wazuh/wazuh-ansible
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-ansible.git synced 2025-12-10 00:38:17 -06:00
Code Issues Packages Projects Releases 105 Wiki Activity

Adapt basic 5.0.0 directory structure and files to new 6.0.0 organization

Browse Source
This commit is contained in:
Jesus Garcia 2025-10-23 11:57:26 -05:00
parent c19f4d8191
commit 77cc6b654b
No known key found for this signature in database
GPG Key ID: 8461CA78326C96C9
103 changed files with 18 additions and 6580 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.ansible-lint
View File

@ -1,15 +1,13 @@
---
use_default_rules: true
parseable: true
quiet: true
verbosity: 1
# .ansible-lint
# State that naming for now should be a warning
# 106: ansible role name does not conform to pattern [a-z][a-z0-9_]+$
warn_list:
- '106'
profile: production
use_default_rules: true
# This is for false positives
# 504: Do not use 'local_action', use 'delegate_to: localhost'
skip_list:
- '504'
- '504'
- 'ignore-errors'
- 'role-name'
- 'var-naming'

18
.gitignore vendored
View File

@ -1,14 +1,4 @@
*.retry
wazuh-agent.yml
wazuh-elastic_stack-distributed.yml
wazuh-elastic_stack-single.yml
wazuh-elastic.yml
wazuh-kibana.yml
wazuh-manager.yml
*.pyc
.mypy_cache
Pipfile.lock
*.swp
molecule/**/es_certs/
molecule/**/opendistro/
repository_bumper_*.log
roles/vars/artifacts_urls.yml
deployment-config-files/
*.pem
*.ini

428
README.md
View File

@ -34,434 +34,6 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb
- [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html)
- [Full documentation](http://documentation.wazuh.com)
## Directory structure
├── wazuh-ansible
│ ├── roles
│ │ ├── wazuh
│ │ │ ├── ansible-filebeat-oss
│ │ │ ├── ansible-wazuh-manager
│ │ │ ├── ansible-wazuh-agent
│ │ │ ├── wazuh-dashboard
│ │ │ ├── wazuh-indexer
│ │
│ │ ├── ansible-galaxy
│ │ │ ├── meta
│ ├── playbooks
│ │ ├── wazuh-agent.yml
│ │ ├── wazuh-dashboard.yml
│ │ ├── wazuh-indexer.yml
│ │ ├── wazuh-manager-oss.yml
| | ├── wazuh-production-ready
│ │ ├── wazuh-single.yml
│ ├── README.md
│ ├── VERSION.json
│ ├── CHANGELOG.md
## Example: production-ready distributed environment
### Playbook
The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh indexer nodes, and a Wazuh dashboard node.
```yaml
---
# Certificates generation
- hosts: wi1
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
perform_installation: false
become: no
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
tags:
- generate-certs
# Wazuh indexer cluster
- hosts: wi_cluster
strategy: free
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
become: yes
become_user: root
vars:
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
# Wazuh cluster
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
become: yes
become_user: root
vars:
filebeat_node_name: node-4
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
- hosts: worker
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
become: yes
become_user: root
vars:
filebeat_node_name: node-5
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
# Wazuh dashboard node
- hosts: dashboard
roles:
- role: "../roles/wazuh/wazuh-dashboard"
become: yes
become_user: root
vars:
indexer_network_host: "{{ hostvars.wi1.private_ip }}"
dashboard_node_name: node-6
wazuh_api_credentials:
- id: default
url: https://{{ hostvars.manager.private_ip }}
port: 55000
username: custom-user
password: SecretPassword1!
ansible_shell_allow_world_readable_temp: true
```
### Inventory file
- The `ansible_host` variable should contain the `address/FQDN` used to gather facts and provision each node.
- The `private_ip` variable should contain the `address/FQDN` used for the internal cluster communications.
- Whether the environment is located in a local subnet, `ansible_host` and `private_ip` variables should match.
- The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook.
```ini
wi1 ansible_host=<wi1_ec2_public_ip> private_ip=<wi1_ec2_private_ip> indexer_node_name=node-1
wi2 ansible_host=<wi2_ec2_public_ip> private_ip=<wi2_ec2_private_ip> indexer_node_name=node-2
wi3 ansible_host=<wi3_ec2_public_ip> private_ip=<wi3_ec2_private_ip> indexer_node_name=node-3
dashboard ansible_host=<dashboard_node_public_ip> private_ip=<dashboard_ec2_private_ip>
manager ansible_host=<manager_node_public_ip> private_ip=<manager_ec2_private_ip>
worker ansible_host=<worker_node_public_ip> private_ip=<worker_ec2_private_ip>
[wi_cluster]
wi1
wi2
wi3
[all:vars]
ansible_ssh_user=vagrant
ansible_ssh_private_key_file=/path/to/ssh/key.pem
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
```
### Launching the playbook
```bash
sudo ansible-playbook wazuh-production-ready.yml -i inventory
```
After the playbook execution, the Wazuh UI should be reachable through `https://<dashboard_host>`
## Example: single-host environment
### Playbook
The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and Opensearch components in a single node.
```yaml
---
# Certificates generation
- hosts: aio
roles:
- role: ../roles/wazuh/wazuh-indexer
perform_installation: false
become: no
#become_user: root
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
tags:
- generate-certs
# Single node
- hosts: aio
become: yes
become_user: root
roles:
- role: ../roles/wazuh/wazuh-indexer
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
- role: ../roles/wazuh/wazuh-dashboard
vars:
single_node: true
minimum_master_nodes: 1
indexer_node_master: true
indexer_network_host: 127.0.0.1
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- 127.0.0.1
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
ansible_shell_allow_world_readable_temp: true
```
### Inventory file
```ini
[aio]
<your server host>
[all:vars]
ansible_ssh_user=vagrant
ansible_ssh_private_key_file=/path/to/ssh/key.pem
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
```
### Launching the playbook
```bash
sudo ansible-playbook wazuh-single.yml -i inventory
```
After the playbook execution, the Wazuh UI should be reachable through `https://<your server host>`
## Example: Wazuh server cluster (without Filebeat)
### Playbook
The hereunder example playbook uses the `wazuh-ansible` role to provision a Wazuh server cluster without Filebeat. This architecture includes 2 Wazuh servers distributed in two different nodes.
```yaml
---
# Wazuh cluster without Filebeat
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
- hosts: worker01
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
```
### Inventory file
```ini
[manager]
<your manager master server host>
[worker01]
<your manager worker01 server host>
[all:vars]
ansible_ssh_user=vagrant
ansible_ssh_private_key_file=/path/to/ssh/key.pem
ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
```
### Adding additional workers
Add the following block at the end of the playbook
```yaml
- hosts: worker02
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_02'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
```
NOTE: `hosts` and `wazuh_manager_config.cluster_node_name` are the only parameters that differ from the `worker01` configuration.
Add the following lines to the inventory file:
```ini
[worker02]
<your manager worker02 server host>
```
### Launching the playbook
```bash
sudo ansible-playbook wazuh-manager-oss-cluster.yml -i inventory
```
## Contribute
If you want to contribute to our repository, please fork our Github repository and submit a pull request.

1
docs/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
book

2
playbooks/ansible.cfg
View File

@ -1,2 +0,0 @@
[defaults]
hash_behaviour=merge

16
playbooks/wazuh-agent.yml
View File

@ -1,16 +0,0 @@
---
- hosts: <your wazuh agents hosts>
become: yes
become_user: root
roles:
- ../roles/wazuh/ansible-wazuh-agent
vars:
wazuh_managers:
- address: <your manager IP>
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'https'
api_user: wazuh
max_retries: 5
retry_interval: 5

6
playbooks/wazuh-dashboard.yml
View File

@ -1,6 +0,0 @@
---
- hosts: wi1
roles:
- role: ../roles/wazuh/wazuh-dashboard
vars:
ansible_shell_allow_world_readable_temp: true

20
playbooks/wazuh-indexer.yml
View File

@ -1,20 +0,0 @@
---
- hosts: wi_cluster
roles:
- role: ../roles/wazuh/wazuh-indexer
vars:
instances: # A certificate will be generated for every node using the name as CN.
node1:
name: node-1
ip: <node-1 IP>
role: indexer
node2:
name: node-2
ip: <node-2 IP>
role: indexer
node3:
name: node-3
ip: <node-3 IP>
role: indexer

50
playbooks/wazuh-manager-oss-cluster.yml
View File

@ -1,50 +0,0 @@
---
# Wazuh cluster without Filebeat
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
- hosts: worker01
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
become: yes
become_user: root
vars:
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'

9
playbooks/wazuh-manager-oss.yml
View File

@ -1,9 +0,0 @@
---
- hosts: managers
roles:
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
filebeat_output_indexer_hosts:
- "<indexer-node-1>:9200"
- "<indexer-node-2>:9200"
- "<indexer-node-2>:9200"

176
playbooks/wazuh-production-ready.yml
View File

@ -1,176 +0,0 @@
---
# Certificates generation
- hosts: wi1
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
perform_installation: false
become: no
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
tags:
- generate-certs
# Wazuh indexer cluster
- hosts: wi_cluster
strategy: free
roles:
- role: ../roles/wazuh/wazuh-indexer
indexer_network_host: "{{ private_ip }}"
become: yes
become_user: root
vars:
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_discovery_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert.
role: indexer
node2:
name: node-2
ip: "{{ hostvars.wi2.private_ip }}"
role: indexer
node3:
name: node-3
ip: "{{ hostvars.wi3.private_ip }}"
role: indexer
node4:
name: node-4
ip: "{{ hostvars.manager.private_ip }}"
role: wazuh
node_type: master
node5:
name: node-5
ip: "{{ hostvars.worker.private_ip }}"
role: wazuh
node_type: worker
node6:
name: node-6
ip: "{{ hostvars.dashboard.private_ip }}"
role: dashboard
# Wazuh cluster
- hosts: manager
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
become: yes
become_user: root
vars:
filebeat_node_name: node-4
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'master'
node_type: 'master'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
wazuh_api_users:
- username: custom-user
password: SecretPassword1!
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
- hosts: worker
roles:
- role: "../roles/wazuh/ansible-wazuh-manager"
- role: "../roles/wazuh/ansible-filebeat-oss"
become: yes
become_user: root
vars:
filebeat_node_name: node-5
wazuh_manager_config:
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
api:
https: 'yes'
cluster:
disable: 'no'
node_name: 'worker_01'
node_type: 'worker'
key: 'c98b62a9b6169ac5f67dae55ae4a9088'
nodes:
- "{{ hostvars.manager.private_ip }}"
hidden: 'no'
filebeat_output_indexer_hosts:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
# Wazuh dashboard node
- hosts: dashboard
roles:
- role: "../roles/wazuh/wazuh-dashboard"
become: yes
become_user: root
vars:
indexer_network_host: "{{ hostvars.wi1.private_ip }}"
indexer_cluster_nodes:
- "{{ hostvars.wi1.private_ip }}"
- "{{ hostvars.wi2.private_ip }}"
- "{{ hostvars.wi3.private_ip }}"
dashboard_node_name: node-6
wazuh_api_credentials:
- id: default
url: https://{{ hostvars.manager.private_ip }}
port: 55000
username: custom-user
password: SecretPassword1!
ansible_shell_allow_world_readable_temp: true

40
playbooks/wazuh-single.yml
View File

@ -1,40 +0,0 @@
---
# Certificates generation
- hosts: aio
roles:
- role: ../roles/wazuh/wazuh-indexer
perform_installation: false
become: no
#become_user: root
vars:
indexer_node_master: true
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
tags:
- generate-certs
# Single node
- hosts: aio
become: yes
become_user: root
roles:
- role: ../roles/wazuh/wazuh-indexer
- role: ../roles/wazuh/ansible-wazuh-manager
- role: ../roles/wazuh/ansible-filebeat-oss
- role: ../roles/wazuh/wazuh-dashboard
vars:
single_node: true
minimum_master_nodes: 1
indexer_node_master: true
indexer_network_host: 127.0.0.1
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- 127.0.0.1
instances:
node1:
name: node-1 # Important: must be equal to indexer_node_name.
ip: 127.0.0.1
role: indexer
ansible_shell_allow_world_readable_temp: true

6
requirements.yml Normal file
View File

@ -0,0 +1,6 @@
---
collections:
- name: community.general
- name: community.docker
- name: ansible.windows
- name: community.windows

49
roles/elastic-stack/ansible-kibana/defaults/main.yml
View File

@ -1,49 +0,0 @@
---
kibana_node_name: node-1
elasticsearch_http_port: "9200"
elasticsearch_network_host: "127.0.0.1"
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_conf_path: /etc/kibana
elastic_stack_version: 7.10.2
wazuh_version: 5.0.0
wazuh_app_url: https://packages.wazuh.com/5.x/ui/kibana/wazuh_kibana
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://localhost"
port: 55000
username: "wazuh"
password: "wazuh"
# Xpack Security
kibana_xpack_security: false
kibana_ssl_verification_mode: "full"
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_destination: /etc/kibana/certs
# CA Generation
master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

57
roles/opendistro/opendistro-kibana/defaults/main.yml
View File

@ -1,57 +0,0 @@
---
# Kibana configuration
elasticsearch_http_port: 9200
elastic_api_protocol: https
kibana_conf_path: /etc/kibana
kibana_node_name: node-1
kibana_server_host: "0.0.0.0"
kibana_server_port: "5601"
kibana_server_name: "kibana"
kibana_max_payload_bytes: 1048576
elastic_stack_version: 7.10.2
wazuh_version: 4.4.1
wazuh_app_url: https://packages.wazuh.com/5.x/ui/kibana/wazuh_kibana
# The OpenDistro package repository
kibana_opendistro_version: 1.13.2-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts
package_repos:
yum:
opendistro:
baseurl: 'https://packages.wazuh.com/5.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
apt:
opendistro:
baseurl: 'deb https://packages.wazuh.com/5.x/apt/ stable main'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://localhost"
port: 55000
username: "wazuh"
password: "wazuh"
# opendistro Security
kibana_opendistro_security: true
kibana_newsfeed_enabled: "false"
kibana_telemetry_optin: "false"
kibana_telemetry_enabled: "false"
opendistro_admin_password: changeme
opendistro_kibana_user: kibanaserver
opendistro_kibana_password: changeme
local_certs_path: "{{ playbook_dir }}/opendistro/certificates"
# Nodejs
nodejs:
repo_dict:
debian: "deb"
redhat: "rpm"
repo_url_ext: "nodesource.com/setup_10.x"
#Nodejs NODE_OPTIONS
node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536

