.182"
-elasticsearch_http_port: "9200"

ansible-wazuh-agent/defaults/main.yml

@@ -1,6 +1,45 @@
 ---
-# defaults file for ossec-agent
-
 ossec_server_ip: 127.0.0.1
 ossec_server_name: ""
 ossec_managed_server: true
+ossec_agent_config:
+  frequency_check: 43200
+  syscheck_scan_on_start: 'yes'
+  ignore_files:
+    - /etc/mtab
+    - /etc/mnttab
+    - /etc/hosts.deny
+    - /etc/mail/statistics
+    - /etc/random-seed
+    - /etc/random.seed
+    - /etc/adjtime
+    - /etc/httpd/logs
+    - /etc/utmpx
+    - /etc/wtmpx
+    - /etc/cups/certs
+    - /etc/dumpdates
+    - /etc/svc/volatile
+  no_diff:
+    - /etc/ssl/private.key
+  directories:
+    - check_all: 'yes'
+      dirs: /etc,/usr/bin,/usr/sbin
+    - check_all: 'yes'
+      dirs: /bin,/sbin
+  localfiles:
+    - format: 'syslog'
+      location: '/var/log/messages'
+    - format: 'syslog'
+      location: '/var/log/secure'
+    - format: 'command'
+      command: 'df -P'
+      frequency: '360'
+    - format: 'full_command'
+      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
+      frequency: '360'
+    - format: 'full_command'
+      command: 'last -n 20'
+      frequency: '360'
+  globals:
+    - '127.0.0.1'
+    - '192.168.2.1'

ansible-wazuh-agent/tasks/Debian.yml

@@ -15,11 +15,7 @@
   apt_repository:
     repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
     state: present
-  register: wazuh_repo
-
-- name: Update apt cache if repo was added.
-  apt: update_cache=yes
-  when: wazuh_repo.changed
+    update_cache: yes
   
 - name: Set Distribution CIS filename for debian
   set_fact:

ansible-wazuh-agent/vars/main.yml

@@ -1,43 +0,0 @@
----
-# vars file for ossec-agent
-ossec_agent_config:
-  frequency_check: 43200
-  syscheck_scan_on_start: 'yes'
-  ignore_files:
-    - /etc/mtab
-    - /etc/mnttab
-    - /etc/hosts.deny
-    - /etc/mail/statistics
-    - /etc/random-seed
-    - /etc/random.seed
-    - /etc/adjtime
-    - /etc/httpd/logs
-    - /etc/utmpx
-    - /etc/wtmpx
-    - /etc/cups/certs
-    - /etc/dumpdates
-    - /etc/svc/volatile
-  no_diff:
-    - /etc/ssl/private.key
-  directories:
-    - check_all: 'yes'
-      dirs: /etc,/usr/bin,/usr/sbin
-    - check_all: 'yes'
-      dirs: /bin,/sbin
-  localfiles:
-    - format: 'syslog'
-      location: '/var/log/messages'
-    - format: 'syslog'
-      location: '/var/log/secure'
-    - format: 'command'
-      command: 'df -P'
-      frequency: '360'
-    - format: 'full_command'
-      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
-      frequency: '360'
-    - format: 'full_command'
-      command: 'last -n 20'
-      frequency: '360'
-  globals:
-    - '127.0.0.1'
-    - '192.168.2.1'

