Merge pull request #446 from wazuh/wazuh_release_3.13.1_7.8.0

Wazuh release 3.13.1 7.8.0

CHANGELOG.md

@@ -1,6 +1,23 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [v3.13.1_7.8.0]
+
+### Added
+
+- Update to Wazuh v3.13.1
+- Add support to configure path.repo option in ES. Required for backups/snapshots ([@pescobar](https://github.com/pescobar)) [PR#433](https://github.com/wazuh/wazuh-ansible/pull/433)
+
+### Changed
+
+- Update Opendistro tasks ([@jm404](https://github.com/jm404)) [PR#443](https://github.com/wazuh/wazuh-ansible/pull/443)
+- Provide ansible.cfg with merge hash_behaviour ([@xr09](https://github.com/xr09)) [PR#440](https://github.com/wazuh/wazuh-ansible/pull/440)
+
+### Fixed
+
+- Fixes for wazuh-agent registration ([@pchristos](https://github.com/pchristos)) [PR#406](https://github.com/wazuh/wazuh-ansible/pull/406)
+- Fixes for OpenDistro deployments ([@xr09](https://github.com/xr09)) [PR#445](https://github.com/wazuh/wazuh-ansible/pull/445)
+
 ## [v3.13.0_7.7.1]
 
 ### Added

playbooks/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+hash_behaviour=merge

playbooks/wazuh-agent.yml

@@ -10,6 +10,8 @@
         api_port: 55000
         api_proto: 'http'
         api_user: ansible
+        max_retries: 5
+        retry_interval: 5
     wazuh_agent_authd:
       registration_address: <registration IP>
       enable: true

playbooks/wazuh-opendistro.yml

@@ -2,3 +2,16 @@
 - hosts: es_cluster
   roles:
     - role: ../roles/opendistro/opendistro-elasticsearch
+
+  vars:
+    instances:           # A certificate will be generated for every node using the name as CN.
+      node1:
+        name: node-1
+        ip: <node-1 IP>
+      node2:
+        name: node-2
+        ip: <node-2 IP>
+      node3:
+        name: node-3
+        ip: <node-3 IP>
+

roles/elastic-stack/ansible-elasticsearch/defaults/main.yml

@@ -4,7 +4,7 @@ elasticsearch_http_port: 9200
 elasticsearch_network_host: 127.0.0.1
 elasticsearch_reachable_host: 127.0.0.1
 elasticsearch_jvm_xms: null
-elastic_stack_version: 7.7.0
+elastic_stack_version: 7.8.0
 elasticsearch_lower_disk_requirements: false
 elasticsearch_path_repo: []
 

roles/elastic-stack/ansible-kibana/defaults/main.yml

@@ -5,8 +5,8 @@ elasticsearch_http_port: "9200"
 elasticsearch_network_host: "127.0.0.1"
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
-elastic_stack_version: 7.7.1
+elastic_stack_version: 7.8.0
-wazuh_version: 3.13.0
+wazuh_version: 3.13.1
 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
 
 elasticrepo:
@@ -47,7 +47,7 @@ nodejs:
 
 # Build from sources
 build_from_sources: false
-wazuh_plugin_branch: 3.13-7.7
+wazuh_plugin_branch: 3.13-7.8
 
 #Nodejs NODE_OPTIONS
 node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

roles/opendistro/opendistro-elasticsearch/defaults/main.yml

@@ -1,15 +1,26 @@
 ---
-# The OpenDistro version
+# Cluster Settings
+es_version: "7.3.2"
+es_major_version: "7.x"
+
 opendistro_version: 1.8.0
+
 elasticsearch_cluster_name: wazuh-cluster
+single_node: true
+opendistro_cluster_name: wazuh
+elasticsearch_node_data: true
+elasticsearch_node_ingest: true
+elasticsearch_lower_disk_requirements: false
+elasticsearch_cluster_nodes:
+  - 127.0.0.1
+elasticsearch_discovery_nodes:
+  - 127.0.0.1
+
+local_certs_path: ./opendistro/certificates
 