38
roles/wazuh/ansible-filebeat-oss/README.md
View File

@ -1,38 +0,0 @@
Ansible Role: Filebeat for Elastic Stack
------------------------------------
An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
Available variables are listed below, along with default values (see `defaults/main.yml`):
```
filebeat_output_indexer_hosts:
- "localhost:9200"
```
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from geerlingguy
- https://github.com/geerlingguy/ansible-role-filebeat
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

22
roles/wazuh/ansible-filebeat-oss/defaults/main.yml
View File

@ -1,22 +0,0 @@
---
filebeat_version: 7.10.2
wazuh_template_branch: v5.0.0
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- "localhost"
filebeat_module_package_name: wazuh-filebeat-0.4.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
indexer_security_user: admin
indexer_security_password: changeme
# Security plugin
filebeat_security: true
filebeat_ssl_dir: /etc/pki/filebeat
# Local path to store the generated certificates (Opensearch security plugin)
local_certs_path: "{{ playbook_dir }}/indexer/certificates"

3
roles/wazuh/ansible-filebeat-oss/handlers/main.yml
View File

@ -1,3 +0,0 @@
---
- name: restart filebeat
service: name=filebeat state=restarted

29
roles/wazuh/ansible-filebeat-oss/meta/main.yml
View File

@ -1,29 +0,0 @@
---
dependencies: []
galaxy_info:
author: Wazuh
description: Installing and maintaining Filebeat-oss.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- 6
- 7
- name: Fedora
versions:
- all
- name: Debian
versions:
- jessie
- name: Ubuntu
versions:
- precise
- trusty
- xenial
galaxy_tags:
- web
- system
- monitoring

33
roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml
View File

@ -1,33 +0,0 @@
---
- name: Debian/Ubuntu | Install apt-transport-https, ca-certificate, acl and gnupg
apt:
name:
- apt-transport-https
- ca-certificates
- acl
- gnupg
state: present
register: filebeat_ca_packages_install
until: filebeat_ca_packages_install is succeeded
- name: Debian/Ubuntu | Download Filebeat apt key.
get_url:
url: "{{ wazuh_repo.gpg }}"
dest: "{{ wazuh_repo.path }}"
- name: Import Filebeat GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}"
args:
creates: "{{ wazuh_repo.keyring_path }}"
- name: Set permissions for Filebeat GPG key
file:
path: "{{ wazuh_repo.keyring_path }}"
mode: '0644'
- name: Debian/Ubuntu | Add Filebeat-oss repository.
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: present
update_cache: true
changed_when: false

6
roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml
View File

@ -1,6 +0,0 @@
---
- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: absent
changed_when: false

6
roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml
View File

@ -1,6 +0,0 @@
---
- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false

9
roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml
View File

@ -1,9 +0,0 @@
---
- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
yum_repository:
name: wazuh_repo
description: Wazuh Repo
baseurl: "{{ wazuh_repo.yum }}"
gpgkey: "{{ wazuh_repo.gpg }}"
gpgcheck: true
changed_when: false

22
roles/wazuh/ansible-filebeat-oss/tasks/config.yml
View File

@ -1,22 +0,0 @@
---
- block:
- name: Copy Filebeat configuration.
template:
src: filebeat.yml.j2
dest: "/etc/filebeat/filebeat.yml"
owner: root
group: root
mode: 0400
notify: restart filebeat
- name: Fetch latest Wazuh alerts template
get_url:
url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json
dest: "/etc/filebeat/wazuh-template.json"
owner: root
group: root
mode: 0400
notify: restart filebeat
tags:
- configure

93
roles/wazuh/ansible-filebeat-oss/tasks/main.yml
View File

@ -1,93 +0,0 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Install Filebeat | Redhat
yum:
name: "filebeat-{{ filebeat_version }}"
state: present
lock_timeout: 200
register: install
tags:
- install
- init
when: ansible_os_family == 'RedHat'
- name: Install Filebeat | Debian
apt:
name: "filebeat={{ filebeat_version }}-*"
state: present
register: install
tags:
- install
- init
until: "install is not failed"
retries: 10
delay: 10
when: ansible_os_family == 'Debian'
- name: Checking if Filebeat Module folder file exists
stat:
path: "{{ filebeat_module_folder }}"
register: filebeat_module_folder
- name: Download Filebeat module package
get_url:
url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_package_path }}"
when: not filebeat_module_folder.stat.exists
- name: Unpack Filebeat module package
unarchive:
src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
dest: "{{ filebeat_module_destination }}"
remote_src: yes
when: not filebeat_module_folder.stat.exists
- name: Setting 0755 permission for Filebeat module folder
file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
when: not filebeat_module_folder.stat.exists
- name: Checking if Filebeat Module package file exists
stat:
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
register: filebeat_module_package
when: filebeat_module_package is not defined
- name: Delete Filebeat module package file
file:
state: absent
path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
when: filebeat_module_package.stat.exists
- import_tasks: config.yml
notify: restart filebeat
- include_tasks: security_actions.yml
when: filebeat_security
- name: Ensure Filebeat is started and enabled at boot.
service:
name: filebeat
state: started
enabled: true
- include_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when: ansible_os_family == "Debian"

26
roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml
View File

@ -1,26 +0,0 @@
- block:
- name: Ensure Filebeat SSL key pair directory exists.
file:
path: "{{ filebeat_ssl_dir }}"
state: directory
owner: root
group: root
mode: 500
- name: Copy the certificates from local to the Manager instance
copy:
src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
dest: "{{ filebeat_ssl_dir }}"
owner: root
group: root
mode: 400
with_items:
- "{{ filebeat_node_name }}-key.pem"
- "{{ filebeat_node_name }}.pem"
- "root-ca.pem"
tags:
- security
when:
- filebeat_security

42
roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2
View File

@ -1,42 +0,0 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
# Send events directly to Wazuh indexer
output.elasticsearch:
hosts:
{% for item in filebeat_output_indexer_hosts %}
- {{ item }}
{% endfor %}
{% if filebeat_security %}
username: {{ indexer_security_user }}
password: "{{ indexer_security_password }}"
protocol: https
ssl.certificate_authorities:
- {{ filebeat_ssl_dir }}/root-ca.pem
ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
{% endif %}
# Optional. Send events to Logstash instead of Wazuh indexer
#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq

36
roles/wazuh/ansible-filebeat/defaults/main.yml
View File

@ -1,36 +0,0 @@
---
filebeat_version: 7.10.2
wazuh_template_branch: v4.4.1
filebeat_create_config: true
filebeat_node_name: node-1
filebeat_output_elasticsearch_hosts:
- "localhost:9200"
filebeat_module_package_url: https://packages.wazuh.com/5.x/filebeat
filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
filebeat_module_package_path: /tmp/
filebeat_module_destination: /usr/share/filebeat/module
filebeat_module_folder: /usr/share/filebeat/module/wazuh
# Xpack Security
filebeat_xpack_security: false
elasticsearch_xpack_security_user: elastic
elasticsearch_xpack_security_password: elastic_pass
node_certs_destination: /etc/filebeat/certs
# CA Generation
master_certs_path: "{{ playbook_dir }}/es_certs"
generate_CA: true
ca_cert_name: ""
elasticrepo:
apt: 'https://artifacts.elastic.co/packages/7.x/apt'
yum: 'https://artifacts.elastic.co/packages/7.x/yum'
gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'

60
roles/wazuh/ansible-wazuh-agent/README.md
View File

@ -1,60 +0,0 @@
Ansible Playbook - Wazuh agent
==============================
This role will install and configure a Wazuh Agent.
OS Requirements
----------------
This role is compatible with:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
* Windows
* macOS
Role Variables
--------------
* `wazuh_managers`: Collection of Wazuh Managers' IP address, port, and protocol used by the agent
* `wazuh_agent_authd`: Collection with the settings to register an agent using authd.
Playbook example
----------------
The following is an example of how this role can be used:
- hosts: all:!wazuh-manager
roles:
- ansible-wazuh-agent
vars:
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: 'http'
api_user: 'ansible'
wazuh_agent_authd:
registration_address: 127.0.0.1
enable: true
port: 1515
ssl_agent_ca: null
ssl_auto_negotiate: 'no'
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi
- https://github.com/dj-wasabi/ansible-ossec-server
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

376
roles/wazuh/ansible-wazuh-agent/defaults/main.yml
View File

@ -1,376 +0,0 @@
---
wazuh_agent_version: 5.0.0
# Custom packages installation
wazuh_custom_packages_installation_agent_enabled: false
wazuh_custom_packages_installation_agent_deb_url: ""
wazuh_custom_packages_installation_agent_rpm_url: ""
wazuh_agent_yum_lock_timeout: 30
# We recommend the use of ansible-vault to protect Wazuh, api and authd credentials.
api_pass: wazuh
authd_pass: ''
wazuh_api_reachable_from_agent: yes
wazuh_profile_centos: 'centos, centos7, centos7.6'
wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04'
wazuh_profile_macos: 'darwin, darwin21, darwin21.1'
wazuh_auto_restart: 'yes'
wazuh_notify_time: '10'
wazuh_time_reconnect: '60'
wazuh_crypto_method: 'aes'
wazuh_winagent_config:
download_dir: C:\
install_dir: C:\Program Files\ossec-agent\
install_dir_x86: C:\Program Files (x86)\ossec-agent\
auth_path: C:\Program Files\ossec-agent\agent-auth.exe
# Adding quotes to auth_path_x86 since win_shell outputs error otherwise
auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe
check_sha512: True
# macOS deployment
wazuh_macos_config:
download_dir: /tmp/
install_dir: /Library/Ossec/
wazuh_dir: "/var/ossec"
# This is deprecated, see: wazuh_agent_address
wazuh_agent_nat: false
##########################################
### Wazuh
##########################################
wazuh_agent_nolog_sensible: yes
wazuh_agent_config_overlay: yes
# This is a middle ground between breaking existing uses of wazuh_agent_nat
# and allow working with agents having several network interfaces
wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}'
# List of managers. The first one with register variable declared *and* set to true
# is the one used to register the agent. Otherwise, the first one in the list will be used.
wazuh_managers:
- address: 127.0.0.1
port: 1514
protocol: tcp
api_port: 55000
api_proto: https
api_user: wazuh
max_retries: 5
retry_interval: 5
register: yes
## Authentication Method: Enrollment section (4.x)
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment
wazuh_agent_enrollment:
enabled: 'yes'
manager_address: ''
port: 1515
agent_name: ''
groups: ''
agent_address: ''
ssl_ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH
server_ca_path: ''
agent_certificate_path: ''
agent_key_path: ''
authorization_pass_path: "{{ wazuh_dir }}/etc/authd.pass"
authorization_pass_path_macos: "/etc/authd.pass"
auto_method: 'no'
delay_after_enrollment: 20
use_source_ip: 'no'
## Authentication Method: invoking agent-auth
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/registering/password-authorization-registration.html
wazuh_agent_authd:
registration_address: 127.0.0.1
enable: false
port: 1515
agent_name: null
groups: []
ssl_agent_ca: null
ssl_agent_cert: null
ssl_agent_key: null
ssl_auto_negotiate: 'no'
## Authentication Method: REST API
# For more information see:
# * https://documentation.wazuh.com/current/user-manual/registering/restful-api-registration.html
wazuh_agent_api_validate: yes
## Client buffer
wazuh_agent_client_buffer:
disable: 'no'
queue_size: '5000'
events_per_sec: '500'
## Rootcheck
wazuh_agent_rootcheck:
frequency: 43200
## Wodles
wazuh_agent_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_agent_cis_cat:
disable: 'yes'
install_java: 'no'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: 'wodles/java'
java_path_win: '\\server\jre\bin\java.exe'
ciscat_path: 'wodles/ciscat'
ciscat_path_win: 'C:\cis-cat'
wazuh_agent_osquery:
disable: 'yes'
run_daemon: 'yes'
bin_path_win: 'C:\Program Files\osquery\osqueryd'
log_path: '/var/log/osquery/osqueryd.results.log'
log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
config_path_win: 'C:\Program Files\osquery\osquery.conf'
add_labels: 'yes'
wazuh_agent_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
## SCA
wazuh_agent_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Syscheck
wazuh_agent_syscheck:
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
win_audit_interval: 60
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
ignore_win:
- '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
macos_directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin
checks: ''
win_directories:
- dirs: '%WINDIR%'
checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"'
- dirs: '%WINDIR%\SysNative'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|
net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$"
- dirs: '%WINDIR%\SysNative\drivers\etc%'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\SysNative\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\SysNative'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%WINDIR%\System32'
checks: >-
recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|
netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$"
- dirs: '%WINDIR%\System32\drivers\etc'
checks: 'recursion_level="0"'
- dirs: '%WINDIR%\System32\wbem'
checks: 'recursion_level="0" restrict="WMIC.exe$"'
- dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0'
checks: 'recursion_level="0" restrict="powershell.exe$"'
- dirs: '%WINDIR%\System32'
checks: 'recursion_level="0" restrict="winrm.vbs$"'
- dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup'
checks: 'realtime="yes"'
windows_registry:
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
- key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Security'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'
- key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
arch: "both"
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'
arch: "both"
windows_registry_ignore:
- key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
- key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
- key: '\Enum$'
type: "sregex"
## Localfile
wazuh_agent_localfiles:
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
linux:
- format: 'syslog'
location: "{{ wazuh_dir }}/logs/active-responses.log"
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
macos:
- format: 'full_command'
command: netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u
alias: 'netstat listening ports'
frequency: '360'
- format: 'macos'
location: 'macos'
query:
type: 'trace,log,activity'
level: 'info'
value: (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd")
windows:
- format: 'eventlog'
location: 'Application'
- format: 'eventchannel'
location: 'Security'
query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]'
- format: 'eventlog'
location: 'System'
- format: 'syslog'
location: 'active-response\active-responses.log'
## Labels
wazuh_agent_labels:
enable: false
list:
- key: Env
value: Production
## Active response
wazuh_agent_active_response:
ar_disabled: 'no'
ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem"
ca_store_win: 'wpk_root.pem'
ca_store_macos: 'etc/wpk_root.pem'
ca_verification: 'yes'
## Logging
wazuh_agent_log_format: 'plain'
# wazuh_agent_config
wazuh_agent_config_defaults:
repo: '{{ wazuh_repo }}'
active_response: '{{ wazuh_agent_active_response }}'
log_format: '{{ wazuh_agent_log_format }}'
client_buffer: '{{ wazuh_agent_client_buffer }}'
syscheck: '{{ wazuh_agent_syscheck }}'
rootcheck: '{{ wazuh_agent_rootcheck }}'
openscap: '{{ wazuh_agent_openscap }}'
osquery: '{{ wazuh_agent_osquery }}'
syscollector: '{{ wazuh_agent_syscollector }}'
sca: '{{ wazuh_agent_sca }}'
cis_cat: '{{ wazuh_agent_cis_cat }}'
localfiles: '{{ wazuh_agent_localfiles }}'
labels: '{{ wazuh_agent_labels }}'
enrollment: '{{ wazuh_agent_enrollment }}'