ansible-wazuh-server/defaults/main.yml

@@ -1,6 +1,114 @@
 ---
-# defaults file for ossec-server
-#
-ossec_server_config: []
-ossec_agent_configs: []
 ossec_server_fqdn: "ossec-server"
+
+ossec_server_config:
+  email_notification: no
+  mail_to:
+    - admin@example.net
+  mail_smtp_server: localhost
+  mail_from: ossec@example.com
+  frequency_check: 43200
+  syscheck_scan_on_start: 'yes'
+  log_level: 1
+  email_level: 12
+  ignore_files:
+    - /etc/mtab
+    - /etc/mnttab
+    - /etc/hosts.deny
+    - /etc/mail/statistics
+    - /etc/random-seed
+    - /etc/random.seed
+    - /etc/adjtime
+    - /etc/httpd/logs
+    - /etc/utmpx
+    - /etc/wtmpx
+    - /etc/cups/certs
+    - /etc/dumpdates
+    - /etc/svc/volatile
+  no_diff:
+    - /etc/ssl/private.key
+  directories:
+    - check_all: 'yes'
+      dirs: /etc,/usr/bin,/usr/sbin
+    - check_all: 'yes'
+      dirs: /bin,/sbin
+  localfiles:
+    - format: 'syslog'
+      location: '/var/log/messages'
+    - format: 'syslog'
+      location: '/var/log/secure'
+    - format: 'command'
+      command: 'df -P'
+      frequency: '360'
+    - format: 'full_command'
+      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
+      frequency: '360'
+    - format: 'full_command'
+      command: 'last -n 20'
+      frequency: '360'
+  globals:
+    - '127.0.0.1'
+    - '192.168.2.1'
+  connection:
+    - type: 'secure'
+      port: '1514'
+      protocol: 'tcp'
+  commands:
+    - name: 'disable-account'
+      executable: 'disable-account.sh'
+      expect: 'user'
+      timeout_allowed: 'yes'
+    - name: 'restart-ossec'
+      executable: 'restart-ossec.sh'
+      expect: ''
+      timeout_allowed: 'no'
+    - name: 'firewall-drop'
+      executable: 'firewall-drop.sh'
+      expect: 'srcip'
+      timeout_allowed: 'yes'
+    - name: 'host-deny'
+      executable: 'host-deny.sh'
+      expect: 'srcip'
+      timeout_allowed: 'yes'
+    - name: 'route-null'
+      executable: 'route-null.sh'
+      expect: 'srcip'
+      timeout_allowed: 'yes'
+    - name: 'win_route-null'
+      executable: 'route-null.cmd'
+      expect: 'srcip'
+      timeout_allowed: 'yes'
+  active_responses:
+    - command: 'host-deny'
+      location: 'local'
+      level: 6
+      timeout: 600
+
+ossec_agent_configs:
+  - type: os
+    type_value: linux
+    frequency_check: 79200
+    ignore_files:
+      - /etc/mtab
+      - /etc/mnttab
+      - /etc/hosts.deny
+      - /etc/mail/statistics
+      - /etc/svc/volatile
+    directories:
+      - check_all: yes
+        dirs: /etc,/usr/bin,/usr/sbin
+      - check_all: yes
+        dirs: /bin,/sbin
+    localfiles:
+      - format: 'syslog'
+        location: '/var/log/messages'
+      - format: 'syslog'
+        location: '/var/log/secure'
+      - format: 'syslog'
+        location: '/var/log/maillog'
+      - format: 'apache'
+        location: '/var/log/httpd/error_log'
+      - format: 'apache'
+        location: '/var/log/httpd/access_log'
+      - format: 'apache'
+        location: '/var/ossec/logs/active-responses.log'

ansible-wazuh-server/tasks/Debian.yml

@@ -3,34 +3,24 @@
   apt: pkg=apt-transport-https
        state=present
        update_cache=yes
-       cache_valid_time=3600
 
 - name: Debian/Ubuntu | Installing Wazuh repository key
   apt_key: url=https://packages.wazuh.com/key/GPG-KEY-WAZUH
 
-- name: Add Wazuh epositories.
+- name: Add Wazuh repositories.
   apt_repository:
     repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
     state: present
-  register: wazuh_repo
+    update_cache: yes
 
 - name: Debian/Ubuntu | Installing NodeJS repository key
   apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key
 
 - name: Add NodeSource repositories for Node.js.
   apt_repository:
-    repo: "{{ item }}"
+    repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
     state: present
-  with_items:
-    - deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
-    - deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
-  register: node_repo
-
-- name: Update apt cache if repo was added.
-  apt: update_cache=yes
-  when:
-    - node_repo.changed
-    - wazuh_repo.changed
+    update_cache: yes
 
 - name: Debian/Ubuntu | Install wazuh-manager
   apt: pkg={{ item }}
@@ -40,6 +30,7 @@
   with_items:
     - wazuh-manager
     - wazuh-api
+    - expect
   tags:
     - init
 

ansible-wazuh-server/tasks/RMDebian.yml

@@ -7,13 +7,5 @@
 
 - name: Remove Nodejs repository.
   apt_repository:
-    repo: deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
-      - deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
-      - deb-src https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
-      - deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
-    state: absent
-
-- name: Remove Nodejs repository.
-  apt_repository:
-    repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
+    repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
     state: absent

ansible-wazuh-server/tasks/RedHat.yml

@@ -33,6 +33,7 @@
   with_items:
     - wazuh-manager
     - wazuh-api
+    - expect
   tags:
     - init
 

ansible-wazuh-server/tasks/main.yml

@@ -8,7 +8,6 @@
   include: "Debian.yml"
   when: ansible_os_family == "Debian"
 