 # Minimum master nodes in cluster, 2 for 3 nodes elasticsearch cluster
 minimum_master_nodes: 2
 
-# Elasticsearch version
-es_version: "7.3.2"
-es_major_version: "7.x"
-
 # Configure hostnames for Elasticsearch nodes
 # Example es1.example.com, es2.example.com
 domain_name: wazuh.com
@@ -34,12 +45,16 @@ es_nodes: |-
 
 # Security password
 opendistro_security_password: admin
+opendistro_custom_user: ""
+opendistro_cusom_user_role: "admin"
+
 # Set JVM memory limits
 opendistro_jvm_xms: null
 
 opendistro_http_port: 9200
 
 certs_gen_tool_version: 1.7
+
 # Url of Search Guard certificates generator tool
 certs_gen_tool_url: "https://releases.floragunn.com/search-guard-tlstool/{{ certs_gen_tool_version }}/search-guard-tlstool-{{ certs_gen_tool_version }}.zip"
 
@@ -51,8 +66,7 @@ elasticrepo:
 
 opendistro_admin_password: changeme
 opendistro_kibana_password: changeme
-# Cluster Settings
-single_node: true
-opendistro_cluster_name: wazuh
 
-local_certs_path: /tmp/opendistro-nodecerts
+# Deployment settings
+generate_certs: true
+perform_installation: true

roles/opendistro/opendistro-elasticsearch/tasks/RedHat.yml

@@ -25,6 +25,21 @@
     yum:
       name: java-11-openjdk-devel
       state: present
+    when:
+      - ansible_distribution != 'Amazon'
+
+  - name: Amazon Linux | Install OpenJDK 11
+    block:
+      - name: Install Amazon extras
+        yum:
+          name: amazon-linux-extras
+          state: present
+
+      - name: Install OpenJDK 11
+        shell: amazon-linux-extras install java-openjdk11 -y
+
+    when:
+      - ansible_distribution == 'Amazon'
 
   - name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
     yum:

roles/opendistro/opendistro-elasticsearch/tasks/local_actions.yml

@@ -1,4 +1,14 @@
 ---
+- name: Check if certificates already exists
+  stat:
+    path: "{{ local_certs_path }}"
+  register: certificates_folder
+  delegate_to: localhost
+  become: no
+  tags:
+    - generate-certs
+
+
 - block:
 
   - name: Local action | Create local temporary directory for certificates generation
@@ -68,5 +78,8 @@
 
   run_once: true
   delegate_to: localhost
+  become: no
   tags:
-  - generate-certs
+    - generate-certs
+  when:
+    - not certificates_folder.stat.exists

roles/opendistro/opendistro-elasticsearch/tasks/main.yml

@@ -1,68 +1,94 @@
 ---
 
 - import_tasks: local_actions.yml
+  when:
+    - generate_certs
 
-- import_tasks: RedHat.yml
+- block:
-  when: ansible_os_family == 'RedHat'
 
-- name: Install OpenDistro
+  - import_tasks: RedHat.yml
-  package:
+    when: ansible_os_family == 'RedHat'
-    name: opendistroforelasticsearch-{{ opendistro_version }}
-    state: present
-  register: install
-  tags: install
 
-- name: Remove elasticsearch configuration file
-  file:
-    path: "{{ opendistro_conf_path }}/elasticsearch.yml"
-    state: absent
-  when: install.changed
-  tags: install
 
-- name: Copy Configuration File
+  - name: Install OpenDistro
-  blockinfile:
+    package:
-    block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
+      name: opendistroforelasticsearch-{{ opendistro_version }}
-    dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
+      state: present
-    create: true
+    register: install
-    group: elasticsearch
+    tags: install
-    mode: 0640
-    marker: "## {mark} Opendistro general settings ##"
-  when: install.changed
-  tags: install
 
-- import_tasks: security_actions.yml
+  - name: Remove elasticsearch configuration file
+    file:
+      path: "{{ opendistro_conf_path }}/elasticsearch.yml"
+      state: absent
+    when: install.changed
+    tags: install
 