9
roles/wazuh/ansible-wazuh-agent/handlers/main.yml
View File

@ -1,9 +0,0 @@
---
- name: restart wazuh-agent
service: name=wazuh-agent state=restarted enabled=yes
- name: Windows | Restart Wazuh Agent
win_service: name=WazuhSvc start_mode=auto state=restarted
- name: macOS | Restart Wazuh Agent
command: /Library/Ossec/bin/wazuh-control restart

23
roles/wazuh/ansible-wazuh-agent/meta/main.yml
View File

@ -1,23 +0,0 @@
---
galaxy_info:
author: Wazuh
description: Installing, deploying and configuring Wazuh Agent.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- monitoring
dependencies: []

122
roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
View File

@ -1,122 +0,0 @@
---
- name: Update apt-get repo and cache
apt:
update_cache: yes
force_apt_get: yes
cache_valid_time: 3600
- name: Debian/Ubuntu | Install ca-certificates and gnupg
apt:
name:
- ca-certificates
- gnupg
state: present
register: wazuh_agent_ca_package_install
until: wazuh_agent_ca_package_install is succeeded
- name: Debian/Ubuntu | Install apt-transport-https and acl
apt:
name:
- apt-transport-https
- acl
state: present
register: wazuh_agent_ca_package_install
until: wazuh_agent_ca_package_install is succeeded
when: not (ansible_distribution == "Debian" and ansible_distribution_major_version in ['11'])
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add -
args:
# warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Download Wazuh repository key
get_url:
url: "{{ wazuh_agent_config.repo.gpg }}"
dest: "{{ wazuh_agent_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Import Wazuh GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_agent_config.repo.keyring_path }} --import {{ wazuh_agent_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
args:
creates: "{{ wazuh_agent_config.repo.keyring_path }}"
- name: Debian/Ubuntu | Set permissions for Wazuh GPG key
file:
path: "{{ wazuh_agent_config.repo.keyring_path }}"
mode: '0644'
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
filename: wazuh_repo
repo: "{{ wazuh_agent_config.repo.apt }}"
state: present
update_cache: true
when:
- not wazuh_custom_packages_installation_agent_enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for debian
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
when: ansible_os_family == "Debian"
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
block:
- name: Debian/Ubuntu | Install OpenJDK 1.8
apt: name=openjdk-8-jre state=present cache_valid_time=3600
tags:
- init
- name: Debian/Ubuntu | Install OpenScap
apt:
name:
- libopenscap8
- xsltproc
state: present
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- init
register: wazuh_agent_OpenScap_package_install
until: wazuh_agent_OpenScap_package_install is succeeded
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
register: openscap_version
changed_when: false
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
register: openscap_version_valid
changed_when: false
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- config

258
roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml
View File

@ -1,258 +0,0 @@
---
- include_tasks: "RedHat.yml"
when: ansible_os_family == "RedHat"
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_agent_enabled
- name: Linux CentOS/RedHat | Install wazuh-agent
yum:
name: wazuh-agent-{{ wazuh_agent_version }}
state: present
lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}'
when:
- ansible_os_family|lower == "redhat"
- not wazuh_custom_packages_installation_agent_enabled
tags:
- init
- name: Linux Debian | Install wazuh-agent
apt:
name: "wazuh-agent={{ wazuh_agent_version }}-*"
state: present
cache_valid_time: 3600
when:
- ansible_os_family|lower != "redhat"
- not wazuh_custom_packages_installation_agent_enabled
- not ansible_check_mode
tags:
- init
- name: Linux | Check if client.keys exists
stat:
path: "{{ wazuh_dir }}/etc/client.keys"
register: client_keys_file
tags:
- config
- name: Linux | Agent registration via authd
block:
- name: Copy CA root certificate to verify authd
copy:
src: "{{ wazuh_agent_authd.ssl_agent_ca }}"
dest: "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
mode: 0644
when:
- wazuh_agent_authd.ssl_agent_ca is not none
- name: Copy TLS/SSL certificate for agent verification
copy:
src: "{{ item }}"
dest: "{{ wazuh_dir }}/etc/{{ item | basename }}"
mode: 0644
with_items:
- "{{ wazuh_agent_authd.ssl_agent_cert }}"
- "{{ wazuh_agent_authd.ssl_agent_key }}"
when:
- wazuh_agent_authd.ssl_agent_cert is not none
- wazuh_agent_authd.ssl_agent_key is not none
- name: Linux | Register agent (via authd)
shell: >
{{ wazuh_dir }}/bin/agent-auth
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %}
-v "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %}
-x "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %}
-k "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}"
{% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output
notify: restart wazuh-agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: Linux | Verify agent registration
shell: echo {{ agent_auth_output }} | grep "Valid key received"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when:
- wazuh_agent_authd.enable | bool
- wazuh_agent_config.enrollment.enabled != 'yes'
tags:
- config
- authd
- name: Linux | Agent registration via rest-API
block:
- name: Establish target Wazuh Manager for registration task
set_fact:
target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
vars:
manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
manager_fallback: "{{ wazuh_managers | list }}"
- name: Linux | Obtain JWT Token
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
method: POST
url_username: '{{ target_manager.api_user }}'
url_password: '{{ api_pass }}'
status_code: 200
return_content: yes
force_basic_auth: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_jwt_result.json.error == 0
register: api_jwt_result
become: no
tags:
- config
- api
- name: Linux | Create the agent key via rest-API
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
method: POST
body_format: json
body:
name: '{{ agent_name }}'
ip: '{{ wazuh_agent_address }}'
force_time: 1
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_agent_post.json.error == 0
register: api_agent_post
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
tags:
- config
- api
- name: Linux | Validate registered agent key matches manager record
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
method: GET
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
register: api_agent_validation
vars:
agent_id: '{{ api_agent_post.json.data.id }}'
agent_key: '{{ api_agent_post.json.data.key }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
when:
- wazuh_agent_api_validate | bool
- api_agent_post.json.error == 0
tags:
- config
- api
when:
- not ( wazuh_agent_authd.enable | bool )
- wazuh_agent_config.enrollment.enabled != 'yes'
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
tags:
- config
- api
- name: Linux | Agent registration via auto-enrollment
debug:
msg: Agent registration will be performed through enrollment option in templated ossec.conf
when: wazuh_agent_config.enrollment.enabled == 'yes'
- name: Linux | Ensure group "wazuh" exists
ansible.builtin.group:
name: wazuh
state: present
- name: Linux | Installing agent configuration (ossec.conf)
template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: restart wazuh-agent
tags:
- init
- config
- name: Linux | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_dir }}/etc/local_internal_options.conf"
owner: root
group: wazuh
mode: 0640
notify: restart wazuh-agent
tags:
- init
- config
- name: Create auto-enrollment password file
template:
src: authd_pass.j2
dest: "{{ wazuh_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
when:
- wazuh_agent_config.enrollment.enabled == 'yes'
- wazuh_agent_config.enrollment.authorization_pass_path | length > 0
- authd_pass | length > 0
tags:
- config
- name: Linux | Ensure Wazuh Agent service is started and enabled
service:
name: wazuh-agent
enabled: true
state: started
tags: config
- include_tasks: "RMRedHat.yml"
when:
- ansible_os_family == "RedHat"
- include_tasks: "RMDebian.yml"
when:
- ansible_os_family == "Debian"

6
roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml
View File

@ -1,6 +0,0 @@
---
- name: Remove Wazuh repository (and clean up left-over metadata)
apt_repository:
repo: "{{ wazuh_agent_config.repo.apt }}"
state: absent
changed_when: false

6
roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml
View File

@ -1,6 +0,0 @@
---
- name: Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false

66
roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml
View File

@ -1,66 +0,0 @@
---
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_agent_config.repo.yum }}5/"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_custom_packages_installation_agent_enabled
register: repo_v5_installed
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_agent_config.repo.yum }}"
gpgkey: "{{ wazuh_agent_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- repo_v5_installed is skipped
- not wazuh_custom_packages_installation_agent_enabled
- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
yum: name=java-1.8.0-openjdk state=present
when:
- wazuh_agent_config.cis_cat.disable == 'no'
- wazuh_agent_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Set Distribution CIS filename for RHEL5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5"
- name: Set Distribution CIS filename for RHEL6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6"
- name: Set Distribution CIS filename for RHEL7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "7"
- name: Set Distribution CIS filename for RHEL7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon"
- ansible_distribution_major_version == "NA"
- name: RedHat/CentOS/RedHat | Install openscap
package: name=openscap-scanner state=present
register: wazuh_agent_openscap_package_install
until: wazuh_agent_openscap_package_install is succeeded
when: wazuh_agent_config.openscap.disable == 'no'
tags:
- init

114
roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml
View File

@ -1,114 +0,0 @@
---
- name: Windows | Check if Program Files (x86) exists
win_stat:
path: C:\Program Files (x86)
register: check_path
- name: Windows | Set Win Path (x86)
set_fact:
wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}"
wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}"
when:
- check_path.stat.exists
- name: Windows | Set Win Path (x64)
set_fact:
wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}"
wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}"
when:
- not check_path.stat.exists
- name: Windows | Check if Wazuh installer is already downloaded
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
register: wazuh_package_downloaded
- name: Windows | Download Wazuh Agent package
win_get_url:
url: "{{ wazuh_winagent_config_url }}"
dest: "{{ wazuh_winagent_config.download_dir }}"
when:
- not wazuh_package_downloaded.stat.exists
- name: Windows | Download SHA512 checksum file
win_get_url:
url: "{{ wazuh_winagent_sha512_url }}"
dest: "{{ wazuh_winagent_config.download_dir }}"
when:
- wazuh_winagent_config.check_sha512
- name: Extract checksum from SHA512 file
win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] }
register: extracted_checksum
when:
- wazuh_winagent_config.check_sha512
- name: Windows | Verify the Wazuh Agent installer
win_stat:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
get_checksum: true
checksum_algorithm: sha512
register: wazuh_agent_status
failed_when:
- wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0]
when:
- wazuh_winagent_config.check_sha512
- name: Windows | Install Agent if not already installed
win_package:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: present
- name: Windows | Check if client.keys exists
win_stat:
path: "{{ wazuh_agent_win_path }}client.keys"
register: check_windows_key
tags:
- config
- name: Windows | Register agent
win_shell: >
{{ wazuh_agent_win_auth_path }}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %}
register: agent_auth_output
notify: Windows | Restart Wazuh Agent
when:
- wazuh_agent_authd.enable | bool
- not check_windows_key.stat.exists or check_windows_key.stat.size == 0
- wazuh_agent_authd.registration_address is not none
tags:
- config
- name: Windows | Check if ossec folder is accessible
win_file:
path: "{{ wazuh_agent_win_path }}"
state: directory
- name: Windows | Installing agent configuration (ossec.conf)
template: # noqa 208
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_agent_win_path }}ossec.conf"
notify: Windows | Restart Wazuh Agent
tags:
- config
- name: Windows | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_agent_win_path }}local_internal_options.conf"
notify: Windows | Restart Wazuh Agent
tags:
- config
- name: Windows | Delete downloaded Wazuh agent installer file
win_file:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}"
state: absent
- name: Windows | Delete downloaded checksum file
win_file:
path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512"
state: absent

29
roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml
View File

@ -1,29 +0,0 @@
---
- name: Install Wazuh Agent from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}"
state: present
when:
- ansible_os_family|lower == "debian"
- wazuh_custom_packages_installation_agent_enabled
- name: Install Wazuh Agent from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
lock_timeout: 200
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Agent from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
state: present
when:
- ansible_os_family|lower == "redhat"
- wazuh_custom_packages_installation_agent_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")