-
 - name: Generate SSL files
   command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ossec_server_fqdn}}/"
   args:
@@ -70,7 +69,7 @@
   register: agentless_running
   changed_when: False
 
-- name: Enable client-syslog if not running and ossec_server_config.syslog_outputs is given
+- name: Enable ossec-agentlessd
   command: /var/ossec/bin/ossec-control enable agentless
   when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
 
@@ -78,6 +77,12 @@
   command: /var/ossec/bin/ossec-control start agentless
   when: agentless_running.stdout == '0' and ossec_server_config.agentless is defined
 
+- name: Retrieving Agentless Credentials
+  include_vars: agentless_creeds.yml
+
+- name: Retrieving Wazuh-api User Credentials
+  include_vars: wazuh_api_creds.yml
+
 - name: Configure ossec.conf
   template: src=var-ossec-etc-ossec-server.conf.j2
             dest=/var/ossec/etc/ossec.conf
@@ -109,10 +114,6 @@
     - init
     - config
 
-- name: Import api_user secret variable file
-  include_vars: "api_user.yml"
-  no_log: true
-
 - name: Wazuh-api User
   template:
     src: api_user.j2
@@ -122,12 +123,9 @@
     mode: 0750
   no_log: true
   notify: restart wazuh-api
+  when: wazuh_api_user is defined
 
-- name: Import agentless secret variable file
-  include_vars: "agentless.yml"
-  no_log: true
-
-- name: Agentless Credentials
+- name: Agentless Hosts & Passwd
   template:
     src: agentless.j2
     dest: "/var/ossec/agentless/.passlist_tmp"
@@ -135,11 +133,11 @@
     group: root
     mode: 0644
   no_log: true
-  when: agentless_passlist is defined
+  when: agentless_creeds is defined
 
 - name: Encode the secret
   shell: /usr/bin/base64 /var/ossec/agentless/.passlist_tmp > /var/ossec/agentless/.passlist && rm /var/ossec/agentless/.passlist_tmp
-  when: agentless_passlist is defined
+  when: agentless_creeds is defined
 
 - name: Ensure Wazuh Manager, wazuh api and ossec-authd service is started and enabled
   service:

ansible-wazuh-server/templates/agentless.j2

@@ -1,3 +1,3 @@
-{% for agentless in agentless_passlist %}
+{% for agentless in agentless_creeds %}
 {{ agentless.host }}|{{ agentless.passwd }}
 {% endfor %}

ansible-wazuh-server/templates/api_user.j2

@@ -1,3 +1,3 @@
-{% for user in api_user %}
+{% for user in wazuh_api_user %}
 {{ user }}
 {% endfor %}

ansible-wazuh-server/templates/var-ossec-etc-ossec-server.conf.j2

@@ -8,11 +8,11 @@
   <global>
     <jsonout_output>yes</jsonout_output>
     <alerts_log>yes</alerts_log>
-    {% if ossec_server_config.email_notification is not defined or ossec_server_config.email_notification | lower == "yes" %}
+    {% if ossec_server_config.email_notification | lower == "yes" %}
     <email_notification>yes</email_notification>
-{% for to in ossec_server_config.mail_to %}
+    {% for to in ossec_server_config.mail_to %}
     <email_to>{{ to }}</email_to>
-{% endfor %}
+    {% endfor %}
     <smtp_server>{{ ossec_server_config.mail_smtp_server }}</smtp_server>
     <email_from>{{ ossec_server_config.mail_from }}</email_from>
     {% else %}
@@ -147,8 +147,8 @@
 </wodle>
 {% endif %}
 