-- name: Configure OpenDistro Elasticsearch JVM memmory.
+  - name: Copy Configuration File
-  template:
+    blockinfile:
-    src: "templates/jvm.options.j2"
+      block: "{{ lookup('template', 'elasticsearch.yml.j2') }}"
-    dest: /etc/elasticsearch/jvm.options
+      dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
-    owner: root
+      create: true
-    group: elasticsearch
+      group: elasticsearch
-    mode: 0644
+      mode: 0640
-    force: yes
+      marker: "## {mark} Opendistro general settings ##"
-  notify: restart elasticsearch
+    when: install.changed
-  tags: install
+    tags: install
 
-- name: Ensure Elasticsearch started and enabled
+  - import_tasks: security_actions.yml
-  service:
-    name: elasticsearch
-    enabled: true
-    state: started
 
-- name: Wait for Elasticsearch API
+  - name: Configure OpenDistro Elasticsearch JVM memmory.
-  uri:
+    template:
-    url: "https://{{ es_nodes.split(',')[0].split('\"')[0] }}:9200/_cluster/health/"
+      src: "templates/jvm.options.j2"
-    user: "admin" # Default OpenDistro user is always "admin"
+      dest: /etc/elasticsearch/jvm.options
-    password: "{{ opendistro_admin_password }}"
+      owner: root
-    validate_certs: no
+      group: elasticsearch
-    status_code: 200,401
+      mode: 0644
-    return_content: yes
+      force: yes
-    timeout: 4
+    notify: restart elasticsearch
-  register: _result
+    tags: install
-  until: (  _result.json is defined) and (_result.json.status == "green")
-  retries: 24
-  delay: 5
-  tags: debug
 
-- import_tasks: "RMRedHat.yml"
+  - name: Ensure Elasticsearch started and enabled
-  when: ansible_os_family == "RedHat"
+    service:
+      name: elasticsearch
+      enabled: true
+      state: started
+
+  - name: Wait for Elasticsearch API
+    uri:
+      url: "https://{{ inventory_hostname }}:{{ opendistro_http_port }}/_cluster/health/"
+      user: "admin" # Default OpenDistro user is always "admin"
+      password: "{{ opendistro_admin_password }}"
+      validate_certs: no
+      status_code: 200,401
+      return_content: yes
+      timeout: 4
+    register: _result
+    until: (  _result.json is defined) and (_result.json.status == "green")
+    retries: 24
+    delay: 5
+    tags: debug
+    when:
+      - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip']
+
+  - name: Wait for Elasticsearch API (Private IP)
+    uri:
+      url: "https://{{ hostvars[inventory_hostname]['private_ip'] }}:{{ opendistro_http_port }}/_cluster/health/"
+      user: "admin" # Default OpenDistro user is always "admin"
+      password: "{{ opendistro_admin_password }}"
+      validate_certs: no
+      status_code: 200,401
+      return_content: yes
+      timeout: 4
+    register: _result
+    until: (  _result.json is defined) and (_result.json.status == "green")
+    retries: 24
+    delay: 5
+    tags: debug
+    when:
+      - hostvars[inventory_hostname]['private_ip'] is defined and  hostvars[inventory_hostname]['private_ip']
+
+  - import_tasks: "RMRedHat.yml"
+    when: ansible_os_family == "RedHat"
+
+  when: perform_installation

roles/opendistro/opendistro-elasticsearch/tasks/security_actions.yml

@@ -9,6 +9,40 @@
       - "{{ opendistro_conf_path }}/esnode.pem"
       - "{{ opendistro_conf_path }}/esnode-key.pem"
 
