From fb34566fbc43b897aa1f02d085df24c968da96d8 Mon Sep 17 00:00:00 2001 
From: Miguelangel Freitas Date: Tue, 19 Dec 2017 19:24:52 -0500 Subject: [PATCH] Updating to Wazuh 3 and Elastic Stack 6 --- ansible-role-elasticsearch/defaults/main.yml | 2 +- ansible-role-elasticsearch/tasks/Debian.yml | 2 +- ansible-role-elasticsearch/tasks/RedHat.yml | 4 +- ansible-role-elasticsearch/tasks/main.yml | 35 +- .../templates/alert_sample.json.j2 | 74 ++- .../templates/elasticsearch.yml.j2 | 4 +- .../templates/jvm.options.j2 | 31 +- ...=> wazuh-elastic6-template-alerts.json.j2} | 597 +++++++++-------- ...wazuh-elastic6-template-monitoring.json.j2 | 34 + ansible-role-filebeat/tasks/Debian.yml | 2 +- ansible-role-filebeat/tasks/RedHat.yml | 4 +- ansible-role-filebeat/tasks/main.yml | 4 + ansible-role-kibana/defaults/main.yml | 2 +- ansible-role-kibana/tasks/Debian.yml | 2 +- ansible-role-kibana/tasks/RedHat.yml | 4 +- ansible-role-kibana/tasks/main.yml | 21 +- ansible-role-logstash/defaults/main.yml | 2 +- ansible-role-logstash/tasks/Debian.yml | 2 +- ansible-role-logstash/tasks/RedHat.yml | 4 +- ansible-role-logstash/tasks/config.yml | 8 - ansible-role-logstash/tasks/main.yml | 4 + .../templates/01-wazuh.conf.j2 | 20 +- .../templates/wazuh-elastic5-template.json.j2 | 622 ------------------ ansible-wazuh-agent/defaults/main.yml | 13 +- ansible-wazuh-agent/tasks/Debian.yml | 2 +- ansible-wazuh-agent/tasks/RedHat.yml | 27 +- .../var-ossec-etc-ossec-agent.conf.j2 | 23 +- ansible-wazuh-manager/.kitchen.yml | 21 - ansible-wazuh-manager/defaults/main.yml | 14 + ansible-wazuh-manager/molecule.yml | 85 --- ansible-wazuh-manager/tasks/Debian.yml | 2 +- ansible-wazuh-manager/tasks/RedHat.yml | 72 +- ansible-wazuh-manager/tasks/main.yml | 51 +- .../var-ossec-etc-ossec-server.conf.j2 | 27 +- .../var-ossec-etc-shared-agent.conf.j2 | 2 +- wazuh-elastic.yml | 2 +- wazuh-elastic_stack.yml | 6 +- wazuh-kibana.yml | 2 +- wazuh-logstash.yml | 2 +- wazuh-manager.yml | 2 +- 40 files changed, 644 insertions(+), 1193 deletions(-) rename 
ansible-role-elasticsearch/templates/{wazuh-elastic5-template.json.j2 => wazuh-elastic6-template-alerts.json.j2} (55%) create mode 100644 ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 delete mode 100644 ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 delete mode 100644 ansible-wazuh-manager/.kitchen.yml delete mode 100644 ansible-wazuh-manager/molecule.yml diff --git a/ansible-role-elasticsearch/defaults/main.yml b/ansible-role-elasticsearch/defaults/main.yml index e87453a4..6d9e9e7c 100644 --- a/ansible-role-elasticsearch/defaults/main.yml +++ b/ansible-role-elasticsearch/defaults/main.yml @@ -4,6 +4,6 @@ elasticsearch_node_name: node-1 elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 5.6.4 +elastic_stack_version: 6.1.0 elasticsearch_shards: 5 elasticsearch_replicas: 1 diff --git a/ansible-role-elasticsearch/tasks/Debian.yml b/ansible-role-elasticsearch/tasks/Debian.yml index 0f603f4a..c0f1603b 100644 --- a/ansible-role-elasticsearch/tasks/Debian.yml +++ b/ansible-role-elasticsearch/tasks/Debian.yml @@ -28,7 +28,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' state: present filename: 'elastic_repo' diff --git a/ansible-role-elasticsearch/tasks/RedHat.yml b/ansible-role-elasticsearch/tasks/RedHat.yml index 5731544e..7d65b107 100644 --- a/ansible-role-elasticsearch/tasks/RedHat.yml +++ b/ansible-role-elasticsearch/tasks/RedHat.yml 
@@ -15,8 +15,8 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 5.x packages - baseurl: https://artifacts.elastic.co/packages/5.x/yum + description: Elastic repository for 6.x packages + baseurl: https://artifacts.elastic.co/packages/6.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: yes diff --git a/ansible-role-elasticsearch/tasks/main.yml b/ansible-role-elasticsearch/tasks/main.yml index b5e4d4be..17e1181f 100644 --- a/ansible-role-elasticsearch/tasks/main.yml +++ b/ansible-role-elasticsearch/tasks/main.yml @@ -25,6 +25,10 @@ notify: restart elasticsearch tags: configure +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: yes + - name: Ensure Elasticsearch started and enabled service: name: elasticsearch 
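Review bot: The new `Reload systemd` task in ansible-role-elasticsearch/tasks/main.yml (hunk @@ -25,6 +25,10 @@) sets `ignore_errors: yes`, which turns a real daemon-reload failure into a warning right before the `service:` task that depends on the unit being registered; the same task is copied verbatim into ansible-role-filebeat/tasks/main.yml, ansible-role-kibana/tasks/main.yml and ansible-role-logstash/tasks/main.yml. If the intent is only to tolerate hosts without systemd, guard on the init system instead of swallowing every error, i.e. replace `ignore_errors: yes` with `when: ansible_service_mgr == 'systemd'`. The `systemd: daemon_reload=yes` key=value form is also out of step with the block-style module arguments used by the surrounding tasks; `systemd:` followed by `  daemon_reload: true` keeps the files consistent and avoids the `yes` truthy form.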
@@ -37,31 +41,50 @@ - configure - init -- name: Check for Wazuh template +- name: Check for Wazuh Alerts template uri: url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" method: GET status_code: 200, 404 - register: wazuh_template_exits + register: wazuh_alerts_template_exits tags: init -- name: Installing Wazuh template +- name: Installing Wazuh Alerts template uri: url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh" method: PUT status_code: 200 body_format: json - body: "{{ lookup('template','wazuh-elastic5-template.json.j2') }}" - when: wazuh_template_exits.status != 200 + body: "{{ lookup('template','wazuh-elastic6-template-alerts.json.j2') }}" + when: wazuh_alerts_template_exits.status != 200 tags: init - name: Injecting sample alert uri: - url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/wazuh-alerts-3.x-{{ ansible_date_time.date | regex_replace('-', '.') }}/wazuh/sample" method: PUT status_code: 200, 201 body_format: json body: "{{ lookup('template','alert_sample.json.j2') }}" + when: wazuh_alerts_template_exits.status != 200 + tags: init + +- name: Check for Wazuh Monitoring template + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent" + method: GET + status_code: 200, 404 + register: wazuh_monitoring_template_exits + tags: init + +- name: Installing Wazuh Monitoring template + uri: + url: "http://{{elasticsearch_network_host}}:{{elasticsearch_http_port}}/_template/wazuh-agent" + method: PUT + status_code: 200 + body_format: json + body: "{{ lookup('template','wazuh-elastic6-template-monitoring.json.j2') }}" + when: wazuh_monitoring_template_exits.status != 200 tags: init - import_tasks: "RMRedHat.yml" 
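Review bot: The `Installing Wazuh Alerts template` task is still gated only on whether `_template/wazuh` exists (`when: wazuh_alerts_template_exits.status != 200`), so a host upgraded from the 5.x role keeps the old `wazuh` template with its `wazuh*` pattern and flat field layout, and the new Elastic 6 alerts template is never installed; the `_template/wazuh-agent` check added below has the same existence-only shape. A PUT of an index template is idempotent in Elasticsearch, so the simplest fix is to drop the `when:` on the two `Installing …` tasks (or compare the registered response's `template` pattern before skipping) and keep the `Check for …` tasks only to decide whether the sample alert should be injected. Note also that `wazuh_alerts_template_exits` and `wazuh_monitoring_template_exits` carry the `exits`/`exists` typo into the new variable names; renaming them now is cheaper than later.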
diff --git a/ansible-role-elasticsearch/templates/alert_sample.json.j2 b/ansible-role-elasticsearch/templates/alert_sample.json.j2 index 68cf86d7..a9b1e348 100644 --- a/ansible-role-elasticsearch/templates/alert_sample.json.j2 +++ b/ansible-role-elasticsearch/templates/alert_sample.json.j2 @@ -1,11 +1,7 @@ { "@timestamp": "2015-03-18T15:55:55.000Z", "AlertsFile": "sample", - "title": "sample", "full_log": "sample", - "id": "sample", - "srcuser": "sample", - "srcip": "sample", "location": "sample", "GeoLocation": { "country_name": "sample", @@ -14,34 +10,50 @@ "agent": { "name": "sample" }, - "audit": { - "command": "sample", - "type": "sample", - "egid": "sample", - "euid": "sample", - "exe": "sample", - "gid": "sample", - "uid": "sample", - "directory": { - "name": "sample" - }, - "file": { - "mode": "sample", - "name": "sample" - } - }, - "oscap": { - "check": { - "result": "sample", - "severity": "sample", - "title": "sample" - }, - "scan": { - "id": "sample", - "content": "sample", - "score": 1.55, - "profile": { + "data": { + "title": "sample", + "protocol": "sample", + "action": "sample", + "srcip": "sample", + "dstip": "sample", + "srcport": "sample", + "dstport": "sample", + "srcuser": "sample", + "dstuser": "sample", + "id": "sample", + "status": "sample", + "data": "sample", + "system_name": "sample", + "url": "sample", + "audit": { + "command": "sample", + "type": "sample", + "egid": "sample", + "euid": "sample", + "exe": "sample", + "gid": "sample", + "uid": "sample", + "directory": { + "name": "sample" + }, + "file": { + "mode": "sample", + "name": "sample" + } + }, + "oscap": { + "check": { + "result": "sample", + "severity": "sample", "title": "sample" + }, + "scan": { + "id": "sample", + "content": "sample", + "score": 1.55, + "profile": { + "title": "sample" + } } } }, diff --git a/ansible-role-elasticsearch/templates/elasticsearch.yml.j2 b/ansible-role-elasticsearch/templates/elasticsearch.yml.j2 index e9429686..5b5cb3bd 100644 
--- a/ansible-role-elasticsearch/templates/elasticsearch.yml.j2
+++ b/ansible-role-elasticsearch/templates/elasticsearch.yml.j2
@@ -31,11 +31,11 @@ node.name: {{ elasticsearch_node_name }}
 #
 # Path to directory where to store the data (separate multiple locations by comma):
 #
-#path.data: /path/to/data
+path.data: /var/lib/elasticsearch
 #
 # Path to log files:
 #
-#path.logs: /path/to/logs
+path.logs: /var/log/elasticsearch
 #
 # ----------------------------------- Memory -----------------------------------
 #
diff --git a/ansible-role-elasticsearch/templates/jvm.options.j2 b/ansible-role-elasticsearch/templates/jvm.options.j2
index 576b9cc3..c43ce401 100644
--- a/ansible-role-elasticsearch/templates/jvm.options.j2
+++ b/ansible-role-elasticsearch/templates/jvm.options.j2
@@ -18,6 +18,9 @@
 ##
 ################################################################
 
+# Xms represents the initial size of total heap space
+# Xmx represents the maximum size of total heap space
+
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
 {% if elasticsearch_jvm_xms is not none %}
@@ -50,18 +53,15 @@
 
 ## optimizations
 
-# disable calls to System#gc
--XX:+DisableExplicitGC
-
 # pre-touch memory pages used by the JVM during initialization
 -XX:+AlwaysPreTouch
 
 ## basic
 
-# force the server VM (remove on 32-bit client JVMs)
+# force the server VM
 -server
 
-# explicitly set the stack size (reduce to 320k on 32-bit client JVMs)
+# explicitly set the stack size
 -Xss1m
 
 # set to headless, just in case
@@ -73,8 +73,9 @@
 # use our provided JNA always versus the system one
 -Djna.nosys=true
 
-# use old-style file permissions on JDK9
--Djdk.io.permissionsUseCanonicalPath=true
+# turn off a JDK optimization that throws away stack traces for common
+# exceptions because stack traces are important for debugging
+-XX:-OmitStackTraceInFastThrow
 
 # flags to configure Netty
 -Dio.netty.noUnsafe=true
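Review bot: The three lines added to jvm.options.j2 at @@ -18,6 +18,9 @@ (`# Xms represents …`, `# Xmx represents …` and a blank line) duplicate the two context comment lines that immediately follow them, so the rendered file explains the heap settings twice; drop the added lines. In elasticsearch.yml.j2 the hunk turns the commented placeholders into hard-coded `path.data: /var/lib/elasticsearch` and `path.logs: /var/log/elasticsearch`; since this is a Jinja template, exposing them as role defaults (e.g. `path.data: {{ elasticsearch_path_data }}` with the default set to the current value, variable name illustrative) would let operators place the data directory on a dedicated volume without editing the role.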
@@ -84,7 +85,6 @@ # log4j 2 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true --Dlog4j.skipJansi=true ## heap dumps @@ -94,7 +94,7 @@ # specify an alternative path for heap dumps # ensure the directory exists and has sufficient space -#-XX:HeapDumpPath=${heap.dump.path} +-XX:HeapDumpPath=/var/lib/elasticsearch ## GC logging @@ -109,10 +109,9 @@ # ensure the directory exists #-Xloggc:${loggc} -# Elasticsearch 5.0.0 will throw an exception on unquoted field names in JSON. -# If documents were already indexed with unquoted fields in a previous version -# of Elasticsearch, some operations may throw errors. -# -# WARNING: This option will be removed in Elasticsearch 6.0.0 and is provided -# only for migration purposes. -#-Delasticsearch.json.allow_unquoted_field_names=true +# By default, the GC log file will not rotate. +# By uncommenting the lines below, the GC log file +# will be rotated every 128MB at most 32 times. +#-XX:+UseGCLogFileRotation +#-XX:NumberOfGCLogFiles=32 +#-XX:GCLogFileSize=128M diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 similarity index 55% rename from ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 rename to ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 index 10107191..e7c04639 100644 --- a/ansible-role-elasticsearch/templates/wazuh-elastic5-template.json.j2 +++ b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-alerts.json.j2 @@ -1,6 +1,6 @@ { "order": 0, - "template": "wazuh*", + "template": "wazuh-alerts-3.*", "settings": { "index.refresh_interval": "5s", "number_of_shards": {{ elasticsearch_shards }}, @@ -51,9 +51,13 @@ } } }, - "dstuser": { - "type": "keyword", - "doc_values": "true" + "cluster": { + "properties": { + "name": { + "type": "keyword", + "doc_values": "true" + } + } }, "AlertsFile": { "type": "keyword", 
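Review bot: The alerts template pattern becomes `"template": "wazuh-alerts-3.*"` (and the sample alert is written to `wazuh-alerts-3.x-<date>`), but the Logstash output in ansible-role-logstash/templates/01-wazuh.conf.j2 (@@ -46,8 +57,5 @@) still indexes into `wazuh-alerts-%{+YYYY.MM.dd}` and no longer ships a template itself, so live alerts land in indices this template does not match and lose the explicit `data.*` keyword mappings added below. Either the Logstash `index =>` must become `wazuh-alerts-3.x-%{+YYYY.MM.dd}` or the pattern here must cover both forms; the same pattern/index agreement should be checked for the new `wazuh-monitoring*` template. Elasticsearch 6 also deprecates the `template` key of an index template in favour of `index_patterns`, so `"index_patterns": ["wazuh-alerts-3.x-*"]` would avoid a deprecation warning on every PUT, here and in wazuh-elastic6-template-monitoring.json.j2.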
@@ -302,319 +306,308 @@ } } }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" + "data": { + "properties": { + "protocol": { + "type": "keyword", + "doc_values": "true" + }, + "action": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "dstip": { + "type": "keyword", + "doc_values": "true" + }, + "srcport": { + "type": "keyword", + "doc_values": "true" + }, + "dstport": { + "type": "keyword", + "doc_values": "true" + }, + "srcuser": { + "type": "keyword", + "doc_values": "true" + }, + "dstuser": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "status": { + "type": "keyword", + "doc_values": "true" + }, + "data": { + "type": "keyword", + "doc_values": "true" + }, + "system_name": { + "type": "keyword", + "doc_values": "true" + }, + "url": { + "type": "keyword", + "doc_values": "true" + }, + "oscap": { + "properties": { + "check.title": { + "type": "keyword", + "doc_values": "true" + }, + "check.id": { + "type": "keyword", + "doc_values": "true" + }, + "check.result": { + "type": "keyword", + "doc_values": "true" + }, + "check.severity": { + "type": "keyword", + "doc_values": "true" + }, + "check.description": { + "type": "text" + }, + "check.rationale": { + "type": "text" + }, + "check.references": { + "type": "text" + }, + "check.identifiers": { + "type": "text" + }, + "check.oval.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.content": { + "type": "keyword", + "doc_values": "true" + }, + "scan.benchmark.id": { + "type": "keyword", + 
"doc_values": "true" + }, + "scan.profile.title": { + "type": "keyword", + "doc_values": "true" + }, + "scan.profile.id": { + "type": "keyword", + "doc_values": "true" + }, + "scan.score": { + "type": "double", + "doc_values": "true" + }, + "scan.return_code": { + "type": "long", + "doc_values": "true" + } + } + }, + "audit": { + "properties": { + "type": { + "type": "keyword", + "doc_values": "true" + }, + "id": { + "type": "keyword", + "doc_values": "true" + }, + "syscall": { + "type": "keyword", + "doc_values": "true" + }, + "exit": { + "type": "keyword", + "doc_values": "true" + }, + "ppid": { + "type": "keyword", + "doc_values": "true" + }, + "pid": { + "type": "keyword", + "doc_values": "true" + }, + "auid": { + "type": "keyword", + "doc_values": "true" + }, + "uid": { + "type": "keyword", + "doc_values": "true" + }, + "gid": { + "type": "keyword", + "doc_values": "true" + }, + "euid": { + "type": "keyword", + "doc_values": "true" + }, + "suid": { + "type": "keyword", + "doc_values": "true" + }, + "fsuid": { + "type": "keyword", + "doc_values": "true" + }, + "egid": { + "type": "keyword", + "doc_values": "true" + }, + "sgid": { + "type": "keyword", + "doc_values": "true" + }, + "fsgid": { + "type": "keyword", + "doc_values": "true" + }, + "tty": { + "type": "keyword", + "doc_values": "true" + }, + "session": { + "type": "keyword", + "doc_values": "true" + }, + "command": { + "type": "keyword", + "doc_values": "true" + }, + "exe": { + "type": "keyword", + "doc_values": "true" + }, + "key": { + "type": "keyword", + "doc_values": "true" + }, + "cwd": { + "type": "keyword", + "doc_values": "true" + }, + "directory.name": { + "type": "keyword", + "doc_values": "true" + }, + "directory.inode": { + "type": "keyword", + "doc_values": "true" + }, + "directory.mode": { + "type": "keyword", + "doc_values": "true" + }, + "file.name": { + "type": "keyword", + "doc_values": "true" + }, + "file.inode": { + "type": "keyword", + "doc_values": "true" + }, + "file.mode": { + 
"type": "keyword", + "doc_values": "true" + }, + "acct": { + "type": "keyword", + "doc_values": "true" + }, + "dev": { + "type": "keyword", + "doc_values": "true" + }, + "enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "list": { + "type": "keyword", + "doc_values": "true" + }, + "old-auid": { + "type": "keyword", + "doc_values": "true" + }, + "old-ses": { + "type": "keyword", + "doc_values": "true" + }, + "old_enforcing": { + "type": "keyword", + "doc_values": "true" + }, + "old_prom": { + "type": "keyword", + "doc_values": "true" + }, + "op": { + "type": "keyword", + "doc_values": "true" + }, + "prom": { + "type": "keyword", + "doc_values": "true" + }, + "res": { + "type": "keyword", + "doc_values": "true" + }, + "srcip": { + "type": "keyword", + "doc_values": "true" + }, + "subj": { + "type": "keyword", + "doc_values": "true" + }, + "success": { + "type": "keyword", + "doc_values": "true" + } + } + } + } }, "program_name": { "type": "keyword", "doc_values": "true" }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, "command": { "type": "keyword", "doc_values": "true" }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, "type": { "type": "text" }, "title": { "type": "keyword", "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": 
"true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" - }, - "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": 
"keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "agent": { - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" } } } diff --git a/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 new file mode 100644 index 00000000..e67588e4 --- /dev/null +++ b/ansible-role-elasticsearch/templates/wazuh-elastic6-template-monitoring.json.j2 
@@ -0,0 +1,34 @@ +{ + "order": 0, + "template": "wazuh-monitoring*", + "settings": { + "index.refresh_interval": "5s", + "number_of_shards": {{ elasticsearch_shards }}, + "number_of_replicas": {{ elasticsearch_replicas }} + }, + "mappings": { + "wazuh-agent": { + "properties": { + "@timestamp": { + "type": "date", + "format": "dateOptionalTime" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + } + } + } + } +} diff --git a/ansible-role-filebeat/tasks/Debian.yml b/ansible-role-filebeat/tasks/Debian.yml index 1d9c7850..24ae6173 100644 --- a/ansible-role-filebeat/tasks/Debian.yml +++ b/ansible-role-filebeat/tasks/Debian.yml @@ -12,6 +12,6 @@ - name: Debian/Ubuntu | Add Filebeat repository. apt_repository: - repo: 'deb https://artifacts.elastic.co/packages/5.x/apt stable main' + repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' state: present update_cache: yes diff --git a/ansible-role-filebeat/tasks/RedHat.yml b/ansible-role-filebeat/tasks/RedHat.yml index cd25b4dd..f118293d 100644 --- a/ansible-role-filebeat/tasks/RedHat.yml +++ b/ansible-role-filebeat/tasks/RedHat.yml @@ -2,7 +2,7 @@ - name: RedHat/CentOS/Fedora | Install Filebeats repo yum_repository: name: elastic_repo - description: Elastic repository for 5.x packages - baseurl: https://artifacts.elastic.co/packages/5.x/yum + description: Elastic repository for 6.x packages + baseurl: https://artifacts.elastic.co/packages/6.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: yes diff --git a/ansible-role-filebeat/tasks/main.yml b/ansible-role-filebeat/tasks/main.yml index 5620c3cb..8ae22509 100644 --- a/ansible-role-filebeat/tasks/main.yml +++ b/ansible-role-filebeat/tasks/main.yml 
@@ -13,6 +13,10 @@ - import_tasks: config.yml when: filebeat_create_config +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: yes + - name: Ensure Filebeat is started and enabled at boot. service: name: filebeat diff --git a/ansible-role-kibana/defaults/main.yml b/ansible-role-kibana/defaults/main.yml index 9aefda1d..2921cffa 100644 --- a/ansible-role-kibana/defaults/main.yml +++ b/ansible-role-kibana/defaults/main.yml @@ -3,4 +3,4 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 5.6.4 +elastic_stack_version: 6.1.0 diff --git a/ansible-role-kibana/tasks/Debian.yml b/ansible-role-kibana/tasks/Debian.yml index ddc4de3b..356bda03 100644 --- a/ansible-role-kibana/tasks/Debian.yml +++ b/ansible-role-kibana/tasks/Debian.yml @@ -12,7 +12,7 @@ - name: Debian/Ubuntu | Install Elastic repo apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' state: present filename: 'elastic_repo' diff --git a/ansible-role-kibana/tasks/RedHat.yml b/ansible-role-kibana/tasks/RedHat.yml index ea529353..daf72af4 100644 --- a/ansible-role-kibana/tasks/RedHat.yml +++ b/ansible-role-kibana/tasks/RedHat.yml @@ -2,8 +2,8 @@ - name: RedHat/CentOS/Fedora | Install Elastic repo yum_repository: name: elastic_repo - description: Elastic repository for 5.x packages - baseurl: https://artifacts.elastic.co/packages/5.x/yum + description: Elastic repository for 6.x packages + baseurl: https://artifacts.elastic.co/packages/6.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: yes diff --git a/ansible-role-kibana/tasks/main.yml b/ansible-role-kibana/tasks/main.yml index e946aba5..546dcd4d 100644 --- a/ansible-role-kibana/tasks/main.yml +++ b/ansible-role-kibana/tasks/main.yml 
@@ -9,6 +9,10 @@ wait_for: host={{ elasticsearch_network_host }} port={{ elasticsearch_http_port }} delay=3 timeout=300 tags: configure +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: yes + - name: Kibana configuration template: src: kibana.yml.j2 @@ -26,18 +30,23 @@ register: wazuh_app_verify tags: install -- name: Upgrading Wazuh-APP - shell: "{{ item }}" +- name: Removing old Wazuh-APP + command: /usr/share/kibana/bin/kibana-plugin remove wazuh + when: wazuh_app_verify.stdout == "0" + tags: install + +- name: Removing bundles + file: path=/usr/share/kibana/optimize/bundles state=absent when: wazuh_app_verify.stdout == "0" - with_items: - - /usr/share/kibana/bin/kibana-plugin remove wazuh - - rm -rf /usr/share/kibana/optimize/bundles tags: install - name: Install Wazuh-APP (can take a while) - shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_{{ elastic_stack_version }}.zip" + shell: "/usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.0.0_{{ elastic_stack_version }}.zip" + environment: + NODE_OPTIONS: "--max-old-space-size=3072" args: creates: /usr/share/kibana/plugins/wazuh/package.json + when: wazuh_app_verify.stdout == "0" notify: restart kibana tags: install diff --git a/ansible-role-logstash/defaults/main.yml b/ansible-role-logstash/defaults/main.yml index 09bb4b70..42d3f4c3 100644 --- a/ansible-role-logstash/defaults/main.yml +++ b/ansible-role-logstash/defaults/main.yml @@ -6,7 +6,7 @@ elasticsearch_network_host: "127.0.0.1" elasticsearch_http_port: "9200" elasticsearch_shards: 5 elasticsearch_replicas: 1 -elastic_stack_version: 5.6.4 +elastic_stack_version: 6.1.0 logstash_ssl: false logstash_ssl_dir: /etc/pki/logstash diff --git a/ansible-role-logstash/tasks/Debian.yml b/ansible-role-logstash/tasks/Debian.yml index 3bb7976a..3820a764 100644 --- a/ansible-role-logstash/tasks/Debian.yml +++ b/ansible-role-logstash/tasks/Debian.yml 
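Review bot: In the kibana hunk @@ -26,18 +30,23 @@ the new `Removing bundles` task uses the `file: path=/usr/share/kibana/optimize/bundles state=absent` key=value form while the neighbouring `Removing old Wazuh-APP` task was just rewritten to block-style `command:`; use `file:` with `  path: /usr/share/kibana/optimize/bundles` and `  state: absent` for consistency. The `NODE_OPTIONS: "--max-old-space-size=3072"` value is hard-coded in the install task although it depends on host memory, so it is better surfaced as a role default (name illustrative, e.g. `kibana_node_max_old_space_size`) than buried here. The removal and install tasks are all gated on `wazuh_app_verify.stdout == "0"`; the command that registers `wazuh_app_verify` starts before this hunk, so a one-line comment above the first `when:` stating what `"0"` means would save the next reader a lookup.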
@@ -31,7 +31,7 @@ - name: Debian/Ubuntu | Install Elasticsearch repo apt_repository: - repo: deb https://artifacts.elastic.co/packages/5.x/apt stable main + repo: 'deb https://artifacts.elastic.co/packages/6.x/apt stable main' state: present filename: 'elastic_repo' diff --git a/ansible-role-logstash/tasks/RedHat.yml b/ansible-role-logstash/tasks/RedHat.yml index 66374f52..e9958163 100644 --- a/ansible-role-logstash/tasks/RedHat.yml +++ b/ansible-role-logstash/tasks/RedHat.yml @@ -15,8 +15,8 @@ - name: RedHat/CentOS/Fedora | Install Logstash repo yum_repository: name: elastic_repo - description: Elastic repository for 5.x packages - baseurl: https://artifacts.elastic.co/packages/5.x/yum + description: Elastic repository for 6.x packages + baseurl: https://artifacts.elastic.co/packages/6.x/yum gpgkey: https://artifacts.elastic.co/GPG-KEY-elasticsearch gpgcheck: yes diff --git a/ansible-role-logstash/tasks/config.yml b/ansible-role-logstash/tasks/config.yml index 1e14661c..037f0d85 100644 --- a/ansible-role-logstash/tasks/config.yml +++ b/ansible-role-logstash/tasks/config.yml @@ -1,12 +1,4 @@ --- -- name: Logstash template - template: - src: wazuh-elastic5-template.json.j2 - dest: /etc/logstash/wazuh-elastic5-template.json - owner: root - group: root - tags: configure - - name: Ensure Logstash SSL key pair directory exists. file: path: "{{ logstash_ssl_dir }}" diff --git a/ansible-role-logstash/tasks/main.yml b/ansible-role-logstash/tasks/main.yml index ef5715bf..00a0bffb 100644 --- a/ansible-role-logstash/tasks/main.yml +++ b/ansible-role-logstash/tasks/main.yml @@ -8,6 +8,10 @@ - import_tasks: config.yml when: logstash_create_config +- name: Reload systemd + systemd: daemon_reload=yes + ignore_errors: yes + - name: Ensure Logstash started and enabled service: name: logstash diff --git a/ansible-role-logstash/templates/01-wazuh.conf.j2 b/ansible-role-logstash/templates/01-wazuh.conf.j2 index 58c19101..6ed29624 100644 
--- a/ansible-role-logstash/templates/01-wazuh.conf.j2 +++ b/ansible-role-logstash/templates/01-wazuh.conf.j2 @@ -25,10 +25,21 @@ input { } } {% endif %} - +filter { + if [data][srcip] { + mutate { + add_field => [ "@src_ip", "%{[data][srcip]}" ] + } + } + if [data][aws][sourceIPAddress] { + mutate { + add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] + } + } +} filter { geoip { - source => "srcip" + source => "@src_ip" target => "GeoLocation" fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] } @@ -37,7 +48,7 @@ filter { target => "@timestamp" } mutate { - remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"] + remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"] } } output { @@ -46,8 +57,5 @@ output { hosts => ["{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"] index => "wazuh-alerts-%{+YYYY.MM.dd}" document_type => "wazuh" - template => "/etc/logstash/wazuh-elastic5-template.json" - template_name => "wazuh" - template_overwrite => true } } diff --git a/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 b/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 deleted file mode 100644 index 10107191..00000000 --- a/ansible-role-logstash/templates/wazuh-elastic5-template.json.j2 +++ /dev/null 
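Review bot: The new `@src_ip` mutates are placed in a second `filter {}` block immediately before the existing one; moving the two conditionals into the existing block ahead of `geoip` keeps the pipeline in one place and makes the dependency (geoip reads `@src_ip`, the later `mutate` removes it) visible. In the `remove_field` line `"type","@src_ip"` lacks the `, ` spacing used for every other entry. Dropping `"fields"` from `remove_field` is a behaviour change the commit message does not mention; if keeping Filebeat's `fields` on the stored alert is intentional, a short comment such as `# keep "fields" so Filebeat-side metadata reaches the index` would document it.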
@@ -1,622 +0,0 @@ -{ - "order": 0, - "template": "wazuh*", - "settings": { - "index.refresh_interval": "5s", - "number_of_shards": {{ elasticsearch_shards }}, - "number_of_replicas": {{ elasticsearch_replicas }} - }, - "mappings": { - "wazuh": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword", - "doc_values": "true" - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword", - "doc_values": "true" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword", - "doc_values": "true" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword", - "doc_values": "true" - }, - "region_name": { - "type": "keyword", - "doc_values": "true" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword", - "doc_values": "true" - }, - "syscheck": { - "properties": { 
- "path": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_before": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_after": { - "type": "keyword", - "doc_values": "true" - }, - "uid_before": { - "type": "keyword", - "doc_values": "true" - }, - "uid_after": { - "type": "keyword", - "doc_values": "true" - }, - "gid_before": { - "type": "keyword", - "doc_values": "true" - }, - "gid_after": { - "type": "keyword", - "doc_values": "true" - }, - "perm_before": { - "type": "keyword", - "doc_values": "true" - }, - "perm_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_before": { - "type": "keyword", - "doc_values": "true" - }, - "gname_after": { - "type": "keyword", - "doc_values": "true" - }, - "gname_before": { - "type": "keyword", - "doc_values": "true" - }, - "inode_after": { - "type": "keyword", - "doc_values": "true" - }, - "inode_before": { - "type": "keyword", - "doc_values": "true" - }, - "mtime_after": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "mtime_before": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "uname_after": { - "type": "keyword", - "doc_values": "true" - }, - "uname_before": { - "type": "keyword", - "doc_values": "true" - }, - "size_before": { - "type": "long", - "doc_values": "true" - }, - "size_after": { - "type": "long", - "doc_values": "true" - }, - "diff": { - "type": "keyword", - "doc_values": "true" - }, - "event": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "location": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword", - "doc_values": "true" - }, - "groups": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "long", - "doc_values": "true" - }, - "id": { - "type": "keyword", - 
"doc_values": "true" - }, - "cve": { - "type": "keyword", - "doc_values": "true" - }, - "info": { - "type": "keyword", - "doc_values": "true" - }, - "frequency": { - "type": "long", - "doc_values": "true" - }, - "firedtimes": { - "type": "long", - "doc_values": "true" - }, - "cis": { - "type": "keyword", - "doc_values": "true" - }, - "pci_dss": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - }, - "ftscomment": { - "type": "keyword", - "doc_values": "true" - }, - "fts": { - "type": "long", - "doc_values": "true" - }, - "accumulate": { - "type": "long", - "doc_values": "true" - } - } - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "program_name": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - 
"check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - "type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" 
- }, - "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - "doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "agent": { - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - } - } -} diff --git a/ansible-wazuh-agent/defaults/main.yml b/ansible-wazuh-agent/defaults/main.yml index bb07ac02..5d65e581 100644 --- a/ansible-wazuh-agent/defaults/main.yml +++ b/ansible-wazuh-agent/defaults/main.yml 
@@ -1,7 +1,10 @@ --- -wazuh_manager_ip: null +wazuh_managers: + - address: 127.0.0.1 + port: 1514 + protocol: tcp wazuh_profile: null -wazuh_manager_proto: tcp +wazuh_auto_restart: 'yes' wazuh_agent_authd: enable: false port: 1515 @@ -13,10 +16,10 @@ wazuh_notify_time: null wazuh_time_reconnect: null wazuh_winagent_config: install_dir: 'C:\wazuh-agent\' - version: '2.1.1' + version: '3.0.0' revision: '1' - repo: https://packages.wazuh.com/windows/ - md5: fd9a3ce30cd6f9f553a1bc71e74a6c9f + repo: https://packages.wazuh.com/3.x/windows/ + md5: 896dcc5b786fda30db9649dd7a6043c0 wazuh_agent_config: log_format: 'plain' syscheck: diff --git a/ansible-wazuh-agent/tasks/Debian.yml b/ansible-wazuh-agent/tasks/Debian.yml index a11899e6..b59d02d1 100644 --- a/ansible-wazuh-agent/tasks/Debian.yml +++ b/ansible-wazuh-agent/tasks/Debian.yml @@ -10,7 +10,7 @@ - name: Debian/Ubuntu | Add Wazuh repositories apt_repository: - repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main + repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' state: present update_cache: yes diff --git a/ansible-wazuh-agent/tasks/RedHat.yml b/ansible-wazuh-agent/tasks/RedHat.yml index 6eb304fc..4f030264 100644 --- a/ansible-wazuh-agent/tasks/RedHat.yml +++ b/ansible-wazuh-agent/tasks/RedHat.yml 
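Review bot: The Windows agent package in `wazuh_winagent_config` is pinned only by an `md5:` digest; if the task that consumes this value verifies the download with it, MD5 is a weak integrity check for a binary fetched over the network and a SHA-256 digest would be the better pin. The consuming task is outside this hunk, so whether the value drives verification or is merely recorded cannot be confirmed from here. Renaming the key would change the role's interface, so adding a `sha256:` key beside the existing one and switching the download task to it keeps compatibility.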
@@ -1,30 +1,23 @@ --- -- name: CentOS | Install Wazuh repository +- name: RedHat/CentOS/Fedora | Install Wazuh repo yum_repository: name: wazuh_repo - description: CentOS-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch + description: Wazuh repository + baseurl: https://packages.wazuh.com/3.x/yum/ gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgcheck: yes - when: ansible_distribution == 'CentOS' + when: + - ansible_distribution_major_version|int > 5 -- name: Fedora | Install Wazuh repository +- name: RedHat/CentOS 5 | Install Wazuh repo yum_repository: name: wazuh_repo - description: Fedora-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch + description: Wazuh repository + baseurl: https://packages.wazuh.com/3.x/yum/5/ gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgcheck: yes - when: ansible_distribution == 'Fedora' - -- name: RedHat | Install Wazuh repository - yum_repository: - name: wazuh_repo - description: CentOS-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH - gpgcheck: yes - when: ansible_distribution == 'RedHat' + when: + - ansible_distribution_major_version|int < 5 - name: Set Distribution CIS filename for RHEL5 set_fact: diff --git a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index d50fd470..cfdad49e 100644 --- a/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -7,22 +7,27 @@ - {% if wazuh_manager_ip is not none %} - {{ wazuh_manager_ip }} - {% else %} - SERVER-IP - {% endif %} + + {% for manager in wazuh_managers %} + +
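Review bot: The condition on the new `RedHat/CentOS 5 | Install Wazuh repo` task is `ansible_distribution_major_version|int < 5`, which excludes the EL5 hosts the task is named for, while the generic task above requires `> 5`; on a major version of exactly 5 neither repository is configured and the later package install has no source. The manager role's copy of this task in ansible-wazuh-manager/tasks/RedHat.yml uses the intended boundary: `- ansible_distribution_major_version|int < 6`. Both tasks also lost the `ansible_distribution` guard the old tasks carried, which is only safe if this file is imported for the RedHat family alone; that import lives in this role's main.yml, outside the hunk.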
{{ manager.address }}
+ {% if manager.port is defined %} + {{ manager.port }} + {% endif %} + {% if manager.protocol is defined %} + {{ manager.protocol }} + {% endif %} +
+ {% endfor %} + {% if wazuh_profile is not none %} {{ wazuh_profile }} {% endif %} - {{ wazuh_manager_proto }} - {% if wazuh_manager_port is defined %} - {{ wazuh_manager_port }} - {% endif %} {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} {{ wazuh_notify_time }} {{ wazuh_time_reconnect }} {% endif %} + {{ wazuh_auto_restart }}
diff --git a/ansible-wazuh-manager/.kitchen.yml b/ansible-wazuh-manager/.kitchen.yml deleted file mode 100644 index 8d73eb67..00000000 --- a/ansible-wazuh-manager/.kitchen.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -driver: - name: vagrant - provision_command: sed -i '/tsflags=nodocs/d' /etc/yum.conf - -provisioner: - name: ansible_playbook - ansible_yum_repo: "http://mirror.logol.ru/epel/6/x86_64/epel-release-6-8.noarch.rpm" - hosts: localhost - require_chef_for_busser: false - require_ruby_for_busser: true - -platforms: - - name: centos-7.2 - - name: ubuntu-14.04 - -verifier: - ruby_bindir: '/usr/bin' - -suites: - - name: default diff --git a/ansible-wazuh-manager/defaults/main.yml b/ansible-wazuh-manager/defaults/main.yml index f38c3fc6..2a14332d 100644 --- a/ansible-wazuh-manager/defaults/main.yml +++ b/ansible-wazuh-manager/defaults/main.yml @@ -6,6 +6,20 @@ wazuh_manager_config: alerts_log: 'yes' logall: 'no' log_format: 'plain' + cluster: + disable: 'no' + name: 'wazuh' + node_name: 'manager_01' + node_type: 'master' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + interval: '2m' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - '172.17.0.2' + - '172.17.0.3' + - '172.17.0.4' + hidden: 'no' connection: - type: 'secure' port: '1514' diff --git a/ansible-wazuh-manager/molecule.yml b/ansible-wazuh-manager/molecule.yml deleted file mode 100644 index daf30bad..00000000 --- a/ansible-wazuh-manager/molecule.yml +++ /dev/null 
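Review bot: The new `cluster` defaults in ansible-wazuh-manager/defaults/main.yml ship an enabled cluster (`disable: 'no'`) with a fixed `key` committed to the repository and `bind_addr: '0.0.0.0'`, so every deployment that keeps the role defaults authenticates its cluster with the same published secret on all interfaces. Role defaults should not carry a usable credential: default the cluster to off, `disable: 'yes'`, and make the key something the operator must supply, e.g. `key: "{{ wazuh_cluster_key | default('') }}"` (variable name chosen here for illustration) fed from a vaulted variable. The same value is rendered into ossec.conf by the cluster block added in the var-ossec-etc-ossec-server.conf.j2 hunk further down, and the `nodes` list of 172.17.0.x addresses is likewise environment-specific and reads like test data rather than a default.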
@@ -1,85 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: docker - -ansible: - group_vars: - ossec: - ossec_server_config: - mail_to: - - me@example.com - mail_smtp_server: localhost - mail_from: ossec@example.com - frequency_check: 72000 - ignore_files: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - directories: - - check_all: 'yes' - dirs: /etc,/usr/bin,/usr/sbin - - check_all: 'yes' - dirs: /bin,/sbin - localfiles: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - globals: - - '127.0.0.1' - - '192.168.2.1' - connection: 'secure' - log_level: 1 - email_level: 7 - commands: - - name: 'host-deny' - executable: 'host-deny.sh' - expect: 'srcip' - timeout_allowed: 'yes' - active_responses: - - command: 'host-deny' - location: 'local' - level: 6 - timeout: 600 - localfiles: - - format: 'syslog' - location: '/var/log/messages' - ossec_agent_configs: - - type: os - type_value: linux - frequency_check: 79200 - ignore_files: - - /etc/mtab - - /etc/mnttab - localfiles: - - format: 'syslog' - location: '/var/log/messages' - directories: - - check_all: yes - dirs: /etc,/usr/bin,/usr/sbin - -docker: - containers: - - name: ansible-ossec-server-centos - ansible_groups: - - ossec - image: milcom/centos7-systemd - image_version: latest - privileged: True - - name: ansible-ossec-server-debian - ansible_groups: - - ossec - image: maint/debian-systemd - image_version: latest - privileged: True -# - name: ansible-ossec-server-ubuntu -# ansible_groups: -# - ossec -# image: rastasheep/ubuntu-sshd -# image_version: 16.04 -# privileged: True - -verifier: - name: testinfra diff --git a/ansible-wazuh-manager/tasks/Debian.yml b/ansible-wazuh-manager/tasks/Debian.yml index b051acd3..30db4128 100644 --- a/ansible-wazuh-manager/tasks/Debian.yml +++ b/ansible-wazuh-manager/tasks/Debian.yml 
@@ -10,7 +10,7 @@ - name: Debian/Ubuntu | Add Wazuh repositories apt_repository: - repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main + repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main' state: present update_cache: yes diff --git a/ansible-wazuh-manager/tasks/RedHat.yml b/ansible-wazuh-manager/tasks/RedHat.yml index 68c1f93f..6ff3448f 100644 --- a/ansible-wazuh-manager/tasks/RedHat.yml +++ b/ansible-wazuh-manager/tasks/RedHat.yml @@ -6,7 +6,8 @@ baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ansible_distribution_major_version}}/x86_64 gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL gpgcheck: yes - when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' + when: + - ansible_distribution_major_version|int > 5 - name: Fedora | Install Nodejs repo yum_repository: 
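Review bot: Replacing the `ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'` guard on the Nodesource EL repository with `ansible_distribution_major_version|int > 5` lets the task also run on Fedora, whose major version is far above 5, so the baseurl expands to an `el/<fedora version>/x86_64` path that does not exist, on top of the dedicated `Fedora | Install Nodejs repo` task that follows. Keep the distribution check next to the version check: `- ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat'` / `- ansible_distribution_major_version|int > 5`. The task's `name` and `yum_repository:` lines sit above the hunk start.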
@@ -17,49 +18,78 @@ gpgcheck: yes when: ansible_distribution == 'Fedora' -- name: CentOS | Install Wazuh repo +- name: RedHat/CentOS/Fedora | Install Wazuh repo yum_repository: name: wazuh_repo - description: CentOS-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/el/$releasever/$basearch + description: Wazuh repository + baseurl: https://packages.wazuh.com/3.x/yum/ gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgcheck: yes - when: ansible_distribution == 'CentOS' + when: + - ansible_distribution_major_version|int > 5 -- name: Fedora | Install Wazuh repo +- name: RedHat/CentOS 5 | Install Wazuh repo yum_repository: name: wazuh_repo - description: Fedora-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/fc/$releasever/$basearch + description: Wazuh repository + baseurl: https://packages.wazuh.com/3.x/yum/5/ gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH gpgcheck: yes - when: ansible_distribution == 'Fedora' - -- name: RedHat | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: CentOS-$releasever - Wazuh - baseurl: https://packages.wazuh.com/yum/rhel/$releasever/$basearch - gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH - gpgcheck: yes - when: ansible_distribution == 'RedHat' + when: + - ansible_distribution_major_version|int < 6 - name: RedHat/CentOS/Fedora | Install openscap package: name=openscap-scanner state=present tags: - init +- name: CentOS 6 | Install Software Collections (SCL) Repository + package: name=centos-release-scl state=present + when: + - ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL) + command: yum-config-manager --enable {{ item }} + with_items: + - rhui-REGION-rhel-server-rhscl + - rhel-server-rhscl-6-rpms + when: + - ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6' + - 
wazuh_manager_config.cluster.disable != 'yes' + +- name: CentOS/RedHat 6 | Install Python 2.7 + package: name=python27 state=present + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: CentOS/RedHat 6 | Install python-cryptography module + shell: pip2.7 install cryptography + environment: + PATH: "/opt/rh/python27/root/usr/bin:{{ ansible_env.PATH }}" + LD_LIBRARY_PATH: "/opt/rh/python27/root/usr/lib64:/opt/rh/python27/root/usr/lib" + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: RedHat/CentOS/Fedora | Install python-cryptography module + package: name=python-cryptography state=present + when: + - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat') and ansible_distribution_major_version == '6' ) + - wazuh_manager_config.cluster.disable != 'yes' + - name: Set Distribution CIS filename for RHEL5/CentOS-5 set_fact: cis_distribution_filename: cis_rhel5_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5" + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5' - name: Set Distribution CIS filename for RHEL6/CentOS-6 set_fact: cis_distribution_filename: cis_rhel6_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6" + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6' - name: Set Distribution CIS filename for RHEL7/CentOS-7 set_fact: cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7" + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '7' 
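Review bot: `shell: pip2.7 install cryptography` in the new `CentOS/RedHat 6 | Install python-cryptography module` task fetches an unpinned package from the network on every run, reports `changed` each time, and performs no verification, whereas the `package: name=python-cryptography` alternative below it installs from the distribution's signed repositories. The `pip` module with an explicit interpreter gives idempotence and a pin: `pip: name=cryptography version=<pinned release> executable=/opt/rh/python27/root/usr/bin/pip2.7` (the version is a placeholder to be chosen from a reviewed release), keeping the same `environment:` block for the SCL libraries. The `command: yum-config-manager --enable` task above it has the same always-changed behaviour and would benefit from `changed_when: false` or a check of the repository state.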
diff --git a/ansible-wazuh-manager/tasks/main.yml b/ansible-wazuh-manager/tasks/main.yml index 250de368..b82d00ea 100644 --- a/ansible-wazuh-manager/tasks/main.yml +++ b/ansible-wazuh-manager/tasks/main.yml @@ -1,6 +1,6 @@ --- - import_tasks: "RedHat.yml" - when: ansible_os_family == "RedHat" + when: ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5 - import_tasks: "Debian.yml" when: ansible_os_family == "Debian" @@ -11,6 +11,27 @@ - wazuh-manager - wazuh-api - expect + when: + - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + tags: + - init + +- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3 + replace: + path: /etc/init.d/wazuh-manager + regexp: 'echo -n "Starting Wazuh-manager: "' + replace: 'echo -n "Starting Wazuh-manager (EL6): "; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/var/ossec/framework/lib' + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: Install wazuh-manager and expect (EL5) + package: pkg={{ item }} state=latest + with_items: + - wazuh-manager + - expect + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 tags: - init @@ -89,7 +110,7 @@ - name: Configure the shared-agent.conf template: src=var-ossec-etc-shared-agent.conf.j2 - dest=/var/ossec/etc/shared/agent.conf + dest=/var/ossec/etc/shared/default/agent.conf owner=ossec group=ossec mode=0640 @@ -108,8 +129,10 @@ tags: - config -- name: Retrieving Wazuh-api User Credentials +- name: Retrieving Wazuh-API User Credentials include_vars: wazuh_api_creds.yml + when: + - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) tags: - config 
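Review bot: The import of `RedHat.yml` is now limited to `ansible_distribution_major_version|int > 5`, yet ansible-wazuh-manager/tasks/RedHat.yml in this same diff adds a `RedHat/CentOS 5 | Install Wazuh repo` task guarded by `< 6`, so that task is unreachable and the new `Install wazuh-manager and expect (EL5)` task further down in this file runs with no Wazuh repository configured. Either drop the version restriction on the import, `when: ansible_os_family == "RedHat"`, and let the per-task conditions inside RedHat.yml pick the repository, or move the EL5 repository task into main.yml beside the EL5 install task. The Debian import on the next line is unchanged.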
@@ -215,7 +238,7 @@ tags: - config -- name: Wazuh-api User +- name: Wazuh-API User template: src: api_user.j2 dest: "/var/ossec/api/configuration/auth/user" @@ -224,7 +247,9 @@ mode: 0750 no_log: true notify: restart wazuh-api - when: wazuh_api_user is defined + when: + - wazuh_api_user is defined + - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) tags: - config @@ -263,7 +288,7 @@ tags: - config -- name: Ensure Wazuh Manager, wazuh api service is started and enabled +- name: Ensure Wazuh Manager, wazuh API service is started and enabled service: name: "{{ item }}" enabled: yes @@ -273,6 +298,20 @@ - wazuh-api tags: - config + environment: + LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib" + when: + - not (( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 ) + +- name: Ensure Wazuh Manager is started and enabled (EL5) + service: + name: wazuh-manager + enabled: yes + state: started + tags: + - config + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version|int < 6 - import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 index 98d13b2a..52925583 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
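Review bot: `LD_LIBRARY_PATH: "$LD_LIBRARY_PATH:/var/ossec/framework/lib"` in the new `environment:` block is handed to the module verbatim; Ansible does not expand `$VAR` in `environment` values, so the variable becomes the literal string `$LD_LIBRARY_PATH:/var/ossec/framework/lib`. The pattern this diff already uses for `PATH` in ansible-wazuh-manager/tasks/RedHat.yml is the right one: `LD_LIBRARY_PATH: "{{ ansible_env.LD_LIBRARY_PATH | default('') }}:/var/ossec/framework/lib"`. Note also that `environment:` applies to the `service` module invocation, not to the daemon the init system starts, so whether this setting reaches wazuh-api depends on the init script (the EL6 `replace` task earlier in this file exports the path there); a short comment stating which case the block is meant for would help.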
@@ -22,6 +22,23 @@ {{ wazuh_manager_config.mail_from }} + + {{ wazuh_manager_config.cluster.disable }} + {{ wazuh_manager_config.cluster.name }} + {{ wazuh_manager_config.cluster.node_name }} + {{ wazuh_manager_config.cluster.node_type }} + {{ wazuh_manager_config.cluster.key }} + {{ wazuh_manager_config.cluster.interval }} + {{ wazuh_manager_config.cluster.port }} + {{ wazuh_manager_config.cluster.bind_addr }} + + {% for node in wazuh_manager_config.cluster.nodes %} + {{ node }} + {% endfor %} + + {{ wazuh_manager_config.cluster.hidden }} + + {{ wazuh_manager_config.log_format }} @@ -120,12 +137,12 @@ {{ wazuh_manager_config.rootcheck.frequency }} - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt + /var/ossec/etc/shared/default/rootkit_files.txt + /var/ossec/etc/shared/default/rootkit_trojans.txt + /var/ossec/etc/shared/default/system_audit_rcl.txt + /var/ossec/etc/shared/default/system_audit_ssh.txt {% if cis_distribution_filename is defined %} - /var/ossec/etc/shared/{{ cis_distribution_filename }} + /var/ossec/etc/shared/default/{{ cis_distribution_filename }} {% endif %} yes diff --git a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 index 9d52c8e2..48c617d2 100644 --- a/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ b/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 @@ -69,7 +69,7 @@ {{ agent_config.rootcheck.frequency }} {% if agent_config.rootcheck.cis_distribution_filename is not none %} - /var/ossec/etc/shared/{{ agent_config.rootcheck.cis_distribution_filename }} + /var/ossec/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }} {% endif %} yes diff --git a/wazuh-elastic.yml b/wazuh-elastic.yml index 34179cf3..b2a06b3b 100644 --- a/wazuh-elastic.yml +++ b/wazuh-elastic.yml 
@@ -1,3 +1,3 @@ - hosts: elasticsearch roles: - - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } + - { role: ansible-role-elasticsearch, elasticsearch_network_host: '192.168.33.182' } diff --git a/wazuh-elastic_stack.yml b/wazuh-elastic_stack.yml index a6b52d62..72c49afd 100644 --- a/wazuh-elastic_stack.yml +++ b/wazuh-elastic_stack.yml @@ -4,6 +4,6 @@ - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.212.185:5000' } - hosts: elastic_stack roles: - - { role: ansible-role-elasticsearch, elasticsearch_network_host: 'localhost' } - - { role: ansible-role-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost' } - - { role: ansible-role-kibana, elasticsearch_network_host: 'localhost' } + - { role: ansible-role-elasticsearch, elasticsearch_network_host: 'localhost' } + - { role: ansible-role-logstash, logstash_input_beats: true, elasticsearch_network_host: 'localhost' } + - { role: ansible-role-kibana, elasticsearch_network_host: 'localhost' } diff --git a/wazuh-kibana.yml b/wazuh-kibana.yml index d8d8c881..8716efb6 100644 --- a/wazuh-kibana.yml +++ b/wazuh-kibana.yml @@ -1,3 +1,3 @@ - hosts: kibana roles: - - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' } + - { role: ansible-role-kibana, elasticsearch_network_host: '192.168.33.182' } diff --git a/wazuh-logstash.yml b/wazuh-logstash.yml index 74f94c94..23f13c7f 100644 --- a/wazuh-logstash.yml +++ b/wazuh-logstash.yml @@ -1,3 +1,3 @@ - hosts: logstash roles: - - { role: ansible-role-logstash, elasticsearch_network_host: 'localhost' } + - { role: ansible-role-logstash, elasticsearch_network_host: 'localhost' } diff --git a/wazuh-manager.yml b/wazuh-manager.yml index 4abeb625..831e8294 100644 --- a/wazuh-manager.yml +++ b/wazuh-manager.yml 
@@ -1,4 +1,4 @@ - hosts: wazuh-manager roles: - role: ansible-wazuh-manager - - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' } + - { role: ansible-role-filebeat, filebeat_output_logstash_hosts: '192.168.33.169:5000' }