-{% if ossec_server_config.agentless is defined %}
-{% for agentless in ossec_server_config.agentless %}
+{% if agentless_creeds is defined %}
+{% for agentless in agentless_creeds %}
   <agentless>
     <type>{{ agentless.type }}</type>
     <frequency>{{ agentless.frequency }}</frequency>

ansible-wazuh-server/templates/var-ossec-rules-local_rules.xml.j2

@@ -1,65 +1,18 @@
-<!-- @(#) $Id: ./etc/rules/local_rules.xml, 2011/09/08 dcid Exp $
-
-  -  Example of local rules for OSSEC.
-  -
-  -  Copyright (C) 2009 Trend Micro Inc.
-  -  All rights reserved.
-  -
-  -  This program is a free software; you can redistribute it
-  -  and/or modify it under the terms of the GNU General Public
-  -  License (version 2) as published by the FSF - Free Software
-  -  Foundation.
-  -
-  -  License details: http://www.ossec.net/en/licensing.html
-  -->
-
+<!-- Local rules -->
 
 <!-- Modify it at your will. -->
 
-<group name="local,syslog,">
+<!-- Example -->
+<group name="local,syslog,sshd,">
 
-
-<rule id="5703" level="10" frequency="10" timeframe="360" overwrite="yes">
-  <if_matched_sid>5702</if_matched_sid>
-  <description>sshd: Possible breakin attempt </description>
-  <description>(high number of reverse lookup errors).</description>
-  <group>pci_dss_11.4,</group>
-</rule>
-
-  <!-- Note that rule id 5711 is defined at the ssh_rules file
-    -  as a ssh failed login. This is just an example
-    -  since ip 1.1.1.1 shouldn't be used anywhere.
-    -  Level 0 means ignore.
+  <!--
+  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
   -->
-  <rule id="100001" level="0">
-    <if_sid>5711</if_sid>
+  <rule id="100001" level="5">
+    <if_sid>5716</if_sid>
     <srcip>1.1.1.1</srcip>
-    <description>Example of rule that will ignore sshd </description>
-    <description>failed logins from IP 1.1.1.1.</description>
+    <description>sshd: authentication failed from IP 1.1.1.1.</description>
+    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
   </rule>
 
-
-  <!-- This example will ignore ssh failed logins for the user name XYZABC.
-    -->
-  <!--
-  <rule id="100020" level="0" >
-    <if_sid>5711</if_sid>
-    <user>XYZABC</user>
-    <description>Example of rule that will ignore sshd </description>
-    <description>failed logins for user XYZABC.</description>
-  </rule>
-  -->
-
-
-  <!-- Specify here a list of rules to ignore. -->
-  <!--
-  <rule id="100030" level="0">
-    <if_sid>12345, 23456, xyz, abc</if_sid>
-    <description>List of rules to be ignored.</description>
-  </rule>
-  -->
-
-</group> <!-- SYSLOG,LOCAL -->
-
-
-<!-- EOF -->
+</group>

ansible-wazuh-server/vars/agentless.yml

@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-65316634333362393962623133616234373639323463366332336331373337313066393962333231
-3931646633633136653736666533346562353435336333360a306161343039363533623766393264
-30323539616462636238393861386463366434636333323361623035393038663263633964353335
-3432363337386631630a313835643062363666356464663130353533386234383430356633303037
-61653338636435626464353031333865646165663635303030396131366565303439353039303831
-37636462383933306138663130353966666162356435323862376635333635303931333765663335
-38336634396236336239636330626638303865373565653262616563613336353838303931316464
-37666634633131343537396565376265633064353835656639303962643735376564623935356466
-66623837356137326635613132383834663436366635396234333965393338383565393938393331
-3062373862333862323138373637653531373262346139323732

ansible-wazuh-server/vars/agentless_creeds.yml

@@ -0,0 +1,8 @@
+# Be sure you encrypt this file with ansible-vault.
+# agentless_creeds:
+# - type: ssh_integrity_check_linux
+#   frequency: 3600
+#   host: root@example.net
+#   state: periodic
+#   arguments: '/bin /etc/ /sbin'
+#   passwd: qwerty

ansible-wazuh-server/vars/api_user.yml

@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30626565633363656662393332653964653565376238633538323230333934613934323231343262
-6130313831653766333463653765643336313864373934620a646139336334346165346163633262
-36333031313434623439663839323036323533623235653536376534636137636334396233636236
-6238653531316136620a633361333130313335393333313861316233623037306131653733623661
-37363163346361366631623530323166373861623366633633396164326331376664666665646236
-64333738326538303063653266623930613130383637663864336664646361663935343231383965
-34303734333031373161376435373538613262373037386430333933383639323965356336383563
-34666431343136376132633632393938653965613236396333626430643538353533313131353338
-37373138396435623230306262303934396164303238346563363230663032316334613262336235
-3235313265333561366130393966643632333735623761643261

