nueva versión

This commit is contained in:
Andrés Felipe Marulanda Hernández 2024-10-28 10:06:21 -05:00
parent feb29a73eb
commit 65ffbf6321
111 changed files with 8282 additions and 0 deletions

15
.ansible-lint Normal file

@ -0,0 +1,15 @@
---
use_default_rules: true
parseable: true
quiet: true
verbosity: 1
# State that naming for now should be a warning
# 106: ansible role name does not conform to pattern [a-z][a-z0-9_]+$
warn_list:
- '106'
# This is for false positives
# 504: Do not use 'local_action', use 'delegate_to: localhost'
skip_list:
- '504'
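Review bot: The `warn_list` and `skip_list` entries use numeric rule IDs (`'106'`, `'504'`), which newer ansible-lint releases no longer honour after the move to named rules, so on a current linter both exclusions may be ignored and the role-name and local_action findings reappear. Unless CI pins an old ansible-lint, switch to the rule names, e.g. `warn_list: [role-name]` and `skip_list: [deprecated-local-action]`, and keep the two explanatory comments above them. Which linter version CI installs is not visible here; confirm before changing.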

68
.github/playbooks/aio-wazuh.yml vendored Normal file

@ -0,0 +1,68 @@
- name: Generate certificates prior to converging
hosts: localhost
become: true
become_user: root
roles:
# 1. Check packages
- role: ../../roles/wazuh/check-packages
become: no
delegate_to: localhost
run_once: true
# 2. Generate certificates
- role: ../../roles/wazuh/wazuh-indexer
vars:
generate_certs: true
perform_installation: false
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node3:
name: wazuh-mgr01
ip: "127.0.0.1"
role: wazuh
node5:
name: wazuh-dash01
ip: "127.0.0.1"
role: dashboard
pre_tasks:
- name: overview of cert configuration
debug:
var: wazuh_endpoint_list
- name: Converge
hosts: localhost
become: true
become_user: root
roles:
# 1. Wazuh indexer
- role: ../../roles/wazuh/wazuh-indexer
vars:
indexer_node_name: "wazuh-es01"
single_node: true
# 2. Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
- role: ../../roles/wazuh/ansible-filebeat-oss
vars:
filebeat_node_name: "wazuh-mgr01"
filebeat_output_indexer_hosts:
- "localhost:9200"
# 3. Wazuh dashboard
- role: ../../roles/wazuh/wazuh-dashboard
vars:
dashboard_node_name: "wazuh-dash01"
vars:
instances:
node1:
name: wazuh-es01 # Important: must be equal to indexer_node_name.
ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node3:
name: wazuh-mgr01
ip: "127.0.0.1"
role: wazuh
node5:
name: wazuh-dash01
ip: "127.0.0.1"
role: dashboard
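Review bot: The `instances` map is written twice, once as role vars for the certificate generation (node1/node3/node5 under the first play) and again as play vars at the end of the converge play, and the comment on node1 says the name must equal `indexer_node_name`; if either copy drifts the generated certificates will not match the node names the installer looks up. Move the map to a single vars file loaded by both plays, or define it once at play level and reference it from the role, so there is one source of truth. Separately, the check-packages role uses `become: no` while the plays use `become: true`; write `become: false` so the file uses one boolean spelling. Rendering dropped the indentation, so the nesting described here is inferred from line order.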

37
.github/playbooks/single-wazuh.yml vendored Normal file

@ -0,0 +1,37 @@
---
- name: ConvergeCerts
hosts: localhost
roles:
- role: ../../roles/wazuh/check-packages
become: no
delegate_to: localhost
run_once: true
- role: ../../roles/wazuh/wazuh-indexer
perform_installation: false
vars:
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
tags:
- generate-certs
- name: ConvergeInstall
hosts: localhost
roles:
# Managers
- role: ../../roles/wazuh/ansible-wazuh-manager
vars:
- role: ../../roles/wazuh/ansible-filebeat-oss
vars:
filebeat_output_indexer_hosts:
- "indexer_centos7:9200"
pre_tasks:
- name: (converge) fix missing packages in cloud images
apt:
name:
- unzip
- gpg-agent
state: present
update_cache: yes
when: ansible_distribution == "Ubuntu"
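Review bot: The `vars:` under the ansible-wazuh-manager role entry has no value, which YAML parses as `null` rather than an empty mapping; either drop the key or give it a mapping, and likewise `perform_installation: false` sits at role-entry level instead of under `vars:` as the sibling aio-wazuh.yml does, so it is passed as a legacy role parameter rather than a var. `filebeat_output_indexer_hosts` points at `"indexer_centos7:9200"` while every play in this file targets localhost and the indexer node is `node-1`, which looks like a leftover from a multi-host scenario and would leave Filebeat shipping to a host that does not exist in this run; confirm the intended endpoint (`"localhost:9200"` in the aio playbook). Finally, `update_cache: yes` should be `update_cache: true` for consistency with the rest of the playbooks.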

67
.github/workflows/al_aio.yml vendored Normal file

@ -0,0 +1,67 @@
---
name: AIO-AL-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.AL2_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
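Review bot: The workflow triggers on `pull_request` and then launches a self-hosted EC2 runner with long-lived static credentials (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`) plus a personal access token, so any workflow edit in a pull request from a branch of this repository runs with those secrets on infrastructure it can also create; prefer short-lived credentials via OIDC (`role-to-assume` on a current `aws-actions/configure-aws-credentials` release), add an explicit top-level `permissions:` block so the default `GITHUB_TOKEN` grant is minimal, and pin third-party actions such as `machulav/ec2-github-runner@v2` to a full commit SHA. `actions/checkout@v2` is a deprecated Node 12 action and should move to a current major. The `termination_date` tag is `2022-12-31 21:00:00` while the commit is dated 2024-10-28; if anything reaps instances on that tag the runner may be terminated mid-job, so verify the value is still meaningful. The same points apply to al_wazuh.yml, centos_aio.yml, centos_wazuh.yml, ubuntu_aio.yml and ubuntu_wazuh.yml.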

67
.github/workflows/al_wazuh.yml vendored Normal file

@ -0,0 +1,67 @@
---
name: Wazuh-AL-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.AL2_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/centos_aio.yml vendored Normal file

@ -0,0 +1,76 @@
---
name: AIO-CentOS-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
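Review bot: The install job runs `ansible-playbook` without any step that installs or pins Ansible; the setup-python step only provides an interpreter, so the playbook run depends on whatever the AMI happens to ship and is not reproducible across image rebuilds. Add a step after setup-python such as `run: pip install "ansible-core==<PINNED_VERSION>"` with the version the roles are tested against. The preceding hack writes `DISTRIB_RELEASE=18.04` into `/etc/lsb-release` on a CentOS 8 image; it is only needed under act, so guard it with `if: ${{ env.ACT }}` so real runners are not mislabelled as Ubuntu for anything else that reads that file. The same two points apply to centos_wazuh.yml, ubuntu_aio.yml and ubuntu_wazuh.yml, and the missing Ansible install also to al_aio.yml and al_wazuh.yml.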

76
.github/workflows/centos_wazuh.yml vendored Normal file

@ -0,0 +1,76 @@
---
name: Wazuh-CentOS-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/ubuntu_aio.yml vendored Normal file

@ -0,0 +1,76 @@
---
name: AIO-Ubuntu-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
ec2-instance-type: t3a.large
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-aio-single-instance:
name: Installs AIO single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh AIO Single instance
run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-aio-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

76
.github/workflows/ubuntu_wazuh.yml vendored Normal file

@ -0,0 +1,76 @@
---
name: Wazuh-Ubuntu-Single-Instance
on: [pull_request, workflow_dispatch, release]
jobs:
start-runner:
name: Start self-hosted EC2 runner
runs-on: ubuntu-latest
outputs:
label: ${{ steps.start-ec2-runner.outputs.label }}
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Start EC2 runner
id: start-ec2-runner
uses: machulav/ec2-github-runner@v2
with:
mode: start
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
ec2-instance-type: t3.small
subnet-id: ${{ secrets.SUBNET_ID }}
security-group-id: ${{ secrets.SG_ID }}
aws-resource-tags: > # optional, requires additional permissions
[
{"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
{"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
{"Key": "team", "Value": "CICD"},
{"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
]
install-wazuh-single-instance:
name: Installs Wazuh server single instance
needs: start-runner # required to start the main job when the runner is ready
runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
- name: Hack to get setup-python to work on act. See act issue 251
run: |
if [ ! -f "/etc/lsb-release" ] ; then
echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
fi
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Ansible Playbook run Wazuh Single instance
run: ansible-playbook ./.github/playbooks/single-wazuh.yml
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
stop-runner:
name: Stop self-hosted EC2 runner
needs:
- start-runner # required to get output from the start-runner job
- install-wazuh-single-instance # required to wait when the main job is done
runs-on: ubuntu-latest
if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Stop EC2 runner
uses: machulav/ec2-github-runner@v2
with:
mode: stop
github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
label: ${{ needs.start-runner.outputs.label }}
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}

13
.gitignore vendored Normal file

@ -0,0 +1,13 @@
*.retry
wazuh-agent.yml
wazuh-elastic_stack-distributed.yml
wazuh-elastic_stack-single.yml
wazuh-elastic.yml
wazuh-kibana.yml
wazuh-manager.yml
*.pyc
.mypy_cache
Pipfile.lock
*.swp
molecule/**/es_certs/
molecule/**/opendistro/

33
.yamllint Normal file

@ -0,0 +1,33 @@
---
# Based on ansible-lint config
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
colons:
max-spaces-after: -1
level: error
commas:
max-spaces-after: -1
level: error
comments: disable
comments-indentation: disable
document-start: disable
empty-lines:
max: 3
level: error
hyphens:
level: error
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines:
type: unix
trailing-spaces: disable
truthy: disable
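Review bot: `truthy`, `indentation` and `trailing-spaces` are all disabled, which turns off exactly the checks that would have flagged `become: no` and `update_cache: yes` in the playbooks added by this commit and would catch the mis-nesting that is easy to introduce in Ansible YAML. Re-enable truthy in a form that still tolerates the `on:` key of the workflow files, e.g. `truthy: {allowed-values: ['true', 'false'], check-keys: false}`, and consider leaving `indentation` at the default with `indent-sequences: consistent` rather than disabling it. Trailing whitespace inside block scalars becomes part of the value, so `trailing-spaces` is worth keeping at least as a warning.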

778
CHANGELOG.md Normal file

@ -0,0 +1,778 @@
# Change Log
All notable changes to this project will be documented in this file.
## [v4.9.1]
### Added
- Update to [Wazuh v4.9.1](https://github.com/wazuh/wazuh/blob/v4.9.1/CHANGELOG.md#v491)
## [v4.9.0]
### Added
- Update to [Wazuh v4.9.0](https://github.com/wazuh/wazuh/blob/v4.9.0/CHANGELOG.md#v490)
## [v4.8.2]
### Added
- Update to [Wazuh v4.8.2](https://github.com/wazuh/wazuh/blob/v4.8.2/CHANGELOG.md#v482)
## [v4.8.1]
### Added
- Update to [Wazuh v4.8.1](https://github.com/wazuh/wazuh/blob/v4.8.1/CHANGELOG.md#v481)
## [v4.8.0]
### Added
- Update to [Wazuh v4.8.0](https://github.com/wazuh/wazuh/blob/v4.8.0/CHANGELOG.md#v480)
## [v4.7.5]
### Added
- Update to [Wazuh v4.7.5](https://github.com/wazuh/wazuh/blob/v4.7.5/CHANGELOG.md#v475)
## [v4.7.4]
### Added
- Update to [Wazuh v4.7.4](https://github.com/wazuh/wazuh/blob/v4.7.4/CHANGELOG.md#v473)
## [v4.7.3]
### Added
- Update to [Wazuh v4.7.3](https://github.com/wazuh/wazuh/blob/v4.7.3/CHANGELOG.md#v473)
## [v4.7.2]
### Added
- Update to [Wazuh v4.7.2](https://github.com/wazuh/wazuh/blob/v4.7.2/CHANGELOG.md#v472)
## [v4.7.1]
### Added
- Update to [Wazuh v4.7.1](https://github.com/wazuh/wazuh/blob/v4.7.1/CHANGELOG.md#v471)
## [v4.7.0]
### Added
- Update to [Wazuh v4.7.0](https://github.com/wazuh/wazuh/blob/v4.7.0/CHANGELOG.md#v470)
## [v4.6.0]
### Added
- Update to [Wazuh v4.6.0](https://github.com/wazuh/wazuh/blob/v4.6.0/CHANGELOG.md#v460)
## [v4.5.4]
### Added
- Update to [Wazuh v4.5.4](https://github.com/wazuh/wazuh/blob/v4.5.4/CHANGELOG.md#v454)
## [v4.5.3]
### Added
- Update to [Wazuh v4.5.3](https://github.com/wazuh/wazuh/blob/v4.5.3/CHANGELOG.md#v453)
## [v4.5.2]
### Added
- Update to [Wazuh v4.5.2](https://github.com/wazuh/wazuh/blob/v4.5.2/CHANGELOG.md#v452)
## [v4.5.1]
### Added
- Update to [Wazuh v4.5.1](https://github.com/wazuh/wazuh/blob/v4.5.1/CHANGELOG.md#v451)
## [v4.5.0]
### Added
- Update to [Wazuh v4.5.0](https://github.com/wazuh/wazuh/blob/v4.5.0/CHANGELOG.md#v450)
## [v4.4.5]
### Added
- Update to [Wazuh v4.4.5](https://github.com/wazuh/wazuh/blob/v4.4.5/CHANGELOG.md#v445)
## [v4.4.4]
### Added
- Update to [Wazuh v4.4.4](https://github.com/wazuh/wazuh/blob/v4.4.4/CHANGELOG.md#v444)
## [v4.4.3]
### Added
- Update to [Wazuh v4.4.3](https://github.com/wazuh/wazuh/blob/v4.4.3/CHANGELOG.md#v443)
## [v4.4.2]
### Added
- Update to [Wazuh v4.4.2](https://github.com/wazuh/wazuh/blob/v4.4.2/CHANGELOG.md#v442)
## [v4.4.1]
### Added
- Update to [Wazuh v4.4.1](https://github.com/wazuh/wazuh/blob/v4.4.1/CHANGELOG.md#v441)
## [v4.4.0]
### Added
- Update to [Wazuh v4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440)
## [v4.3.11]
### Added
- Update to [Wazuh v4.3.11](https://github.com/wazuh/wazuh/blob/v4.3.11/CHANGELOG.md#v4311)
## [v4.3.10]
### Added
- Update to [Wazuh v4.3.10](https://github.com/wazuh/wazuh/blob/v4.3.10/CHANGELOG.md#v4310)
## [v4.3.9]
### Added
- Update to [Wazuh v4.3.9](https://github.com/wazuh/wazuh/blob/v4.3.9/CHANGELOG.md#v439)
## [v4.3.8]
### Added
- Update to [Wazuh v4.3.8](https://github.com/wazuh/wazuh/blob/v4.3.8/CHANGELOG.md#v438)
## [v4.3.7]
### Added
- Update to [Wazuh v4.3.7](https://github.com/wazuh/wazuh/blob/v4.3.7/CHANGELOG.md#v437)
## [v4.3.6]
### Added
- Update to [Wazuh v4.3.6](https://github.com/wazuh/wazuh/blob/v4.3.6/CHANGELOG.md#v436)
## [v4.3.5]
### Added
- Update to [Wazuh v4.3.5](https://github.com/wazuh/wazuh/blob/v4.3.5/CHANGELOG.md#v435)
## [v4.3.4]
### Added
- Update to [Wazuh v4.3.4](https://github.com/wazuh/wazuh/blob/v4.3.4/CHANGELOG.md#v434)
## [v4.3.3]
### Added
- Update to [Wazuh v4.3.3](https://github.com/wazuh/wazuh/blob/v4.3.3/CHANGELOG.md#v433)
## [v4.3.2]
### Added
- Update to [Wazuh v4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432)
## [v4.3.1]
### Added
- Update to [Wazuh v4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431)
## [v4.3.0]
### Added
- Update to [Wazuh v4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430)
## [v4.2.6]
### Added
- Update to [Wazuh v4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426)
## [v4.2.5]
### Added
- Update to [Wazuh v4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425)
## [v4.2.4]
### Added
- Update to [Wazuh v4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424)
## [v4.2.3]
### Added
- Update to [Wazuh v4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
## [v4.2.2]
### Added
- Update to [Wazuh v4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
## [v4.2.1]
### Added
- Update to [Wazuh v4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
## [v4.2.0]
### Added
- Update to [Wazuh v4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
## [v4.1.4]
### Added
- Update to [Wazuh v4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
## [v4.1.3]
### Added
- Update to [Wazuh v4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
## [v4.1.2]
### Added
- Update to [Wazuh v4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
## [v4.1.1]
### Added
- Update to [Wazuh v4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
- Apply changes in ossec.conf file
- Modify jvm.options to [v7.10](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/jvm-options.html)
- Change opendistro repository packages (opendistroforelasticsearch, elasticsearch-oss) to Wazuh URL and GPG key
## [v4.0.4]
### Added
- Update to [Wazuh v4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
- Support for new Wazuh API config options.
- Add localfile labels to agent ossec.conf template ([@dragospe](https://github.com/dragospe)) [PR#521](https://github.com/wazuh/wazuh-ansible/pull/521)
### Changed
- Please notice that default Kibana user in role defaults changed from `kibanaserver` to `admin`. See listed PRs below for details.
### Fixed
- `create_user.py` generates invalid passwords ([@singuliere](https://github.com/singuliere)) [PR#519](https://github.com/wazuh/wazuh-ansible/pull/519)
- Fix invalid Jinja2 syntax in centralized configuration template ([@kravietz](https://github.com/kravietz)) [PR#528](https://github.com/wazuh/wazuh-ansible/pull/528)
- Replace default user for `opendistro-kibana` role ([@zenidd](https://github.com/zenidd)) [PR#529](https://github.com/wazuh/wazuh-ansible/pull/529)
- Remove legacy declarations of `od_node_name` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei), [@dragospe](https://github.com/dragospe)) [PR#530](https://github.com/wazuh/wazuh-ansible/pull/530)
- Add missing variable `elasticsearch_node_master` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#534](https://github.com/wazuh/wazuh-ansible/pull/534)
- Add missing variable `elasticsearch_network_host` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#540](https://github.com/wazuh/wazuh-ansible/pull/540)
## [v4.0.3]
### Added
- Update to Wazuh v4.0.3
### Fixed
- Fix wrong `delegate_to` in task added by PR#488, hotfixed in `v4.0.2` in [PR#511](https://github.com/wazuh/wazuh-ansible/pull/511)
## [v4.0.2]
### Added
- Update to Wazuh v4.0.2
### Changed
- New role variables have been introduced (e.g: `wazuh_agent_api_validate`), see documentation or PRs listed here for details.
- Some variables have been deprecated (e.g: `wazuh_agent_nat`) in favour of other ones, see documentation or PRs listed here for details.
### Fixed
- Fix agent enrollment default value. Fix authd registration. [PR#505](https://github.com/wazuh/wazuh-ansible/issues/505)
- Remove async clause causing agent install timeout on resource-constrained Centos installations [PR#507](https://github.com/wazuh/wazuh-ansible/issues/507)
- Fix REST registration method for agents [PR#509](https://github.com/wazuh/wazuh-ansible/issues/509)
- `authd_pass` and `api_pass` [precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) too high, lower to role defaults [PR#488](https://github.com/wazuh/wazuh-ansible/issues/488)
## [v4.0.1]
### Added
- Update to Wazuh v4.0.1
- Allow installing fixed Filebeat-oss version ([@Zenidd](https://github.com/Zenidd)) [PR#486](https://github.com/wazuh/wazuh-ansible/pull/486)
- Feature adapt molecule tests ([@neonmei](https://github.com/neonmei)) [PR#477](https://github.com/wazuh/wazuh-ansible/pull/477)
### Fixed
- Roles/elastic-stack: update jvm.options template per upstream updates ([@neonmei](https://github.com/neonmei)) [PR#501](https://github.com/wazuh/wazuh-ansible/pull/501)
- Improve linting history ([@neonmei](https://github.com/neonmei))
- Fix lint opendistro kibana [PR#497](https://github.com/wazuh/wazuh-ansible/pull/497)
- Feature lint roles configurations [PR#496](https://github.com/wazuh/wazuh-ansible/pull/496)
- Feature lint role wazuh agent [PR#495](https://github.com/wazuh/wazuh-ansible/pull/495)
- Feature lint role filebeat oss [PR#494](https://github.com/wazuh/wazuh-ansible/pull/494)
- Lint role wazuh-manager [PR#493](https://github.com/wazuh/wazuh-ansible/pull/493)
- Feature lint role elasticsearch [PR#492](https://github.com/wazuh/wazuh-ansible/pull/492)
- Feature lint role opendistro-elasticsearch [PR#491](https://github.com/wazuh/wazuh-ansible/pull/491)
- Feature lint remove unused variables [PR#487](https://github.com/wazuh/wazuh-ansible/pull/487)
- Feature agent default vars depth reduction [PR#485](https://github.com/wazuh/wazuh-ansible/pull/485)
- Remove unnecesary nodejs dependency ([@neonmei](https://github.com/neonmei)) [PR#482](https://github.com/wazuh/wazuh-ansible/pull/482)
- Feature manager configuration unnest ([@neonmei](https://github.com/neonmei)) [PR#481](https://github.com/wazuh/wazuh-ansible/pull/481)
- Elastic API check fix ([@Zenidd](https://github.com/Zenidd)) [PR#480](https://github.com/wazuh/wazuh-ansible/pull/480)
- Improve handling of run_once at opendistro-elasticsearch role ([@neonmei](https://github.com/neonmei)) [PR#478](https://github.com/wazuh/wazuh-ansible/pull/478)
## [v4.0.0]
### Added
- Update to Wazuh v4.0.0
- New example playbooks on README ([@Zenidd](https://github.com/Zenidd)) [PR#468](https://github.com/wazuh/wazuh-ansible/pull/468)
### Fixed
- Ensure recursive /usr/share/kibana permissions before installing WUI ([@Zenidd](https://github.com/Zenidd)) [PR#471](https://github.com/wazuh/wazuh-ansible/pull/471)
- Remove vuls integration ([@manuasir](https://github.com/manuasir)) [PR#469](https://github.com/wazuh/wazuh-ansible/pull/469)
## [v3.13.2]
### Added
- Update to Wazuh v3.13.2
- Add kibana extra ssl option ([@xr09](https://github.com/xr09)) [PR#451](https://github.com/wazuh/wazuh-ansible/pull/451)
- Force basic auth ([@xr09](https://github.com/xr09)) [PR#456](https://github.com/wazuh/wazuh-ansible/pull/456)
### Fixed
- Fix check_mode condition ([@manuasir](https://github.com/manuasir)) [PR#452](https://github.com/wazuh/wazuh-ansible/pull/452)
- Fixes for opendistro role ([@xr09](https://github.com/xr09)) [PR#453](https://github.com/wazuh/wazuh-ansible/pull/453)
## [v3.13.1_7.8.0]
### Added
- Update to Wazuh v3.13.1
- Add support to configure path.repo option in ES. Required for backups/snapshots ([@pescobar](https://github.com/pescobar)) [PR#433](https://github.com/wazuh/wazuh-ansible/pull/433)
### Changed
- Update Opendistro tasks ([@jm404](https://github.com/jm404)) [PR#443](https://github.com/wazuh/wazuh-ansible/pull/443)
- Provide ansible.cfg with merge hash_behaviour ([@xr09](https://github.com/xr09)) [PR#440](https://github.com/wazuh/wazuh-ansible/pull/440)
### Fixed
- Fixes for wazuh-agent registration ([@pchristos](https://github.com/pchristos)) [PR#406](https://github.com/wazuh/wazuh-ansible/pull/406)
- Fixes for OpenDistro deployments ([@xr09](https://github.com/xr09)) [PR#445](https://github.com/wazuh/wazuh-ansible/pull/445)
## [v3.13.0_7.7.1]
### Added
- Update to Wazuh v3.13.0
- Open Distro-Kibana and Filebeat-oss roles ([@manuasir](https://github.com/manuasir)) [PR#424](https://github.com/wazuh/wazuh-ansible/pull/424)
### Changed
- Fetch ES template from wazuh/wazuh repository ([@Zenidd](https://github.com/Zenidd)) [PR#435](https://github.com/wazuh/wazuh-ansible/pull/435)
### Fixed
- Use local path while generating xpack certificates ([@xr09](https://github.com/xr09)) [PR#432](https://github.com/wazuh/wazuh-ansible/pull/432)
## [v3.12.3_7.6.2]
### Added
- Update to Wazuh v3.12.2
- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413)
### Changed
- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412)
- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410)
## [v3.12.2_7.6.2]
### Added
- Update to Wazuh v3.12.2
### Fixed
- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404)
- Removed python-cryptography library tasks ([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401)
- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400)
## [v3.12.0_7.6.1]
### Added
- Update to Wazuh v3.12.0
- Added registration address variable to wazuh-agent playbook ([@Zenidd](https://github.com/Zenidd)) [PR#392](https://github.com/wazuh/wazuh-ansible/pull/392)
### Changed
- Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386)
- Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383)
- Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393)
- Add the option to create agent groups and add an agent to 1 or more group. ([@rshad](https://github.com/rshad)) [PR#361](https://github.com/wazuh/wazuh-ansible/pull/361)
### Fixed
- Removed bad formed XML comments. ([@manuasir](https://github.com/manuasir)) [PR#391](https://github.com/wazuh/wazuh-ansible/pull/391)
- NodeJS node_options variable and Kibana plugin optimization fix. ([@Zenidd](https://github.com/Zenidd)) [PR#385](https://github.com/wazuh/wazuh-ansible/pull/385)
- Restrictive permissions for certificate files. ([@Zenidd](https://github.com/Zenidd)) [PR#382](https://github.com/wazuh/wazuh-ansible/pull/382)
## [v3.11.4_7.6.1]
### Added
- Update to Wazuh v3.11.4
- Support for RHEL/CentOS 8 ([@jm404](https://github.com/jm404)) [PR#377](https://github.com/wazuh/wazuh-ansible/pull/377)
### Changed
- Disabled shared configuration by default ([@jm404](https://github.com/jm404)) [PR#369](https://github.com/wazuh/wazuh-ansible/pull/369)
- Add chdir argument to Wazuh Kibana Plugin installation tasks ([@jm404](https://github.com/jm404)) [PR#375](https://github.com/wazuh/wazuh-ansible/pull/375)
- Adjustments for systems without (direct) internet connection ([@joschneid](https://github.com/joschneid)) [PR#348](https://github.com/wazuh/wazuh-ansible/pull/348)
### Fixed
- Avoid to install Wazuh API in worker nodes ([@manuasir](https://github.com/manuasir)) [PR#371](https://github.com/wazuh/wazuh-ansible/pull/371)
- Conditionals of custom Wazuh packages installation tasks ([@rshad](https://github.com/rshad)) [PR#372](https://github.com/wazuh/wazuh-ansible/pull/372)
- Fix Ansible elastic_stack-distributed template ([@francobep](https://github.com/francobep)) [PR#352](https://github.com/wazuh/wazuh-ansible/pull/352)
- Fix manager API verification ([@Zenidd](https://github.com/Zenidd)) [PR#360](https://github.com/wazuh/wazuh-ansible/pull/360)
## [v3.11.3_7.5.2]
### Added
- Update to Wazuh v3.11.3
### Fixed
- Fix Wazuh Agent configuration file for RHEL 8 ([@xr09](https://github.com/xr09)) [PR#354](https://github.com/wazuh/wazuh-ansible/pull/354)
- Fix default port used in Wazuh Agent playbook ([@jm404](https://github.com/jm404)) [PR#347](https://github.com/wazuh/wazuh-ansible/pull/347)
## [v3.11.2_7.5.1]
### Added
- Update to Wazuh v3.11.2
### Changed
- Update templates for Python 3 compatibility ([@xr09](https://github.com/xr09)) [PR#344](https://github.com/wazuh/wazuh-ansible/pull/344)
## [v3.11.1_7.5.1]
### Added
- Update to Wazuh v3.11.1
## [v3.11.0_7.5.1]
### Added
- Update to Wazuh v3.11.0
- Implemented changes to configure Wazuh API using the `wazuh.yml` file ([@xr09](https://github.com/xr09)) [PR#342](https://github.com/wazuh/wazuh-ansible/pull/342)
- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302)
- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252)
- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261)
- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270)
- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260)
- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281)
- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292)
### Changed
- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285)
- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286)
- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288)
- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304)
- Agent installation task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310)
- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320)
- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330)
- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329)
### Fixed
- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251)
- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298)
- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299)
- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
## [v3.11.0_7.3.2]
### Added
- Update to Wazuh v3.11.0
### Changed
- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b)
- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246)
### Fixed
- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36)
## [v3.10.0_7.3.2]
### Added
- Update to Wazuh v3.10.0
### Changed
- Updated Kibana [@jm404](https://github.com/jm404) [#237](https://github.com/wazuh/wazuh-ansible/pull/237)
- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222)
- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files)
- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455)
### Fixed
- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227)
- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229)
- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)
### Fixed
- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265)
## [v3.9.5_7.2.1]
### Added
- Update to Wazuh v3.9.5
- Update to Elastic Stack to v7.2.1
## [v3.9.4_7.2.0]
### Added
- Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208)
### Changed
- Default protocol to TCP [@ionphractal](https://github.com/ionphractal) [#204](https://github.com/wazuh/wazuh-ansible/pull/204).
### Fixed
- Fixed network.host is not localhost [@rshad](https://github.com/rshad) [#204](https://github.com/wazuh/wazuh-ansible/pull/212).
## [v3.9.3_7.2.0]
### Added
- Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Fixes for Wazuh components installations' related issues. Such issues were related to determined OS distributions such as `Ubuntu Trusty` and `CetOS 6`. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
- Created Ansible playbook and role in order to automate the uninstallation of already installed Wazuh components. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
## [v3.9.2_7.1.1]
### Added
- Update to Wazuh v3.9.2
- Support for Elastic 7
- Ability to deploy an Elasticsearch cluster [#6b95e3](https://github.com/wazuh/wazuh-ansible/commit/6b95e304b6ac4dfec08df5cd0fe29be9cc7dc22c)
## [v3.9.2_6.8.0]
### Added
- Update to Wazuh v3.9.2
## [v3.9.1]
### Added
- Update to Wazuh v3.9.1
- Support for ELK v6.8.0
## [v3.9.0]
### Added
- Update to Wazuh Wazuh v3.9.0 ([manuasir](https://github.com/manuasir) [#177](https://github.com/wazuh/wazuh-ansible/pull/177)).
- Support for Elasticsearch v6.7.1 ([LuisGi91](https://github.com/LuisGi91) [#168](https://github.com/wazuh/wazuh-ansible/pull/168)).
- Added Molecule testing suit ([JJediny](https://github.com/JJediny) [#151](https://github.com/wazuh/wazuh-ansible/pull/151)).
- Added Molecule tests for Wazuh Manager ([dj-wasabi](https://github.com/dj-wasabi) [#169](https://github.com/wazuh/wazuh-ansible/pull/169)).
- Added Molecule tests for Wazuh Agent ([dj-wasabi](https://github.com/dj-wasabi) [#174](https://github.com/wazuh/wazuh-ansible/pull/174)).
### Changed
- Updated network commands ([kravietz](https://github.com/kravietz) [#159](https://github.com/wazuh/wazuh-ansible/pull/159)).
- Enable active response section ([kravietz](https://github.com/kravietz) [#155](https://github.com/wazuh/wazuh-ansible/pull/155)).
### Fixed
- Fix default active response ([LuisGi93](https://github.com/LuisGi93) [#164](https://github.com/wazuh/wazuh-ansible/pull/164)).
- Changing from Oracle Java to OpenJDK ([LuisGi93](https://github.com/LuisGi93) [#173](https://github.com/wazuh/wazuh-ansible/pull/173)).
- Adding alias to agent config file template ([LuisGi93](https://github.com/LuisGi93) [#163](https://github.com/wazuh/wazuh-ansible/pull/163)).
## [v3.8.2]
### Changed
- Update to Wazuh version v3.8.2. ([#150](https://github.com/wazuh/wazuh-ansible/pull/150))
## [v3.8.1]
### Changed
- Update to Wazuh version v3.8.1. ([#148](https://github.com/wazuh/wazuh-ansible/pull/148))
## [v3.8.0]
### Added
- Added custom name for single agent registration ([#117](https://github.com/wazuh/wazuh-ansible/pull/117))
- Adapt ossec.conf file for windows agents ([#118](https://github.com/wazuh/wazuh-ansible/pull/118))
- Added labels to ossec.conf ([#135](https://github.com/wazuh/wazuh-ansible/pull/135))
### Changed
- Changed Windows installation directory ([#116](https://github.com/wazuh/wazuh-ansible/pull/116))
- move redundant tags to the outer block ([#133](https://github.com/wazuh/wazuh-ansible/pull/133))
- Adapt new version (3.8.0-6.5.4) ([#144](https://github.com/wazuh/wazuh-ansible/pull/144))
### Fixed
- Fixed a couple linting issues with yamllint and ansible-review ([#111](https://github.com/wazuh/wazuh-ansible/pull/111))
- Fixes typos: The word credentials doesn't have two consecutive e's ([#130](https://github.com/wazuh/wazuh-ansible/pull/130))
- Fixed multiple remote connection ([#120](https://github.com/wazuh/wazuh-ansible/pull/120))
- Fixed null value for wazuh_manager_fqdn ([#132](https://github.com/wazuh/wazuh-ansible/pull/132))
- Erasing extra spaces in playbooks ([#131](https://github.com/wazuh/wazuh-ansible/pull/131))
- Fixed oracle java cookies ([#143](https://github.com/wazuh/wazuh-ansible/pull/143))
### Removed
- delete useless files from wazuh-manager role ([#137](https://github.com/wazuh/wazuh-ansible/pull/137))
## [v3.7.2]
### Changed
- Adapt configuration to current release ([#106](https://github.com/wazuh/wazuh-ansible/pull/106))
## [v3.7.1]
### Added
- include template local_internal_options.conf. ([#87](https://github.com/wazuh/wazuh-ansible/pull/87))
- Add multiple Elasticsearch IPs for Logstash reports. ([#92](https://github.com/wazuh/wazuh-ansible/pull/92))
### Changed
- Changed windows agent version. ([#89](https://github.com/wazuh/wazuh-ansible/pull/89))
- Updating to Elastic Stack to 6.5.3 and Wazuh 3.7.1. ([#108](https://github.com/wazuh/wazuh-ansible/pull/108))
### Fixed
- Solve the conflict betwwen tha agent configuration and the shared master configuration. Also include monitoring for `/var/log/auth.log`. ([#90](https://github.com/wazuh/wazuh-ansible/pull/90))
- Moved custom_ruleset files. ([#98](https://github.com/wazuh/wazuh-ansible/pull/98))
- Add authlog fix to localfile. ([#99](https://github.com/wazuh/wazuh-ansible/pull/99))
- Exceptions reload systemd. ([#114](https://github.com/wazuh/wazuh-ansible/pull/114))
### Removed
- clean old code for windows agent. ([#86](https://github.com/wazuh/wazuh-ansible/pull/86))
## v3.7.0-3701
### Added
- Amazon Linux deployments are now supported ([#71](https://github.com/wazuh/wazuh-ansible/pull/71)) and for the old repository structure ([#67](https://github.com/wazuh/wazuh-ansible/pull/67))
- Added the option to add rule files and decoders directly over the local rule and decoder directories in /var/ossec/etc ([#81](https://github.com/wazuh/wazuh-ansible/pull/81)).
- Added the necessary variables to configure a new configuration template for the Wazuh API ([#80](https://github.com/wazuh/wazuh-ansible/pull/80)).
- Added the option to verify the shared configuration for agents set in the manager ([#76](https://github.com/wazuh/wazuh-ansible/pull/76)).
- Added the option to configure the active response ([#75](https://github.com/wazuh/wazuh-ansible/pull/75)).
### Changed
- Repository restructure.
- Extended conditions to register a Wazuh agent. Now will register the agent in cases where there is no client.keys or the file exists but this empty ([#79](https://github.com/wazuh/wazuh-ansible/pull/79)).
- Grouping of tasks in a block under the same condition to improve the efficiency of the code ([#74](https://github.com/wazuh/wazuh-ansible/pull/74)).
- Improved efficiency of the Java repository ([#73](https://github.com/wazuh/wazuh-ansible/pull/73)).
### Fixed
- Fix oracle java cookie ([#71](https://github.com/wazuh/wazuh-ansible/pull/71)).
- include the logall_json label in ossec.conf template. This was causing an error when recreating the cdb_lists ([#84](https://github.com/wazuh/wazuh-ansible/pull/84)).
## v3.6.0
Ansible starting point.
Roles:
- Elastic Stack:
- ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it.
- ansible-kibana: Using this role we will install Kibana on the host that runs it.
- Wazuh:
- ansible-filebeat: This role is prepared to install filebeat on the host that runs it.
- ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it.
- ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it.

475
LICENSE Normal file

@ -0,0 +1,475 @@
Portions Copyright (C) 2017, Wazuh, Inc.
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
This program is a free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the FSF - Free Software Foundation.
In addition, certain source files in this program permit linking with the
OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed
under the GPL. For purposes of identifying OpenSSL, most source files giving
this permission limit it to versions of OpenSSL having a license identical to
that listed in this file (see section "OpenSSL LICENSE" below). It is not
necessary for the copyright years to match between this file and the OpenSSL
version in question. However, note that because this file is an extension of
the license statements of these source files, this file may not be changed
except with permission from all copyright holders of source files in this
program which reference this file.
Note that this license applies to the source code, as well as
decoders, rules and any other data file included with OSSEC (unless
otherwise specified).
For the purpose of this license, we consider an application to constitute a
"derivative work" or a work based on this program if it does any of the
following (list not exclusive):
* Integrates source code/data files from OSSEC.
* Includes OSSEC copyrighted material.
* Includes/integrates OSSEC into a proprietary executable installer.
* Links to a library or executes a program that does any of the above.
This list is not exclusive, but just a clarification of our interpretation
of derived works. These restrictions only apply if you actually redistribute
OSSEC (or parts of it).
We don't consider these to be added restrictions on top of the GPL,
but just a clarification of how we interpret "derived works" as it
applies to OSSEC. This is similar to the way Linus Torvalds has
announced his interpretation of how "derived works" applies to Linux kernel
modules. Our interpretation refers only to OSSEC - we don't speak
for any other GPL products.
* As a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License Version 2 below for more details.
-----------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
-------------------------------------------------------------------------------
OpenSSL License
---------------
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.
OpenSSL License
---------------
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the routines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

45
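--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,45 @@
+# Wazuh Open Source Project Security Policy
+Version: 2023-06-12
+## Introduction
+This document outlines the Security Policy for Wazuh's open source projects. It emphasizes our commitment to maintain a secure environment for our users and contributors, and reflects our belief in the power of collaboration to identify and resolve security vulnerabilities.
+## Scope
+This policy applies to all open source projects developed, maintained, or hosted by Wazuh.
+## Reporting Security Vulnerabilities
+If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly.
+Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [security@wazuh.com](mailto:security@wazuh.com).
+## Vulnerability Disclosure Policy
+Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps:
+1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation.
+2. Validation: We will validate the issue and work on reproducing it in our environment.
+3. Remediation: We will work on a fix and thoroughly test it
+4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party.
+5. Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments.
+This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability.
+## Automatic Scanning
+We leverage GitHub Actions to perform automated scans of our supply chain. These scans assist us in identifying vulnerabilities and outdated dependencies in a proactive and timely manner.
+## Credit
+We believe in giving credit where credit is due. If you report a security vulnerability to us, and we determine that it is a valid vulnerability, we will publicly credit you for the discovery when we disclose the vulnerability. If you wish to remain anonymous, please indicate so in your initial report.
+We do appreciate and encourage feedback from our community, but currently we do not have a bounty program. We might start bounty programs in the future.
+## Compliance with this Policy
+We consider the discovery and reporting of security vulnerabilities an important public service. We encourage responsible reporting of any vulnerabilities that may be found in our site or applications.
+Furthermore, we will not take legal action against or suspend or terminate access to the site or services of those who discover and report security vulnerabilities in accordance with this policy because of the fact.
+We ask that all users and contributors respect this policy and the security of our community's users by disclosing vulnerabilities to us in accordance with this policy.
+## Changes to this Security Policy
+This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date.
+If you have any questions about this Security Policy, please contact us at [security@wazuh.com](mailto:security@wazuh.com)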

2
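--- /dev/null
+++ b/VERSION
@@ -0,0 +1,2 @@
+WAZUH-ANSIBLE_VERSION="v4.9.1"
+REVISION="40914"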

2
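--- /dev/null
+++ b/playbooks/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+hash_behaviour=merge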
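Review bot: `hash_behaviour=merge` silently changes how every dictionary variable is combined for every play run from this directory, and Ansible's documentation steers users toward the `combine` filter instead, so the setting deserves a comment saying why it is needed. The playbooks in this commit override only single keys of role dictionaries such as `wazuh_manager_config`, which is presumably the reason — with the default `replace` behaviour the role's remaining defaults inside that dict would be lost. I would add `# merge: playbooks override individual keys of role dict vars (wazuh_manager_config, ...) without dropping the role defaults` above the line, and warn that inventory/group_vars dicts are merged the same way, which surprises operators who reuse these playbooks with their own variables.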


@ -0,0 +1,6 @@
---
- hosts: wi1
roles:
- role: ../roles/wazuh/wazuh-dashboard
vars:
ansible_shell_allow_world_readable_temp: true
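Review bot: `ansible_shell_allow_world_readable_temp: true` on the last line tells Ansible to fall back to a world-readable remote temp directory whenever it cannot secure the files for a become-to-unprivileged-user step, so the module arguments — which for this role include the dashboard and API credentials — become readable by any local user on the target while the task runs. The filebeat role in this same commit installs `acl` precisely so that fallback is never needed; do the same here (or run the play as `become_user: root` like the other playbooks) and drop the variable. If it has to stay, mark it: `# NOTE: exposes module args in the target's temp dir to other local users; test hosts only`.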


@ -0,0 +1,20 @@
---
- hosts: wi_cluster
roles:
- role: ../roles/wazuh/wazuh-indexer
vars:
instances: # A certificate will be generated for every node using the name as CN.
node1:
name: node-1
ip: <node-1 IP>
role: indexer
node2:
name: node-2
ip: <node-2 IP>
role: indexer
node3:
name: node-3
ip: <node-3 IP>
role: indexer


@ -0,0 +1,50 @@
---
# Wazuh cluster without Filebeat
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
- hosts: worker01
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'


@ -0,0 +1,9 @@
---
- hosts: managers
roles:
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
filebeat_output_indexer_hosts:
- "<indexer-node-1>:9200"
- "<indexer-node-2>:9200"
- "<indexer-node-2>:9200"


@ -0,0 +1,176 @@
---
# Certificates generation
- hosts: wi1
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
perform_installation: false
become: no
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
tags:
- generate-certs
# Wazuh indexer cluster
- hosts: wi_cluster
strategy: free
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
become: yes
become_user: root
vars:
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
# Wazuh cluster
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
filebeat_node_name: node-4
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
- hosts: worker
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
filebeat_node_name: node-5
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
# Wazuh dashboard node
- hosts: dashboard
roles:
- role: "../roles/wazuh/wazuh-dashboard"
become: yes
become_user: root
vars:
indexer_network_host: "{{ hostvars.wi1.private_ip }}"
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
dashboard_node_name: node-6
wazuh_api_credentials:
- id: default
url: https://{{ hostvars.manager.private_ip }}
port: 55000
username: custom-user
password: SecretPassword1!
ansible_shell_allow_world_readable_temp: true
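Review bot: For a playbook presented as production-ready, the cluster key `c98b62a9b6169ac5f67dae55ae4a9088` and the password `SecretPassword1!` are committed in clear text and duplicated across the manager, worker and dashboard plays, so a rotation has to touch four places and the git history keeps the old values forever. Move them to group_vars protected by Ansible Vault (`wazuh_cluster_key`, `wazuh_api_password`) and reference them as `key: "{{ wazuh_cluster_key }}"` and `password: "{{ wazuh_api_password }}"` in all four spots. The dashboard play additionally sets `ansible_shell_allow_world_readable_temp: true`, which lets Ansible fall back to world-readable remote temp files when it cannot secure a become step; that play already runs with `become_user: root`, so the setting is redundant and should be removed rather than copied forward.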


@ -0,0 +1,40 @@
---
# Certificates generation
- hosts: aio
roles:
- role: ../roles/wazuh/wazuh-indexer
perform_installation: false
become: no
#become_user: root
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
tags:
- generate-certs
# Single node
- hosts: aio
become: yes
become_user: root
roles:
- role: ../roles/wazuh/wazuh-indexer
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
- role: ../roles/wazuh/wazuh-dashboard
vars:
single_node: true
minimum_master_nodes: 1
indexer_node_master: true
indexer_network_host: 127.0.0.1
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- 127.0.0.1
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
ansible_shell_allow_world_readable_temp: true
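Review bot: The second play already runs with `become: yes` and `become_user: root`, so `ansible_shell_allow_world_readable_temp: true` on the last line buys nothing and only weakens the run: Ansible would accept world-readable remote temp files, with the indexer and dashboard credentials in them, instead of failing. If it is a leftover from debugging a host without `acl`/`setfacl`, remove it; if there is a real reason, document it with `# NOTE: needed because <reason>; exposes module args to local users during the task`.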


@ -0,0 +1,49 @@
---
kibana_node_name: node-1
elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_conf_path: /etc/kibana
elastic_stack_version: 7.10.2
wazuh_version: 4.4.1
wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://localhost"
port: 55000
username: "wazuh"
password: "wazuh"
# Xpack Security
kibana_xpack_security: false
kibana_ssl_verification_mode: "full"
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_destination: /etc/kibana/certs
# CA Generation
master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
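Review bot: `wazuh_api_credentials` defaults to `wazuh`/`wazuh`, `elasticsearch_xpack_security_password` to `elastic_pass`, and `kibana_server_host` to `0.0.0.0` with `kibana_xpack_security: false`, so an unmodified run of this role publishes an unauthenticated Kibana on every interface, holding well-known API credentials. Defaults are the right place for placeholders, but they should be obviously unusable and commented — e.g. `password: "CHANGEME"  # must be overridden (vault); the role should refuse to run with this value` — ideally backed by an `assert` task in the role that fails while any of them is still at its default. The `nodejs.repo_url_ext: nodesource.com/setup_10.x` entry also points at a Node 10 setup script, a release line that to my knowledge is long past end-of-life; confirm how the role consumes it and whether the Kibana version actually needs it.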


@ -0,0 +1,57 @@
---
# Kibana configuration
elasticsearch_http_port: 9200
elastic_api_protocol: https
kibana_conf_path: /etc/kibana
kibana_node_name: node-1
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
elastic_stack_version: 7.10.2
wazuh_version: 4.4.1
wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana
# The OpenDistro package repository
kibana_opendistro_version: 1.13.2-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts
package_repos:
yum:
opendistro:
baseurl: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
apt:
opendistro:
baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://localhost"
port: 55000
username: "wazuh"
password: "wazuh"
# opendistro Security
kibana_opendistro_security: true
kibana_newsfeed_enabled: "false"
kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false"
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme
local_certs_path: "{{ playbook_dir }}/opendistro/certificates"
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536
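Review bot: `opendistro_admin_password: changeme` and `opendistro_kibana_password: changeme` are the OpenDistro security credentials this role pushes into Kibana's configuration, and combined with `kibana_server_host: "0.0.0.0"` an unmodified run exposes a dashboard whose backend superuser password is the public placeholder. Keep the placeholders but make the role fail closed: comment each with `# placeholder — override via vault; deployment must not proceed with this value` and add an `assert` in the role's tasks that rejects `changeme`. The version comment on `kibana_opendistro_version` asks the operator to hand-edit `-` to `=` per OS family; `"1.13.2{{ '=' if ansible_os_family == 'Debian' else '-' }}1"` in the task that uses it would remove that manual step, but that is a convenience point, not a security one.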


@ -0,0 +1,38 @@
Ansible Role: Filebeat for Elastic Stack
------------------------------------
An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_indexer_hosts:
- "localhost:9200"
```
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-filebeat
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -0,0 +1,29 @@
---
filebeat_version: 7.10.2
wazuh_template_branch: v4.9.1
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- "localhost"
filebeat_module_package_name: wazuh-filebeat-0.4.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
indexer_security_user: admin
indexer_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (Opensearch security plugin)
local_certs_path: "{{ playbook_dir }}/indexer/certificates"
filebeatrepo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main"
yum: 'https://packages.wazuh.com/4.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
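Review bot: `indexer_security_password: changeme` is the indexer `admin` credential that the filebeat.yml template in this commit writes to `/etc/filebeat/filebeat.yml`, so a run that forgets to override it ships Filebeat with the placeholder password for the indexer superuser; annotate it as `indexer_security_password: changeme  # placeholder, override via vault — role should assert it was changed`. Separately, the default `filebeat_output_indexer_hosts` entry is `"localhost"` while the role README in this commit documents `"localhost:9200"`; Filebeat supplies 9200 when no port is given, so both work, but the two should agree so operators know whether to include the port. A comment noting that `local_certs_path` must point at the directory the indexer role's certificate generation wrote to (`wazuh-certificates/` underneath it, per `security_actions.yml`) would also save a failed first run.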


@ -0,0 +1,3 @@
---
- name: restart filebeat
service: name=filebeat state=restarted


@ -0,0 +1,29 @@
---
dependencies: []
galaxy_info:
author: Wazuh
description: Installing and maintaining Filebeat-oss.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- all
- name: Debian
versions:
- jessie
- name: Ubuntu
versions:
- precise
- trusty
- xenial
galaxy_tags:
- web
- system
- monitoring


@ -0,0 +1,32 @@
---
- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl
apt:
name:
- apt-transport-https
- ca-certificates
- acl
state: present
register: filebeat_ca_packages_install
until: filebeat_ca_packages_install is succeeded
- name: Debian/Ubuntu | Download Filebeat apt key.
get_url:
url: "{{ filebeatrepo.gpg }}"
dest: "{{ filebeatrepo.path }}"
- name: Import Filebeat GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ filebeatrepo.keyring_path }} --import {{ filebeatrepo.path }}"
args:
creates: "{{ filebeatrepo.keyring_path }}"
- name: Set permissions for Filebeat GPG key
file:
path: "{{ filebeatrepo.keyring_path }}"
mode: '0644'
- name: Debian/Ubuntu | Add Filebeat-oss repository.
apt_repository:
repo: "{{ filebeatrepo.apt }}"
state: present
update_cache: true
changed_when: false
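Review bot: The signing key is downloaded with `get_url` and imported into the keyring without any check of its checksum or fingerprint, so the trust anchor for every package this role installs is simply whatever `packages.wazuh.com` served at that moment; TLS protects the transport, not a swapped or compromised key. Add `checksum: "sha256:<expected>"` to the `get_url` task, or a follow-up task that lists the keyring and asserts the expected fingerprint — the kibana defaults in this commit already carry a `key_id` for the Elastic key, so a `filebeatrepo.key_id` entry following that pattern fits here (I have not verified the Wazuh key's fingerprint, so fill it in from an out-of-band source). Note also that `creates: "{{ filebeatrepo.keyring_path }}"` means a rotated key is never imported on hosts that already have the keyring, and `changed_when: false` on the `apt_repository` task hides a genuine change from the play recap.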


@ -0,0 +1,6 @@
---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository:
repo: "{{ filebeatrepo.apt }}"
state: absent
changed_when: false


@ -0,0 +1,6 @@
---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false


@ -0,0 +1,9 @@
---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository:
name: wazuh_repo
description: Wazuh Repo
baseurl: "{{ filebeatrepo.yum }}"
gpgkey: "{{ filebeatrepo.gpg }}"
gpgcheck: true
changed_when: false


@ -0,0 +1,22 @@
---
- block:
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
- name: Fetch latest Wazuh alerts template
get_url:
url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags:
- configure
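Review bot: `wazuh-template.json` is fetched live from raw.githubusercontent.com at `wazuh_template_branch` — a git tag, which can be moved — with no `checksum:` on the `get_url`, and the filebeat.yml template in this commit installs it with `setup.template.overwrite: true`, so the index template every alert is mapped against is whatever GitHub returns at run time. Pin it with `checksum: "sha256:<value for the tagged release>"` or ship the file inside the role and use `copy:`; either way the play then fails closed on a tampered or altered download instead of restarting Filebeat with it. A short comment on the task naming which release the file is pinned to would make future bumps deliberate.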


@ -0,0 +1,89 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat | Redhat
yum:
name: "filebeat-{{ filebeat_version }}"
state: present
register: install
tags:
- install
- init
when: ansible_os_family == 'RedHat'
- name: Install Filebeat | Debian
apt:
name: "filebeat={{ filebeat_version }}"
state: present
register: install
tags:
- install
- init
until: "install is not failed"
retries: 10
delay: 10
when: ansible_os_family == 'Debian'
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpack Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
notify: restart filebeat
- include_tasks: security_actions.yml
when: filebeat_security
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"


@ -0,0 +1,26 @@
- block:
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
owner: root
group: root
mode: 500
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
owner: root
group: root
mode: 400
with_items:
- "{{ filebeat_node_name }}-key.pem"
- "{{ filebeat_node_name }}.pem"
- "root-ca.pem"
tags:
- security
when:
- filebeat_security
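Review bot: `mode: 500` and `mode: 400` are unquoted integers with no leading zero; the Ansible file/copy module documentation states that such values are interpreted as decimal, so 500 becomes 0764 and 400 becomes 0620 — the private key `{{ filebeat_node_name }}-key.pem` would land group-writable rather than owner-read-only, and the directory world-readable. Write them as strings: `mode: "0500"` on the directory task and `mode: "0400"` on the copy task (and quote the `0400` in `config.yml` as well, since the docs note the leading-zero form is not reliable in every context). A one-line comment that the `-key.pem` file is the node's TLS private key would explain why the mode matters.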


@ -0,0 +1,42 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Wazuh indexer
output.elasticsearch:
hosts:
{% for item in filebeat_output_indexer_hosts %}
- {{ item }}
{% endfor %}
{% if filebeat_security %}
username: {{ indexer_security_user }}
password: "{{ indexer_security_password }}"
protocol: https
ssl.certificate_authorities:
- {{ filebeat_ssl_dir }}/root-ca.pem
ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
{% endif %}
# Optional. Send events to Logstash instead of Wazuh indexer
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq
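Review bot: The templated values under `output.elasticsearch` are rendered unquoted — `- {{ item }}` for every host, `username: {{ indexer_security_user }}` and the `ssl.certificate_authorities` entry — while `password`, `ssl.certificate` and `ssl.key` are quoted, so the rendered file's parse depends on the value: an IPv6 host such as `[::1]:9200` becomes a flow sequence and a user name that YAML resolves to a non-string type is mis-typed. Quote them consistently: `- "{{ item }}"`, `username: "{{ indexer_security_user }}"` and `- "{{ filebeat_ssl_dir }}/root-ca.pem"`. Note also that when `filebeat_security` is false no `protocol:` is written, so Filebeat uses its default plain-HTTP transport to the indexer; a comment above the `{% if filebeat_security %}` block saying so would make that trade-off explicit to whoever edits the defaults.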


@ -0,0 +1,36 @@
---
filebeat_version: 7.10.2
wazuh_template_branch: v4.4.1
filebeat_create_config: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
# Xpack Security
filebeat_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
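Review bot: The variable names in these defaults do not match what the template and tasks in this commit read: the defaults define `filebeat_output_elasticsearch_hosts`, `filebeat_xpack_security`, `elasticsearch_xpack_security_user`/`_password` and `node_certs_destination`, whereas the Filebeat template iterates `filebeat_output_indexer_hosts` and uses `filebeat_security`, `indexer_security_user`/`_password` and `filebeat_ssl_dir`. Unless those newer names are defined in a vars file not shown here, the defaults are dead and a play that does not set `filebeat_output_indexer_hosts` itself fails with an undefined variable at render time. Renaming the defaults to the names the template uses (e.g. `filebeat_output_indexer_hosts:` in place of `filebeat_output_elasticsearch_hosts:`) keeps the role self-contained. Separately, there is no checksum variable alongside `filebeat_module_package_url`/`_name`, so the module tarball staged in `/tmp/` is extracted into `/usr/share/filebeat/module` unverified; a `filebeat_module_package_checksum: "sha256:<EXPECTED_SHA256>"` default that the download task can pass to `get_url` would close that gap.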


@ -0,0 +1,60 @@
Ansible Playbook - Wazuh agent
==============================
This role will install and configure a Wazuh Agent.
OS Requirements
----------------
This role is compatible with:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
* Windows
* macOS
Role Variables
--------------
* `wazuh_managers`: Collection of Wazuh Managers' IP address, port, and protocol used by the agent
* `wazuh_agent_authd`: Collection with the settings to register an agent using authd.
Playbook example
----------------
The following is an example of how this role can be used:
- hosts: all:!wazuh-manager
roles:
- ansible-wazuh-agent
vars:
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: 'ansible'
wazuh_agent_authd:
registration_address: 127.0.0.1
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi
- https://github.com/dj-wasabi/ansible-ossec-server
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -0,0 +1,376 @@
---
wazuh_agent_version: 4.9.1
# Custom packages installation
wazuh_custom_packages_installation_agent_enabled: false
wazuh_custom_packages_installation_agent_deb_url: ""
wazuh_custom_packages_installation_agent_rpm_url: ""
wazuh_agent_yum_lock_timeout: 30
# We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials.
api_pass: wazuh
authd_pass: ''
wazuh_api_reachable_from_agent: yes
wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_profile_macos: 'darwin, darwin21, darwin21.1'
wazuh_auto_restart: 'yes'
wazuh_notify_time: '10'
wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes'
wazuh_winagent_config:
download_dir: C:\
install_dir: C:\Program Files\ossec-agent\
install_dir_x86: C:\Program Files (x86)\ossec-agent\
auth_path: C:\Program Files\ossec-agent\agent-auth.exe
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_sha512: True
# macOS deployment
wazuh_macos_config:
download_dir: /tmp/
install_dir: /Library/Ossec/
wazuh_dir: "/var/ossec"
# This is deprecated, see: wazuh_agent_address
wazuh_agent_nat: false
##########################################
### Wazuh
##########################################
wazuh_agent_nolog_sensible: yes
wazuh_agent_config_overlay: yes
# This is a middle ground between breaking existing uses of wazuh_agent_nat
# and allow working with agents having several network interfaces
wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}'
# List of managers. The first one with register variable declared *and* set to true
# is the one used to register the agent. Otherwise, the first one in the list will be used.
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: https
api_user: wazuh
max_retries: 5
retry_interval: 5
register: yes
## Authentication Method: Enrollment section (4.x)
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment
wazuh_agent_enrollment:
enabled: 'yes'
manager_address: ''
port: 1515
agent_name: ''
groups: ''
agent_address: ''
ssl_ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path: "{{ wazuh_dir }}/etc/authd.pass"
authorization_pass_path_macos: "/etc/authd.pass"
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
## Authentication Method: invoking agent-auth
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/registering/password-authorization-registration.html
wazuh_agent_authd:
registration_address: 127.0.0.1
enable: false
port: 1515
agent_name: null
groups: []
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
ssl_auto_negotiate: 'no'
## Authentication Method: REST API
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/registering/restful-api-registration.html
wazuh_agent_api_validate: yes
## Client buffer
wazuh_agent_client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
## Rootcheck
wazuh_agent_rootcheck:
frequency: 43200
## Wodles
wazuh_agent_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_agent_cis_cat:
disable: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
wazuh_agent_osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
wazuh_agent_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
## SCA
wazuh_agent_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Syscheck
wazuh_agent_syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
win_audit_interval: 60
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
macos_directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin
checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
## Localfile
wazuh_agent_localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: "{{ wazuh_dir }}/logs/active-responses.log"
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
macos:
- format: 'full_command'
command: netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
alias: 'netstat listening ports'
frequency: '360'
- format: 'macos'
location: 'macos'
query:
type: 'trace,log,activity'
level: 'info'
value: (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
## Labels
wazuh_agent_labels:
enable: false
list:
- key: Env
value: Production
## Active response
wazuh_agent_active_response:
ar_disabled: 'no'
ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem"
ca_store_win: 'wpk_root.pem'
ca_store_macos: 'etc/wpk_root.pem'
ca_verification: 'yes'
## Logging
wazuh_agent_log_format: 'plain'
# wazuh_agent_config
wazuh_agent_config_defaults:
repo: '{{ wazuh_repo }}'
active_response: '{{ wazuh_agent_active_response }}'
log_format: '{{ wazuh_agent_log_format }}'
client_buffer: '{{ wazuh_agent_client_buffer }}'
syscheck: '{{ wazuh_agent_syscheck }}'
rootcheck: '{{ wazuh_agent_rootcheck }}'
openscap: '{{ wazuh_agent_openscap }}'
osquery: '{{ wazuh_agent_osquery }}'
syscollector: '{{ wazuh_agent_syscollector }}'
sca: '{{ wazuh_agent_sca }}'
cis_cat: '{{ wazuh_agent_cis_cat }}'
localfiles: '{{ wazuh_agent_localfiles }}'
labels: '{{ wazuh_agent_labels }}'
enrollment: '{{ wazuh_agent_enrollment }}'
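Review bot: The default `wazuh_managers` entry carries no `validate_certs` key, and the Linux REST-API registration tasks fall back to `validate_certs: default(false)`, so by default `api_user`/`api_pass` and the agent key returned by the manager travel over HTTPS with certificate verification disabled without the operator ever seeing that choice. Add the key explicitly to the entry, e.g. `validate_certs: false  # set true once the manager API presents a certificate the agent trusts`, so the knob is visible where the manager is configured. The bare YAML 1.1 truthy forms used for Ansible booleans here — `wazuh_api_reachable_from_agent: yes`, `wazuh_agent_nolog_sensible: yes`, `register: yes` and `check_sha512: True` — should be `true` for consistency with `enable: false`, `enabled: true` and similar keys in the same file; the quoted `'yes'`/`'no'` strings destined for ossec.conf are a different case and can stay.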


@ -0,0 +1,9 @@
---
- name: restart wazuh-agent
service: name=wazuh-agent state=restarted enabled=yes
- name: Windows | Restart Wazuh Agent
win_service: name=WazuhSvc start_mode=auto state=restarted
- name: macOS | Restart Wazuh Agent
command: /Library/Ossec/bin/wazuh-control restart
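Review bot: The first two handlers use the `key=value` shorthand (`service: name=wazuh-agent state=restarted enabled=yes`, `win_service: name=WazuhSvc start_mode=auto state=restarted`), which the rest of the role avoids and which ansible-lint flags; the `enabled=yes` form is also a truthy string rather than a boolean. Write them as block arguments, e.g. `service:` / `name: wazuh-agent` / `state: restarted` / `enabled: true`, and likewise for `win_service`.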


@ -0,0 +1,23 @@
---
galaxy_info:
author: Wazuh
description: Installing, deploying and configuring Wazuh Agent.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- monitoring
dependencies: []


@ -0,0 +1,122 @@
---
- name: Update apt-get repo and cache
apt:
update_cache: yes
force_apt_get: yes
cache_valid_time: 3600
- name: Debian/Ubuntu | Install ca-certificates and gnupg
apt:
name:
- ca-certificates
- gnupg
state: present
register: wazuh_agent_ca_package_install
until: wazuh_agent_ca_package_install is succeeded
- name: Debian/Ubuntu | Install apt-transport-https and acl
apt:
name:
- apt-transport-https
- acl
state: present
register: wazuh_agent_ca_package_install
until: wazuh_agent_ca_package_install is succeeded
when: not (ansible_distribution == "Debian" and ansible_distribution_major_version in ['11'])
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Download Wazuh repository key
get_url:
url: "{{ wazuh_agent_config.repo.gpg }}"
dest: "{{ wazuh_agent_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Import Wazuh GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_agent_config.repo.keyring_path }} --import {{ wazuh_agent_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
args:
creates: "{{ wazuh_agent_config.repo.keyring_path }}"
- name: Debian/Ubuntu | Set permissions for Wazuh GPG key
file:
path: "{{ wazuh_agent_config.repo.keyring_path }}"
mode: '0644'
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
filename: wazuh_repo
repo: "{{ wazuh_agent_config.repo.apt }}"
state: present
update_cache: true
when:
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
block:
- name: Debian/Ubuntu | Install OpenJDK 1.8
apt: name=openjdk-8-jre state=present cache_valid_time=3600
tags:
- init
- name: Debian/Ubuntu | Install OpenScap
apt:
name:
- libopenscap8
- xsltproc
state: present
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- init
register: wazuh_agent_OpenScap_package_install
until: wazuh_agent_OpenScap_package_install is succeeded
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version
changed_when: false
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid
changed_when: false
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- config
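Review bot: The "Download Wazuh repository key" task fetches the signing key with `get_url` and no `checksum`, and the following task imports whatever was fetched into the keyring that signs every later `apt` install, so the trust anchor for the whole role is the URL's response at download time. Pin it with a `checksum: "sha256:<EXPECTED_KEY_SHA256>"` line on that `get_url`, or verify the imported key's fingerprint before the repository is added. The Ubuntu 14 task still passes `args: warn: false` to `shell`; as far as I know that parameter was removed from the command/shell modules in ansible-core 2.14, so that task errors on a current controller even though it is normally skipped by its `when`. The `apt: name=openjdk-8-jre state=present cache_valid_time=3600` line is the one `key=value` shorthand in this file; block arguments would match the other tasks.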


@ -0,0 +1,271 @@
---
- include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_agent_enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
yum:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'
when:
- ansible_os_family|lower == "redhat"
- not wazuh_custom_packages_installation_agent_enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}-*"
state: present
cache_valid_time: 3600
when:
- ansible_os_family|lower != "redhat"
- not wazuh_custom_packages_installation_agent_enabled
- not ansible_check_mode
tags:
- init
- name: Linux | Check if client.keys exists
stat:
path: "{{ wazuh_dir }}/etc/client.keys"
register: client_keys_file
tags:
- config
- name: Linux | Agent registration via authd
block:
- name: Copy CA root certificate to verify authd
copy:
src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
dest: "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
mode: 0644
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- name: Copy TLS/SSL certificate for agent verification
copy:
src: "{{ item }}"
dest: "{{ wazuh_dir }}/etc/{{ item | basename }}"
mode: 0644
with_items:
- "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}"
when:
- wazuh_agent_authd.ssl_agent_cert is not none
- wazuh_agent_authd.ssl_agent_key is not none
- name: Linux | Register agent (via authd)
shell: >
{{ wazuh_dir }}/bin/agent-auth
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key received"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when:
- wazuh_agent_authd.enable | bool
- wazuh_agent_config.enrollment.enabled != 'yes'
tags:
- config
- authd
- name: Linux | Agent registration via rest-API
block:
- name: Establish target Wazuh Manager for registration task
set_fact:
target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
vars:
manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
manager_fallback: "{{ wazuh_managers | list }}"
- name: Linux | Obtain JWT Token
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
method: POST
url_username: '{{ target_manager.api_user }}'
url_password: '{{ api_pass }}'
status_code: 200
return_content: yes
force_basic_auth: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_jwt_result.json.error == 0
register: api_jwt_result
become: no
tags:
- config
- api
- name: Linux | Create the agent key via rest-API
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
method: POST
body_format: json
body:
name: '{{ agent_name }}'
ip: '{{ wazuh_agent_address }}'
force_time: 1
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_agent_post.json.error == 0
register: api_agent_post
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
tags:
- config
- api
- name: Linux | Validate registered agent key matches manager record
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
method: GET
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
register: api_agent_validation
vars:
agent_id: '{{ api_agent_post.json.data.id }}'
agent_key: '{{ api_agent_post.json.data.key }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
when:
- wazuh_agent_api_validate | bool
- api_agent_post.json.error == 0
tags:
- config
- api
- name: Linux | Import Key (via rest-API)
command: "{{ wazuh_dir }}/bin/manage_agents"
environment:
OSSEC_ACTION: i
OSSEC_AGENT_NAME: '{{ agent_name }}'
OSSEC_AGENT_IP: '{{ wazuh_agent_address }}'
OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}'
OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
notify: restart wazuh-agent
when:
- not ( wazuh_agent_authd.enable | bool )
- wazuh_agent_config.enrollment.enabled != 'yes'
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
tags:
- config
- api
- name: Linux | Agent registration via auto-enrollment
debug:
msg: Agent registration will be performed through enrollment option in templated ossec.conf
when: wazuh_agent_config.enrollment.enabled == 'yes'
- name: Linux | Ensure group "wazuh" exists
ansible.builtin.group:
name: wazuh
state: present
- name: Linux | Installing agent configuration (ossec.conf)
template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_dir }}/etc/local_internal_options.conf"
owner: root
group: wazuh
mode: 0640
notify: restart wazuh-agent
tags:
- init
- config
- name: Create auto-enrollment password file
template:
src: authd_pass.j2
dest: "{{ wazuh_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
when:
- wazuh_agent_config.enrollment.enabled == 'yes'
- wazuh_agent_config.enrollment.authorization_pass_path | length > 0
- authd_pass | length > 0
tags:
- config
- name: Linux | Ensure Wazuh Agent service is started and enabled
service:
name: wazuh-agent
enabled: true
state: started
tags: config
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"
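Review bot: The authd registration task "Linux | Register agent (via authd)" puts `-P {{ authd_pass }}` on the `agent-auth` command line, registers the result and has no `no_log`, so the enrollment password appears in the process list on the host and in Ansible's output and callbacks (the registered `cmd` field contains it); the Windows "Register agent" task has the same construction with `-P {{ authd_pass }}`. Add `no_log: "{{ wazuh_agent_nolog_sensible | bool }}"` to both tasks, matching what the REST-API tasks in this file already do. The follow-up "Linux | Verify agent registration" task then expands the whole registered dict into a shell command, `echo {{ agent_auth_output }} | grep "Valid key received"`, which re-exposes the password and is fragile since the dict's braces and quotes are passed unescaped; replace that task with `failed_when: "'Valid key received' not in agent_auth_output.stdout"` on the registration task itself. Also note that the `changed_when: api_jwt_result.json.error == 0` on the JWT task marks every successful login as a change, which makes every run report changed even when nothing was registered.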


@ -0,0 +1,6 @@
---
- name: Remove Wazuh repository (and clean up left-over metadata)
apt_repository:
repo: "{{ wazuh_agent_config.repo.apt }}"
state: absent
changed_when: false


@ -0,0 +1,6 @@
---
- name: Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false


@ -0,0 +1,66 @@
---
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_agent_config.repo.yum }}5/"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_custom_packages_installation_agent_enabled
register: repo_v5_installed
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_agent_config.repo.yum }}"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- repo_v5_installed is skipped
- not wazuh_custom_packages_installation_agent_enabled
- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
yum: name=java-1.8.0-openjdk state=present
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Set Distribution CIS filename for RHEL5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
- name: Set Distribution CIS filename for RHEL6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
- name: Set Distribution CIS filename for RHEL7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "7"
- name: Set Distribution CIS filename for RHEL7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/RedHat | Install openscap
package: name=openscap-scanner state=present
register: wazuh_agent_openscap_package_install
until: wazuh_agent_openscap_package_install is succeeded
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- init
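Review bot: Both `yum_repository` tasks carry `changed_when: false`, so adding the Wazuh repository is never reported as a change; that hides real drift and is not needed for idempotency since `yum_repository` already reports unchanged when the file matches. Drop the two `changed_when: false` lines. The `gpgkey` is a URL, so the first package install fetches and accepts the key non-interactively; importing it beforehand with `rpm_key` and its `fingerprint: "<EXPECTED_KEY_FINGERPRINT>"` option pins the trust anchor instead of trusting whatever the URL serves at install time. The `yum: name=java-1.8.0-openjdk state=present` and `package: name=openscap-scanner state=present` lines are the only `key=value` shorthand here; block arguments would match the rest of the file.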


@ -0,0 +1,114 @@
---
- name: Windows | Check if Program Files (x86) exists
win_stat:
path: C:\Program Files (x86)
register: check_path
- name: Windows | Set Win Path (x86)
set_fact:
wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}"
wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
when:
- check_path.stat.exists
- name: Windows | Set Win Path (x64)
set_fact:
wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}"
wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}"
when:
- not check_path.stat.exists
- name: Windows | Check if Wazuh installer is already downloaded
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
register: wazuh_package_downloaded
- name: Windows | Download Wazuh Agent package
win_get_url:
url: "{{ wazuh_winagent_config_url }}"
dest: "{{ wazuh_winagent_config.download_dir }}"
when:
- not wazuh_package_downloaded.stat.exists
- name: Windows | Download SHA512 checksum file
win_get_url:
url: "{{ wazuh_winagent_sha512_url }}"
dest: "{{ wazuh_winagent_config.download_dir }}"
when:
- wazuh_winagent_config.check_sha512
- name: Extract checksum from SHA512 file
win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
register: extracted_checksum
when:
- wazuh_winagent_config.check_sha512
- name: Windows | Verify the Wazuh Agent installer
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
get_checksum: true
checksum_algorithm: sha512
register: wazuh_agent_status
failed_when:
- wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
when:
- wazuh_winagent_config.check_sha512
- name: Windows | Install Agent if not already installed
win_package:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: present
- name: Windows | Check if client.keys exists
win_stat:
path: "{{ wazuh_agent_win_path }}client.keys"
register: check_windows_key
tags:
- config
- name: Windows | Register agent
win_shell: >
{{ wazuh_agent_win_auth_path }}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %}
register: agent_auth_output
notify: Windows | Restart Wazuh Agent
when:
- wazuh_agent_authd.enable | bool
- not check_windows_key.stat.exists or check_windows_key.stat.size == 0
- wazuh_agent_authd.registration_address is not none
tags:
- config
- name: Windows | Check if ossec folder is accessible
win_file:
path: "{{ wazuh_agent_win_path }}"
state: directory
- name: Windows | Installing agent configuration (ossec.conf)
template: # noqa 208
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_agent_win_path }}ossec.conf"
notify: Windows | Restart Wazuh Agent
tags:
- config
- name: Windows | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_agent_win_path }}local_internal_options.conf"
notify: Windows | Restart Wazuh Agent
tags:
- config
- name: Windows | Delete downloaded Wazuh agent installer file
win_file:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: absent
- name: Windows | Delete downloaded checksum file
win_file:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512"
state: absent


@ -0,0 +1,28 @@
---
- name: Install Wazuh Agent from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}"
state: present
when:
- ansible_os_family|lower == "debian"
- wazuh_custom_packages_installation_agent_enabled
- name: Install Wazuh Agent from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Agent from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
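Review bot: The yum and dnf `when` guards compare `ansible_distribution_major_version` as a string (`>= "8"`), so a major version of `"10"` sorts below `"8"` and a RHEL/CentOS 10 host would be routed to the yum task instead of dnf; cast before comparing, e.g. `ansible_distribution_major_version | int >= 8`, in all four comparisons. Separately, all three tasks install a package straight from `wazuh_custom_packages_installation_agent_*_url` with no integrity check: `apt` with `deb:` does not verify a signature on a URL-fetched file, and whether yum/dnf check a GPG signature on a URL-supplied package depends on the host's repository configuration, so anyone who can serve or tamper with that URL gets root code execution on every agent. Consider downloading with `get_url` and a pinned `checksum: "sha512:<digest>"` (or verifying a detached signature) and then installing the local file, which is also what the Windows task path does with its SHA512 check.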


@ -0,0 +1,231 @@
---
- name: macOS | Check architecture
command: "/usr/bin/uname -m"
register: uname_result
- name: macOS | Set architecture variable
set_fact:
macos_architecture: "{{ 'arm' if uname_result.stdout == 'arm64' else 'intel' }}"
- name: macOS | Set package name and URL based on architecture
set_fact:
wazuh_macos_package_url: "{{ wazuh_macos_intel_package_url if macos_architecture == 'intel' else wazuh_macos_arm_package_url }}"
wazuh_macos_package_name: "{{ wazuh_macos_intel_package_name if macos_architecture == 'intel' else wazuh_macos_arm_package_name }}"
- name: macOS | Check if Wazuh installer is already downloaded
stat:
path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}"
register: wazuh_package_downloaded
- name: macOS | Download Wazuh Agent package
get_url:
url: "{{ wazuh_macos_package_url }}"
dest: "{{ wazuh_macos_config.download_dir }}"
register: download_result
when:
- not wazuh_package_downloaded.stat.exists
- name: macOS | Check if Wazuh Agent is already installed
stat:
path: "{{ wazuh_macos_config.install_dir }}"
register: wazuh_installed
- name: macOS | Install Agent if not already installed
command: "installer -pkg {{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }} -target /"
register: install_result
- name: macOS | Check if client.keys exists
stat:
path: "{{ wazuh_macos_config.install_dir }}/etc/client.keys"
register: client_keys_file
tags:
- config
- name: macOS | Agent registration via authd
block:
- name: macOS | Register agent (via authd)
shell: >
{{ wazuh_macos_config.install_dir }}/bin/agent-auth
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output
notify: macOS | Restart Wazuh Agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: macOS | Verify agent registration
shell: >
sh -c "echo '{{ agent_auth_output.stdout }} {{ agent_auth_output.stderr }}' | grep 'Valid key received'"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when:
- wazuh_agent_authd.enable | bool
- wazuh_agent_config.enrollment.enabled != 'yes'
tags:
- config
- authd
- name: macOS | Agent registration via rest-API
block:
- name: macOS | Establish target Wazuh Manager for registration task
set_fact:
target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
vars:
manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
manager_fallback: "{{ wazuh_managers | list }}"
- name: macOS | Obtain JWT Token
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
method: POST
url_username: '{{ target_manager.api_user }}'
url_password: '{{ api_pass }}'
status_code: 200
return_content: yes
force_basic_auth: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_jwt_result.json.error == 0
register: api_jwt_result
become: no
tags:
- config
- api
- name: macOS | Create the agent key via rest-API
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
method: POST
body_format: json
body:
name: '{{ agent_name }}'
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_agent_post.json.error == 0
register: api_agent_post
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
tags:
- config
- api
- name: macOS | Validate registered agent key matches manager record
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
method: GET
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
register: api_agent_validation
vars:
agent_id: '{{ api_agent_post.json.data.id }}'
agent_key: '{{ api_agent_post.json.data.key }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
when:
- wazuh_agent_api_validate | bool
- api_agent_post.json.error == 0
tags:
- config
- api
- name: macOS | Import Key (via rest-API)
command: "{{ wazuh_macos_config.install_dir }}/bin/manage_agents"
environment:
OSSEC_ACTION: i
OSSEC_AGENT_NAME: '{{ agent_name }}'
OSSEC_AGENT_IP: '{{ wazuh_agent_address }}'
OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}'
OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}'
OSSEC_ACTION_CONFIRMED: y
register: manage_agents_output
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
notify: macOS | Restart Wazuh Agent
when:
- not ( wazuh_agent_authd.enable | bool )
- wazuh_agent_config.enrollment.enabled != 'yes'
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
tags:
- config
- api
- name: macOS | Agent registration via auto-enrollment
debug:
msg: Agent registration will be performed through enrollment option in templated ossec.conf
when: wazuh_agent_config.enrollment.enabled == 'yes'
- name: macOS | Ensure group "wazuh" exists
ansible.builtin.group:
name: wazuh
state: present
- name: macOS | Installing agent configuration (ossec.conf)
template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: macOS | Restart Wazuh Agent
tags:
- init
- config
- name: macOS | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/local_internal_options.conf"
owner: root
group: wazuh
mode: 0640
notify: macOS | Restart Wazuh Agent
tags:
- init
- config
- name: Create auto-enrollment password file
template:
src: authd_pass.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
when:
- wazuh_agent_config.enrollment.enabled == 'yes'
- wazuh_agent_config.enrollment.authorization_pass_path_macos | length > 0
- authd_pass | length > 0
tags:
- config
- name: macOS | Delete downloaded Wazuh agent installer file
file:
path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}"
state: absent
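Review bot: `macOS | Register agent (via authd)` passes the enrollment secret on the command line (`-P {{ authd_pass }}`) and carries no `no_log`, so the password is written into Ansible task output and logs and is visible to any local user via `ps` while `agent-auth` runs; the API tasks further down protect their credentials with `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'` and this task, together with `macOS | Verify agent registration` (which echoes the raw stdout/stderr back through `sh -c`), should use the same guard. That verification step would also be more robust as a `failed_when: "'Valid key received' not in agent_auth_output.stdout"` on the registration task, avoiding the shell round-trip and any quoting breakage from manager-supplied output. `macOS | Install Agent if not already installed` registers `wazuh_installed` but has no `when`, so `installer -pkg … -target /` re-runs on every play; add `when: not wazuh_installed.stat.exists`. Finally, the `get_url` download has no `checksum:` although the package is installed as root, unlike the Windows task file which verifies a SHA512 before `win_package`.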


@ -0,0 +1,28 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- name: Overlay wazuh_agent_config on top of defaults
set_fact:
wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_agent_config | default({}) }}'
when: wazuh_agent_config_overlay | bool
- include_tasks: "Windows.yml"
when: ansible_os_family == "Windows"
- include_tasks: "Linux.yml"
when: ansible_system == "Linux"
- include_tasks: "macOS.yml"
when: ansible_system == "Darwin"
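Review bot: The four bare `- include_vars:` tasks at the top of this file have no `name:`, so a run's output only shows the module name and it is not obvious which repository variable set (`production`, `pre-release`, `staging`) was loaded; give each a name such as `- name: Load Wazuh repository variables (production)`. Because the three conditional includes are mutually exclusive on `packages_repository`, an unrecognised value silently loads only `repo_vars.yml` — an `assert` on `packages_repository in ['production', 'pre-release', 'staging']` before them would turn that into a clear failure.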


@ -0,0 +1 @@
{{ authd_pass }}


@ -0,0 +1,16 @@
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
# This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your agents
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
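Review bot: `logcollector.remote_commands=1` is hard-coded into every agent's local_internal_options.conf, and per the comment above it this is the switch that lets the agent accept command/full_command localfile entries pushed from the manager; with it on, a compromised manager (or a manager API/admin account) can run arbitrary commands on the whole agent fleet, and the template offers no way to opt out. Drive it from a variable with a safe default, e.g. `logcollector.remote_commands={{ wazuh_agent_config.logcollector_remote_commands | default('0') }}` (mirroring how the rest of the role reads from `wazuh_agent_config`), and extend the header comment to state that enabling it grants the manager command execution on the agent.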


@ -0,0 +1,500 @@
#jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} -->
<!--
Wazuh - Agent
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<client>
{% for manager in wazuh_managers %}
<server>
<address>{{ manager.address }}</address>
{% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
{% if manager.max_retries is defined and manager.retry_interval is defined %}
<max_retries>{{ manager.max_retries }}</max_retries>
<retry_interval>{{ manager.retry_interval }}</retry_interval>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %}
{% if ansible_distribution == 'CentOS' %}
<config-profile>{{ wazuh_profile_centos }}</config-profile>
{% elif ansible_distribution == "Ubuntu" %}
<config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
{% endif %}
{% endif %}
{% if ansible_system == "Darwin" %}
<config-profile>{{ wazuh_profile_macos }}</config-profile>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method>
{% if wazuh_agent_config.enrollment.enabled == 'yes' %}
<enrollment>
<enabled>{{ wazuh_agent_config.enrollment.enabled }}</enabled>
{% if wazuh_agent_config.enrollment.manager_address | length > 0 %}
<manager_address>{{ wazuh_agent_config.enrollment.manager_address }}</manager_address>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_name | length > 0 %}
<agent_name>{{ wazuh_agent_config.enrollment.agent_name }}</agent_name>
{% endif %}
{% if wazuh_agent_config.enrollment.port is defined > 0 %}
<port>{{ wazuh_agent_config.enrollment.port }}</port>
{% endif %}
{% if wazuh_agent_config.enrollment.groups | length > 0 %}
<groups>{{ wazuh_agent_config.enrollment.groups }}</groups>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_address | length > 0 %}
<agent_address>{{ wazuh_agent_config.enrollment.agent_address }}</agent_address>
{% endif %}
{% if wazuh_agent_config.enrollment.server_ca_path | length > 0 %}
<server_ca_path>{{ wazuh_agent_config.enrollment.server_ca_path }}</server_ca_path>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_certificate_path | length > 0 %}
<agent_certificate_path>{{ wazuh_agent_config.enrollment.agent_certificate_path }}</agent_certificate_path>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %}
<agent_key_path>{{ wazuh_agent_config.enrollment.agent_key_path }}</agent_key_path>
{% endif %}
{% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 and ansible_system != "Darwin" %}
<authorization_pass_path>{{ wazuh_agent_config.enrollment.authorization_pass_path }}</authorization_pass_path>
{% else %}
<authorization_pass_path>{{ wazuh_agent_config.enrollment.authorization_pass_path_macos }}</authorization_pass_path>
{% endif %}
{% if wazuh_agent_config.enrollment.auto_method | length > 0 %}
<auto_method>{{ wazuh_agent_config.enrollment.auto_method }}</auto_method>
{% endif %}
{% if wazuh_agent_config.enrollment.delay_after_enrollment is defined > 0 %}
<delay_after_enrollment>{{ wazuh_agent_config.enrollment.delay_after_enrollment }}</delay_after_enrollment>
{% endif %}
{% if wazuh_agent_config.enrollment.use_source_ip | length > 0 %}
<use_source_ip>{{ wazuh_agent_config.enrollment.use_source_ip }}</use_source_ip>
{% endif %}
</enrollment>
{% endif %}
</client>
<client_buffer>
<!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer>
{% if wazuh_agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
{% if ansible_system == "Darwin" %}
<rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
{% else %}
<rootkit_files>{{ wazuh_dir }}/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>{{ wazuh_dir }}/etc/shared/rootkit_trojans.txt</rootkit_trojans>
{% endif %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
</rootcheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
{% if ansible_system != "Darwin" %}
<wodle name="cis-cat">
<disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path>
{% elif ansible_os_family == "Windows" %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
{% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
</wodle>
{% endif %}
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
{% if ansible_os_family == "Windows" %}
<bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
{% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.add_labels }}</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>{{ wazuh_agent_config.syscollector.disable }}</disabled>
<interval>{{ wazuh_agent_config.syscollector.interval }}</interval>
<scan_on_start>{{ wazuh_agent_config.syscollector.scan_on_start }}</scan_on_start>
<hardware>{{ wazuh_agent_config.syscollector.hardware }}</hardware>
<os>{{ wazuh_agent_config.syscollector.os }}</os>
<network>{{ wazuh_agent_config.syscollector.network }}</network>
<packages>{{ wazuh_agent_config.syscollector.packages }}</packages>
<ports all="no">{{ wazuh_agent_config.syscollector.ports_no }}</ports>
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>{{ wazuh_agent_config.sca.day }}</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>{{ wazuh_agent_config.sca.wday }}</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>{{ wazuh_agent_config.sca.time }}</time>
{% endif %}
</sca>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% elif ansible_system == "Darwin" %}
{% for directory in wazuh_agent_config.syscheck.macos_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and (ansible_system == "Linux" or ansible_system == "Darwin") %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_os_family == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
<skip_dev>{{ wazuh_agent_config.syscheck.skip_dev }}</skip_dev>
<skip_proc>{{ wazuh_agent_config.syscheck.skip_proc }}</skip_proc>
<skip_sys>{{ wazuh_agent_config.syscheck.skip_sys }}</skip_sys>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
<!-- Nice value for Syscheck module -->
<process_priority>{{ wazuh_agent_config.syscheck.process_priority }}</process_priority>
<!-- Maximum output throughput -->
<max_eps>{{ wazuh_agent_config.syscheck.max_eps }}</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>{{ wazuh_agent_config.syscheck.sync_enabled }}</enabled>
<interval>{{ wazuh_agent_config.syscheck.sync_interval }}</interval>
<max_interval>{{ wazuh_agent_config.syscheck.sync_max_interval }}</max_interval>
<max_eps>{{ wazuh_agent_config.syscheck.sync_max_eps }}</max_eps>
</synchronization>
</syscheck>
{% endif %}
<!-- Files to monitor (localfiles) -->
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
{% endif %}
{% if ansible_system == "Darwin" %}
{% for localfile in wazuh_agent_config.localfiles.macos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'macos' %}
<query type="{{ localfile.query.type }}" level="{{ localfile.query.level }}">{{ localfile.query.value }}</query>
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.labels.enable == true %}
<labels>
{% for label in wazuh_agent_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
<ca_store>
{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}
{% else %}
{% if ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }}
{% else %}
{{ wazuh_agent_config.active_response.ca_store }}
{% endif %}
{% endif %}
</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
</ossec_config>
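Review bot: In the `<enrollment>` block the `authorization_pass_path` conditional falls into its `{% else %}` on every non-Darwin host whose `authorization_pass_path` is empty, so a Linux or Windows agent that deliberately sets no password path is rendered with `<authorization_pass_path>{{ wazuh_agent_config.enrollment.authorization_pass_path_macos }}</authorization_pass_path>` pointing at a macOS location; make that branch `{% elif ansible_system == "Darwin" %}`. The tests `{% if wazuh_agent_config.enrollment.port is defined > 0 %}` and the identical one for `delay_after_enrollment` appear to parse as `(x is defined) > 0`, i.e. a plain `is defined` check that hides the intended numeric comparison — write `is defined and wazuh_agent_config.enrollment.port | int > 0`. The Windows ignore loop is gated on `wazuh_agent_config.syscheck.ignore is defined` but iterates `wazuh_agent_config.syscheck.ignore_win`, so a config that sets only `ignore_win` emits nothing while one that sets only `ignore` fails on an undefined variable; the guard should test `ignore_win is defined`.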


@ -0,0 +1,229 @@
Ansible Playbook - Wazuh manager
================================
This role will install the Wazuh manager on a host.
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
This role has some variables which you can or need to override.
```
wazuh_manager_fqdn: ~
wazuh_manager_config: []
shared_agent_config: []
```
Vault variables
----------------
### vars/agentless_creds.yml
This file has the agenless credentials.
```
---
agentless_creds:
- type: ssh_integrity_check_linux
frequency: 3600
host: root@example.net
state: periodic
arguments: '/bin /etc/ /sbin'
passwd: qwerty
```
### vars/wazuh_api_creds.yml
This file has user and password created in httpasswd format.
```
---
wazuh_api_user:
- "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
```
### vars/authd_pass.yml
This file has the password to be used for the authd daemon.
```
---
authd_pass: foobar
```
Default config
--------------
### defaults/main.yml
```
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
authd:
enable: false
email_notification: no
mail_to:
- admin@example.net
mail_smtp_server: localhost
mail_from: wazuh-server@example.com
syscheck:
frequency: 43200
scan_on_start: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
openscap:
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
log_level: 1
email_level: 12
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: 'netstat -tln | grep -v 127.0.0.1 | sort'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
globals:
- '127.0.0.1'
- '192.168.2.1'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
shared_agent_config:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
- check_all: yes
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'apache'
location: '/var/log/httpd/error_log'
- format: 'apache'
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'
```
#### Custom variables:
You can create a YAML file and change the default variables for this role, to later using it with `-e` option in `ansible-playbooks`, for example:
```
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config:
email_notification: yes
mail_to:
- myadmin@mydomain.com
mail_smtp_server: mysmtp.mydomain.com
```
Dependencies
------------
No dependencies.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: wazuh-server.example.com
roles:
- { role: ansible-wazuh-server }
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi
- https://github.com/dj-wasabi/ansible-ossec-server
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.


@ -0,0 +1,466 @@
---
wazuh_manager_version: 4.9.1
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/"
wazuh_dir: "/var/ossec"
##########################################
### Wazuh-OSSEC
##########################################
# groups to create
agent_groups: []
## Global
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_logall_json: 'no'
wazuh_manager_email_notification: 'no'
wazuh_manager_mailto:
- 'admin@example.net'
wazuh_manager_email_smtp_server: smtp.example.wazuh.com
wazuh_manager_email_from: wazuh@example.wazuh.com
wazuh_manager_email_maxperhour: 12
wazuh_manager_email_queue_size: 131072
wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
wazuh_manager_agent_disconnection_time: '20s'
wazuh_manager_agents_disconnection_alert_time: '100s'
## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12
## Logging
wazuh_manager_log_format: 'plain'
## Email alerts
wazuh_manager_extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
## Remote
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
## Reports
wazuh_manager_reports:
- enable: false
category: 'syscheck'
title: 'Daily report: File changes'
email_to: 'recipient@example.wazuh.com'
location: null
group: null
rule: null
level: null
srcip: null
user: null
showlogs: null
## Woodles
wazuh_manager_rootcheck:
frequency: 43200
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
## SCA
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Vulnerability Detector
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- "localhost"
filebeat_output_indexer_port: 9200
indexer_security_user: admin
indexer_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
wazuh_manager_vulnerability_detection:
enabled: 'yes'
index_status: 'yes'
feed_update_interval: '60m'
wazuh_manager_indexer:
enabled: 'yes'
hosts: "{{ filebeat_output_indexer_hosts }}"
## Syscheck
wazuh_manager_syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
## Command
wazuh_manager_commands:
- name: 'disable-account'
executable: 'disable-account'
timeout_allowed: 'yes'
- name: 'restart-wazuh'
executable: 'restart-wazuh'
- name: 'firewall-drop'
executable: 'firewall-drop'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.exe'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.exe'
timeout_allowed: 'yes'
## Localfile
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: "{{ wazuh_dir }}/logs/active-responses.log"
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
## Syslog outputs
wazuh_manager_syslog_outputs:
- server: null
port: null
format: null
## Integrations
wazuh_manager_integrations:
# slack
- name: null
hook_url: '<hook_url>'
alert_level: 10
alert_format: 'json'
rule_id: null
# pagerduty
- name: null
api_key: '<api_key>'
alert_level: 12
## Labels
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
## Ruleset
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
## Auth
wazuh_manager_authd:
enable: true
port: 1515
use_source_ip: 'no'
force:
enabled: 'yes'
key_mismatch: 'yes'
disconnected_time: '1h'
after_registration_time: '1h'
purge: 'yes'
use_password: 'no'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
## Cluster
wazuh_manager_cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
## Wazuh API setup
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
drop_privileges: yes
experimental_features: no
remote_commands_localfile: yes
remote_commands_localfile_exceptions: []
remote_commands_wodle: yes
remote_commands_wodle_exceptions: []
# wazuh_api_users:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true
## Other/Wrappers
wazuh_manager_config_defaults:
repo: '{{ wazuh_repo }}'
json_output: '{{ wazuh_manager_json_output }}'
alerts_log: '{{ wazuh_manager_alerts_log }}'
logall: '{{ wazuh_manager_logall }}'
logall_json: '{{ wazuh_manager_logall_json }}'
log_format: '{{ wazuh_manager_log_format }}'
api: '{{ wazuh_manager_api }}'
cluster: '{{ wazuh_manager_cluster }}'
connection: '{{ wazuh_manager_connection }}'
authd: '{{ wazuh_manager_authd }}'
email_notification: '{{ wazuh_manager_email_notification }}'
mail_to: '{{ wazuh_manager_mailto }}'
mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
mail_from: '{{ wazuh_manager_email_from }}'
mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
email_log_source: '{{ wazuh_manager_email_log_source }}'
extra_emails: '{{ wazuh_manager_extra_emails }}'
reports: '{{ wazuh_manager_reports}}'
syscheck: '{{ wazuh_manager_syscheck }}'
rootcheck: '{{ wazuh_manager_rootcheck }}'
openscap: '{{ wazuh_manager_openscap }}'
cis_cat: '{{ wazuh_manager_ciscat }}'
osquery: '{{ wazuh_manager_osquery }}'
syscollector: '{{ wazuh_manager_syscollector }}'
sca: '{{ wazuh_manager_sca }}'
vulnerability_detection: '{{ wazuh_manager_vulnerability_detection }}'
indexer: '{{ wazuh_manager_indexer }}'
log_level: '{{ wazuh_manager_log_level }}'
email_level: '{{ wazuh_manager_email_level }}'
localfiles: '{{ wazuh_manager_localfiles }}'
globals: '{{ wazuh_manager_globals }}'
commands: '{{ wazuh_manager_commands }}'
ruleset: '{{ wazuh_manager_ruleset }}'
rule_exclude: '{{ wazuh_manager_rule_exclude }}'
syslog_outputs: '{{ wazuh_manager_syslog_outputs }}'
integrations: '{{ wazuh_manager_integrations }}'
monitor_aws: '{{ wazuh_manager_monitor_aws }}'
labels: '{{ wazuh_manager_labels }}'
agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}'
agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}'
# shared-agent.conf
# shared_agent_config:
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: "{{ wazuh_dir }}/logs/active-responses.log"
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'
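Review bot: The defaults carry working secrets: `indexer_security_password: changeme` and a fixed cluster `key:` under `wazuh_manager_cluster`; because the role overlays inventory on top of these (`wazuh_manager_config_overlay: true`), any host whose inventory omits the override silently runs with the published value, and the indexer password is also interpolated into the `shell:` wazuh-keystore tasks in tasks/main.yml with no `no_log`. Prefer `indexer_security_password: null` and `key: null` here, paired with an `assert` task that fails when they are unset, so a missed override breaks the play instead of deploying a known credential. Separately, the API block mixes bare YAML booleans (`https: yes`, `https_use_ca: False`, `drop_privileges: yes`) with the quoted `'yes'`/`'no'` strings used everywhere else, while the tasks compare strings (e.g. `cis_cat.disable == 'no'` in Debian.yml); pick one representation and quote consistently so a template comparison cannot silently miss.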


@ -0,0 +1,102 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.rbac.orm import check_database_integrity
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except Exception as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
# create RBAC database
check_database_integrity()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
#for def_user in ['wazuh', 'wazuh-wui']:
# if def_user != username:
# disable_user(initial_users[def_user])
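Review bot: The `except Exception as e:` around the wazuh imports reports every failure as "No module 'wazuh' found." and drops `e`, so a genuine error inside the framework (a broken ORM import, a missing dependency) is indistinguishable from a wrong `sys.path`; log it, `logging.error("No module 'wazuh' found: %s", e)`, or narrow the handler to `except ImportError`. `disable_user` builds its lock-out password with `random.choices`/`random.choice`/`random.sample`, which are not cryptographically strong; since the value's only purpose is to make the account unusable, use `secrets.choice` and `secrets.SystemRandom().sample` instead (the call site is commented out, so this is latent). The script reads credentials only from `USER_FILE_PATH` and never parses `sys.argv`, yet tasks/main.yml invokes it with `--username`/`--password` arguments, which exposes the password in the process argument list for no benefit; drop those arguments from the caller, or accept them via `argparse` and stop writing admin.json at all.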


@ -0,0 +1,25 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
-->
<decoder name="sample_custom_decoder">
<program_name>sample_custom_decoder</program_name>
</decoder>


@ -0,0 +1,18 @@
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="200001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>


@ -0,0 +1,12 @@
---
- name: restart wazuh-manager
service:
name: wazuh-manager
state: restarted
enabled: true
- name: restart wazuh-api
service:
name: wazuh-api
state: restarted
enabled: true
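Review bot: The `restart wazuh-api` handler targets a `wazuh-api` service unit that, as far as I can tell, no longer exists as a separate service in Wazuh 4.x (the API runs inside wazuh-manager), and the defaults pin `wazuh_manager_version: 4.9.1`; any task that notifies it would fail with an unknown service. None of the visible tasks notify it, so either remove the handler or make it a no-op guarded by a `stat` on the unit file.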


@ -0,0 +1,23 @@
---
galaxy_info:
author: Wazuh
description: Installing, deploying and configuring Wazuh Manager.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- monitoring
dependencies: []


@ -0,0 +1,125 @@
---
- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl
apt:
name:
- apt-transport-https
- ca-certificates
- gnupg
- acl
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_https_packages_installed
until: wazuh_manager_https_packages_installed is succeeded
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s {{ wazuh_manager_config.repo.gpg }} | apt-key add -
args:
warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Download Wazuh repository key
get_url:
url: "{{ wazuh_manager_config.repo.gpg }}"
dest: "{{ wazuh_manager_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Import Wazuh GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_manager_config.repo.keyring_path }} --import {{ wazuh_manager_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
args:
creates: "{{ wazuh_manager_config.repo.keyring_path }}"
- name: Debian/Ubuntu | Set permissions for Wazuh GPG key
file:
path: "{{ wazuh_manager_config.repo.keyring_path }}"
mode: '0644'
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
filename: wazuh_repo
repo: "{{ wazuh_manager_config.repo.apt }}"
state: present
update_cache: true
changed_when: false
when:
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
block:
- name: Debian/Ubuntu | Install OpenJDK 1.8
apt: name=openjdk-8-jre state=present cache_valid_time=3600
tags:
- init
- name: Debian/Ubuntu | Install OpenScap
apt:
name:
- libopenscap8
- xsltproc
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_openscap_installed
until: wazuh_manager_openscap_installed is succeeded
when: wazuh_manager_config.openscap.disable == 'no'
tags:
- init
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version
changed_when: false
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version_valid
changed_when: false
tags:
- config
- name: Debian/Ubuntu | Install wazuh-manager
apt:
name:
- "wazuh-manager={{ wazuh_manager_version }}-*"
state: present
tags: init
when:
- not wazuh_custom_packages_installation_manager_enabled
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled
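Review bot: The repository key path (`Download Wazuh repository key` through `Import Wazuh GPG key`) fetches `{{ wazuh_manager_config.repo.gpg }}` with `get_url` and imports it into the keyring without any integrity check, so whatever is served at that URL becomes a trusted signer for the `apt_repository` that follows; add `checksum: "sha256:<EXPECTED-KEY-DIGEST, not on page>"` to the `get_url` task (or verify the key fingerprint after import) and make sure `repo.gpg` is an https URL. The Ubuntu 14 branch pipes the same download straight into `apt-key add -`, which is deprecated, and its `args: warn: false` is no longer accepted by the `shell` module on ansible-core 2.14+, so that task now errors rather than merely warning; remove `warn` and, if Ubuntu 14 must stay, reuse the keyring-file path of the other branch. `Install OpenJDK 1.8` uses the `key=value` argument form (`apt: name=openjdk-8-jre state=present cache_valid_time=3600`) while the rest of the file uses block YAML; convert it for consistency and lintability.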


@ -0,0 +1,131 @@
---
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_manager_config.repo.yum }}5/"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_custom_packages_installation_manager_enabled
register: repo_v5_manager_installed
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_manager_config.repo.yum }}"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- repo_v5_manager_installed is skipped
- not wazuh_custom_packages_installation_manager_enabled
- name: RedHat/CentOS/Fedora | Install openscap
package: name={{ item }} state=present
with_items:
- openscap-scanner
register: wazuh_manager_openscp_packages_installed
until: wazuh_manager_openscp_packages_installed is succeeded
tags:
- init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") and
not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
- name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present
register: wazuh_manager_scl_packages_installed
until: wazuh_manager_scl_packages_installed is succeeded
when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL)
command: yum-config-manager --enable {{ item }}
with_items:
- rhui-REGION-rhel-server-rhscl
- rhel-server-rhscl-6-rpms
when:
- ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present
register: wazuh_manager_python_package_installed
until: wazuh_manager_python_package_installed is succeeded
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
yum: name=java-1.8.0-openjdk state=present
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5'
- name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6'
- name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: CentOS/RedHat/Amazon | Install wazuh-manager
package:
name: "wazuh-manager-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_custom_packages_installation_manager_enabled
tags:
- init
- include_tasks: "../tasks/installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: "echo -n \"Starting Wazuh-manager (EL6): \"; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{{ wazuh_dir }}/framework/lib"
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install expect (EL5)
package:
name: "{{ item }}"
state: "{{ wazuh_manager_package_state }}"
with_items:
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "RedHat"
- ansible_distribution_major_version|int < 6
tags:
- init
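Review bot: The `Install expect (EL5)` condition `ansible_os_family|lower == "RedHat"` can never be true, because the lowercased fact is compared with a capitalised literal; every other task in this file uses `"redhat"`, so change it to `- ansible_os_family|lower == "redhat"` (or drop the task, since the EL5 repo branch above is already conditioned on `<= 5`). The same task reuses `register: wazuh_manager_main_packages_installed`, the name that already holds the result of `CentOS/RedHat/Amazon | Install wazuh-manager`; a skipped task still overwrites the registered variable, so any later `is succeeded`/`is skipped` check would read the wrong result — give it its own name, e.g. `register: wazuh_manager_expect_packages_installed`. `RedHat 6 | Enabling Red Hat Software Collections (RHSCL)` runs `yum-config-manager --enable` on every play with no `changed_when`, so it always reports changed; add `changed_when: false` or check the repo state first.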


@ -0,0 +1,40 @@
---
# Vars
# cmake_download_url: http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz
# cmake_version: 3.18.3
#
- name: Include CMake install vars
include_vars: install_cmake.yml
- name: Download CMake sources
get_url:
url: "{{ cmake_download_url }}"
dest: "/tmp/cmake-{{ cmake_version }}.tar.gz"
register: cmake_download
- name: Unpack CMake
unarchive:
copy: no
dest: /tmp/
src: "{{ cmake_download.dest }}"
when: cmake_download.changed
register: cmake_unpack
- name: Configure CMake
command: "./bootstrap"
args:
chdir: "/tmp/cmake-{{ cmake_version }}"
when: cmake_unpack.changed
register: cmake_configure
- name: Install CMake
shell: make && make install
args:
chdir: "/tmp/cmake-{{ cmake_version }}"
when: cmake_configure.changed
- name: Delete installation files
file:
state: absent
path: "/tmp/cmake-{{ cmake_version }}"
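Review bot: `Download CMake sources` fetches the tarball with no `checksum:`, and the commented default URL is plain `http://`, yet the result is built and installed system-wide by `make && make install` (presumably under `become`); add `checksum: "sha256:<EXPECTED-TARBALL-DIGEST, not on page>"` to the `get_url` task and serve it over https, otherwise any tampering in transit yields a trusted toolchain on every manager. `Delete installation files` removes only the extracted directory and leaves `/tmp/cmake-{{ cmake_version }}.tar.gz` behind, and because each later step is gated on the previous one's `.changed`, a rerun after a partial failure (download succeeded, build did not) never builds; remove the archive too and gate configure/install on `creates:` rather than on `changed`. `unarchive` with `copy: no` is the deprecated spelling of `remote_src: true`.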


@ -0,0 +1,31 @@
---
- block:
- name: Install Wazuh Manager from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
when:
- ansible_os_family|lower == "debian"
- block:
- name: Install Wazuh Manager from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Manager from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
when:
- ansible_os_family|lower == "redhat"
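Review bot: The yum/dnf selection compares `ansible_distribution_major_version >= "8"` as strings, so a major version of `"10"` sorts below `"8"` and is routed to the `yum` branch; use `ansible_distribution_major_version | int >= 8` in both `when:` lists. `apt: deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"` installs a .deb straight from a URL with no signature or digest check (the `deb:` path bypasses repository signing entirely), and the variable's default in defaults/main.yml is a bucket prefix rather than a package, so the task cannot work without an override anyway; fetch the file with `get_url` plus `checksum: "sha256:<EXPECTED-PACKAGE-DIGEST, not on page>"` and install the local path. The inner `when: wazuh_custom_packages_installation_manager_enabled` on each task repeats the guard already applied by the `include_tasks` in Debian.yml and RedHat.yml; harmless, but it can be dropped.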


@ -0,0 +1,380 @@
---
- name: "Install dependencies"
block:
- name: "Install common dependencies"
package:
name:
- unzip
- openssl
- tar
state: present
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- name: "Install curl"
package:
name: curl
state: present
when: ansible_distribution != "Amazon" and ansible_distribution_version != "2023"
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- name: "Install curl minimal in AL2023"
package:
name: curl-minimal
state: present
when: ansible_distribution == "Amazon" and ansible_distribution_version == "2023"
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- name: Overlay wazuh_manager_config on top of defaults
set_fact:
wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_manager_config | default({}) }}'
when: wazuh_manager_config_overlay | bool
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- name: Generate the wazuh-keystore (username)
shell: >
/var/ossec/bin/wazuh-keystore -f indexer -k username -v {{ indexer_security_user }}
notify: restart wazuh-manager
tags:
- init
- config
- name: Generate the wazuh-keystore (password)
shell: >
/var/ossec/bin/wazuh-keystore -f indexer -k password -v {{ indexer_security_password }}
notify: restart wazuh-manager
tags:
- init
- config
- name: Install expect
package:
name: expect
state: "{{ wazuh_manager_package_state }}"
when:
- not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) and
not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8)
tags: init
- name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args:
creates: sslmanager.cert
chdir: "{{ wazuh_dir }}/etc/"
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd
copy:
src: "{{ item }}"
dest: "{{ wazuh_dir }}/etc/{{ item }}"
mode: 0644
with_items:
- "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
- "{{ wazuh_manager_config.authd.ssl_manager_cert }}"
- "{{ wazuh_manager_config.authd.ssl_manager_key }}"
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Verifying for old init authd service
stat: path=/etc/init.d/ossec-authd
register: old_authd_service
tags:
- config
- name: Verifying for old systemd authd service
stat: path=/lib/systemd/system/ossec-authd.service
register: old_authd_service
tags:
- config
- name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists
tags:
- config
- name: Removing old init authd services
file: path="{{ item }}" state=absent
with_items:
- "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists
tags:
- config
- name: Installing the local_rules.xml (default local_rules.xml)
template: src=var-ossec-rules-local_rules.xml.j2
dest="{{ wazuh_dir }}/etc/rules/local_rules.xml"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Adding local rules files
copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
dest="{{ wazuh_dir }}/etc/rules/"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Installing the local_decoder.xml
template: src=var-ossec-rules-local_decoder.xml.j2
dest="{{ wazuh_dir }}/etc/decoders/local_decoder.xml"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Adding local decoders files
copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
dest="{{ wazuh_dir }}/etc/decoders/"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Configure the shared-agent.conf
template:
src: var-ossec-etc-shared-agent.conf.j2
dest: "{{ wazuh_dir }}/etc/shared/default/agent.conf"
owner: wazuh
group: wazuh
mode: 0660
validate: "{{ wazuh_dir }}/bin/verify-agent-conf -f %s"
notify: restart wazuh-manager
tags:
- init
- config
when:
- shared_agent_config is defined
- name: Installing the local_internal_options.conf
template: src=var-ossec-etc-local-internal-options.conf.j2
dest="{{ wazuh_dir }}/etc/local_internal_options.conf"
owner=root
group=wazuh
mode=0640
notify: restart wazuh-manager
tags:
- init
- config
- name: Retrieving Agentless Credentials
include_vars: agentless_creds.yml
tags:
- config
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Check if syslog output is enabled
set_fact: syslog_output=true
when: item.server is not none
with_items:
- "{{ wazuh_manager_config.syslog_outputs }}"
tags:
- config
- name: Check if client-syslog is enabled
shell: |
set -o pipefail
"grep -c 'ossec-csyslogd' {{ wazuh_dir }}/bin/.process_list | xargs echo"
args:
removes: "{{ wazuh_dir }}/bin/.process_list"
executable: /bin/bash
changed_when: false
check_mode: false
register: csyslog_enabled
tags:
- config
- name: Enable client-syslog
command: "{{ wazuh_dir }}/bin/wazuh-control enable client-syslog"
notify: restart wazuh-manager
when:
- csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout
- syslog_output is defined and syslog_output
tags:
- config
- name: Check if ossec-agentlessd is enabled
shell: |
set -o pipefail
"grep -c 'ossec-agentlessd' {{ wazuh_dir }}/bin/.process_list | xargs echo"
args:
removes: "{{ wazuh_dir }}/bin/.process_list"
executable: /bin/bash
changed_when: false
check_mode: false
register: agentlessd_enabled
tags:
- config
- name: Enable ossec-agentlessd
command: "{{ wazuh_dir }}/bin/wazuh-control enable agentless"
notify: restart wazuh-manager
when:
- agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout
- agentless_creds is defined
tags:
- config
- name: Checking alert log output settings
fail: msg="Please enable json_output or alerts_log options."
when:
- wazuh_manager_config.json_output == 'no'
- wazuh_manager_config.alerts_log == 'no'
tags:
- init
- config
- name: Configure ossec.conf
template:
src: var-ossec-etc-ossec-server.conf.j2
dest: "{{ wazuh_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: restart wazuh-manager
tags:
- init
- config
- name: Ossec-authd password
template:
src: authd_pass.j2
dest: "{{ wazuh_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
no_log: true
notify: restart wazuh-manager
when:
- wazuh_manager_config.authd.use_password is defined
- wazuh_manager_config.authd.use_password == 'yes'
tags:
- config
- name: Create custom API user
block:
- name: Copy create_user script
copy:
src: create_user.py
dest: "{{ wazuh_dir }}/framework/scripts/create_user.py"
owner: root
group: wazuh
mode: 0644
- name: Create admin.json
template:
src: templates/admin.json.j2
dest: "{{ wazuh_dir }}/api/configuration/admin.json"
owner: wazuh
group: wazuh
mode: 0644
no_log: true
- name: Execute create_user script
script:
chdir: "{{ wazuh_dir }}/framework/scripts/"
cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}"
executable: "{{ wazuh_dir }}/framework/python/bin/python3"
with_items:
- "{{ wazuh_api_users }}"
- name: Delete create_user script
file:
path: "{{ wazuh_dir }}/framework/scripts/create_user.py"
state: absent
tags:
- config_api_users
when:
- wazuh_api_users is defined
- wazuh_manager_config.cluster.node_type == "master"
- name: Agentless Hosts & Passwd
template:
src: agentless.j2
dest: "{{ wazuh_dir }}/agentless/.passlist_tmp"
owner: root
group: root
mode: 0644
no_log: true
when: agentless_creds is defined
tags:
- config
- name: Encode the secret
shell: "/usr/bin/base64 {{ wazuh_dir }}/agentless/.passlist_tmp > {{ wazuh_dir }}/agentless/.passlist && rm {{ wazuh_dir }}/agentless/.passlist_tmp"
when: agentless_creds is defined
tags:
- config
- name: Ensure Wazuh Manager service is started and enabled.
service:
name: "wazuh-manager"
enabled: true
state: started
tags:
- config
- name: Create agent groups
command: "{{ wazuh_dir }}/bin/agent_groups -a -g {{ item }} -q"
with_items:
- "{{ agent_groups }}"
when:
- ( agent_groups is defined) and ( agent_groups|length > 0)
tags: molecule-idempotence-notest
- name: Run uninstall tasks
include_tasks: uninstall.yml


@ -0,0 +1,15 @@
---
- name: Debian/Ubuntu | Remove Wazuh repository.
apt_repository:
repo: "{{ wazuh_manager_config.repo.apt }}"
state: absent
changed_when: false
when: ansible_os_family == "Debian"
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false
when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon"
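Review bot: `changed_when: false` on both repository-removal tasks (lines 5555 and 5561) reports "ok" even when the repository file is actually deleted, so a run that removes the repo is indistinguishable from a no-op and check mode cannot show the pending removal; drop those two lines and let `apt_repository` / `yum_repository` report their own change state. If the override exists to keep molecule idempotence tests green, the manager tasks already show the better pattern with `tags: molecule-idempotence-notest` (line 5543), which skips the check without hiding the change.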


@ -0,0 +1,4 @@
{% for api in wazuh_api_users %}
{"username":"{{ api['username'] }}", "password": "{{ api['password'] }}"}
{% endfor %}
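Review bot: The username and password are spliced into JSON string literals without escaping on line 5568, so a value containing `"` or `\` yields malformed JSON or changes the document structure; rendering the values with the JSON filter avoids that: `{"username": {{ api['username'] | to_json }}, "password": {{ api['password'] | to_json }}}`. The output is one object per line rather than a JSON array, which is presumably what create_user.py reads, but that cannot be confirmed from here. The task that renders this file (lines 5490–5496) writes it with `mode: 0644`, so the API passwords are readable by every local account while the file exists, and the block removes create_user.py afterwards (lines 5505–5508) but not admin.json, so they persist on disk; `mode: 0640` and a matching `state: absent` step for admin.json would close both gaps.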


@ -0,0 +1,3 @@
{% for agentless in agentless_creds %}
{{ agentless.host }}|{{ agentless.passwd }}
{% endfor %}
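Review bot: The rendered format is `host|passwd` with no escaping on line 5575, so a password containing `|` or a newline silently corrupts the list; either state the restriction in the template (`{# passwd must not contain '|' or newline characters #}`) or fail the play before rendering when a value violates it. The plaintext list is written with `mode: 0644` by the task at lines 5515–5520 and the follow-up step on line 5526, named "Encode the secret", only base64-encodes it — base64 is an encoding, not a protection — so the file mode is the only control on these credentials; `mode: 0640` (owner `root`, group `wazuh`) would be more appropriate, assuming the agentless daemon runs under that group, which should be confirmed.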


@ -0,0 +1 @@
{{ authd_pass }}


@ -0,0 +1 @@
{{ item.content }}


@ -0,0 +1,12 @@
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
# This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your manager


@ -0,0 +1,681 @@
#jinja2: lstrip_blocks: True
<!--
Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<global>
<jsonout_output>{{ wazuh_manager_config.json_output }}</jsonout_output>
<alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>
<logall>{{ wazuh_manager_config.logall }}</logall>
<logall_json>{{ wazuh_manager_config.logall_json }}</logall_json>
<email_notification>{{ wazuh_manager_config.email_notification }}</email_notification>
{% for to in wazuh_manager_config.mail_to %}
<email_to>{{ to }}</email_to>
{% endfor %}
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
<agents_disconnection_time>{{ wazuh_manager_config.agents_disconnection_time }}</agents_disconnection_time>
<agents_disconnection_alert_time>{{ wazuh_manager_config.agents_disconnection_alert_time }}</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>{{ wazuh_manager_config.log_level }}</log_alert_level>
<email_alert_level>{{ wazuh_manager_config.email_level }}</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% if wazuh_manager_config.extra_emails is defined %}
{% for mail in wazuh_manager_config.extra_emails %}
{% if mail.enable == true %}
<email_alerts>
<email_to>{{ mail.mail_to }}</email_to>
{% if mail.format is not none %}
<format>{{ mail.format }}</format>
{% endif %}
{% if mail.level is not none %}
<level>{{ mail.level }}</level>
{% endif %}
{% if mail.event_location is not none %}
<event_location>{{ mail.event_location }}</event_location>
{% endif %}
{% if mail.group is not none %}
<group>{{ mail.group }}</group>
{% endif %}
{% if mail.do_not_delay is not none and mail.do_not_delay == true %}
<do_not_delay />
{% endif %}
{% if mail.do_not_group is not none and mail.do_not_group == true %}
<do_not_group />
{% endif %}
{% if mail.rule_id is not none %}
<rule_id>{{ mail.rule_id }}</rule_id>
{% endif %}
</email_alerts>
{% endif %}
{% endfor %}
{% endif %}
{% for connection in wazuh_manager_config.connection %}
<remote>
<connection>{{ connection.type }}</connection>
{% if connection.port is defined %}
<port>{{ connection.port }}</port>
{% endif %}
{% if connection.protocol is defined %}
<protocol>{{ connection.protocol }}</protocol>
{% endif %}
{% if connection.allowed_ips is defined %}
{% for allowed_ip in connection.allowed_ips %}
<allowed-ips>{{ allowed_ip }}</allowed-ips>
{% endfor %}
{% endif %}
{% if connection.denied_ips is defined %}
{% for denied_ip in connection.denied_ips %}
<denied-ips>{{ denied_ip }}</denied-ips>
{% endfor %}
{% endif %}
{% if connection.local_ip is defined %}
<local_ip>{{ connection.local_ip }}</local_ip>
{% endif %}
{% if connection.ipv6 is defined %}
<ipv6>{{ connection.ipv6 }}</ipv6>
{% endif %}
{% if connection.queue_size is defined %}
<queue_size>{{connection.queue_size}}</queue_size>
{% endif %}
</remote>
{% endfor %}
{% if wazuh_manager_config.reports is defined %}
{% for report in wazuh_manager_config.reports %}
{% if report.enable == true %}
<reports>
<category>{{ report.category }}</category>
<title>{{ report.title }}</title>
<email_to>{{ report.email_to }}</email_to>
{% if report.location is not none %}<location>{{ report.location }}</location>{% endif %}
{% if report.group is not none %}<group>{{ report.group }}</group>{% endif %}
{% if report.rule is not none %}<rule>{{ report.rule }}</rule>{% endif %}
{% if report.level is not none %}<level>{{ report.level }}</level>{% endif %}
{% if report.srcip is not none %}<srcip>{{ report.srcip }}</srcip>{% endif %}
{% if report.user is not none %}<user>{{ report.user }}</user>{% endif %}
{% if report.showlogs is not none %}<showlogs>{{ report.showlogs }}</showlogs>{% endif %}
</reports>
{% endif %}
{% endfor %}
{% endif %}
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>{{ wazuh_dir }}/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>{{ wazuh_dir }}/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_manager_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
<wodle name="cis-cat">
<disabled>{{ wazuh_manager_config.cis_cat.disable}}</disabled>
<timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_manager_config.cis_cat.install_java == 'yes' %}
<java_path>wodles/java</java_path>
{% else %}
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>{{ wazuh_manager_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_manager_config.osquery.run_daemon }}</run_daemon>
<log_path>{{ wazuh_manager_config.osquery.log_path }}</log_path>
<config_path>{{ wazuh_manager_config.osquery.config_path }}</config_path>
<add_labels>{{ wazuh_manager_config.osquery.ad_labels }}</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>{{ wazuh_manager_config.syscollector.disable }}</disabled>
<interval>{{ wazuh_manager_config.syscollector.interval }}</interval>
<scan_on_start>{{ wazuh_manager_config.syscollector.scan_on_start }}</scan_on_start>
<hardware>{{ wazuh_manager_config.syscollector.hardware }}</hardware>
<os>{{ wazuh_manager_config.syscollector.os }}</os>
<network>{{ wazuh_manager_config.syscollector.network }}</network>
<packages>{{ wazuh_manager_config.syscollector.packages }}</packages>
<ports all="no">{{ wazuh_manager_config.syscollector.ports_no }}</ports>
<processes>{{ wazuh_manager_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_manager_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_manager_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_manager_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_manager_config.sca.interval | length > 0 %}
<interval>{{ wazuh_manager_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_manager_config.sca.day | length > 0 %}
<day>{{ wazuh_manager_config.sca.day }}</day>
{% endif %}
{% if wazuh_manager_config.sca.wday | length > 0 %}
<wday>{{ wazuh_manager_config.sca.wday }}</wday>
{% endif %}
{% if wazuh_manager_config.sca.time | length > 0 %}
<time>{{ wazuh_manager_config.sca.time }}</time>
{% endif %}
</sca>
<vulnerability-detection>
<enabled>{{ wazuh_manager_config.vulnerability_detection.enabled }}</enabled>
<index-status>{{ wazuh_manager_config.vulnerability_detection.index_status }}</index-status>
<feed-update-interval>{{ wazuh_manager_config.vulnerability_detection.feed_update_interval }}</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>{% if wazuh_manager_config.vulnerability_detection.enabled == 'yes' or wazuh_manager_config.indexer.enabled == 'yes' %}yes{% else %}no{% endif %}</enabled>
<hosts>
{% for item in wazuh_manager_config.indexer.hosts %}
<host>https://{{ item }}:{{ filebeat_output_indexer_port }}</host>
{% endfor %}
</hosts>
<ssl>
<certificate_authorities>
<ca>{{ filebeat_ssl_dir }}/root-ca.pem</ca>
</certificate_authorities>
<certificate>{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem</certificate>
<key>{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_manager_config.syscheck.directories is defined %}
{% for directory in wazuh_manager_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_manager_config.syscheck.ignore is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_dev is defined %}
<skip_dev>{{ wazuh_manager_config.syscheck.skip_dev }}</skip_dev>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_proc is defined %}
<skip_proc>{{ wazuh_manager_config.syscheck.skip_proc }}</skip_proc>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_sys is defined %}
<skip_sys>{{ wazuh_manager_config.syscheck.skip_sys }}</skip_sys>
{% endif %}
<!-- Nice value for Syscheck module -->
<process_priority>{{ wazuh_manager_config.syscheck.process_priority }}</process_priority>
<!-- Maximum output throughput -->
<max_eps>{{ wazuh_manager_config.syscheck.max_eps }}</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>{{ wazuh_manager_config.syscheck.sync_enabled }}</enabled>
<interval>{{ wazuh_manager_config.syscheck.sync_interval }}</interval>
<max_interval>{{ wazuh_manager_config.syscheck.sync_max_interval }}</max_interval>
<max_eps>{{ wazuh_manager_config.syscheck.sync_max_eps }}</max_eps>
</synchronization>
</syscheck>
<global>
{% for white_list in wazuh_manager_config.globals %}
<white_list>{{ white_list }}</white_list>
{% endfor %}
</global>
{% for command in wazuh_manager_config.commands %}
<command>
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
{% if command.timeout_allowed is defined %}
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
{% endif %}
</command>
{% endfor %}
{% if agentless_creds is defined %}
{% for agentless in agentless_creds %}
<agentless>
<type>{{ agentless.type }}</type>
<frequency>{{ agentless.frequency }}</frequency>
<host>{{ agentless.host }}</host>
<state>{{ agentless.state }}</state>
{% if agentless.arguments is defined %}
<arguments>{{ agentless.arguments }}</arguments>
{% endif %}
</agentless>
{% endfor %}
{% endif -%}
{% if wazuh_manager_config.active_responses is defined %}
{% for response in wazuh_manager_config.active_responses %}
<active-response>
<disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
{%if response.command is defined %}<command>{{ response.command }}</command>{% endif %}
{%if response.location is defined %}<location>{{ response.location }}</location>{% endif %}
{%if response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %}
{%if response.level is defined %}<level>{{ response.level }}</level>{% endif %}
{%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %}
{%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %}
{%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %}
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
</active-response>
{% endfor %}
{% endif -%}
<!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_manager_config.localfiles.common %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_manager_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif -%}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_manager_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif -%}
{% if wazuh_manager_config.syslog_outputs is defined %}
{% for syslog_output in wazuh_manager_config.syslog_outputs %}
{% if syslog_output.server is not none %}
<syslog_output>
<server>{{ syslog_output.server }}</server>
<port>{{ syslog_output.port }}</port>
<format>{{ syslog_output.format }}</format>
</syslog_output>
{% endif %}
{% endfor %}
{% endif %}
{% if wazuh_manager_config.integrations is defined %}
{% for integration in wazuh_manager_config.integrations %}
{% if integration.name is not none %}
<!-- Integration with {{ integration.name }} -->
<integration>
<name>{{ integration.name }}</name>
{% if integration.hook_url is defined %}
<hook_url>{{ integration.hook_url }}</hook_url>
{% endif %}
{% if integration.api_key is defined %}
<api_key>{{ integration.api_key }}</api_key>
{% endif %}
{% if integration.alert_format is defined %}
<alert_format>{{ integration.alert_format }}</alert_format>
{% endif %}
{% if integration.alert_level is defined %}
<level>{{ integration.alert_level }}</level>
{% endif %}
{% if integration.rule_id is defined %}
<rule_id>{{ integration.rule_id }}</rule_id>
{% endif %}
</integration>
{% endif %}
{% endfor %}
{% endif %}
{% if monitor_aws is defined and monitor_aws.disabled == "no" %}
<!-- S3 -->
<wodle name="aws-s3">
<disabled>{{ monitor_aws.disabled }}</disabled>
<interval>{{ monitor_aws.interval }}</interval>
<run_on_start>{{ monitor_aws.run_on_start }}</run_on_start>
<skip_on_error>{{ monitor_aws.skip_on_error }}</skip_on_error>
{% for bucket in monitor_aws.s3 %}
<bucket type="{{ bucket.bucket_type }}">
<name>{{ bucket.name }}</name>
{% if bucket.path is defined %}
<path>{{ bucket.path }}</path>
{% endif %}
{% if bucket.only_logs_after is defined %}
<only_logs_after>{{ bucket.only_logs_after }}</only_logs_after>
{% endif %}
<access_key>{{ bucket.access_key }}</access_key>
<secret_key>{{ bucket.secret_key }}</secret_key>
</bucket>
{% endfor %}
</wodle>
{% endif %}
{% if wazuh_manager_config.labels.enable == true %}
<labels>
{% for label in wazuh_manager_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if wazuh_manager_config.ruleset.cdb_lists is defined %}
{% for list in wazuh_manager_config.ruleset.cdb_lists %}
<list>etc/lists/{{ list }}</list>
{% endfor %}
{% endif %}
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is not none %}
<port>{{wazuh_manager_config.authd.port}}</port>
{% else %}
<port>1515</port>
{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}
<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
{% endif %}
<force>
{% if wazuh_manager_config.authd.force.enabled is not none %}
<enabled>{{wazuh_manager_config.authd.force.enabled}}</enabled>
{% else %}
<enabledport>yes</enabled>
{% endif %}
{% if wazuh_manager_config.authd.force.key_mismatch is not none %}
<key_mismatch>{{wazuh_manager_config.authd.force.key_mismatch}}</key_mismatch>
{% else %}
<key_mismatch>yes</key_mismatch>
{% endif %}
{% if wazuh_manager_config.authd.force.disconnected_time is not none %}
<disconnected_time enabled="yes">{{wazuh_manager_config.authd.force.disconnected_time}}</disconnected_time>
{% else %}
<disconnected_time enabled="yes">1h</disconnected_time>
{% endif %}
{% if wazuh_manager_config.authd.force.after_registration_time is not none %}
<after_registration_time>{{wazuh_manager_config.authd.force.after_registration_time}}</after_registration_time>
{% else %}
<after_registration_time>1h</after_registration_time>
{% endif %}
</force>
{% if wazuh_manager_config.authd.purge is not none %}
<purge>{{wazuh_manager_config.authd.purge}}</purge>
{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}
<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
<ssl_manager_cert>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}
<ssl_manager_key>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
{% endif %}
</auth>
{% endif %}
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
{% if wazuh_manager_config.cluster.interval is defined %}
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
{% endif %}
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
</ossec_config>
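Review bot: Line 6173 emits a mismatched element, `<enabledport>yes</enabled>`, so whenever `authd.force.enabled` is none the rendered ossec.conf is not well-formed XML and the manager will reject it; it should read `<enabled>yes</enabled>`. The same class of defect is on lines 5981, 6017 and 6054 (and on line 6296 of the agent.conf template below), where `<only-future-events>` is closed with `</only_future_events>`; the closing tag must be `</only-future-events>`. Separately, this file is rendered with `mode: 0644` (line 5462) yet carries the cluster `<key>` (line 6222), integration `<api_key>` (line 6096) and AWS `<secret_key>` (line 6128), so those secrets are readable by every local account; `mode: 0640` with group `wazuh`, as already used for authd.pass on line 5473, would close that. The three identical `<localfile>` loops at lines 5966–6074 would also be easier to keep in sync as one Jinja macro called per OS family.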


@ -0,0 +1,106 @@
#jinja2: trim_blocks: False
{% if shared_agent_config is defined %}
{% for agent_config in shared_agent_config %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
{% if agent_config.syscheck is defined %}
<syscheck>
{% if agent_config.syscheck.auto_ignore is defined %}
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
{% endif %}
<frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if agent_config.syscheck.directories is defined %}
{% for directory in agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if agent_config.syscheck.ignore is defined %}
{% for ignore in agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% if agent_config.syscheck.no_diff is defined %}
{% for no_diff in agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% endif %}
{% if agent_config.syscheck.windows_registry is defined %}
{% for registry_key in agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
</syscheck>
{% endif %}
{% if agent_config.localfiles is defined %}
{% for localfile in agent_config.localfiles %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for item in localfile.labels %}
<label key="{{ item.key }}">{{ item.value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>{{ wazuh_dir }}/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% endif %}
</agent_config>
{% endfor %}
{% endif %}
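Review bot: Line 6296 closes `<only-future-events>` with `</only_future_events>`, which produces malformed XML in the shared agent.conf whenever `only_future_events` is set; it should be `</only-future-events>`. Lines 6304–6305 also iterate `localfile.labels` as a list of `{key, value}` items, while the manager template (lines 5989–5990) treats the same `labels` key as a dict via `.items()`, so one of the two renderings will fail depending on how `localfiles` is declared; pick one shape and document it in the role defaults, presumably the dict form since a label key is unique per localfile.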


@ -0,0 +1,25 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
-->
<decoder name="local_decoder_example">
<program_name>local_decoder_example</program_name>
</decoder>


@ -0,0 +1,19 @@
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2016, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>


@ -0,0 +1,8 @@
---
# agentless_creds:
# - type: ssh_integrity_check_linux
# frequency: 3600
# host: root@example.net
# state: periodic
# arguments: '/bin /etc/ /sbin'
# passwd: qwerty


@ -0,0 +1,2 @@
---
# authd_pass: foobar


@ -0,0 +1,4 @@
# Install cmake vars
cmake_version: 3.18.3
cmake_download_url: "http://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz"
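Review bot: `cmake_download_url` on the third line fetches the cmake tarball over plain `http://`, and no checksum variable accompanies it, so whatever task consumes this URL (not visible here) presumably builds and runs an unauthenticated archive pulled from the network. The same host is addressed over HTTPS in every `wazuh_repo` vars file in this commit, so the scheme change is trivial: `cmake_download_url: "https://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz"`. Consider adding a companion `cmake_download_checksum: "sha256:<CMAKE_TARBALL_SHA256_PLACEHOLDER>"` so the download task can pass it to `get_url`'s `checksum` option. `cmake_version: 3.18.3` is safe as a plain scalar (two dots), but quoting it guards against a future two-component value such as `3.20` being read as a float.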


@ -0,0 +1,2 @@
---
wazuh_version: 4.9.1


@ -0,0 +1,6 @@
yum/wazuh-manager-VERSION-1.x86_64.rpm
apt/pool/main/w/wazuh-manager/wazuh-manager_VERSION-1_amd64.deb
yum/wazuh-dashboard-VERSION-1.x86_64.rpm
yum/wazuh-indexer-VERSION-1.x86_64.rpm
apt/pool/main/w/wazuh-agent/wazuh-agent_VERSION-1_amd64.deb
yum/wazuh-agent-VERSION-1.x86_64.rpm


@ -0,0 +1,80 @@
#!/bin/bash
VERSION=$1
#echo $VERSION
## Replace VERSION with $VERSION in packages_uri.txt and save it as packages_uri_new.txt
sed 's,VERSION,'$VERSION',g' ../files/packages_uri.txt > ../files/packages_uri_new.txt
checkPackages(){
## Set S3 Bucket URL
if [ $1 == "production" ]; then
echo "production"
PACKAGES_URL=https://packages.wazuh.com/4.x/
elif [ $1 == "pre-release" ]; then
echo "pre-release"
PACKAGES_URL=https://packages-dev.wazuh.com/pre-release/
elif [ $1 == "staging" ]; then
echo "staging"
PACKAGES_URL=https://packages-dev.wazuh.com/staging/
CHECK_WIN_PACKAGE=$(grep windows ../files/packages_uri_new.txt)
echo $CHECK_WIN_PACKAGE
if [ -n "$CHECK_WIN_PACKAGE" ]; then
WIN_AGENT_NAME=$(aws s3 ls s3://packages-dev.wazuh.com/staging/windows/wazuh-agent-$VERSION --region=us-west-1 | tail -1 | awk '{printf $4}')
if [ -z $WIN_AGENT_NAME ]; then
echo "Windows agent package for version " $VERSION " does not exist in the staging repository"
exit 1
fi
WIN_AGENT_URI="windows/"$WIN_AGENT_NAME
echo $PACKAGES_URL$WIN_AGENT_URI "check"
sed -i 's,windows/.*,'$WIN_AGENT_URI',g' ../files/packages_uri_new.txt
sed -i 's,wazuh_winagent_config_url.*,wazuh_winagent_config_url: \"'$PACKAGES_URL$WIN_AGENT_URI'\",g' ../../vars/repo_staging.yml
sed -i 's,wazuh_winagent_package_name.*,wazuh_winagent_package_name: \"'$WIN_AGENT_NAME'\",g' ../../vars/repo_staging.yml
fi
fi
## Set EXISTS to 0 (true)
EXISTS=0
## Loop through the packages_uri_new.txt file
while IFS= read -r URI
do
echo "$URI"
## Check if the package exists
PACKAGE=$(curl --silent -I $PACKAGES_URL$URI | grep -E "^HTTP" | awk '{print $2}')
## If it does not exist set EXISTS to 1 (false)
if [ "$PACKAGE" != "200" ]; then
EXISTS=1
#echo $PACKAGES_URL$URI "does not exist"
return $EXISTS
fi
done < ../files/packages_uri_new.txt
return $EXISTS
}
replaceVars(){
sed -i "s|packages_repository:.*|packages_repository: $1|g" ../../vars/repo_vars.yml
}
## Call the checkPackages function for each repository
if checkPackages "production"; then
echo "production"
replaceVars "production"
exit 0
elif checkPackages "pre-release"; then
echo "pre-release"
replaceVars "pre-release"
exit 0
elif checkPackages "production"; then
echo "production"
replaceVars "production"
exit 0
elif checkPackages "staging"; then
echo "staging"
replaceVars "staging"
exit 0
else
echo "Failed"
exit 1
fi
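Review bot: The `elif checkPackages "production"` branch in the third position of the final chain is unreachable, because the first branch already tested `production`; drop it. More importantly the chain falls through silently from the production repository to `pre-release` and then `staging` (both on packages-dev.wazuh.com), so a mistyped or not-yet-published `wazuh_version` makes the playbook install development packages with nothing but an echoed word to show for it; consider failing after the production check unless the caller explicitly opts into the dev repositories (for example a constructed `ALLOW_DEV_REPOS` environment variable guarding the two remaining `elif`s). The script also has no `set -euo pipefail`, and `$VERSION` and `$1` are expanded unquoted in the `sed` and `[ $1 == ... ]` lines, so an empty first argument turns the substitution into `s,VERSION,,g` and the test into a syntax error; quote them as `"$VERSION"` and `"$1"`. In the staging branch the `sed -i` calls rewrite `../../vars/repo_staging.yml` in place, mutating a tracked vars file as a side effect of what reads like a check — that deserves a comment, since a reader of the calling task will not expect it.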


@ -0,0 +1,11 @@
---
- name: Check packages
shell: |
./check_packages.sh {{ wazuh_version }}
args:
warn: false
executable: /bin/bash
chdir: "{{ role_path }}/scripts/"
delegate_to: localhost
become: no
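Review bot: `warn: false` under `args` was removed from the `shell` module in recent ansible-core releases (2.14 onward, if I recall correctly), so this task fails with an unsupported-parameter error there, and on versions that still accept it the option does nothing; delete the line. `{{ wazuh_version }}` is interpolated into the command line unquoted — `./check_packages.sh {{ wazuh_version | quote }}` keeps a value containing spaces or shell metacharacters as a single argument. The script rewrites vars files under the role, so this is never a read-only check; a comment such as `# Writes the selected repository to vars/repo_vars.yml` above the task would make that visible to the next reader. `become: no` is better written `become: false` per yamllint's truthy rule.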

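--- a/roles/wazuh/vars/repo.yml
+++ b/roles/wazuh/vars/repo.yml
@@ -0,0 +1,20 @@
+wazuh_repo:
+keyring_path: '/usr/share/keyrings/wazuh.gpg'
+apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main'
+yum: 'https://packages.wazuh.com/4.x/yum/'
+gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+path: '/tmp/WAZUH-GPG-KEY'
+wazuh_winagent_config_url: "https://packages.wazuh.com/4.x/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
+filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
+wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
+wazuh_macos_intel_package_url: "https://packages.wazuh.com/4.x/macos/{{ wazuh_macos_intel_package_name }}"
+wazuh_macos_arm_package_url: "https://packages.wazuh.com/4.x/macos/{{ wazuh_macos_arm_package_name }}"
+certs_gen_tool_version: 4.9
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"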
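Review bot: `certs_gen_tool_version: 4.9` is an unquoted float, so a future value such as `4.10` would be parsed as `4.1` and the `certs_gen_tool_url` built from it on the last line would point at the wrong directory; write it `certs_gen_tool_version: "4.9"`. The same line appears in the pre-release and staging variants of this file in this commit (the two sections that follow), which need the same fix. `filebeat_module_package_url` is the only URL in the file left unquoted; quoting it keeps the file consistent with its other entries.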


@ -0,0 +1,20 @@
wazuh_repo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/pre-release/{{ wazuh_macos_intel_package_name }}"
wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_arm_package_name }}"
certs_gen_tool_version: 4.9
# Url of certificates generator tool
certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
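Review bot: `wazuh_macos_intel_package_url` is missing the `macos/` path segment that its ARM counterpart on the next line, and both the production and staging variants of this file in this commit, include; as written it resolves to `https://packages-dev.wazuh.com/pre-release/wazuh-agent-...-1.intel64.pkg`, which presumably fails to download. Change it to `wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_intel_package_name }}"`.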


@ -0,0 +1,21 @@
wazuh_repo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/staging/apt/ unstable main'
yum: 'https://packages-dev.wazuh.com/staging/yum/'
gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/staging/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
check_sha512: False
filebeat_module_package_url: https://packages-dev.wazuh.com/staging/filebeat
wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_intel_package_name }}"
wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_arm_package_name }}"
certs_gen_tool_version: 4.9
# Url of certificates generator tool
certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
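Review bot: `check_sha512: False` turns off SHA-512 verification of the Windows agent MSI for the staging repository, while `wazuh_winagent_sha512_url` two lines above it still points at a checksum file; if staging builds publish that checksum the override is unnecessary, and if they do not, a comment such as `# Staging builds publish no .sha512 file; integrity is not verified for this repo` would stop someone copying the line into the production vars. Either way write it `check_sha512: false` (lowercase), matching the other booleans in this commit and yamllint's truthy rule. Whatever consumes `check_sha512` is not visible on this page, so I am assuming it gates the checksum download step — confirm.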


@ -0,0 +1 @@
packages_repository: production


@ -0,0 +1,31 @@
---
# Dashboard configuration
indexer_http_port: 9200
indexer_api_protocol: https
dashboard_conf_path: /etc/wazuh-dashboard/
dashboard_node_name: node-1
dashboard_server_host: "0.0.0.0"
dashboard_server_port: "443"
dashboard_server_name: "dashboard"
wazuh_version: 4.9.1
indexer_cluster_nodes:
- 127.0.0.1
# The Wazuh dashboard package repository
dashboard_version: "4.9.1"
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://127.0.0.1"
port: 55000
username: "wazuh"
password: "wazuh"
# Dashboard Security
dashboard_security: true
indexer_admin_password: changeme
dashboard_user: kibanaserver
dashboard_password: changeme
local_certs_path: "{{ playbook_dir }}/indexer/certificates"
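Review bot: The defaults ship with well-known credentials — `indexer_admin_password: changeme`, `dashboard_password: changeme`, and the `wazuh`/`wazuh` pair inside `wazuh_api_credentials` — and nothing in this role's tasks refuses to run when they are left unchanged, so a deployment that forgets to override them ends up listening on `0.0.0.0:443` with those values live. A guard at the start of the tasks, e.g. an `assert` task with `that: indexer_admin_password != 'changeme'` plus the equivalent checks for the other two, turns that into a failed play instead of a running instance. The indexer defaults later in this commit carry the same two `changeme` values, so the assertion belongs wherever both roles can share it. A comment on `wazuh_api_credentials` pointing at `ansible-vault` for the real value would also help, since this is a committed file.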


@ -0,0 +1,3 @@
---
- name: restart wazuh-dashboard
service: name=wazuh-dashboard state=restarted


@ -0,0 +1,34 @@
---
- block:
- include_vars: debian.yml
- name: Download apt repository signing key
get_url:
url: "{{ wazuh_repo.gpg }}"
dest: "{{ wazuh_repo.path }}"
- name: Import Wazuh repository GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}"
args:
creates: "{{ wazuh_repo.keyring_path }}"
- name: Set permissions for Wazuh repository GPG key
file:
path: "{{ wazuh_repo.keyring_path }}"
mode: '0644'
- name: Debian systems | Add Wazuh dashboard repo
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: present
update_cache: yes
- name: Install Wazuh dashboard
apt:
name: "wazuh-dashboard={{ dashboard_version }}-*"
state: present
update_cache: yes
register: install
tags:
- install
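Review bot: The repository signing key is downloaded by `get_url` without a `checksum`, then imported and handed to apt through `signed-by=` in `wazuh_repo.apt`, so the trust anchor for every later package install is whatever the HTTPS endpoint served at that moment. Pinning it is one line on the `get_url` task, `checksum: "sha256:<WAZUH_GPG_KEY_SHA256_PLACEHOLDER>"` (the real digest is not on this page), or alternatively a task comparing the imported fingerprint after the `gpg --import` step. The indexer's `Debian.yml` in this commit repeats the same three tasks and should get the same pin. `update_cache: yes` on the two apt tasks should be `true`.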


@ -0,0 +1,6 @@
---
- name: Remove Wazuh dashboard repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false
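Review bot: Removing the yum repository right after the install (this file is imported at the end of this role's `main.yml` in the same commit) means a later `yum update` on the host will not see dashboard package updates, and `changed_when: false` hides that a repo file was actually deleted. If the intent is to avoid unattended upgrades, a comment above the task, e.g. `# Repo is removed post-install so wazuh-dashboard is only upgraded by re-running this role`, makes that deliberate; otherwise `enabled: false` on the `yum_repository` definition is the more conventional way to block updates while keeping the GPG configuration in place.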


@ -0,0 +1,20 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo
yum_repository:
name: wazuh_repo
description: Wazuh yum repository
baseurl: "{{ wazuh_repo.yum }}"
gpgkey: "{{ wazuh_repo.gpg }}"
gpgcheck: true
- name: Install Wazuh dashboard
package:
name: "wazuh-dashboard-{{ dashboard_version }}"
state: present
update_cache: yes
register: install
tags:
- install


@ -0,0 +1,99 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Remove Dashboard configuration file
file:
# noqa 503
path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
state: absent
tags: install
- import_tasks: security_actions.yml
- name: Copy Configuration File
template:
src: "templates/opensearch_dashboards.yml.j2"
dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
group: wazuh-dashboard
owner: wazuh-dashboard
mode: 0640
force: yes
notify: restart wazuh-dashboard
tags:
- install
- configure
- name: Ensuring Wazuh dashboard directory owner
file:
# noqa 208
path: "/usr/share/wazuh-dashboard"
state: directory
owner: wazuh-dashboard
group: wazuh-dashboard
recurse: yes
- name: Wait for Wazuh-Indexer port
wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }}
- name: Select correct API protocol
set_fact:
indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh"
method: DELETE
user: "admin"
password: "{{ indexer_admin_password }}"
validate_certs: no
status_code: 200, 404
- name: Create Wazuh Plugin config directory
file:
path: /usr/share/wazuh-dashboard/data/wazuh/config/
state: directory
recurse: yes
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0751
changed_when: False
- name: Configure Wazuh Dashboard Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0751
changed_when: False
- name: Configure opensearch.password in opensearch_dashboards.keystore
shell: >-
echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
args:
executable: /bin/bash
become: yes
- name: Ensure Wazuh dashboard started and enabled
service:
name: wazuh-dashboard
enabled: true
state: started
- import_tasks: RMRedHat.yml
when: ansible_os_family == 'RedHat'
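Review bot: The `uri` task that deletes the legacy `.wazuh` index sends the `admin` password with `validate_certs: no`, so the credential goes to whatever answers on `indexer_network_host:indexer_http_port`; the role already places `root-ca.pem` under `/etc/wazuh-dashboard/certs/` in `security_actions.yml`, so this can be `validate_certs: true` with `ca_path: /etc/wazuh-dashboard/certs/root-ca.pem`, provided the indexer certificate's SAN covers the address used in the URL. The keystore task echoes `{{ dashboard_password }}` inside a `shell` command string, which shows up in verbose output and in the task result on failure; add `no_log: true` to it and use `echo {{ dashboard_password | quote }}` so a password containing a single quote does not break the command. Both `mode: 0751` values are read as octal only by YAML 1.1 parsers and give a config file that holds API passwords an execute bit it does not need; `mode: "0640"` for `wazuh.yml`, matching the `opensearch_dashboards.yml` task above, and `"0750"` for its directory. The `Configure Wazuh Dashboard Plugin` template task has `changed_when: False` and no `notify`, so a changed API credential never restarts the service — at minimum drop the `changed_when`.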


@ -0,0 +1,23 @@
- block:
- name: Ensure Dashboard certificates directory permissions.
file:
path: "/etc/wazuh-dashboard/certs/"
state: directory
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 500
- name: Copy the certificates from local to the Wazuh dashboard instance
copy:
src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
dest: /etc/wazuh-dashboard/certs/
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0400
with_items:
- "root-ca.pem"
- "{{ dashboard_node_name }}-key.pem"
- "{{ dashboard_node_name }}.pem"
tags:
- security
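Review bot: `mode: 500` on the certificates directory is a plain YAML integer, and Ansible treats a bare integer mode as decimal, so the directory ends up 0764 (group-writable, world-readable) rather than the intended 0500; write it `mode: "0500"`. The `mode: 0400` on the copy task only works because a YAML 1.1 parser treats the leading zero as octal, so quote that one as well, `mode: "0400"`. This directory holds the dashboard's private key, so the difference matters. `with_items` could be `loop` for current style, and the block is not guarded by `dashboard_security`, so certificates are copied even when security is disabled — confirm that is intended.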


@ -0,0 +1,15 @@
server.host: {{ dashboard_server_host }}
server.port: {{ dashboard_server_port }}
opensearch.hosts:
{% for item in indexer_cluster_nodes %}
- https://{{ item }}:{{ indexer_http_port }}
{% endfor %}
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
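Review bot: `server.host: {{ dashboard_server_host }}` and `server.port: {{ dashboard_server_port }}` render the Jinja values unquoted, so what the dashboard reads depends on how the expanded text parses (an empty value becomes `null`, a boolean-looking host name flips to a boolean); quote both, `server.host: "{{ dashboard_server_host }}"` and `server.port: "{{ dashboard_server_port }}"`, as the certificate paths further down already are. `opensearch.ssl.verificationMode: certificate` validates the indexer's chain but not its hostname; if the generated indexer certificates carry the names or IPs listed in `indexer_cluster_nodes`, `full` is the stricter setting — verify against the certificates before changing it. The file has no `---` document start, which yamllint flags.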


@ -0,0 +1,134 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2016, Wazuh Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-dashboard-plugins
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-4.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-4.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-4.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-4.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
username: {{ api['username'] }}
password: "{{ api['password'] }}"
{% endfor %}
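Review bot: `password: "{{ api['password'] }}"` is only safe while the password contains no `"` or `\`; `password: {{ api['password'] | to_json }}` emits a correctly escaped double-quoted scalar for any value. The `url`, `username` and `port` lines render unquoted and should get the same treatment, since an empty value there becomes `null`. The comment block just above `hosts:` still documents the key as `user:` while the rendered entry writes `username:`; align the comment with whichever key the plugin version in use expects (the templated code suggests `username`). The file lacks a `---` document start despite the `#` header implying it is a YAML file.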


@ -0,0 +1,2 @@
---
dashboard_version: 4.9.1


@ -0,0 +1,50 @@
---
# Cluster Settings
indexer_version: 4.9.1
single_node: false
indexer_node_name: node-1
indexer_cluster_name: wazuh
indexer_network_host: '0.0.0.0'
indexer_node_master: true
indexer_node_data: true
indexer_node_ingest: true
indexer_start_timeout: 90
indexer_cluster_nodes:
- 127.0.0.1
indexer_discovery_nodes:
- 127.0.0.1
local_certs_path: "{{ playbook_dir }}/indexer/certificates"
# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster
minimum_master_nodes: 2
# Configure hostnames for Wazuh indexer nodes
# Example es1.example.com, es2.example.com
domain_name: wazuh.com
indexer_sec_plugin_conf_path: /etc/wazuh-indexer/opensearch-security
indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools
indexer_conf_path: /etc/wazuh-indexer
indexer_index_path: /var/lib/wazuh-indexer/
# Security password
indexer_custom_user: ""
indexer_custom_user_role: "admin"
# Set JVM memory limits
indexer_jvm_xms: null
indexer_http_port: 9200
indexer_admin_password: changeme
dashboard_password: changeme
# Deployment settings
generate_certs: true
perform_installation: true
indexer_nolog_sensible: true


@ -0,0 +1,5 @@
---
- name: restart wazuh-indexer
service:
name: wazuh-indexer
state: restarted


@ -0,0 +1,24 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Wazuh indexer.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- web
- system
- monitoring


@ -0,0 +1,48 @@
---
- name: Update cache
apt:
update_cache: yes
- name: Debian 9 (Stretch)
when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9")
block:
- name: Install Wazuh indexer dependencies
apt:
name: [
'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common
]
state: present
- name: Add Wazuh indexer repository
block:
- name: Add apt repository signing key
get_url:
url: "{{ wazuh_repo.gpg }}"
dest: "{{ wazuh_repo.path }}"
- name: Import Wazuh repository GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}"
args:
creates: "{{ wazuh_repo.keyring_path }}"
- name: Set permissions for Wazuh repository GPG key
file:
path: "{{ wazuh_repo.keyring_path }}"
mode: '0644'
- name: Add Wazuh indexer repository
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: present
filename: 'wazuh-indexer'
update_cache: yes
- name: Install Wazuh indexer
apt:
name: wazuh-indexer={{ indexer_version }}-1
state: present
register: install
tags: install
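Review bot: The dependencies task sits under a `when` that matches Debian 9 only, and because the rendered page has lost the indentation I cannot tell whether the `Add Wazuh indexer repository` block and the `Install Wazuh indexer` task that follow are inside that `block:` or siblings of it; if they are inside, nothing is installed on newer Debian/Ubuntu releases, so this is worth verifying in the source file. `software-properties-common` in the flow sequence of the dependency task is the only unquoted element; quote it for consistency. `update_cache: yes` on the `apt` and `apt_repository` tasks should be `true`. The signing-key tasks have the same missing `checksum` noted on the dashboard's `Debian.yml` in this commit.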