218
roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml
View File

@ -1,218 +0,0 @@
---
- name: macOS | Check architecture
command: "/usr/bin/uname -m"
register: uname_result
- name: macOS | Set architecture variable
set_fact:
macos_architecture: "{{ 'arm' if uname_result.stdout == 'arm64' else 'intel' }}"
- name: macOS | Set package name and URL based on architecture
set_fact:
wazuh_macos_package_url: "{{ wazuh_macos_intel_package_url if macos_architecture == 'intel' else wazuh_macos_arm_package_url }}"
wazuh_macos_package_name: "{{ wazuh_macos_intel_package_name if macos_architecture == 'intel' else wazuh_macos_arm_package_name }}"
- name: macOS | Check if Wazuh installer is already downloaded
stat:
path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}"
register: wazuh_package_downloaded
- name: macOS | Download Wazuh Agent package
get_url:
url: "{{ wazuh_macos_package_url }}"
dest: "{{ wazuh_macos_config.download_dir }}"
register: download_result
when:
- not wazuh_package_downloaded.stat.exists
- name: macOS | Check if Wazuh Agent is already installed
stat:
path: "{{ wazuh_macos_config.install_dir }}"
register: wazuh_installed
- name: macOS | Install Agent if not already installed
command: "installer -pkg {{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }} -target /"
register: install_result
- name: macOS | Check if client.keys exists
stat:
path: "{{ wazuh_macos_config.install_dir }}/etc/client.keys"
register: client_keys_file
tags:
- config
- name: macOS | Agent registration via authd
block:
- name: macOS | Register agent (via authd)
shell: >
{{ wazuh_macos_config.install_dir }}/bin/agent-auth
{% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %}
-A {{ wazuh_agent_authd.agent_name }}
{% endif %}
-m {{ wazuh_agent_authd.registration_address }}
-p {{ wazuh_agent_authd.port }}
{% if wazuh_agent_nat %} -I "any" {% endif %}
{% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %}
{% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %}
{% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %}
-G "{{ wazuh_agent_authd.groups | join(',') }}"
{% endif %}
register: agent_auth_output
notify: macOS | Restart Wazuh Agent
vars:
agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
- name: macOS | Verify agent registration
shell: >
sh -c "echo '{{ agent_auth_output.stdout }} {{ agent_auth_output.stderr }}' | grep 'Valid key received'"
when:
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
- wazuh_agent_authd.registration_address is not none
when:
- wazuh_agent_authd.enable | bool
- wazuh_agent_config.enrollment.enabled != 'yes'
tags:
- config
- authd
- name: macOS | Agent registration via rest-API
block:
- name: macOS | Establish target Wazuh Manager for registration task
set_fact:
target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}'
vars:
manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}"
manager_fallback: "{{ wazuh_managers | list }}"
- name: macOS | Obtain JWT Token
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate'
method: POST
url_username: '{{ target_manager.api_user }}'
url_password: '{{ api_pass }}'
status_code: 200
return_content: yes
force_basic_auth: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_jwt_result.json.error == 0
register: api_jwt_result
become: no
tags:
- config
- api
- name: macOS | Create the agent key via rest-API
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents'
method: POST
body_format: json
body:
name: '{{ agent_name }}'
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
changed_when: api_agent_post.json.error == 0
register: api_agent_post
vars:
agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
tags:
- config
- api
- name: macOS | Validate registered agent key matches manager record
uri:
url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key'
method: GET
headers:
Authorization: 'Bearer {{ jwt_token }}'
status_code: 200
return_content: yes
validate_certs: '{{ target_manager.validate_certs | default(false) }}'
become: no
no_log: '{{ wazuh_agent_nolog_sensible | bool }}'
delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}'
register: api_agent_validation
vars:
agent_id: '{{ api_agent_post.json.data.id }}'
agent_key: '{{ api_agent_post.json.data.key }}'
jwt_token: '{{ api_jwt_result.json.data.token }}'
failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key
when:
- wazuh_agent_api_validate | bool
- api_agent_post.json.error == 0
tags:
- config
- api
when:
- not ( wazuh_agent_authd.enable | bool )
- wazuh_agent_config.enrollment.enabled != 'yes'
- not client_keys_file.stat.exists or client_keys_file.stat.size == 0
tags:
- config
- api
- name: macOS | Agent registration via auto-enrollment
debug:
msg: Agent registration will be performed through enrollment option in templated ossec.conf
when: wazuh_agent_config.enrollment.enabled == 'yes'
- name: macOS | Ensure group "wazuh" exists
ansible.builtin.group:
name: wazuh
state: present
- name: macOS | Installing agent configuration (ossec.conf)
template:
src: var-ossec-etc-ossec-agent.conf.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: macOS | Restart Wazuh Agent
tags:
- init
- config
- name: macOS | Installing local_internal_options.conf
template:
src: var-ossec-etc-local-internal-options.conf.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/local_internal_options.conf"
owner: root
group: wazuh
mode: 0640
notify: macOS | Restart Wazuh Agent
tags:
- init
- config
- name: Create auto-enrollment password file
template:
src: authd_pass.j2
dest: "{{ wazuh_macos_config.install_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
when:
- wazuh_agent_config.enrollment.enabled == 'yes'
- wazuh_agent_config.enrollment.authorization_pass_path_macos | length > 0
- authd_pass | length > 0
tags:
- config
- name: macOS | Delete downloaded Wazuh agent installer file
file:
path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}"
state: absent

28
roles/wazuh/ansible-wazuh-agent/tasks/main.yml
View File

@ -1,28 +0,0 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- name: Overlay wazuh_agent_config on top of defaults
set_fact:
wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_agent_config | default({}) }}'
when: wazuh_agent_config_overlay | bool
- include_tasks: "Windows.yml"
when: ansible_os_family == "Windows"
- include_tasks: "Linux.yml"
when: ansible_system == "Linux"
- include_tasks: "macOS.yml"
when: ansible_system == "Darwin"

1
roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2
View File

@ -1 +0,0 @@
{{ authd_pass }}

16
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
View File

@ -1,16 +0,0 @@
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
# This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your agents
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1

492
roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
View File

@ -1,492 +0,0 @@
#jinja2: lstrip_blocks: True
<!-- {{ ansible_managed }} -->
<!--
Wazuh - Agent
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<client>
{% for manager in wazuh_managers %}
<server>
<address>{{ manager.address }}</address>
{% if manager.port is defined %}
<port>{{ manager.port }}</port>
{% endif %}
{% if manager.protocol is defined %}
<protocol>{{ manager.protocol }}</protocol>
{% endif %}
{% if manager.max_retries is defined and manager.retry_interval is defined %}
<max_retries>{{ manager.max_retries }}</max_retries>
<retry_interval>{{ manager.retry_interval }}</retry_interval>
{% endif %}
</server>
{% endfor %}
{% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %}
{% if ansible_distribution == 'CentOS' %}
<config-profile>{{ wazuh_profile_centos }}</config-profile>
{% elif ansible_distribution == "Ubuntu" %}
<config-profile>{{ wazuh_profile_ubuntu }}</config-profile>
{% endif %}
{% endif %}
{% if ansible_system == "Darwin" %}
<config-profile>{{ wazuh_profile_macos }}</config-profile>
{% endif %}
{% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %}
<notify_time>{{ wazuh_notify_time }}</notify_time>
<time-reconnect>{{ wazuh_time_reconnect }}</time-reconnect>
{% endif %}
<auto_restart>{{ wazuh_auto_restart }}</auto_restart>
<crypto_method>{{ wazuh_crypto_method }}</crypto_method>
{% if wazuh_agent_config.enrollment.enabled == 'yes' %}
<enrollment>
<enabled>{{ wazuh_agent_config.enrollment.enabled }}</enabled>
{% if wazuh_agent_config.enrollment.manager_address | length > 0 %}
<manager_address>{{ wazuh_agent_config.enrollment.manager_address }}</manager_address>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_name | length > 0 %}
<agent_name>{{ wazuh_agent_config.enrollment.agent_name }}</agent_name>
{% endif %}
{% if wazuh_agent_config.enrollment.port is defined > 0 %}
<port>{{ wazuh_agent_config.enrollment.port }}</port>
{% endif %}
{% if wazuh_agent_config.enrollment.groups | length > 0 %}
<groups>{{ wazuh_agent_config.enrollment.groups }}</groups>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_address | length > 0 %}
<agent_address>{{ wazuh_agent_config.enrollment.agent_address }}</agent_address>
{% endif %}
{% if wazuh_agent_config.enrollment.server_ca_path | length > 0 %}
<server_ca_path>{{ wazuh_agent_config.enrollment.server_ca_path }}</server_ca_path>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_certificate_path | length > 0 %}
<agent_certificate_path>{{ wazuh_agent_config.enrollment.agent_certificate_path }}</agent_certificate_path>
{% endif %}
{% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %}
<agent_key_path>{{ wazuh_agent_config.enrollment.agent_key_path }}</agent_key_path>
{% endif %}
{% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 and ansible_system != "Darwin" %}
<authorization_pass_path>{{ wazuh_agent_config.enrollment.authorization_pass_path }}</authorization_pass_path>
{% else %}
<authorization_pass_path>{{ wazuh_agent_config.enrollment.authorization_pass_path_macos }}</authorization_pass_path>
{% endif %}
{% if wazuh_agent_config.enrollment.auto_method | length > 0 %}
<auto_method>{{ wazuh_agent_config.enrollment.auto_method }}</auto_method>
{% endif %}
{% if wazuh_agent_config.enrollment.delay_after_enrollment is defined > 0 %}
<delay_after_enrollment>{{ wazuh_agent_config.enrollment.delay_after_enrollment }}</delay_after_enrollment>
{% endif %}
{% if wazuh_agent_config.enrollment.use_source_ip | length > 0 %}
<use_source_ip>{{ wazuh_agent_config.enrollment.use_source_ip }}</use_source_ip>
{% endif %}
</enrollment>
{% endif %}
</client>
<client_buffer>
<!-- Agent buffer options -->
<disabled>{{ wazuh_agent_config.client_buffer.disable }}</disabled>
<queue_size>{{ wazuh_agent_config.client_buffer.queue_size }}</queue_size>
<events_per_second>{{ wazuh_agent_config.client_buffer.events_per_sec }}</events_per_second>
</client_buffer>
{% if wazuh_agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_agent_config.rootcheck.frequency }}</frequency>
{% if ansible_system == "Darwin" %}
<rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
{% else %}
<rootkit_files>{{ wazuh_dir }}/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>{{ wazuh_dir }}/etc/shared/rootkit_trojans.txt</rootkit_trojans>
{% endif %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if ansible_os_family == "Windows" %}
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
{% endif %}
</rootcheck>
{% endif %}
{% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>{{ wazuh_agent_config.openscap.disable }}</disabled>
<timeout>{{ wazuh_agent_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_agent_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
{% if ansible_system != "Darwin" %}
<wodle name="cis-cat">
<disabled>{{ wazuh_agent_config.cis_cat.disable }}</disabled>
<timeout>{{ wazuh_agent_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_agent_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_agent_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %}
<java_path>/usr/bin</java_path>
{% elif ansible_os_family == "Windows" %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path_win }}</java_path>
{% else %}
<java_path>{{ wazuh_agent_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %}</ciscat_path>
</wodle>
{% endif %}
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>{{ wazuh_agent_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_agent_config.osquery.run_daemon }}</run_daemon>
{% if ansible_os_family == "Windows" %}
<bin_path>{{ wazuh_agent_config.osquery.bin_path_win }}</bin_path>
{% endif %}
<log_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %}</log_path>
<config_path>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %}</config_path>
<add_labels>{{ wazuh_agent_config.osquery.add_labels }}</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>{{ wazuh_agent_config.syscollector.disable }}</disabled>
<interval>{{ wazuh_agent_config.syscollector.interval }}</interval>
<scan_on_start>{{ wazuh_agent_config.syscollector.scan_on_start }}</scan_on_start>
<hardware>{{ wazuh_agent_config.syscollector.hardware }}</hardware>
<os>{{ wazuh_agent_config.syscollector.os }}</os>
<network>{{ wazuh_agent_config.syscollector.network }}</network>
<packages>{{ wazuh_agent_config.syscollector.packages }}</packages>
<ports all="yes">{{ wazuh_agent_config.syscollector.ports_no }}</ports>
<processes>{{ wazuh_agent_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_agent_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_agent_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_agent_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_agent_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_agent_config.sca.interval | length > 0 %}
<interval>{{ wazuh_agent_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_agent_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_agent_config.sca.day | length > 0 %}
<day>{{ wazuh_agent_config.sca.day }}</day>
{% endif %}
{% if wazuh_agent_config.sca.wday | length > 0 %}
<wday>{{ wazuh_agent_config.sca.wday }}</wday>
{% endif %}
{% if wazuh_agent_config.sca.time | length > 0 %}
<time>{{ wazuh_agent_config.sca.time }}</time>
{% endif %}
</sca>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck is defined %}
<syscheck>
<disabled>no</disabled>
<frequency>{{ wazuh_agent_config.syscheck.frequency }}</frequency>
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<scan_on_start>{{ wazuh_agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %}
{% for directory in wazuh_agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% elif ansible_system == "Darwin" %}
{% for directory in wazuh_agent_config.syscheck.macos_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %}
{% for directory in wazuh_agent_config.syscheck.win_directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_agent_config.syscheck.ignore is defined and (ansible_system == "Linux" or ansible_system == "Darwin") %}
{% for ignore in wazuh_agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_agent_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.syscheck.ignore is defined and ansible_os_family == "Windows" %}
{% for ignore in wazuh_agent_config.syscheck.ignore_win %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
{% if ansible_system == "Linux" or ansible_system == "Darwin" %}
<!-- Files no diff -->
{% for no_diff in wazuh_agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
<skip_nfs>{{ wazuh_agent_config.syscheck.skip_nfs }}</skip_nfs>
<skip_dev>{{ wazuh_agent_config.syscheck.skip_dev }}</skip_dev>
<skip_proc>{{ wazuh_agent_config.syscheck.skip_proc }}</skip_proc>
<skip_sys>{{ wazuh_agent_config.syscheck.skip_sys }}</skip_sys>
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %}
{% if registry_key.type is defined %}
<registry_ignore type="{{ registry_key.type }}">{{ registry_key.key }}</registry_ignore>
{% else %}
<registry_ignore>{{ registry_key.key }}</registry_ignore>
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>{{ wazuh_agent_config.syscheck.win_audit_interval }}</windows_audit_interval>
{% endif %}
<!-- Nice value for Syscheck module -->
<process_priority>{{ wazuh_agent_config.syscheck.process_priority }}</process_priority>
<!-- Maximum output throughput -->
<max_eps>{{ wazuh_agent_config.syscheck.max_eps }}</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>{{ wazuh_agent_config.syscheck.sync_enabled }}</enabled>
<interval>{{ wazuh_agent_config.syscheck.sync_interval }}</interval>
<max_interval>{{ wazuh_agent_config.syscheck.sync_max_interval }}</max_interval>
<max_eps>{{ wazuh_agent_config.syscheck.sync_max_eps }}</max_eps>
</synchronization>
</syscheck>
{% endif %}
<!-- Files to monitor (localfiles) -->
{% if ansible_system == "Linux" %}
{% for localfile in wazuh_agent_config.localfiles.linux %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
{% endif %}
{% if ansible_system == "Darwin" %}
{% for localfile in wazuh_agent_config.localfiles.macos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'macos' %}
<query type="{{ localfile.query.type }}" level="{{ localfile.query.level }}">{{ localfile.query.value }}</query>
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_agent_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_agent_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
<frequency>{{ localfile.frequency }}</frequency>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if ansible_os_family == "Windows" %}
{% for localfile in wazuh_agent_config.localfiles.windows %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'eventchannel' %}
<location>{{ localfile.location }}</location>
<query>{{ localfile.query}}</query>
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'json' %}
{% for label in localfile.label %}
<label key="{{ label.key }}">{{ label.value }}</label>
{% endfor %}
{% endif %}
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if wazuh_agent_config.labels.enable == true %}
<labels>
{% for label in wazuh_agent_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
<active-response>
<disabled>{{ wazuh_agent_config.active_response.ar_disabled|default('no') }}</disabled>
<ca_store>{% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% elif ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %}</ca_store>
<ca_verification>{{ wazuh_agent_config.active_response.ca_verification }}</ca_verification>
</active-response>
<logging>
<log_format>{{ wazuh_agent_config.log_format }}</log_format>
</logging>
</ossec_config>

