diff --git a/CHANGELOG.md b/CHANGELOG.md index 06255568..1ba466ff 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,23 @@ # Change Log All notable changes to this project will be documented in this file. +## [v3.13.1_7.8.0] + +### Added + +- Update to Wazuh v3.13.1 +- Add support to configure path.repo option in ES. Required for backups/snapshots ([@pescobar](https://github.com/pescobar)) [PR#433](https://github.com/wazuh/wazuh-ansible/pull/433) + +### Changed + +- Update Opendistro tasks ([@jm404](https://github.com/jm404)) [PR#443](https://github.com/wazuh/wazuh-ansible/pull/443) +- Provide ansible.cfg with merge hash_behaviour ([@xr09](https://github.com/xr09)) [PR#440](https://github.com/wazuh/wazuh-ansible/pull/440) + +### Fixed + +- Fixes for wazuh-agent registration ([@pchristos](https://github.com/pchristos)) [PR#406](https://github.com/wazuh/wazuh-ansible/pull/406) +- Fixes for OpenDistro deployments ([@xr09](https://github.com/xr09)) [PR#445](https://github.com/wazuh/wazuh-ansible/pull/445) + ## [v3.13.0_7.7.1] ### Added diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg new file mode 100644 index 00000000..e153953a --- /dev/null +++ b/playbooks/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +hash_behaviour=merge diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml index 806b07c0..d7cbb7a7 100644 --- a/playbooks/wazuh-agent.yml +++ b/playbooks/wazuh-agent.yml @@ -10,6 +10,8 @@ api_port: 55000 api_proto: 'http' api_user: ansible + max_retries: 5 + retry_interval: 5 wazuh_agent_authd: registration_address: enable: true diff --git a/playbooks/wazuh-opendistro.yml b/playbooks/wazuh-opendistro.yml index 271dfa5b..63b54eb2 100644 --- a/playbooks/wazuh-opendistro.yml +++ b/playbooks/wazuh-opendistro.yml 
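Review bot: The new playbooks/ansible.cfg sets `hash_behaviour=merge` with no comment, although it changes how every dictionary variable in every role is resolved and only takes effect when ansible-playbook is run from the playbooks/ directory, since Ansible reads ansible.cfg from the current working directory. A one-line rationale above the key would spare the next maintainer a search, e.g. `; merge nested dict vars (e.g. wazuh_agent_authd) with role defaults instead of replacing them -- presumably why the roles need this; confirm`. It is also worth noting in that comment that Ansible silently ignores an ansible.cfg located in a world-writable directory, so a loose checkout permission will make this setting disappear without an error.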
@@ -2,3 +2,16 @@ - hosts: es_cluster roles: - role: ../roles/opendistro/opendistro-elasticsearch + + vars: + instances: # A certificate will be generated for every node using the name as CN. + node1: + name: node-1 + ip: + node2: + name: node-2 + ip: + node3: + name: node-3 + ip: + diff --git a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml index 13b3fa53..c550bdb0 100644 --- a/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml +++ b/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml @@ -4,7 +4,7 @@ elasticsearch_http_port: 9200 elasticsearch_network_host: 127.0.0.1 elasticsearch_reachable_host: 127.0.0.1 elasticsearch_jvm_xms: null -elastic_stack_version: 7.7.0 +elastic_stack_version: 7.8.0 elasticsearch_lower_disk_requirements: false elasticsearch_path_repo: [] diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml index 3faf5de3..74ecea43 100644 --- a/roles/elastic-stack/ansible-kibana/defaults/main.yml +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml @@ -5,8 +5,8 @@ elasticsearch_http_port: "9200" elasticsearch_network_host: "127.0.0.1" kibana_server_host: "0.0.0.0" kibana_server_port: "5601" -elastic_stack_version: 7.7.1 -wazuh_version: 3.13.0 +elastic_stack_version: 7.8.0 +wazuh_version: 3.13.1 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp elasticrepo: @@ -47,7 +47,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.13-7.7 +wazuh_plugin_branch: 3.13-7.8 #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml index aa683033..29d3ad46 100644 --- a/roles/opendistro/opendistro-elasticsearch/defaults/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/defaults/main.yml 
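Review bot: The `ip:` entries under `instances` in this hunk are left empty, which YAML reads as null, and the tlsconfig.yml.j2 hunk at L13 feeds that straight into `value.ip | length > 0`; I believe Jinja's `length` filter raises on None rather than returning 0, so the sample playbook would fail to render the TLS config until every ip is filled in. Either ship the placeholders as `ip: ""` or make the template test `value.ip is not none and value.ip | length > 0`. The comment on `instances` should also say that each `name` has to equal that host's `elasticsearch_node_name`, `kibana_node_name` or `filebeat_node_name`, because the security_actions hunks later in this diff copy certificates by exactly that name.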
@@ -1,15 +1,26 @@ --- -# The OpenDistro version +# Cluster Settings +es_version: "7.3.2" +es_major_version: "7.x" + opendistro_version: 1.8.0 + elasticsearch_cluster_name: wazuh-cluster +single_node: true +opendistro_cluster_name: wazuh +elasticsearch_node_data: true +elasticsearch_node_ingest: true +elasticsearch_lower_disk_requirements: false +elasticsearch_cluster_nodes: + - 127.0.0.1 +elasticsearch_discovery_nodes: + - 127.0.0.1 + +local_certs_path: ./opendistro/certificates # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster minimum_master_nodes: 2 -# Elasticsearch version -es_version: "7.3.2" -es_major_version: "7.x" - # Configure hostnames for Elasticsearch nodes # Example es1.example.com, es2.example.com domain_name: wazuh.com @@ -34,12 +45,16 @@ es_nodes: |- # Security password opendistro_security_password: admin +opendistro_custom_user: "" +opendistro_cusom_user_role: "admin" + # Set JVM memory limits opendistro_jvm_xms: null opendistro_http_port: 9200 certs_gen_tool_version: 1.7 + # Url of Search Guard certificates generator tool certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip" @@ -51,8 +66,7 @@ elasticrepo: opendistro_admin_password: changeme opendistro_kibana_password: changeme -# Cluster Settings -single_node: true -opendistro_cluster_name: wazuh -local_certs_path: /tmp/opendistro-nodecerts \ No newline at end of file +# Deployment settings +generate_certs: true +perform_installation: true \ No newline at end of file diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml index f018c9f7..402cf3c3 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml 
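Review bot: The new default `opendistro_cusom_user_role: "admin"` is misspelled, while the "Create custom user" task added in security_actions.yml (hunk at L11) reads `opendistro_custom_user_role`, so that task will fail on an undefined variable whenever it runs; rename the key to `opendistro_custom_user_role`. Its companion `opendistro_custom_user: ""` is an empty string that is nevertheless "defined", so the task's `when: opendistro_custom_user is defined` never skips it and the PUT goes to an empty user path; the guard should be `when: opendistro_custom_user | length > 0`. Separately, `local_certs_path: ./opendistro/certificates` now points inside the working tree and will hold `root-ca.key`, so unless that directory is already git-ignored it should be, and a comment on the variable saying the path is relative to where ansible-playbook is run would help.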
@@ -25,6 +25,21 @@ yum: name: java-11-openjdk-devel state: present + when: + - ansible_distribution != 'Amazon' + + - name: Amazon Linux | Install OpenJDK 11 + block: + - name: Install Amazon extras + yum: + name: amazon-linux-extras + state: present + + - name: Install OpenJDK 11 + shell: amazon-linux-extras install java-openjdk11 -y + + when: + - ansible_distribution == 'Amazon' - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies yum: diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml index 6885276d..3c89e6ab 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml @@ -1,4 +1,14 @@ --- +- name: Check if certificates already exists + stat: + path: "{{ local_certs_path }}" + register: certificates_folder + delegate_to: localhost + become: no + tags: + - generate-certs + + - block: - name: Local action | Create local temporary directory for certificates generation @@ -68,5 +78,8 @@ run_once: true delegate_to: localhost + become: no tags: - - generate-certs \ No newline at end of file + - generate-certs + when: + - not certificates_folder.stat.exists diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml index 9df1e01c..7c5b3262 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/main.yml +++ b/roles/opendistro/opendistro-elasticsearch/tasks/main.yml 
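Review bot: The Amazon Linux branch installs the JDK with a bare `shell: amazon-linux-extras install java-openjdk11 -y`, so the task reports changed on every run and fails check mode, unlike the `yum` task it mirrors for other RedHat-family distributions. Guard it with `args: creates: <JDK_INSTALL_PATH placeholder>` or register its output and set `changed_when` from it so the role stays idempotent. A short comment explaining why `yum` cannot install this package directly on Amazon Linux (the topic has to be enabled through extras) would also justify the split for future readers.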
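Review bot: In the local_actions.yml hunks, generation is now skipped whenever `{{ local_certs_path }}` exists, but the `stat` only tests the directory, so an interrupted earlier run that left the folder empty or partially populated will skip regeneration and the later copy tasks fail on missing files. Stat a file the rest of the role depends on instead, for example `path: "{{ local_certs_path }}/certs/root-ca.pem"`, which the security_actions hunk copies from that location. The enclosing `- block:` continues past the first hunk; the `when` is attached to it in the second hunk, which is fine, but a comment such as `# skip generation when a CA already exists so re-runs do not rotate certificates` would make the intent explicit.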
@@ -1,68 +1,94 @@ --- - import_tasks: local_actions.yml + when: + - generate_certs -- import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' +- block: -- name: Install OpenDistro - package: - name: opendistroforelasticsearch-{{ opendistro_version }} - state: present - register: install - tags: install + - import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' -- name: Remove elasticsearch configuration file - file: - path: "{{ opendistro_conf_path }}/elasticsearch.yml" - state: absent - when: install.changed - tags: install -- name: Copy Configuration File - blockinfile: - block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" - dest: "{{ opendistro_conf_path }}/elasticsearch.yml" - create: true - group: elasticsearch - mode: 0640 - marker: "## {mark} Opendistro general settings ##" - when: install.changed - tags: install + - name: Install OpenDistro + package: + name: opendistroforelasticsearch-{{ opendistro_version }} + state: present + register: install + tags: install -- import_tasks: security_actions.yml + - name: Remove elasticsearch configuration file + file: + path: "{{ opendistro_conf_path }}/elasticsearch.yml" + state: absent + when: install.changed + tags: install -- name: Configure OpenDistro Elasticsearch JVM memmory. 
- template: - src: "templates/jvm.options.j2" - dest: /etc/elasticsearch/jvm.options - owner: root - group: elasticsearch - mode: 0644 - force: yes - notify: restart elasticsearch - tags: install + - name: Copy Configuration File + blockinfile: + block: "{{ lookup('template', 'elasticsearch.yml.j2') }}" + dest: "{{ opendistro_conf_path }}/elasticsearch.yml" + create: true + group: elasticsearch + mode: 0640 + marker: "## {mark} Opendistro general settings ##" + when: install.changed + tags: install -- name: Ensure Elasticsearch started and enabled - service: - name: elasticsearch - enabled: true - state: started + - import_tasks: security_actions.yml -- name: Wait for Elasticsearch API - uri: - url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/" - user: "admin" # Default OpenDistro user is always "admin" - password: "{{ opendistro_admin_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: ( _result.json is defined) and (_result.json.status == "green") - retries: 24 - delay: 5 - tags: debug + - name: Configure OpenDistro Elasticsearch JVM memmory. 
+ template: + src: "templates/jvm.options.j2" + dest: /etc/elasticsearch/jvm.options + owner: root + group: elasticsearch + mode: 0644 + force: yes + notify: restart elasticsearch + tags: install -- import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" \ No newline at end of file + - name: Ensure Elasticsearch started and enabled + service: + name: elasticsearch + enabled: true + state: started + + - name: Wait for Elasticsearch API + uri: + url: "https://{{ inventory_hostname }}:{{ opendistro_http_port }}/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] + + - name: Wait for Elasticsearch API (Private IP) + uri: + url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:{{ opendistro_http_port }}/_cluster/health/" + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: ( _result.json is defined) and (_result.json.status == "green") + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + + - import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + when: perform_installation diff --git a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml index ea48874e..9e6fadb6 100644 --- a/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml 
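Review bot: The two "Wait for Elasticsearch API" tasks are identical except for the host in `url`, and their `when` lists are mutual negations of each other, which doubles the maintenance surface for a single check. One task with `url: "https://{{ hostvars[inventory_hostname]['private_ip'] | default(inventory_hostname, true) }}:{{ opendistro_http_port }}/_cluster/health/"` and no `when` covers both the undefined and the empty `private_ip` cases. Since root-ca.pem is provisioned onto every node by security_actions.yml, the health check could also validate the server certificate via the uri module's `ca_path` instead of `validate_certs: no`; that is a follow-up rather than a blocker.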
+++ b/roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml @@ -9,6 +9,40 @@ - "{{ opendistro_conf_path }}/esnode.pem" - "{{ opendistro_conf_path }}/esnode-key.pem" + + - name: Configure node name + block: + - name: Setting node name (Elasticsearch) + set_fact: + od_node_name: "{{ elasticsearch_node_name }}" + when: + elasticsearch_node_name is defined and kibana_node_name is not defined + + - name: Setting node name (Kibana) + set_fact: + od_node_name: "{{ kibana_node_name }}" + when: + kibana_node_name is defined + + - name: Setting node name (Filebeat) + set_fact: + od_node_name: "{{ kibana_node_name }}" + when: + filebeat_node_name is defined + + - name: Configure IP (Private address) + set_fact: + target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}" + when: + - hostvars[inventory_hostname]['private_ip'] is defined + + - name: Configure IP (Public address) + set_fact: + target_address: "{{ inventory_hostname }}" + when: + - hostvars[inventory_hostname]['private_ip'] is not defined + + - name: Copy the node & admin certificates to Elasticsearch cluster copy: src: "{{ local_certs_path }}/certs/{{ item }}" 
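Review bot: The "Setting node name (Filebeat)" task sets `od_node_name: "{{ kibana_node_name }}"` although its condition is `filebeat_node_name is defined`, which looks like a copy-paste slip; it should read `od_node_name: "{{ filebeat_node_name }}"`. If none of the three conditions match, `od_node_name` stays undefined and the copy task in the following hunk fails on an unresolved variable, so a final `set_fact` fallback or an `assert` that `od_node_name is defined` would give a clearer error. The "Configure IP (Private address)" task only checks `is defined`, whereas the wait tasks in main.yml also require the value to be truthy, so a host with `private_ip: ""` ends up with an empty `target_address`; align the condition with `hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip']`.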
@@ -17,17 +51,17 @@ with_items: - root-ca.pem - root-ca.key - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" - - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml" + - "{{ od_node_name }}.key" + - "{{ od_node_name }}.pem" + - "{{ od_node_name }}_http.key" + - "{{ od_node_name }}_http.pem" + - "{{ od_node_name }}_elasticsearch_config_snippet.yml" - admin.key - admin.pem - name: Copy the OpenDistro security configuration file to cluster blockinfile: - block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}" + block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}" dest: "{{ opendistro_conf_path }}/elasticsearch.yml" insertafter: EOF marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##" 
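Review bot: The rewritten item list still ships `root-ca.key` to every Elasticsearch node together with the per-node material, although securityadmin only needs `admin.key`, `admin.pem` and the CA certificate (`-key {{ opendistro_conf_path }}/admin.key` in the later hunk), so unless another task consumes the CA private key on the nodes it should stay on the controller only. Dropping that line from `with_items` limits what an attacker gains from compromising a single node to that node's own certificate. If it is kept deliberately, a comment stating which task needs it would prevent the next reviewer from raising the same question.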
@@ -51,10 +85,30 @@ mode: 0644 run_once: true + - name: Hashing the custom admin password + command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" + register: opendistro_admin_password_hashed + run_once: true + + - name: Filtering hash result in case java path is not defined + set_fact: + opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}" + when: + - opendistro_admin_password_hashed.stdout_lines[1] is defined + run_once: true + + - name: Setting admin hash result + set_fact: + opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}" + when: + - opendistro_admin_password_hashed.stdout_lines[1] is not defined + run_once: true + - name: Set the Admin user password - shell: > - sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)',' - {{ opendistro_sec_plugin_conf_path }}/internal_users.yml + replace: + path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=admin:\n hash: )(.*)(?=)' + replace: "\"{{ opendistro_admin_password_hashed_filtered }}\"" run_once: true - name: Set the kibanaserver role/user pasword 
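Review bot: The new "Hashing the custom admin password" task runs `hash.sh -p {{ opendistro_admin_password }}` without `no_log: true`, so the plaintext password appears in the task result (`cmd`) in verbose output and in any failure message; add `no_log: true` to it and to the `replace` task whose `replace` value is derived from it. The two filtering tasks that pick `stdout_lines[1]` or `stdout_lines[0]` can be collapsed into one `set_fact` using `"{{ opendistro_admin_password_hashed.stdout_lines[-1] }}"`, which is exactly what the removed `tail -1` did. In the `replace` regexp the trailing `(?=)` is an empty lookahead that matches nothing useful and can be dropped, and the lookbehind depends on the exact indentation of `hash:` in internal_users.yml, which deserves a comment.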
@@ -71,9 +125,28 @@ -key {{ opendistro_conf_path }}/admin.key -cd {{ opendistro_sec_plugin_conf_path }}/ -nhnv -icl - -h {{ hostvars[inventory_hostname]['ip'] }} + -h {{ target_address }} run_once: true + - name: Create custom user + uri: + url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}" + method: PUT + user: "admin" # Default OpenDistro user is always "admin" + password: "{{ opendistro_admin_password }}" + body: | + { + "password": "{{ opendistro_admin_password }}", + "backend_roles": ["{{ opendistro_custom_user_role }}"] + } + body_format: json + validate_certs: no + status_code: 200,201,401 + return_content: yes + timeout: 4 + when: + - opendistro_custom_user is defined + tags: - security - when: install.changed \ No newline at end of file + when: install.changed diff --git a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 index 58a8ece2..fa98feea 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2 
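Review bot: The "Create custom user" task accepts `status_code: 200,201,401`, so a rejected admin credential leaves the user uncreated while the play reports success; there is no `until` here to retry, so tighten it to `status_code: 200,201`. The body also gives the new user `"password": "{{ opendistro_admin_password }}"`, i.e. the same secret as the built-in admin, which looks unintended for a separately named account; a dedicated `opendistro_custom_user_password` variable would be the natural fix. Because the body carries a password, the task should also set `no_log: true`, and `validate_certs: no` could be replaced by `ca_path` pointing at the root CA the role already installs on the node.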
@@ -1,18 +1,36 @@ -cluster.name: "{{ opendistro_cluster_name }}" - -node.name: "{{ inventory_hostname }}" - +cluster.name: {{ elasticsearch_cluster_name }} +node.name: {{ elasticsearch_node_name }} path.data: /var/lib/elasticsearch - path.logs: /var/log/elasticsearch +network.host: {{ elasticsearch_network_host }} -network.host: "{{ hostvars[inventory_hostname]['ip'] }}" +node.master: {{ elasticsearch_node_master|lower }} -http.port: "{{ opendistro_http_port }}" +cluster.initial_master_nodes: +{% for item in elasticsearch_cluster_nodes %} + - {{ item }} +{% endfor %} -discovery.seed_hosts: ["{{ es_nodes }}"] +discovery.seed_hosts: +{% for item in elasticsearch_discovery_nodes %} + - {{ item }} +{% endfor %} -cluster.initial_master_nodes: ["{{ es_nodes }}"] +{% if elasticsearch_node_data|lower == 'false' %} +node.data: false +{% endif %} + +{% if elasticsearch_node_ingest|lower == 'false' %} +node.ingest: false +{% endif %} + + +{% if elasticsearch_lower_disk_requirements %} +cluster.routing.allocation.disk.threshold_enabled: true +cluster.routing.allocation.disk.watermark.flood_stage: 200mb +cluster.routing.allocation.disk.watermark.low: 500mb +cluster.routing.allocation.disk.watermark.high: 300mb +{% endif %} discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}" opendistro_security.allow_default_init_securityindex: true diff --git a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 index 0f7671e2..67ab5470 100644 --- a/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 +++ b/roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2 
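Review bot: The rewritten template no longer emits `http.port`, yet the wait tasks in main.yml and the custom-user task build their URLs from `opendistro_http_port`; a deployment that changes that variable will have a node listening on the default port and a role that polls the wrong one. Restore the line as `http.port: {{ opendistro_http_port }}` next to `network.host`. The template also consumes `elasticsearch_node_name` and `elasticsearch_node_master`, which I do not see in the defaults hunk of this same diff, so either defaults or a header comment in defaults/main.yml should state that both must be set per host (and that `elasticsearch_node_name` must match the certificate name in `instances`).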
@@ -24,28 +24,14 @@ defaults: # Specify the nodes of your ES cluster here # nodes: -{% for item in groups['es_cluster'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} -{% endfor %} -{% if groups['kibana'] is defined and groups['kibana']|length > 0 %} -{% for item in groups['kibana'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} -{% endfor %} +{% for (key,value) in instances.items() %} +{% if (value.ip is defined and value.ip | length > 0) %} + - name: {{ value.name }} + dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} + dns: {{ value.name }}.{{ domain_name }} + ip: {{ value.ip }} {% endif %} -{% if groups['managers'] is defined and groups['managers']|length > 0 %} -{% for item in groups['managers'] %} - - name: {{ item }} - dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }} - dns: {{ item }}.{{ domain_name }} - ip: {{ hostvars[item]['ip'] }} {% endfor %} -{% endif %} ### ### Clients ### diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml index 98c70a2d..2dd687bb 100644 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml @@ -1,5 +1,6 @@ --- +# Kibana configuration elasticsearch_http_port: 9200 elasticsearch_nodes: |- {% for item in groups['es_cluster'] -%} 
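Review bot: The node list is now driven solely by `instances`, while the removed loops over `groups['kibana']` and `groups['managers']` used to generate certificates for Kibana and manager hosts automatically; nothing in the template documents that those hosts must now be listed in `instances` with names equal to `kibana_node_name` and `filebeat_node_name`, which the Kibana and Filebeat security_actions hunks use to pick their files. A comment above the loop such as `{# every host that needs a certificate (Elasticsearch, Kibana, Filebeat) must appear in instances; name must match the role's *_node_name #}` would capture that contract. The `value.ip is defined` test does not exclude null, so entries left as `ip:` pass the first test and reach `| length`; see the note on the playbook hunk.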
@@ -8,15 +9,18 @@ elasticsearch_nodes: |- elasticsearch_network_host: 172.16.0.161 elastic_api_protocol: https kibana_conf_path: /etc/kibana +kibana_node_name: node-1 kibana_server_host: "0.0.0.0" kibana_server_port: "5601" kibana_server_name: "kibana" kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.7.1 -wazuh_version: 3.13.0 +elastic_stack_version: 7.8.0 +wazuh_version: 3.13.1 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp # The OpenDistro package repository +kibana_opendistro_version: -1.8.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts + package_repos: yum: opendistro: @@ -45,7 +49,7 @@ opendistro_security_user: elastic opendistro_admin_password: changeme opendistro_kibana_user: kibanaserver opendistro_kibana_password: changeme -local_certs_path: /tmp/opendistro-nodecerts +local_certs_path: ./opendistro/certificates # Nodejs nodejs: @@ -56,7 +60,7 @@ nodejs: # Build from sources build_from_sources: false -wazuh_plugin_branch: 3.13-7.7 +wazuh_plugin_branch: 3.13-7.8 #Nodejs NODE_OPTIONS node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-kibana/tasks/main.yml b/roles/opendistro/opendistro-kibana/tasks/main.yml old mode 100644 new mode 100755 index 013648db..006b7cd7 --- a/roles/opendistro/opendistro-kibana/tasks/main.yml +++ b/roles/opendistro/opendistro-kibana/tasks/main.yml @@ -23,7 +23,7 @@ - name: Install Kibana package: - name: opendistroforelasticsearch-kibana + name: "opendistroforelasticsearch-kibana{{ kibana_opendistro_version }}" state: present register: install tags: install 
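Review bot: `kibana_opendistro_version: -1.8.0-1` bakes the RPM version separator into the value, and the "Install Kibana" task in the tasks/main.yml hunk interpolates it unconditionally, so on a Debian host the role asks apt for `opendistroforelasticsearch-kibana-1.8.0-1`, which does not resolve; the comment telling users to hand-edit the default is a workaround, not a fix. Store the bare version, `kibana_opendistro_version: "1.8.0-1"`, and let the task pick the separator: `name: "opendistroforelasticsearch-kibana{{ '=' if ansible_os_family == 'Debian' else '-' }}{{ kibana_opendistro_version }}"` (assuming the Debian package carries the same `-1` release suffix, which I could not confirm from the diff). Quoting the value also removes any risk of a YAML parser treating a leading `-` specially.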
@@ -75,7 +75,7 @@ - not build_from_sources - name: Kibana optimization (can take a while) - shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize + shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize -c {{ kibana_conf_path }}/kibana.yml args: executable: /bin/bash become: yes @@ -130,4 +130,4 @@ state: started - import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat' \ No newline at end of file + when: ansible_os_family == 'RedHat' diff --git a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml index be63c9ea..d5b784cf 100644 --- a/roles/opendistro/opendistro-kibana/tasks/security_actions.yml +++ b/roles/opendistro/opendistro-kibana/tasks/security_actions.yml @@ -6,8 +6,9 @@ dest: /usr/share/kibana mode: 0644 with_items: - - "{{ inventory_hostname }}_http.key" - - "{{ inventory_hostname }}_http.pem" + - "root-ca.pem" + - "{{ kibana_node_name }}_http.key" + - "{{ kibana_node_name }}_http.pem" tags: - security when: install.changed \ No newline at end of file diff --git a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 index 40dd9d6c..bc166988 100644 --- a/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 +++ b/roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2 
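Review bot: In the Kibana security_actions hunk the newly named `{{ kibana_node_name }}_http.key` is still copied under the loop's `mode: 0644`, so the TLS private key lands world-readable in /usr/share/kibana; the public items (`root-ca.pem`, the `.pem`) can stay 0644, but the key should be copied by a separate task with `mode: "0600"` and `owner` set to the user Kibana runs as (<KIBANA_SERVICE_USER placeholder>), which the context lines do not show. The enclosing task starts before this hunk, so the `copy:` parameters that would need the `owner` change are outside the visible lines.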
@@ -10,27 +10,25 @@ server.host: {{ kibana_server_host }} {% if kibana_opendistro_security %} + elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" +elasticsearch.username: {{ opendistro_kibana_user }} +elasticsearch.password: {{ opendistro_kibana_password }} +server.ssl.enabled: true +server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem" +server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key" +elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"] +elasticsearch.ssl.verificationMode: full + {% else %} elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}" {% endif %} -elasticsearch.username: {{ opendistro_kibana_user }} -elasticsearch.password: {{ opendistro_kibana_password }} -elasticsearch.ssl.verificationMode: none - elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"] opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13 opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"] opendistro_security.readonly_mode.roles: ["kibana_read_only"] -# OpenDistro Security -{% if kibana_opendistro_security %} -server.ssl.enabled: true -server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem" -server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key" -{% endif %} - newsfeed.enabled: {{ kibana_newsfeed_enabled }} telemetry.optIn: {{ kibana_telemetry_optin }} telemetry.enabled: {{ kibana_telemetry_enabled }} diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml index 4159dc9a..1ef027e7 100644 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml 
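Review bot: The moved `elasticsearch.username: {{ opendistro_kibana_user }}` and `elasticsearch.password: {{ opendistro_kibana_password }}` lines render the values unquoted, so a password containing `#`, `: ` or a leading indicator character produces an invalid or silently truncated kibana.yml; write them as `elasticsearch.username: "{{ opendistro_kibana_user }}"` and `elasticsearch.password: "{{ opendistro_kibana_password }}"`. Moving the credentials and `verificationMode` inside the `kibana_opendistro_security` branch also means the non-security branch no longer sends any credentials, which may be intended but is a behaviour change worth a one-line comment on the `{% else %}` branch. Switching to `verificationMode: full` with the role's own root CA is the right direction and matches the `root-ca.pem` copy added in the security_actions hunk.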
@@ -1,7 +1,7 @@ --- -filebeat_version: 7.7.0 +filebeat_version: 7.8.0 -wazuh_template_branch: v3.13.0 +wazuh_template_branch: v3.13.1 filebeat_create_config: true @@ -23,7 +23,7 @@ filebeat_security_password: changeme filebeat_ssl_dir: /etc/pki/filebeat # Local path to store the generated certificates (OpenDistro security plugin) -local_certs_path: /tmp/opendistro-nodecerts +local_certs_path: ./opendistro/certificates elasticrepo: apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt' diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml index dfea91ee..95503159 100644 --- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -11,8 +11,8 @@ dest: "{{ filebeat_ssl_dir }}" mode: 0644 with_items: - - "{{ inventory_hostname }}.key" - - "{{ inventory_hostname }}.pem" + - "{{ filebeat_node_name }}.key" + - "{{ filebeat_node_name }}.pem" - "root-ca.pem" - name: Ensuring folder & certs permissions diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 index 67a99347..c918ccda 100644 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 @@ -24,8 +24,8 @@ output.elasticsearch: protocol: https ssl.certificate_authorities: - {{ filebeat_ssl_dir }}/root-ca.pem - ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem" - ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key" + ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem" + ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.key" {% endif %} # Optional. Send events to Logstash instead of Elasticsearch diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml index c105205e..d9599520 100644 
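Review bot: The filebeat-oss security_actions and filebeat.yml.j2 hunks now key the certificate files on `filebeat_node_name`, but the visible parts of this role's defaults/main.yml in the same diff define no such variable, so unless it is declared elsewhere the role fails with an undefined variable on every manager that does not set it in inventory. Add a default or at least a documented entry in defaults/main.yml, e.g. `# filebeat_node_name: name of this host's entry in the certificate-generation instances dict (must match)`, next to `local_certs_path`. Note that the Elasticsearch security_actions hunk currently derives the node name from `kibana_node_name` in its Filebeat branch, so the two roles disagree on which variable to read until that is fixed.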
--- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ b/roles/wazuh/ansible-filebeat/defaults/main.yml @@ -1,7 +1,7 @@ --- -filebeat_version: 7.7.0 +filebeat_version: 7.8.0 -wazuh_template_branch: v3.13.0 +wazuh_template_branch: v3.13.1 filebeat_create_config: true diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml index 180d546d..bd28b195 100644 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_agent_version: 3.13.0-1 +wazuh_agent_version: 3.13.1-1 # Custom packages installation @@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: "" wazuh_agent_sources_installation: enabled: false - branch: "v3.13.0" + branch: "v3.13.1" user_language: "y" user_no_stop: "y" user_install_type: "agent" @@ -65,8 +65,8 @@ wazuh_winagent_config: auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe check_md5: True md5: d0f13c0c417c74ccbad7b45f66518513 -wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.0-1.msi -wazuh_winagent_package_name: wazuh-agent-3.13.0-1.msi +wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.1-1.msi +wazuh_winagent_package_name: wazuh-agent-3.13.1-1.msi wazuh_agent_config: repo: apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main' diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml index 38b4e8ac..e21baaaa 100644 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml 
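Review bot: In the ansible-wazuh-agent defaults hunk the MSI URL and package name move to 3.13.1-1 while the context line `md5: d0f13c0c417c74ccbad7b45f66518513` and `check_md5: True` are left as they were, so unless that digest was already stale the Windows download will fail its integrity check against the new package. Update it to the digest of the 3.13.1-1 MSI (`md5: <MD5_OF_WAZUH_AGENT_3.13.1-1_MSI placeholder>`) in the same change that bumps the URL, and consider a comment tying the two together so future bumps do not miss it. Where the download task supports it, a SHA-256 checksum would be a stronger integrity check than MD5.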
@@ -64,7 +64,7 @@ {{ wazuh_agent_win_auth_path }} -m {{ wazuh_agent_authd.registration_address }} -p {{ wazuh_agent_authd.port }} - {% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} + {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %} register: agent_auth_output notify: Windows | Restart Wazuh Agent diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 index d8522158..f4cee16d 100644 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 +++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 @@ -16,6 +16,8 @@ {% endif %} {% if manager.protocol is defined %} {{ manager.protocol }} + {{ manager.max_retries }} + {{ manager.retry_interval }} {% endif %} {% endfor %} diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml index 7bd4846a..e6f86739 100644 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml @@ -1,5 +1,5 @@ --- -wazuh_manager_version: 3.13.0-1 +wazuh_manager_version: 3.13.1-1 wazuh_manager_fqdn: "wazuh-server" wazuh_manager_package_state: present @@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws. # Sources installation wazuh_manager_sources_installation: enabled: false - branch: "v3.13.0" + branch: "v3.13.1" user_language: "en" user_no_stop: "y" user_install_type: "server" @@ -40,7 +40,7 @@ wazuh_manager_sources_installation: wazuh_api_sources_installation: enabled: false - branch: "v3.13.0" + branch: "v3.13.1" update: "y" remove: "y" directory: null
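Review bot: In the Windows.yml hunk the guard `{% if wazuh_agent_authd.agent_name is not none %}` replaces `is defined`, but when `agent_name` is absent from the dict the undefined value is not `none` either, so the branch is taken and the subsequent `{{ wazuh_agent_authd.agent_name }}` fails on an undefined attribute (or renders `-A` with nothing after it, depending on the undefined handling). Keeping both tests, `{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name is not none %}`, handles inventories that omit the key as well as those that set it to null. The enclosing task starts before this hunk.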
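Review bot: In the ossec-agent.conf template hunk, `{{ manager.max_retries }}` and `{{ manager.retry_interval }}` are emitted inside the `manager.protocol is defined` guard with no test of their own, so any existing inventory that defines a manager with a protocol but predates the two new keys added to playbooks/wazuh-agent.yml now fails to render unless a role default supplies them, which I cannot see from this diff. Wrap each in its own guard, e.g. `{% if manager.max_retries is defined %}` / `{% endif %}`, or document in the role defaults that both keys are mandatory for every manager entry. The enclosing `{% for %}` loop starts before this hunk.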