+
+  - name: Configure node name
+    block:
+      - name: Setting node name (Elasticsearch)
+        set_fact:
+          od_node_name: "{{ elasticsearch_node_name }}"
+        when:
+          elasticsearch_node_name is defined and kibana_node_name is not defined
+
+      - name: Setting node name (Kibana)
+        set_fact:
+          od_node_name: "{{ kibana_node_name }}"
+        when:
+          kibana_node_name is defined
+
+      - name: Setting node name (Filebeat)
+        set_fact:
+          od_node_name: "{{ kibana_node_name }}"
+        when:
+          filebeat_node_name is defined
+
+  - name: Configure IP (Private address)
+    set_fact:
+      target_address: "{{ hostvars[inventory_hostname]['private_ip'] }}"
+    when:
+      - hostvars[inventory_hostname]['private_ip'] is defined
+
+  - name: Configure IP (Public address)
+    set_fact:
+      target_address: "{{ inventory_hostname }}"
+    when:
+      - hostvars[inventory_hostname]['private_ip'] is not defined
+
+
   - name: Copy the node & admin certificates to Elasticsearch cluster
     copy:
       src: "{{ local_certs_path }}/certs/{{ item }}"
@@ -17,17 +51,17 @@
     with_items:
       - root-ca.pem
       - root-ca.key
-      - "{{ inventory_hostname }}.key"
+      - "{{ od_node_name }}.key"
-      - "{{ inventory_hostname }}.pem"
+      - "{{ od_node_name }}.pem"
-      - "{{ inventory_hostname }}_http.key"
+      - "{{ od_node_name }}_http.key"
-      - "{{ inventory_hostname }}_http.pem"
+      - "{{ od_node_name }}_http.pem"
-      - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
+      - "{{ od_node_name }}_elasticsearch_config_snippet.yml"
       - admin.key
       - admin.pem
 
   - name: Copy the OpenDistro security configuration file to cluster
     blockinfile:
-      block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ inventory_hostname }}_elasticsearch_config_snippet.yml') }}"
+      block: "{{ lookup('file', '{{ local_certs_path }}/certs/{{ od_node_name }}_elasticsearch_config_snippet.yml') }}"
       dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
       insertafter: EOF
       marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
@@ -51,10 +85,30 @@
       mode: 0644
     run_once: true
 
+  - name: Hashing the custom admin password
+    command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}"
+    register: opendistro_admin_password_hashed
+    run_once: true
+
+  - name: Filtering hash result in case java path is not defined
+    set_fact:
+      opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[1] }}"
+    when:
+      - opendistro_admin_password_hashed.stdout_lines[1] is defined
+    run_once: true
+
+  - name: Setting admin hash result
+    set_fact:
+      opendistro_admin_password_hashed_filtered: "{{ opendistro_admin_password_hashed.stdout_lines[0] }}"
+    when:
+      - opendistro_admin_password_hashed.stdout_lines[1] is not defined
+    run_once: true
+
   - name: Set the Admin user password
-    shell: >
+    replace:
-      sed -i 's,{{ opendistro_admin_password }},'$(sh {{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }} | tail -1)','
+      path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
-      {{ opendistro_sec_plugin_conf_path }}/internal_users.yml
+      regexp: '(?<=admin:\n  hash: )(.*)(?=)'
+      replace: "\"{{ opendistro_admin_password_hashed_filtered }}\""
     run_once: true
 
   - name: Set the kibanaserver role/user pasword
@@ -71,9 +125,28 @@
       -key {{ opendistro_conf_path }}/admin.key
       -cd {{ opendistro_sec_plugin_conf_path }}/
       -nhnv -icl
-      -h {{ hostvars[inventory_hostname]['ip'] }}
+      -h {{ target_address }}
     run_once: true
 
+  - name: Create custom user
+    uri:
+      url: "https://{{ target_address }}:{{ opendistro_http_port }}/_opendistro/_security/api/internalusers/{{ opendistro_custom_user }}"
+      method: PUT
+      user: "admin" # Default OpenDistro user is always "admin"
+      password: "{{ opendistro_admin_password }}"
+      body: |
+        {
+          "password": "{{ opendistro_admin_password }}",
+          "backend_roles": ["{{ opendistro_custom_user_role }}"]
+        }
+      body_format: json
+      validate_certs: no
+      status_code: 200,201,401
+      return_content: yes
+      timeout: 4
+    when:
+      - opendistro_custom_user is defined
+
   tags:
     - security
   when: install.changed

roles/opendistro/opendistro-elasticsearch/templates/elasticsearch.yml.j2

@@ -1,18 +1,36 @@
-cluster.name: "{{ opendistro_cluster_name }}"
+cluster.name: {{ elasticsearch_cluster_name }}
-
+node.name: {{ elasticsearch_node_name }}
-node.name: "{{ inventory_hostname }}"
-
 path.data: /var/lib/elasticsearch
-
 path.logs: /var/log/elasticsearch
+network.host: {{ elasticsearch_network_host }}
 