216
roles/wazuh/ansible-wazuh-manager/README.md
View File

@ -1,216 +0,0 @@
Ansible Playbook - Wazuh manager
================================
This role will install the Wazuh manager on a host.
Requirements
------------
This role will work on:
* Red Hat
* CentOS
* Fedora
* Debian
* Ubuntu
Role Variables
--------------
This role has some variables which you can or need to override.
```
wazuh_manager_fqdn: ~
wazuh_manager_config: []
shared_agent_config: []
```
Vault variables
----------------
### vars/wazuh_api_creds.yml
This file has user and password created in httpasswd format.
```
---
wazuh_api_user:
- "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/"
```
### vars/authd_pass.yml
This file has the password to be used for the authd daemon.
```
---
authd_pass: foobar
```
Default config
--------------
### defaults/main.yml
```
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config:
json_output: 'yes'
alerts_log: 'yes'
logall: 'no'
authd:
enable: false
email_notification: no
mail_to:
- admin@example.net
mail_smtp_server: localhost
mail_from: wazuh-server@example.com
syscheck:
frequency: 43200
scan_on_start: 'yes'
ignore:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: 'check_all="yes"'
- dirs: /bin,/sbin
checks: 'check_all="yes"'
rootcheck:
frequency: 43200
openscap:
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
log_level: 1
email_level: 12
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'command'
command: 'df -P'
frequency: '360'
- format: 'full_command'
command: 'netstat -tln | grep -v 127.0.0.1 | sort'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
globals:
- '127.0.0.1'
- '192.168.2.1'
connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
commands:
- name: 'disable-account'
executable: 'disable-account.sh'
expect: 'user'
timeout_allowed: 'yes'
- name: 'restart-ossec'
executable: 'restart-ossec.sh'
expect: ''
timeout_allowed: 'no'
- name: 'firewall-drop'
executable: 'firewall-drop.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null.sh'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.cmd'
expect: 'srcip'
timeout_allowed: 'yes'
active_responses:
- command: 'host-deny'
location: 'local'
level: 6
timeout: 600
shared_agent_config:
- type: os
type_value: linux
frequency_check: 79200
ignore_files:
- /etc/mtab
- /etc/mnttab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/svc/volatile
directories:
- check_all: yes
dirs: /etc,/usr/bin,/usr/sbin
- check_all: yes
dirs: /bin,/sbin
localfiles:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'apache'
location: '/var/log/httpd/error_log'
- format: 'apache'
location: '/var/log/httpd/access_log'
- format: 'apache'
location: '/var/ossec/logs/active-responses.log'
```
#### Custom variables:
You can create a YAML file and change the default variables for this role, to later using it with `-e` option in `ansible-playbooks`, for example:
```
---
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_config:
email_notification: yes
mail_to:
- myadmin@mydomain.com
mail_smtp_server: mysmtp.mydomain.com
```
Dependencies
------------
No dependencies.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: wazuh-server.example.com
roles:
- { role: ansible-wazuh-server }
License and copyright
---------------------
WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
### Based on previous work from dj-wasabi
- https://github.com/dj-wasabi/ansible-ossec-server
### Modified by Wazuh
The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

431
roles/wazuh/ansible-wazuh-manager/defaults/main.yml
View File

@ -1,431 +0,0 @@
---
wazuh_manager_version: 5.0.0
wazuh_manager_fqdn: "wazuh-server"
wazuh_manager_package_state: present
# Custom packages installation
wazuh_custom_packages_installation_manager_enabled: false
wazuh_custom_packages_installation_manager_deb_url: "https://packages-dev.wazuh.com/"
wazuh_custom_packages_installation_manager_rpm_url: "https://packages-dev.wazuh.com/"
wazuh_dir: "/var/ossec"
##########################################
### Wazuh-OSSEC
##########################################
# groups to create
agent_groups: []
## Global
wazuh_manager_json_output: 'yes'
wazuh_manager_alerts_log: 'yes'
wazuh_manager_logall: 'no'
wazuh_manager_logall_json: 'no'
wazuh_manager_email_notification: 'no'
wazuh_manager_mailto:
- 'admin@example.net'
wazuh_manager_email_smtp_server: smtp.example.wazuh.com
wazuh_manager_email_from: wazuh@example.wazuh.com
wazuh_manager_email_maxperhour: 12
wazuh_manager_email_queue_size: 131072
wazuh_manager_email_log_source: 'alerts.log'
wazuh_manager_globals:
- '127.0.0.1'
- '^localhost.localdomain$'
- '127.0.0.53'
wazuh_manager_agent_disconnection_time: '20s'
wazuh_manager_agents_disconnection_alert_time: '100s'
## Alerts
wazuh_manager_log_level: 3
wazuh_manager_email_level: 12
## Logging
wazuh_manager_log_format: 'plain'
## Email alerts
wazuh_manager_extra_emails:
- enable: false
mail_to: 'recipient@example.wazuh.com'
format: full
level: 7
event_location: null
group: null
do_not_delay: false
do_not_group: false
rule_id: null
## Remote
wazuh_manager_connection:
- type: 'secure'
port: '1514'
protocol: 'tcp'
queue_size: 131072
## Woodles
wazuh_manager_rootcheck:
frequency: 43200
wazuh_manager_openscap:
disable: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
wazuh_manager_ciscat:
disable: 'yes'
install_java: 'yes'
timeout: 1800
interval: '1d'
scan_on_start: 'yes'
java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin'
ciscat_path: 'wodles/ciscat'
wazuh_manager_osquery:
disable: 'yes'
run_daemon: 'yes'
log_path: '/var/log/osquery/osqueryd.results.log'
config_path: '/etc/osquery/osquery.conf'
ad_labels: 'yes'
wazuh_manager_syscollector:
disable: 'no'
interval: '1h'
scan_on_start: 'yes'
hardware: 'yes'
os: 'yes'
network: 'yes'
packages: 'yes'
ports_no: 'yes'
processes: 'yes'
wazuh_manager_monitor_aws:
disabled: 'yes'
interval: '10m'
run_on_start: 'yes'
skip_on_error: 'yes'
s3:
- name: null
bucket_type: null
path: null
only_logs_after: null
access_key: null
secret_key: null
## SCA
wazuh_manager_sca:
enabled: 'yes'
scan_on_start: 'yes'
interval: '12h'
skip_nfs: 'yes'
day: ''
wday: ''
time: ''
## Vulnerability Detector
filebeat_node_name: node-1
filebeat_output_indexer_hosts:
- "localhost"
filebeat_output_indexer_port: 9200
indexer_security_user: admin
indexer_security_password: changeme
filebeat_ssl_dir: /etc/pki/filebeat
wazuh_manager_vulnerability_detection:
enabled: 'yes'
index_status: 'yes'
feed_update_interval: '60m'
wazuh_manager_indexer:
enabled: 'yes'
hosts: "{{ filebeat_output_indexer_hosts }}"
## Syscheck
wazuh_manager_syscheck:
disable: 'no'
frequency: 43200
scan_on_start: 'yes'
auto_ignore: 'no'
ignore:
- /etc/mtab
- /etc/hosts.deny
- /etc/mail/statistics
- /etc/random-seed
- /etc/random.seed
- /etc/adjtime
- /etc/httpd/logs
- /etc/utmpx
- /etc/wtmpx
- /etc/cups/certs
- /etc/dumpdates
- /etc/svc/volatile
ignore_linux_type:
- '.log$|.swp$'
no_diff:
- /etc/ssl/private.key
directories:
- dirs: /etc,/usr/bin,/usr/sbin
checks: ''
- dirs: /bin,/sbin,/boot
checks: ''
auto_ignore_frequency:
frequency: 'frequency="10"'
timeframe: 'timeframe="3600"'
value: 'no'
skip_nfs: 'yes'
skip_dev: 'yes'
skip_proc: 'yes'
skip_sys: 'yes'
process_priority: 10
max_eps: 100
sync_enabled: 'yes'
sync_interval: '5m'
sync_max_interval: '1h'
sync_max_eps: 10
## Command
wazuh_manager_commands:
- name: 'disable-account'
executable: 'disable-account'
timeout_allowed: 'yes'
- name: 'restart-wazuh'
executable: 'restart-wazuh'
- name: 'firewall-drop'
executable: 'firewall-drop'
expect: 'srcip'
timeout_allowed: 'yes'
- name: 'host-deny'
executable: 'host-deny'
timeout_allowed: 'yes'
- name: 'route-null'
executable: 'route-null'
timeout_allowed: 'yes'
- name: 'win_route-null'
executable: 'route-null.exe'
timeout_allowed: 'yes'
- name: 'netsh'
executable: 'netsh.exe'
timeout_allowed: 'yes'
## Localfile
wazuh_manager_localfiles:
common:
- format: 'command'
command: df -P
frequency: '360'
- format: 'full_command'
command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d
alias: 'netstat listening ports'
frequency: '360'
- format: 'full_command'
command: 'last -n 20'
frequency: '360'
- format: 'syslog'
location: "{{ wazuh_dir }}/logs/active-responses.log"
debian:
- format: 'syslog'
location: '/var/log/auth.log'
- format: 'syslog'
location: '/var/log/syslog'
- format: 'syslog'
location: '/var/log/dpkg.log'
- format: 'syslog'
location: '/var/log/kern.log'
centos:
- format: 'syslog'
location: '/var/log/messages'
- format: 'syslog'
location: '/var/log/secure'
- format: 'syslog'
location: '/var/log/maillog'
- format: 'audit'
location: '/var/log/audit/audit.log'
## Labels
wazuh_manager_labels:
enable: false
list:
- key: Env
value: Production
## Ruleset
wazuh_manager_ruleset:
rules_path: 'custom_ruleset/rules/'
decoders_path: 'custom_ruleset/decoders/'
cdb_lists:
- 'audit-keys'
- 'security-eventchannel'
- 'amazon/aws-eventnames'
- 'malicious-ioc/malicious-ip'
- 'malicious-ioc/malicious-domains'
- 'malicious-ioc/malware-hashes'
wazuh_manager_rule_exclude:
- '0215-policy_rules.xml'
## Auth
wazuh_manager_authd:
enable: true
port: 1515
use_source_ip: 'no'
force:
enabled: 'yes'
key_mismatch: 'yes'
disconnected_time: '1h'
after_registration_time: '1h'
purge: 'yes'
use_password: 'no'
ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
ssl_agent_ca: null
ssl_verify_host: 'no'
ssl_manager_cert: 'sslmanager.cert'
ssl_manager_key: 'sslmanager.key'
ssl_auto_negotiate: 'no'
## Cluster
wazuh_manager_cluster:
disable: 'yes'
name: 'wazuh'
node_name: 'manager_01'
node_type: 'master'
key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa'
port: '1516'
bind_addr: '0.0.0.0'
nodes:
- 'manager'
hidden: 'no'
## Wazuh API setup
wazuh_manager_api:
bind_addr: 0.0.0.0
port: 55000
behind_proxy_server: no
https: yes
https_key: "api/configuration/ssl/server.key"
https_cert: "api/configuration/ssl/server.crt"
https_use_ca: False
https_ca: "api/configuration/ssl/ca.crt"
logging_level: "info"
logging_path: "logs/api.log"
cors: no
cors_source_route: "*"
cors_expose_headers: "*"
cors_allow_headers: "*"
cors_allow_credentials: no
cache: yes
cache_time: 0.750
access_max_login_attempts: 5
access_block_time: 300
access_max_request_per_minute: 300
drop_privileges: yes
experimental_features: no
remote_commands_localfile: yes
remote_commands_localfile_exceptions: []
remote_commands_wodle: yes
remote_commands_wodle_exceptions: []
# wazuh_api_users:
# - username: custom-user
# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars)
# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo,
# we should also cover the case for partial settings in inventory variables overlayed on top of role's
# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false.
#
# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions:
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
wazuh_manager_config_overlay: true
## Other/Wrappers
wazuh_manager_config_defaults:
repo: '{{ wazuh_repo }}'
json_output: '{{ wazuh_manager_json_output }}'
alerts_log: '{{ wazuh_manager_alerts_log }}'
logall: '{{ wazuh_manager_logall }}'
logall_json: '{{ wazuh_manager_logall_json }}'
log_format: '{{ wazuh_manager_log_format }}'
api: '{{ wazuh_manager_api }}'
cluster: '{{ wazuh_manager_cluster }}'
connection: '{{ wazuh_manager_connection }}'
authd: '{{ wazuh_manager_authd }}'
email_notification: '{{ wazuh_manager_email_notification }}'
mail_to: '{{ wazuh_manager_mailto }}'
mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}'
mail_from: '{{ wazuh_manager_email_from }}'
mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}'
mail_queue_size: '{{ wazuh_manager_email_queue_size }}'
email_log_source: '{{ wazuh_manager_email_log_source }}'
extra_emails: '{{ wazuh_manager_extra_emails }}'
syscheck: '{{ wazuh_manager_syscheck }}'
rootcheck: '{{ wazuh_manager_rootcheck }}'
openscap: '{{ wazuh_manager_openscap }}'
cis_cat: '{{ wazuh_manager_ciscat }}'
osquery: '{{ wazuh_manager_osquery }}'
syscollector: '{{ wazuh_manager_syscollector }}'
sca: '{{ wazuh_manager_sca }}'
vulnerability_detection: '{{ wazuh_manager_vulnerability_detection }}'
indexer: '{{ wazuh_manager_indexer }}'
localfiles: '{{ wazuh_manager_localfiles }}'
globals: '{{ wazuh_manager_globals }}'
commands: '{{ wazuh_manager_commands }}'
ruleset: '{{ wazuh_manager_ruleset }}'
rule_exclude: '{{ wazuh_manager_rule_exclude }}'
monitor_aws: '{{ wazuh_manager_monitor_aws }}'
labels: '{{ wazuh_manager_labels }}'
agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}'
agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}'
# shared-agent.conf
# shared_agent_config:
# - type: os
# type_value: Linux
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# ignore:
# - /etc/mtab
# - /etc/mnttab
# - /etc/hosts.deny
# - /etc/mail/statistics
# - /etc/svc/volatile
# no_diff:
# - /etc/ssl/private.key
# rootcheck:
# frequency: 43200
# cis_distribution_filename: null
# localfiles:
# - format: 'syslog'
# location: '/var/log/messages'
# - format: 'syslog'
# location: '/var/log/secure'
# - format: 'syslog'
# location: '/var/log/maillog'
# - format: 'apache'
# location: '/var/log/httpd/error_log'
# - format: 'apache'
# location: '/var/log/httpd/access_log'
# - format: 'apache'
# location: "{{ wazuh_dir }}/logs/active-responses.log"
# - type: os
# type_value: Windows
# syscheck:
# frequency: 43200
# scan_on_start: 'yes'
# auto_ignore: 'no'
# windows_registry:
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'
# arch: 'both'
# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'
# localfiles:
# - location: 'Security'
# format: 'eventchannel'
# - location: 'System'
# format: 'eventlog'