ansible-wazuh-server/vars/main.yml

@@ -1,125 +0,0 @@
-ossec_server_config:
-  mail_to:
-    - victor@wazuh.com
-  mail_smtp_server: localhost
-  mail_from: ossec@example.com
-  frequency_check: 43200
-  syscheck_scan_on_start: 'yes'
-  ignore_files:
-    - /etc/mtab
-    - /etc/mnttab
-    - /etc/hosts.deny
-    - /etc/mail/statistics
-    - /etc/random-seed
-    - /etc/random.seed
-    - /etc/adjtime
-    - /etc/httpd/logs
-    - /etc/utmpx
-    - /etc/wtmpx
-    - /etc/cups/certs
-    - /etc/dumpdates
-    - /etc/svc/volatile
-  no_diff:
-    - /etc/ssl/private.key
-  directories:
-    - check_all: 'yes'
-      dirs: /etc,/usr/bin,/usr/sbin
-    - check_all: 'yes'
-      dirs: /bin,/sbin
-  agentless:
-    - type: ssh_integrity_check_linux
-      frequency: 36000
-      host: root@example.net
-      state: periodic
-      arguments: '/bin /etc/ /sbin'
-    - type: ssh_integrity_check_linux
-      frequency: 36000
-      host: root@example.net
-      state: periodic
-      arguments: '/bin /etc/ /sbin'
-    - type: ssh_integrity_check_linux
-      frequency: 36000
-      host: root@example.net
-      state: periodic
-  localfiles:
-    - format: 'syslog'
-      location: '/var/log/messages'
-    - format: 'syslog'
-      location: '/var/log/secure'
-    - format: 'command'
-      command: 'df -P'
-      frequency: '360'
-    - format: 'full_command'
-      command: 'netstat -tln | grep -v 127.0.0.1 | sort'
-      frequency: '360'
-    - format: 'full_command'
-      command: 'last -n 20'
-      frequency: '360'
-  globals:
-    - '127.0.0.1'
-    - '192.168.2.1'
-  connection:
-    - type: 'secure'
-      port: '1514'
-      protocol: 'tcp'
-  log_level: 1
-  email_level: 12
-  commands:
-    - name: 'disable-account'
-      executable: 'disable-account.sh'
-      expect: 'user'
-      timeout_allowed: 'yes'
-    - name: 'restart-ossec'
-      executable: 'restart-ossec.sh'
-      expect: ''
-      timeout_allowed: 'no'
-    - name: 'firewall-drop'
-      executable: 'firewall-drop.sh'
-      expect: 'srcip'
-      timeout_allowed: 'yes'
-    - name: 'host-deny'
-      executable: 'host-deny.sh'
-      expect: 'srcip'
-      timeout_allowed: 'yes'
-    - name: 'route-null'
-      executable: 'route-null.sh'
-      expect: 'srcip'
-      timeout_allowed: 'yes'
-    - name: 'win_route-null'
-      executable: 'route-null.cmd'
-      expect: 'srcip'
-      timeout_allowed: 'yes'
-  active_responses:
-    - command: 'host-deny'
-      location: 'local'
-      level: 6
-      timeout: 600
-
-ossec_agent_configs:
-  - type: os
-    type_value: linux
-    frequency_check: 79200
-    ignore_files:
-      - /etc/mtab
-      - /etc/mnttab
-      - /etc/hosts.deny
-      - /etc/mail/statistics
-      - /etc/svc/volatile
-    directories:
-      - check_all: yes
-        dirs: /etc,/usr/bin,/usr/sbin
-      - check_all: yes
-        dirs: /bin,/sbin
-    localfiles:
-      - format: 'syslog'
-        location: '/var/log/messages'
-      - format: 'syslog'
-        location: '/var/log/secure'
-      - format: 'syslog'
-        location: '/var/log/maillog'
-      - format: 'apache'
-        location: '/var/log/httpd/error_log'
-      - format: 'apache'
-        location: '/var/log/httpd/access_log'
-      - format: 'apache'
-        location: '/var/ossec/logs/active-responses.log'

ansible-wazuh-server/vars/wazuh_api_creds.yml

@@ -0,0 +1,3 @@
+# Be sure you encrypt this file with ansible-vault
+wazuh_api_user:
+  - foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/