-network.host: "{{ hostvars[inventory_hostname]['ip'] }}"
+node.master: {{ elasticsearch_node_master|lower }}
 
-http.port: "{{ opendistro_http_port }}"
+cluster.initial_master_nodes:
+{% for item in elasticsearch_cluster_nodes %}
+  - {{ item }}
+{% endfor %}
 
-discovery.seed_hosts: ["{{ es_nodes }}"]
+discovery.seed_hosts:
+{% for item in elasticsearch_discovery_nodes %}
+  - {{ item }}
+{% endfor %}
 
-cluster.initial_master_nodes: ["{{ es_nodes }}"]
+{% if elasticsearch_node_data|lower == 'false' %}
+node.data: false
+{% endif %}
+
+{% if elasticsearch_node_ingest|lower == 'false' %}
+node.ingest: false
+{% endif %}
+
+
+{% if elasticsearch_lower_disk_requirements %}
+cluster.routing.allocation.disk.threshold_enabled: true
+cluster.routing.allocation.disk.watermark.flood_stage: 200mb
+cluster.routing.allocation.disk.watermark.low: 500mb
+cluster.routing.allocation.disk.watermark.high: 300mb
+{% endif %}
 
 discovery.zen.minimum_master_nodes: "{{ minimum_master_nodes }}"
 opendistro_security.allow_default_init_securityindex: true

roles/opendistro/opendistro-elasticsearch/templates/tlsconfig.yml.j2

@@ -24,28 +24,14 @@ defaults:
 # Specify the nodes of your ES cluster here
 #
 nodes:
-{% for item in groups['es_cluster'] %}
+{% for (key,value) in instances.items() %}
-  - name: {{ item }}
+{% if (value.ip is defined and value.ip | length > 0) %}
-    dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+  - name: {{ value.name }}
-    dns: {{ item }}.{{ domain_name }}
+    dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
-    ip: {{ hostvars[item]['ip'] }}
+    dns: {{ value.name }}.{{ domain_name }}
-{% endfor %}
+    ip: {{ value.ip }}
-{% if groups['kibana'] is defined and groups['kibana']|length > 0 %}
-{% for item in groups['kibana'] %}
-  - name: {{ item }}
-    dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
-    dns: {{ item }}.{{ domain_name }}
-    ip: {{ hostvars[item]['ip'] }}
-{% endfor %}
 {% endif %}
-{% if groups['managers'] is defined and groups['managers']|length > 0 %}
-{% for item in groups['managers'] %}
-  - name: {{ item }}
-    dn: CN={{ item }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
-    dns: {{ item }}.{{ domain_name }}
-    ip: {{ hostvars[item]['ip'] }}
 {% endfor %}
-{% endif %}
 ###
 ### Clients
 ###

roles/opendistro/opendistro-kibana/defaults/main.yml

@@ -1,5 +1,6 @@
 ---
 
+# Kibana configuration
 elasticsearch_http_port: 9200
 elasticsearch_nodes: |-
         {% for item in groups['es_cluster'] -%}
@@ -8,15 +9,18 @@ elasticsearch_nodes: |-
 elasticsearch_network_host: 172.16.0.161
 elastic_api_protocol: https
 kibana_conf_path: /etc/kibana
+kibana_node_name: node-1
 kibana_server_host: "0.0.0.0"
 kibana_server_port: "5601"
 kibana_server_name: "kibana"
 kibana_max_payload_bytes: 1048576
-elastic_stack_version: 7.7.1
+elastic_stack_version: 7.8.0
-wazuh_version: 3.13.0
+wazuh_version: 3.13.1
 wazuh_app_url: https://packages.wazuh.com/wazuhapp/wazuhapp
 