102
roles/wazuh/ansible-wazuh-manager/files/create_user.py
View File

@ -1,102 +0,0 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.rbac.orm import check_database_integrity
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except Exception as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
# create RBAC database
check_database_integrity()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
#for def_user in ['wazuh', 'wazuh-wui']:
# if def_user != username:
# disable_user(initial_users[def_user])

25
roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml
View File

@ -1,25 +0,0 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
-->
<decoder name="sample_custom_decoder">
<program_name>sample_custom_decoder</program_name>
</decoder>

18
roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml
View File

@ -1,18 +0,0 @@
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="200001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>

12
roles/wazuh/ansible-wazuh-manager/handlers/main.yml
View File

@ -1,12 +0,0 @@
---
- name: restart wazuh-manager
service:
name: wazuh-manager
state: restarted
enabled: true
- name: restart wazuh-api
service:
name: wazuh-api
state: restarted
enabled: true

23
roles/wazuh/ansible-wazuh-manager/meta/main.yml
View File

@ -1,23 +0,0 @@
---
galaxy_info:
author: Wazuh
description: Installing, deploying and configuring Wazuh Manager.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- monitoring
dependencies: []

125
roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
View File

@ -1,125 +0,0 @@
---
- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl
apt:
name:
- apt-transport-https
- ca-certificates
- gnupg
- acl
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_https_packages_installed
until: wazuh_manager_https_packages_installed is succeeded
- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14)
become: true
shell: |
set -o pipefail
curl -s {{ wazuh_manager_config.repo.gpg }} | apt-key add -
args:
# warn: false
executable: /bin/bash
changed_when: false
when:
- ansible_distribution == "Ubuntu"
- ansible_distribution_major_version | int == 14
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Download Wazuh repository key
get_url:
url: "{{ wazuh_manager_config.repo.gpg }}"
dest: "{{ wazuh_manager_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Import Wazuh GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_manager_config.repo.keyring_path }} --import {{ wazuh_manager_config.repo.path }}"
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
args:
creates: "{{ wazuh_manager_config.repo.keyring_path }}"
- name: Debian/Ubuntu | Set permissions for Wazuh GPG key
file:
path: "{{ wazuh_manager_config.repo.keyring_path }}"
mode: '0644'
when:
- not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Add Wazuh repositories
apt_repository:
filename: wazuh_repo
repo: "{{ wazuh_manager_config.repo.apt }}"
state: present
update_cache: true
changed_when: false
when:
- not wazuh_custom_packages_installation_manager_enabled
- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
set_fact:
cis_distribution_filename: cis_debian_linux_rcl.txt
- name: Debian/Ubuntu | Install OpenJDK-8 repo
apt_repository:
repo: 'ppa:openjdk-r/ppa'
state: present
update_cache: true
when:
- (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14)
- when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
block:
- name: Debian/Ubuntu | Install OpenJDK 1.8
apt: name=openjdk-8-jre state=present cache_valid_time=3600
tags:
- init
- name: Debian/Ubuntu | Install OpenScap
apt:
name:
- libopenscap8
- xsltproc
state: present
cache_valid_time: 3600
install_recommends: false
register: wazuh_manager_openscap_installed
until: wazuh_manager_openscap_installed is succeeded
when: wazuh_manager_config.openscap.disable == 'no'
tags:
- init
- name: Debian/Ubuntu | Get OpenScap installed version
shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version
changed_when: false
tags:
- config
- name: Debian/Ubuntu | Check OpenScap version
shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
when: wazuh_manager_config.openscap.disable == 'no'
register: openscap_version_valid
changed_when: false
tags:
- config
- name: Debian/Ubuntu | Install wazuh-manager
apt:
name:
- "wazuh-manager={{ wazuh_manager_version }}-*"
state: present
tags: init
when:
- not wazuh_custom_packages_installation_manager_enabled
- include_tasks: "installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled

134
roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
View File

@ -1,134 +0,0 @@
---
- name: RedHat/CentOS 5 | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_manager_config.repo.yum }}5/"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5"
gpgcheck: true
changed_when: false
when:
- (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon')
- (ansible_distribution_major_version|int <= 5)
- not wazuh_custom_packages_installation_manager_enabled
register: repo_v5_manager_installed
- name: RedHat/CentOS/Fedora | Install Wazuh repo
yum_repository:
name: wazuh_repo
description: Wazuh repository
baseurl: "{{ wazuh_manager_config.repo.yum }}"
gpgkey: "{{ wazuh_manager_config.repo.gpg }}"
gpgcheck: true
changed_when: false
when:
- repo_v5_manager_installed is skipped
- not wazuh_custom_packages_installation_manager_enabled
- name: RedHat/CentOS/Fedora | Install openscap
package: name={{ item }} state=present
with_items:
- openscap-scanner
register: wazuh_manager_openscp_packages_installed
until: wazuh_manager_openscp_packages_installed is succeeded
tags:
- init
when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") and
not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8")
- name: CentOS 6 | Install Software Collections (SCL) Repository
package: name=centos-release-scl state=present
register: wazuh_manager_scl_packages_installed
until: wazuh_manager_scl_packages_installed is succeeded
when:
- ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL)
command: yum-config-manager --enable {{ item }}
with_items:
- rhui-REGION-rhel-server-rhscl
- rhel-server-rhscl-6-rpms
when:
- ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: CentOS/RedHat 6 | Install Python 2.7
package: name=python27 state=present
register: wazuh_manager_python_package_installed
until: wazuh_manager_python_package_installed is succeeded
when:
- ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6'
- wazuh_manager_config.cluster.disable != 'yes'
- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8
yum:
name: java-1.8.0-openjdk
state: present
lock_timeout: 200
when:
- wazuh_manager_config.cis_cat.disable == 'no'
- wazuh_manager_config.cis_cat.install_java == 'yes'
tags:
- init
- name: Set Distribution CIS filename for RHEL5/CentOS-5
set_fact:
cis_distribution_filename: cis_rhel5_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5'
- name: Set Distribution CIS filename for RHEL6/CentOS-6
set_fact:
cis_distribution_filename: cis_rhel6_linux_rcl.txt
when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6'
- name: Set Distribution CIS filename for RHEL7/CentOS-7
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_os_family == "RedHat" and ansible_distribution_major_version == '7'
- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon)
set_fact:
cis_distribution_filename: cis_rhel7_linux_rcl.txt
when:
- ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA"
- name: CentOS/RedHat/Amazon | Install wazuh-manager
package:
name: "wazuh-manager-{{ wazuh_manager_version }}"
state: "{{ wazuh_manager_package_state }}"
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "redhat"
- not wazuh_custom_packages_installation_manager_enabled
tags:
- init
- include_tasks: "../tasks/installation_from_custom_packages.yml"
when:
- wazuh_custom_packages_installation_manager_enabled
- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3
replace:
path: /etc/init.d/wazuh-manager
regexp: 'echo -n "Starting Wazuh-manager: "'
replace: "echo -n \"Starting Wazuh-manager (EL6): \"; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{{ wazuh_dir }}/framework/lib"
when:
- ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6
- wazuh_manager_config.cluster.disable != 'yes'
- name: Install expect (EL5)
package:
name: "{{ item }}"
state: "{{ wazuh_manager_package_state }}"
with_items:
- expect
register: wazuh_manager_main_packages_installed
until: wazuh_manager_main_packages_installed is succeeded
when:
- ansible_os_family|lower == "RedHat"
- ansible_distribution_major_version|int < 6
tags:
- init

40
roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml
View File

@ -1,40 +0,0 @@
---
# Vars
# cmake_download_url: http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz
# cmake_version: 3.18.3
#
- name: Include CMake install vars
include_vars: install_cmake.yml
- name: Download CMake sources
get_url:
url: "{{ cmake_download_url }}"
dest: "/tmp/cmake-{{ cmake_version }}.tar.gz"
register: cmake_download
- name: Unpack CMake
unarchive:
copy: no
dest: /tmp/
src: "{{ cmake_download.dest }}"
when: cmake_download.changed
register: cmake_unpack
- name: Configure CMake
command: "./bootstrap"
args:
chdir: "/tmp/cmake-{{ cmake_version }}"
when: cmake_unpack.changed
register: cmake_configure
- name: Install CMake
shell: make && make install
args:
chdir: "/tmp/cmake-{{ cmake_version }}"
when: cmake_configure.changed
- name: Delete installation files
file:
state: absent
path: "/tmp/cmake-{{ cmake_version }}"

32
roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml
View File

@ -1,32 +0,0 @@
---
- block:
- name: Install Wazuh Manager from .deb packages
apt:
deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
when:
- ansible_os_family|lower == "debian"
- block:
- name: Install Wazuh Manager from .rpm packages | yum
yum:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
lock_timeout: 200
when:
- wazuh_custom_packages_installation_manager_enabled
- not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
- not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
- name: Install Wazuh Manager from .rpm packages | dnf
dnf:
name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
state: present
when:
- wazuh_custom_packages_installation_manager_enabled
- (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
(ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
when:
- ansible_os_family|lower == "redhat"

305
roles/wazuh/ansible-wazuh-manager/tasks/main.yml
View File

@ -1,305 +0,0 @@
---
- name: "Install dependencies"
block:
- name: "Install common dependencies"
package:
name:
- unzip
- openssl
- tar
state: present
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- name: "Install curl"
package:
name: curl
state: present
when: ansible_distribution != "Amazon" and ansible_distribution_version != "2023"
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- name: "Install curl minimal in AL2023"
package:
name: curl-minimal
state: present
when: ansible_distribution == "Amazon" and ansible_distribution_version == "2023"
register: package_status
until: "package_status is not failed"
retries: 10
delay: 10
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- name: Overlay wazuh_manager_config on top of defaults
set_fact:
wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}'
vars:
config_layer: '{{ wazuh_manager_config | default({}) }}'
when: wazuh_manager_config_overlay | bool
- include_tasks: "RedHat.yml"
when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
- include_tasks: "Debian.yml"
when: ansible_os_family == "Debian"
- name: Generate the wazuh-keystore (username)
shell: >
/var/ossec/bin/wazuh-keystore -f indexer -k username -v {{ indexer_security_user }}
notify: restart wazuh-manager
tags:
- init
- config
- name: Generate the wazuh-keystore (password)
shell: >
/var/ossec/bin/wazuh-keystore -f indexer -k password -v {{ indexer_security_password }}
notify: restart wazuh-manager
tags:
- init
- config
- name: Install expect
package:
name: expect
state: "{{ wazuh_manager_package_state }}"
when:
- not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) and
not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8)
tags: init
- name: Generate SSL files for authd
command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
args:
creates: sslmanager.cert
chdir: "{{ wazuh_dir }}/etc/"
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Copy CA, SSL key and cert for authd
copy:
src: "{{ item }}"
dest: "{{ wazuh_dir }}/etc/{{ item }}"
mode: 0644
with_items:
- "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
- "{{ wazuh_manager_config.authd.ssl_manager_cert }}"
- "{{ wazuh_manager_config.authd.ssl_manager_key }}"
tags:
- config
when: wazuh_manager_config.authd.ssl_agent_ca is not none
- name: Verifying for old init authd service
stat: path=/etc/init.d/ossec-authd
register: old_authd_service
tags:
- config
- name: Verifying for old systemd authd service
stat: path=/lib/systemd/system/ossec-authd.service
register: old_authd_service
tags:
- config
- name: Ensure ossec-authd service is disabled
service: name=ossec-authd enabled=no state=stopped
when: old_authd_service.stat.exists
tags:
- config
- name: Removing old init authd services
file: path="{{ item }}" state=absent
with_items:
- "/etc/init.d/ossec-authd"
- "/lib/systemd/system/ossec-authd.service"
when: old_authd_service.stat.exists
tags:
- config
- name: Installing the local_rules.xml (default local_rules.xml)
template: src=var-ossec-rules-local_rules.xml.j2
dest="{{ wazuh_dir }}/etc/rules/local_rules.xml"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Adding local rules files
copy: src="{{ wazuh_manager_config.ruleset.rules_path }}"
dest="{{ wazuh_dir }}/etc/rules/"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Installing the local_decoder.xml
template: src=var-ossec-rules-local_decoder.xml.j2
dest="{{ wazuh_dir }}/etc/decoders/local_decoder.xml"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Adding local decoders files
copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}"
dest="{{ wazuh_dir }}/etc/decoders/"
owner=wazuh
group=wazuh
mode=0660
notify: restart wazuh-manager
tags:
- init
- config
- rules
- name: Configure the shared-agent.conf
template:
src: var-ossec-etc-shared-agent.conf.j2
dest: "{{ wazuh_dir }}/etc/shared/default/agent.conf"
owner: wazuh
group: wazuh
mode: 0660
validate: "{{ wazuh_dir }}/bin/verify-agent-conf -f %s"
notify: restart wazuh-manager
tags:
- init
- config
when:
- shared_agent_config is defined
- name: Installing the local_internal_options.conf
template: src=var-ossec-etc-local-internal-options.conf.j2
dest="{{ wazuh_dir }}/etc/local_internal_options.conf"
owner=root
group=wazuh
mode=0640
notify: restart wazuh-manager
tags:
- init
- config
- name: Retrieving authd Credentials
include_vars: authd_pass.yml
tags:
- config
- name: Checking alert log output settings
fail: msg="Please enable json_output or alerts_log options."
when:
- wazuh_manager_config.json_output == 'no'
- wazuh_manager_config.alerts_log == 'no'
tags:
- init
- config
- name: Configure ossec.conf
template:
src: var-ossec-etc-ossec-server.conf.j2
dest: "{{ wazuh_dir }}/etc/ossec.conf"
owner: root
group: wazuh
mode: 0644
notify: restart wazuh-manager
tags:
- init
- config
- name: Ossec-authd password
template:
src: authd_pass.j2
dest: "{{ wazuh_dir }}/etc/authd.pass"
owner: wazuh
group: wazuh
mode: 0640
no_log: true
notify: restart wazuh-manager
when:
- wazuh_manager_config.authd.use_password is defined
- wazuh_manager_config.authd.use_password == 'yes'
tags:
- config
- name: Create custom API user
block:
- name: Copy create_user script
copy:
src: create_user.py
dest: "{{ wazuh_dir }}/framework/scripts/create_user.py"
owner: root
group: wazuh
mode: 0644
- name: Create admin.json
template:
src: templates/admin.json.j2
dest: "{{ wazuh_dir }}/api/configuration/admin.json"
owner: wazuh
group: wazuh
mode: 0644
no_log: true
- name: Execute create_user script
script:
chdir: "{{ wazuh_dir }}/framework/scripts/"
cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}"
executable: "{{ wazuh_dir }}/framework/python/bin/python3"
with_items:
- "{{ wazuh_api_users }}"
- name: Delete create_user script
file:
path: "{{ wazuh_dir }}/framework/scripts/create_user.py"
state: absent
tags:
- config_api_users
when:
- wazuh_api_users is defined
- wazuh_manager_config.cluster.node_type == "master"
- name: Ensure Wazuh Manager service is started and enabled.
service:
name: "wazuh-manager"
enabled: true
state: started
tags:
- config
- name: Create agent groups
command: "{{ wazuh_dir }}/bin/agent_groups -a -g {{ item }} -q"
with_items:
- "{{ agent_groups }}"
when:
- ( agent_groups is defined) and ( agent_groups|length > 0)
tags: molecule-idempotence-notest
- name: Run uninstall tasks
include_tasks: uninstall.yml

