afmarulanda/wazuh-ansible-4.8.1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4bccd0f970
wazuh-ansible-4.8.1/roles/opensearch/wazuh-indexer/tasks/security_actions.yml
Gonzalo Acuña 4bccd0f970
Add sleep before securityadmin
2022-02-15 12:10:24 -03:00

139 lines
4.6 KiB
YAML
Raw Blame History

#- name: Remove demo certs
# ## 732 will not be needed
# file:
# path: "{{ item }}"
# state: absent
# with_items:
# - "{{ indexer_conf_path }}/kirk.pem"
# - "{{ indexer_conf_path }}/kirk-key.pem"
# - "{{ indexer_conf_path }}/esnode.pem"
# - "{{ indexer_conf_path }}/esnode-key.pem"
- name: Configure IP (Private address)
set_fact:
target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}"
when:
- hostvars[inventory_hostname]['private_ip'] is defined
- name: Configure IP (Public address)
set_fact:
target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}"
when:
- hostvars[inventory_hostname]['private_ip'] is not defined
- name: Copy the node & admin certificates to Wazuh-Indexer cluster
copy:
src: "{{ local_certs_path }}/certs/{{ item }}"
dest: "{{ indexer_conf_path }}/certs/"
mode: 0644
become: yes
with_items:
- root-ca.pem
- root-ca.key
- "{{ indexer_node_name }}-key.pem"
- "{{ indexer_node_name }}.pem"
#- "{{ indexer_node_name }}_http.key"
#- "{{ indexer_node_name }}_http.pem"
#- "{{ indexer_node_name }}_elasticsearch_config_snippet.yml"
- admin-key.pem
- admin.pem
#- name: Copy the OpenDistro security configuration file to cluster
# blockinfile:
# block: "{{ lookup('file', snippet_path ) }}"
# dest: "{{ indexer_conf_path }}/elasticsearch.yml"
# insertafter: EOF
# marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
# vars:
# snippet_path: '{{ local_certs_path }}/certs/{{ indexer_node_name }}_elasticsearch_config_snippet.yml'
#- name: Prepare the OpenDistro security configuration file
# replace:
# path: "{{ indexer_conf_path }}/elasticsearch.yml"
# regexp: 'searchguard'
# replace: 'opendistro_security'
# tags: local
- name: Restart Wazuh-Indexer with security configuration
systemd:
name: wazuh-indexer
state: restarted
- name: Copy the Opensearch security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- name: Hashing the custom admin password
command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ indexer_admin_password }}" # noqa 301
register: indexer_admin_password_hashed
#no_log: '{{ indexer_nolog_sensible | bool }}'
run_once: true
- name: Set the Admin user password
replace:
path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "{{ indexer_password_hash | quote }}"
vars:
indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}"
run_once: true
# this can also be achieved with password_hash, but it requires dependencies on the controller
- name: Hash the kibanaserver role/user pasword
command: "{{ indexer_sec_plugin_tools_path }}/hash.sh -p {{ dashboard_password }}" # noqa 301
register: indexer_kibanaserver_password_hashed
no_log: '{{ indexer_nolog_sensible | bool }}'
run_once: true
- name: Set the kibanaserver user password
replace:
path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
replace: "{{ indexer_password_hash | quote }}"
vars:
indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}"
run_once: true
- name: Pause for 2 minute
pause:
minutes: 2
- name: Initialize the Opensearch security index in Wazuh-Indexer
command: >
sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }}
JAVA_HOME=/usr/share/wazuh-indexer/jdk
{{ indexer_sec_plugin_tools_path }}/securityadmin.sh
-cd {{ indexer_sec_plugin_conf_path }}/
-icl -p 9800 -cd {{ indexer_sec_plugin_conf_path }}/
-nhnv
-cacert {{ indexer_conf_path }}/certs/root-ca.pem
-cert {{ indexer_conf_path }}/certs/admin.pem
-key {{ indexer_conf_path }}/certs/admin-key.pem
-h {{ target_address }}
run_once: true # noqa 301
- name: Create custom user
uri:
url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}"
method: PUT
user: "admin" # Default Indexer user is always "admin"
password: "{{ indexer_admin_password }}"
body: |
{
"password": "{{ indexer_admin_password }}",
"backend_roles": ["{{ indexer_custom_user_role }}"]
}
body_format: json
validate_certs: no
status_code: 200,201,401
return_content: yes
timeout: 4
when:
- indexer_custom_user is defined and indexer_custom_user
Reference in New Issue View Git Blame Copy Permalink