 # The OpenDistro package repository
+kibana_opendistro_version: -1.8.0-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts
+
 package_repos:
   yum:
     opendistro:
@@ -45,7 +49,7 @@ opendistro_security_user: elastic
 opendistro_admin_password: changeme
 opendistro_kibana_user: kibanaserver
 opendistro_kibana_password: changeme
-local_certs_path: /tmp/opendistro-nodecerts
+local_certs_path: ./opendistro/certificates
 
 # Nodejs
 nodejs:
@@ -56,7 +60,7 @@ nodejs:
 
 # Build from sources
 build_from_sources: false
-wazuh_plugin_branch: 3.13-7.7
+wazuh_plugin_branch: 3.13-7.8
 
 #Nodejs NODE_OPTIONS
 node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

roles/opendistro/opendistro-kibana/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Install Kibana
   package:
-    name: opendistroforelasticsearch-kibana
+    name: "opendistroforelasticsearch-kibana{{ kibana_opendistro_version }}"
     state: present
   register: install
   tags: install
@@ -75,7 +75,7 @@
     - not build_from_sources
 
 - name: Kibana optimization (can take a while)
-  shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize
+  shell: /usr/share/kibana/node/bin/node {{ node_options }} /usr/share/kibana/src/cli --optimize -c {{ kibana_conf_path }}/kibana.yml
   args:
     executable: /bin/bash
   become: yes

roles/opendistro/opendistro-kibana/tasks/security_actions.yml

@@ -6,8 +6,9 @@
       dest: /usr/share/kibana
       mode: 0644
     with_items:
-      - "{{ inventory_hostname }}_http.key"
+      - "root-ca.pem"
-      - "{{ inventory_hostname }}_http.pem"
+      - "{{ kibana_node_name }}_http.key"
+      - "{{ kibana_node_name }}_http.pem"
   tags:
   - security
   when: install.changed

roles/opendistro/opendistro-kibana/templates/opendistro_kibana.yml.j2

@@ -10,27 +10,25 @@ server.host: {{ kibana_server_host }}
 
 
 {% if kibana_opendistro_security %}
+
 elasticsearch.hosts: "https://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
+elasticsearch.username: {{ opendistro_kibana_user }}
+elasticsearch.password: {{ opendistro_kibana_password }}
+server.ssl.enabled: true
+server.ssl.certificate: "/usr/share/kibana/{{ kibana_node_name }}_http.pem"
+server.ssl.key: "/usr/share/kibana/{{ kibana_node_name }}_http.key"
+elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/root-ca.pem"]
+elasticsearch.ssl.verificationMode: full
+
 {% else %}
 elasticsearch.hosts: "http://{{ elasticsearch_network_host }}:{{ elasticsearch_http_port }}"
 {% endif %}
 
-elasticsearch.username: {{ opendistro_kibana_user }}
-elasticsearch.password: {{ opendistro_kibana_password }}
-elasticsearch.ssl.verificationMode: none
-
 elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
 opendistro_security.multitenancy.enabled: false # FIXME: should be enabled starting with Wazuh App v3.13
 opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
 opendistro_security.readonly_mode.roles: ["kibana_read_only"]
 
-# OpenDistro Security
-{% if kibana_opendistro_security %}
-server.ssl.enabled: true
-server.ssl.certificate: "/usr/share/kibana/{{ inventory_hostname }}_http.pem"
-server.ssl.key: "/usr/share/kibana//{{ inventory_hostname }}_http.key"
-{% endif %}
-
 newsfeed.enabled: {{ kibana_newsfeed_enabled }}
 telemetry.optIn: {{ kibana_telemetry_optin }}
 telemetry.enabled: {{ kibana_telemetry_enabled }}

roles/wazuh/ansible-filebeat-oss/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
-filebeat_version: 7.7.0
+filebeat_version: 7.8.0
 
-wazuh_template_branch: v3.13.0
+wazuh_template_branch: v3.13.1
 
 filebeat_create_config: true
 
@@ -23,7 +23,7 @@ filebeat_security_password: changeme
 filebeat_ssl_dir: /etc/pki/filebeat
 