15
roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml
View File

@ -1,15 +0,0 @@
---
- name: Debian/Ubuntu | Remove Wazuh repository.
apt_repository:
repo: "{{ wazuh_manager_config.repo.apt }}"
state: absent
changed_when: false
when: ansible_os_family == "Debian"
- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false
when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon"

4
roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2
View File

@ -1,4 +0,0 @@
{% for api in wazuh_api_users %}
{"username":"{{ api['username'] }}", "password": "{{ api['password'] }}"}
{% endfor %}

1
roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2
View File

@ -1 +0,0 @@
{{ authd_pass }}

1
roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2
View File

@ -1 +0,0 @@
{{ item.content }}

12
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2
View File

@ -1,12 +0,0 @@
# local_internal_options.conf
#
# This file should be handled with care. It contains
# run time modifications that can affect the use
# of OSSEC. Only change it if you know what you
# are doing. Look first at ossec.conf
# for most of the things you want to change.
#
# This file will not be overwritten during upgrades.
# This is the template of Ansible for the file local_internal_options.conf
# In this file you could include the configuration settings for your manager

572
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
View File

@ -1,572 +0,0 @@
#jinja2: lstrip_blocks: True
<!--
Wazuh - Manager - Default configuration
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<global>
<jsonout_output>{{ wazuh_manager_config.json_output }}</jsonout_output>
<alerts_log>{{ wazuh_manager_config.alerts_log }}</alerts_log>
<logall>{{ wazuh_manager_config.logall }}</logall>
<logall_json>{{ wazuh_manager_config.logall_json }}</logall_json>
<email_notification>{{ wazuh_manager_config.email_notification }}</email_notification>
{% for to in wazuh_manager_config.mail_to %}
<email_to>{{ to }}</email_to>
{% endfor %}
<smtp_server>{{ wazuh_manager_config.mail_smtp_server }}</smtp_server>
<email_from>{{ wazuh_manager_config.mail_from }}</email_from>
<email_maxperhour>{{ wazuh_manager_config.mail_maxperhour }}</email_maxperhour>
<email_log_source>{{ wazuh_manager_config.email_log_source }}</email_log_source>
<agents_disconnection_time>{{ wazuh_manager_config.agents_disconnection_time }}</agents_disconnection_time>
<agents_disconnection_alert_time>{{ wazuh_manager_config.agents_disconnection_alert_time }}</agents_disconnection_alert_time>
</global>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>{{ wazuh_manager_config.log_format }}</log_format>
</logging>
{% for connection in wazuh_manager_config.connection %}
<remote>
<connection>{{ connection.type }}</connection>
{% if connection.port is defined %}
<port>{{ connection.port }}</port>
{% endif %}
{% if connection.protocol is defined %}
<protocol>{{ connection.protocol }}</protocol>
{% endif %}
{% if connection.allowed_ips is defined %}
{% for allowed_ip in connection.allowed_ips %}
<allowed-ips>{{ allowed_ip }}</allowed-ips>
{% endfor %}
{% endif %}
{% if connection.denied_ips is defined %}
{% for denied_ip in connection.denied_ips %}
<denied-ips>{{ denied_ip }}</denied-ips>
{% endfor %}
{% endif %}
{% if connection.local_ip is defined %}
<local_ip>{{ connection.local_ip }}</local_ip>
{% endif %}
{% if connection.ipv6 is defined %}
<ipv6>{{ connection.ipv6 }}</ipv6>
{% endif %}
{% if connection.queue_size is defined %}
<queue_size>{{connection.queue_size}}</queue_size>
{% endif %}
</remote>
{% endfor %}
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ wazuh_manager_config.rootcheck.frequency }}</frequency>
<rootkit_files>{{ wazuh_dir }}/etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>{{ wazuh_dir }}/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %}
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>{{ wazuh_manager_config.openscap.timeout }}</timeout>
<interval>{{ wazuh_manager_config.openscap.interval }}</interval>
<scan-on-start>{{ wazuh_manager_config.openscap.scan_on_start }}</scan-on-start>
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %}
<content type="xccdf" path="ssg-ubuntu-1604-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution == 'Debian' %}
{% if ansible_distribution_release == 'jessie' %}
{% if openscap_version_valid.stdout == "0" %}
<content type="xccdf" path="ssg-debian-8-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
<content type="oval" path="cve-debian-8-oval.xml"/>
{% endif %}
{% elif ansible_distribution_release == 'stretch' %}
<content type="oval" path="cve-debian-9-oval.xml"/>
{% endif %}
{% elif ansible_distribution == 'CentOS' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-centos-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% elif ansible_distribution == 'RedHat' %}
{% if ansible_distribution_major_version == '8' %}
{# Policy not available #}
{% elif ansible_distribution_major_version == '7' %}
<content type="xccdf" path="ssg-rhel-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% elif ansible_distribution_major_version == '6' %}
<content type="xccdf" path="ssg-rhel-6-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
{% if ansible_distribution_major_version == '7' %}
<content type="oval" path="cve-redhat-7-ds.xml"/>
{% elif ansible_distribution_major_version == '6' %}
<content type="oval" path="cve-redhat-6-ds.xml"/>
{% endif %}
{% elif ansible_distribution == 'Fedora' %}
<content type="xccdf" path="ssg-fedora-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
{% endif %}
</wodle>
{% endif %}
<wodle name="cis-cat">
<disabled>{{ wazuh_manager_config.cis_cat.disable}}</disabled>
<timeout>{{ wazuh_manager_config.cis_cat.timeout }}</timeout>
<interval>{{ wazuh_manager_config.cis_cat.interval }}</interval>
<scan-on-start>{{ wazuh_manager_config.cis_cat.scan_on_start }}</scan-on-start>
{% if wazuh_manager_config.cis_cat.install_java == 'yes' %}
<java_path>wodles/java</java_path>
{% else %}
<java_path>{{ wazuh_manager_config.cis_cat.java_path }}</java_path>
{% endif %}
<ciscat_path>{{ wazuh_manager_config.cis_cat.ciscat_path }}</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>{{ wazuh_manager_config.osquery.disable }}</disabled>
<run_daemon>{{ wazuh_manager_config.osquery.run_daemon }}</run_daemon>
<log_path>{{ wazuh_manager_config.osquery.log_path }}</log_path>
<config_path>{{ wazuh_manager_config.osquery.config_path }}</config_path>
<add_labels>{{ wazuh_manager_config.osquery.ad_labels }}</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>{{ wazuh_manager_config.syscollector.disable }}</disabled>
<interval>{{ wazuh_manager_config.syscollector.interval }}</interval>
<scan_on_start>{{ wazuh_manager_config.syscollector.scan_on_start }}</scan_on_start>
<hardware>{{ wazuh_manager_config.syscollector.hardware }}</hardware>
<os>{{ wazuh_manager_config.syscollector.os }}</os>
<network>{{ wazuh_manager_config.syscollector.network }}</network>
<packages>{{ wazuh_manager_config.syscollector.packages }}</packages>
<ports all="yes">{{ wazuh_manager_config.syscollector.ports_no }}</ports>
<processes>{{ wazuh_manager_config.syscollector.processes }}</processes>
</wodle>
<sca>
{% if wazuh_manager_config.sca.enabled | length > 0 %}
<enabled>{{ wazuh_manager_config.sca.enabled }}</enabled>
{% endif %}
{% if wazuh_manager_config.sca.scan_on_start | length > 0 %}
<scan_on_start>{{ wazuh_manager_config.sca.scan_on_start }}</scan_on_start>
{% endif %}
{% if wazuh_manager_config.sca.interval | length > 0 %}
<interval>{{ wazuh_manager_config.sca.interval }}</interval>
{% endif %}
{% if wazuh_manager_config.sca.skip_nfs | length > 0 %}
<skip_nfs>yes</skip_nfs>
{% endif %}
{% if wazuh_manager_config.sca.day | length > 0 %}
<day>{{ wazuh_manager_config.sca.day }}</day>
{% endif %}
{% if wazuh_manager_config.sca.wday | length > 0 %}
<wday>{{ wazuh_manager_config.sca.wday }}</wday>
{% endif %}
{% if wazuh_manager_config.sca.time | length > 0 %}
<time>{{ wazuh_manager_config.sca.time }}</time>
{% endif %}
</sca>
<vulnerability-detection>
<enabled>{{ wazuh_manager_config.vulnerability_detection.enabled }}</enabled>
<index-status>{{ wazuh_manager_config.vulnerability_detection.index_status }}</index-status>
<feed-update-interval>{{ wazuh_manager_config.vulnerability_detection.feed_update_interval }}</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>{% if wazuh_manager_config.vulnerability_detection.enabled == 'yes' or wazuh_manager_config.indexer.enabled == 'yes' %}yes{% else %}no{% endif %}</enabled>
<hosts>
{% for item in wazuh_manager_config.indexer.hosts %}
<host>https://{{ item }}:{{ filebeat_output_indexer_port }}</host>
{% endfor %}
</hosts>
<ssl>
<certificate_authorities>
<ca>{{ filebeat_ssl_dir }}/root-ca.pem</ca>
</certificate_authorities>
<certificate>{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem</certificate>
<key>{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>{{ wazuh_manager_config.syscheck.disable }}</disabled>
<frequency>{{ wazuh_manager_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ wazuh_manager_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Do not ignore files that change more than 'frequency' times -->
{% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %}
<auto_ignore {{ wazuh_manager_config.syscheck.auto_ignore_frequency.frequency }} {{ wazuh_manager_config.syscheck.auto_ignore_frequency.timeframe }}>{{wazuh_manager_config.syscheck.auto_ignore_frequency.value }}</auto_ignore>
{% endif %}
<!-- Directories to check (perform all possible verifications) -->
{% if wazuh_manager_config.syscheck.directories is defined %}
{% for directory in wazuh_manager_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if wazuh_manager_config.syscheck.ignore is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- File types to ignore -->
{% if wazuh_manager_config.syscheck.ignore_linux_type is defined %}
{% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %}
<ignore type="sregex">{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% for no_diff in wazuh_manager_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% if wazuh_manager_config.syscheck.skip_nfs is defined %}
<skip_nfs>{{ wazuh_manager_config.syscheck.skip_nfs }}</skip_nfs>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_dev is defined %}
<skip_dev>{{ wazuh_manager_config.syscheck.skip_dev }}</skip_dev>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_proc is defined %}
<skip_proc>{{ wazuh_manager_config.syscheck.skip_proc }}</skip_proc>
{% endif %}
{% if wazuh_manager_config.syscheck.skip_sys is defined %}
<skip_sys>{{ wazuh_manager_config.syscheck.skip_sys }}</skip_sys>
{% endif %}
<!-- Nice value for Syscheck module -->
<process_priority>{{ wazuh_manager_config.syscheck.process_priority }}</process_priority>
<!-- Maximum output throughput -->
<max_eps>{{ wazuh_manager_config.syscheck.max_eps }}</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>{{ wazuh_manager_config.syscheck.sync_enabled }}</enabled>
<interval>{{ wazuh_manager_config.syscheck.sync_interval }}</interval>
<max_interval>{{ wazuh_manager_config.syscheck.sync_max_interval }}</max_interval>
<max_eps>{{ wazuh_manager_config.syscheck.sync_max_eps }}</max_eps>
</synchronization>
</syscheck>
<global>
{% for white_list in wazuh_manager_config.globals %}
<white_list>{{ white_list }}</white_list>
{% endfor %}
</global>
{% for command in wazuh_manager_config.commands %}
<command>
<name>{{ command.name }}</name>
<executable>{{ command.executable }}</executable>
{% if command.timeout_allowed is defined %}
<timeout_allowed>{{ command.timeout_allowed }}</timeout_allowed>
{% endif %}
</command>
{% endfor %}
{% if wazuh_manager_config.active_responses is defined %}
{% for response in wazuh_manager_config.active_responses %}
<active-response>
<disabled>{% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %}</disabled>
{%if response.command is defined %}<command>{{ response.command }}</command>{% endif %}
{%if response.location is defined %}<location>{{ response.location }}</location>{% endif %}
{%if response.agent_id is defined %}<agent_id>{{ response.agent_id }}</agent_id>{% endif %}
{%if response.level is defined %}<level>{{ response.level }}</level>{% endif %}
{%if response.rules_group is defined %}<rules_group>{{ response.rules_group }}</rules_group>{% endif %}
{%if response.rules_id is defined %}<rules_id>{{ response.rules_id }}</rules_id>{% endif %}
{%if response.timeout is defined %}<timeout>{{ response.timeout }}</timeout>{% endif %}
{%if response.repeated_offenders is defined %}<repeated_offenders>{{ response.repeated_offenders }}</repeated_offenders>{% endif %}
</active-response>
{% endfor %}
{% endif -%}
<!-- Files to monitor (localfiles) -->
{% for localfile in wazuh_manager_config.localfiles.common %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% if ansible_os_family == "Debian" %}
{% for localfile in wazuh_manager_config.localfiles.debian %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif -%}
{% if ansible_os_family == "RedHat" %}
{% for localfile in wazuh_manager_config.localfiles.centos %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for key, value in localfile.labels.items() %}
<label key="{{ key }}">{{ value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif -%}
{% if monitor_aws is defined and monitor_aws.disabled == "no" %}
<!-- S3 -->
<wodle name="aws-s3">
<disabled>{{ monitor_aws.disabled }}</disabled>
<interval>{{ monitor_aws.interval }}</interval>
<run_on_start>{{ monitor_aws.run_on_start }}</run_on_start>
<skip_on_error>{{ monitor_aws.skip_on_error }}</skip_on_error>
{% for bucket in monitor_aws.s3 %}
<bucket type="{{ bucket.bucket_type }}">
<name>{{ bucket.name }}</name>
{% if bucket.path is defined %}
<path>{{ bucket.path }}</path>
{% endif %}
{% if bucket.only_logs_after is defined %}
<only_logs_after>{{ bucket.only_logs_after }}</only_logs_after>
{% endif %}
<access_key>{{ bucket.access_key }}</access_key>
<secret_key>{{ bucket.secret_key }}</secret_key>
</bucket>
{% endfor %}
</wodle>
{% endif %}
{% if wazuh_manager_config.labels.enable == true %}
<labels>
{% for label in wazuh_manager_config.labels.list %}
<label key="{{ label.key }}"{% if label.hidden is defined %} hidden="{{ label.hidden }}"{% endif %}>{{ label.value }}</label>
{% endfor %}
</labels>
{% endif %}
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
{% if wazuh_manager_config.rule_exclude is defined %}
{% for rule in wazuh_manager_config.rule_exclude %}
<rule_exclude>{{ rule }}</rule_exclude>
{% endfor %}
{% endif %}
{% if wazuh_manager_config.ruleset.cdb_lists is defined %}
{% for list in wazuh_manager_config.ruleset.cdb_lists %}
<list>etc/lists/{{ list }}</list>
{% endfor %}
{% endif %}
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
{% if wazuh_manager_config.authd.enable == true %}
<auth>
<disabled>no</disabled>
{% if wazuh_manager_config.authd.port is not none %}
<port>{{wazuh_manager_config.authd.port}}</port>
{% else %}
<port>1515</port>
{% endif %}
{% if wazuh_manager_config.authd.use_source_ip is not none %}
<use_source_ip>{{wazuh_manager_config.authd.use_source_ip}}</use_source_ip>
{% endif %}
<force>
{% if wazuh_manager_config.authd.force.enabled is not none %}
<enabled>{{wazuh_manager_config.authd.force.enabled}}</enabled>
{% else %}
<enabledport>yes</enabled>
{% endif %}
{% if wazuh_manager_config.authd.force.key_mismatch is not none %}
<key_mismatch>{{wazuh_manager_config.authd.force.key_mismatch}}</key_mismatch>
{% else %}
<key_mismatch>yes</key_mismatch>
{% endif %}
{% if wazuh_manager_config.authd.force.disconnected_time is not none %}
<disconnected_time enabled="yes">{{wazuh_manager_config.authd.force.disconnected_time}}</disconnected_time>
{% else %}
<disconnected_time enabled="yes">1h</disconnected_time>
{% endif %}
{% if wazuh_manager_config.authd.force.after_registration_time is not none %}
<after_registration_time>{{wazuh_manager_config.authd.force.after_registration_time}}</after_registration_time>
{% else %}
<after_registration_time>1h</after_registration_time>
{% endif %}
</force>
{% if wazuh_manager_config.authd.purge is not none %}
<purge>{{wazuh_manager_config.authd.purge}}</purge>
{% endif %}
{% if wazuh_manager_config.authd.use_password is not none %}
<use_password>{{wazuh_manager_config.authd.use_password}}</use_password>
{% endif %}
{% if wazuh_manager_config.authd.ciphers is not none %}
<ciphers>{{wazuh_manager_config.authd.ciphers}}</ciphers>
{% endif %}
{% if wazuh_manager_config.authd.ssl_agent_ca is not none %}
<ssl_agent_ca>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}}</ssl_agent_ca>
{% endif %}
{% if wazuh_manager_config.authd.ssl_verify_host is not none %}
<ssl_verify_host>{{wazuh_manager_config.authd.ssl_verify_host}}</ssl_verify_host>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_cert is not none %}
<ssl_manager_cert>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}}</ssl_manager_cert>
{% endif %}
{% if wazuh_manager_config.authd.ssl_manager_key is not none %}
<ssl_manager_key>{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}}</ssl_manager_key>
{% endif %}
{% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %}
<ssl_auto_negotiate>{{wazuh_manager_config.authd.ssl_auto_negotiate}}</ssl_auto_negotiate>
{% endif %}
</auth>
{% endif %}
<cluster>
<disabled>{{ wazuh_manager_config.cluster.disable }}</disabled>
<name>{{ wazuh_manager_config.cluster.name }}</name>
<node_name>{{ wazuh_manager_config.cluster.node_name }}</node_name>
<node_type>{{ wazuh_manager_config.cluster.node_type }}</node_type>
<key>{{ wazuh_manager_config.cluster.key }}</key>
{% if wazuh_manager_config.cluster.interval is defined %}
<interval>{{ wazuh_manager_config.cluster.interval }}</interval>
{% endif %}
<port>{{ wazuh_manager_config.cluster.port }}</port>
<bind_addr>{{ wazuh_manager_config.cluster.bind_addr }}</bind_addr>
<nodes>
{% for node in wazuh_manager_config.cluster.nodes %}
<node>{{ node }}</node>
{% endfor %}
</nodes>
<hidden>{{ wazuh_manager_config.cluster.hidden }}</hidden>
</cluster>
</ossec_config>