 # Local path to store the generated certificates (OpenDistro security plugin)
-local_certs_path: /tmp/opendistro-nodecerts
+local_certs_path: ./opendistro/certificates
 
 elasticrepo:
   apt: 'https://artifacts.elastic.co/packages/oss-7.x/apt'

roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml

@@ -11,8 +11,8 @@
       dest: "{{ filebeat_ssl_dir }}"
       mode: 0644
     with_items:
-      - "{{ inventory_hostname }}.key"
+      - "{{ filebeat_node_name }}.key"
-      - "{{ inventory_hostname }}.pem"
+      - "{{ filebeat_node_name }}.pem"
       - "root-ca.pem"
 
   - name: Ensuring folder & certs permissions

roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2

@@ -24,8 +24,8 @@ output.elasticsearch:
   protocol: https
   ssl.certificate_authorities:
     - {{ filebeat_ssl_dir }}/root-ca.pem
-  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.pem"
+  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
-  ssl.key: "{{ filebeat_ssl_dir }}/{{ inventory_hostname }}.key"
+  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.key"
 {% endif %}
 
 # Optional. Send events to Logstash instead of Elasticsearch

roles/wazuh/ansible-filebeat/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
-filebeat_version: 7.7.0
+filebeat_version: 7.8.0
 
-wazuh_template_branch: v3.13.0
+wazuh_template_branch: v3.13.1
 
 filebeat_create_config: true
 

roles/wazuh/ansible-wazuh-agent/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-wazuh_agent_version: 3.13.0-1
+wazuh_agent_version: 3.13.1-1
 
 
 # Custom packages installation
@@ -12,7 +12,7 @@ wazuh_custom_packages_installation_agent_rpm_url: ""
 
 wazuh_agent_sources_installation:
   enabled: false
-  branch: "v3.13.0"
+  branch: "v3.13.1"
   user_language: "y"
   user_no_stop: "y"
   user_install_type: "agent"
@@ -65,8 +65,8 @@ wazuh_winagent_config:
   auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
   check_md5: True
   md5: d0f13c0c417c74ccbad7b45f66518513
-wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.0-1.msi
+wazuh_winagent_config_url: https://packages.wazuh.com/3.x/windows/wazuh-agent-3.13.1-1.msi
-wazuh_winagent_package_name: wazuh-agent-3.13.0-1.msi
+wazuh_winagent_package_name: wazuh-agent-3.13.1-1.msi
 wazuh_agent_config:
   repo:
     apt: 'deb https://packages.wazuh.com/3.x/apt/ stable main'

roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml

@@ -64,7 +64,7 @@
     {{ wazuh_agent_win_auth_path }}
     -m {{ wazuh_agent_authd.registration_address }}
     -p {{ wazuh_agent_authd.port }}
-    {% if wazuh_agent_authd.agent_name is defined %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
+    {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
     {% if authd_pass is defined %} -P {{ authd_pass }}{% endif %}
   register: agent_auth_output
   notify: Windows | Restart Wazuh Agent

roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2

@@ -16,6 +16,8 @@
       {% endif %}
       {% if manager.protocol is defined %}
       <protocol>{{ manager.protocol }}</protocol>
+      <max_retries>{{ manager.max_retries }}</max_retries>
+      <retry_interval>{{ manager.retry_interval }}</retry_interval>
       {% endif %}
     </server>
     {% endfor %}

roles/wazuh/ansible-wazuh-manager/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-wazuh_manager_version: 3.13.0-1
+wazuh_manager_version: 3.13.1-1
 
 wazuh_manager_fqdn: "wazuh-server"
 wazuh_manager_package_state: present
@@ -15,7 +15,7 @@ wazuh_custom_packages_installation_api_rpm_url: "https://s3-us-west-1.amazonaws.
 # Sources installation
 wazuh_manager_sources_installation:
   enabled: false
-  branch: "v3.13.0"
+  branch: "v3.13.1"
   user_language: "en"
   user_no_stop: "y"
   user_install_type: "server"
@@ -40,7 +40,7 @@ wazuh_manager_sources_installation:
 
 wazuh_api_sources_installation:
   enabled: false
-  branch: "v3.13.0"
+  branch: "v3.13.1"
   update: "y"
   remove: "y"
   directory: null