106
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2
View File

@ -1,106 +0,0 @@
#jinja2: trim_blocks: False
{% if shared_agent_config is defined %}
{% for agent_config in shared_agent_config %}
<agent_config {{ agent_config.type }}="{{ agent_config.type_value }}">
{% if agent_config.syscheck is defined %}
<syscheck>
{% if agent_config.syscheck.auto_ignore is defined %}
<auto_ignore>{{ agent_config.syscheck.auto_ignore }}</auto_ignore>
{% endif %}
<frequency>{{ agent_config.syscheck.frequency }}</frequency>
<scan_on_start>{{ agent_config.syscheck.scan_on_start }}</scan_on_start>
<!-- Directories to check (perform all possible verifications) -->
{% if agent_config.syscheck.directories is defined %}
{% for directory in agent_config.syscheck.directories %}
<directories {{ directory.checks }}>{{ directory.dirs }}</directories>
{% endfor %}
{% endif %}
<!-- Files/directories to ignore -->
{% if agent_config.syscheck.ignore is defined %}
{% for ignore in agent_config.syscheck.ignore %}
<ignore>{{ ignore }}</ignore>
{% endfor %}
{% endif %}
<!-- Files no diff -->
{% if agent_config.syscheck.no_diff is defined %}
{% for no_diff in agent_config.syscheck.no_diff %}
<nodiff>{{ no_diff }}</nodiff>
{% endfor %}
{% endif %}
{% if agent_config.syscheck.windows_registry is defined %}
{% for registry_key in agent_config.syscheck.windows_registry %}
{% if registry_key.arch is defined %}
<windows_registry arch="{{ registry_key.arch }}">{{ registry_key.key }}</windows_registry>
{% else %}
<windows_registry>{{ registry_key.key }}</windows_registry>
{% endif %}
{% endfor %}
{% endif %}
</syscheck>
{% endif %}
{% if agent_config.localfiles is defined %}
{% for localfile in agent_config.localfiles %}
<localfile>
<log_format>{{ localfile.format }}</log_format>
{% if localfile.format == 'command' or localfile.format == 'full_command' %}
<command>{{ localfile.command }}</command>
{% if localfile.alias is defined %}
<alias>{{ localfile.alias }}</alias>
{% endif %}
{% if localfile.frequency is defined %}
<frequency>{{ localfile.frequency }}</frequency>
{% endif %}
{% else %}
<location>{{ localfile.location }}</location>
{% if localfile.format == 'eventchannel' %}
{% if localfile.only_future_events is defined %}
<only-future-events>{{ localfile.only_future_events }}</only_future_events>
{% endif %}
{% if localfile.query is defined %}
<query>{{ localfile.query }}</query>
{% endif %}
{% endif %}
{% endif %}
{% if localfile.format == 'json' and localfile.labels is defined %}
{% for item in localfile.labels %}
<label key="{{ item.key }}">{{ item.value }}</label>
{% endfor %}
{% endif %}
{% if localfile.target is defined %}
<target>{{ localfile.target }}</target>
{% endif %}
{% if localfile.out_format is defined %}
<out_format>{{ localfile.out_format }}</out_format>
{% endif %}
</localfile>
{% endfor %}
{% endif %}
{% if agent_config.rootcheck is defined %}
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>{{ agent_config.rootcheck.frequency }}</frequency>
{% if agent_config.rootcheck.cis_distribution_filename is not none %}
<system_audit>{{ wazuh_dir }}/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }}</system_audit>
{% endif %}
<skip_nfs>yes</skip_nfs>
</rootcheck>
{% endif %}
</agent_config>
{% endfor %}
{% endif %}

25
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2
View File

@ -1,25 +0,0 @@
<!-- Local Decoders -->
<!-- Modify it at your will. -->
<!--
- Allowed static fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data
-->
<decoder name="local_decoder_example">
<program_name>local_decoder_example</program_name>
</decoder>

19
roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2
View File

@ -1,19 +0,0 @@
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2016, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
<!--
Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
-->
<rule id="100001" level="5">
<if_sid>5716</if_sid>
<srcip>1.1.1.1</srcip>
<description>sshd: authentication failed from IP 1.1.1.1.</description>
<group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>
</group>

2
roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml
View File

@ -1,2 +0,0 @@
---
# authd_pass: foobar

4
roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml
View File

@ -1,4 +0,0 @@
# Install cmake vars
cmake_version: 3.18.3
cmake_download_url: "http://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz"

2
roles/wazuh/check-packages/defaults/main.yml
View File

@ -1,2 +0,0 @@
---
wazuh_version: 5.0.0

6
roles/wazuh/check-packages/files/packages_uri.txt
View File

@ -1,6 +0,0 @@
yum/wazuh-manager-VERSION-1.x86_64.rpm
apt/pool/main/w/wazuh-manager/wazuh-manager_VERSION-1_amd64.deb
yum/wazuh-dashboard-VERSION-1.x86_64.rpm
yum/wazuh-indexer-VERSION-1.x86_64.rpm
apt/pool/main/w/wazuh-agent/wazuh-agent_VERSION-1_amd64.deb
yum/wazuh-agent-VERSION-1.x86_64.rpm

80
roles/wazuh/check-packages/scripts/check_packages.sh
View File

@ -1,80 +0,0 @@
#!/bin/bash
VERSION=$1
#echo $VERSION
## Replace VERSION with $VERSION in packages_uri.txt and save it as packages_uri_new.txt
sed 's,VERSION,'$VERSION',g' ../files/packages_uri.txt > ../files/packages_uri_new.txt
checkPackages(){
## Set S3 Bucket URL
if [ $1 == "production" ]; then
echo "production"
PACKAGES_URL=https://packages.wazuh.com/5.x/
elif [ $1 == "pre-release" ]; then
echo "pre-release"
PACKAGES_URL=https://packages-dev.wazuh.com/pre-release/
elif [ $1 == "staging" ]; then
echo "staging"
PACKAGES_URL=https://packages-dev.wazuh.com/staging/
CHECK_WIN_PACKAGE=$(grep windows ../files/packages_uri_new.txt)
echo $CHECK_WIN_PACKAGE
if [ -n "$CHECK_WIN_PACKAGE" ]; then
WIN_AGENT_NAME=$(aws s3 ls s3://xdrsiem-packages-dev/staging/windows/wazuh-agent-$VERSION --region=us-west-1 | tail -1 | awk '{printf $4}')
if [ -z $WIN_AGENT_NAME ]; then
echo "Windows agent package for version " $VERSION " does not exist in the staging repository"
exit 1
fi
WIN_AGENT_URI="windows/"$WIN_AGENT_NAME
echo $PACKAGES_URL$WIN_AGENT_URI "check"
sed -i 's,windows/.*,'$WIN_AGENT_URI',g' ../files/packages_uri_new.txt
sed -i 's,wazuh_winagent_config_url.*,wazuh_winagent_config_url: \"'$PACKAGES_URL$WIN_AGENT_URI'\",g' ../../vars/repo_staging.yml
sed -i 's,wazuh_winagent_package_name.*,wazuh_winagent_package_name: \"'$WIN_AGENT_NAME'\",g' ../../vars/repo_staging.yml
fi
fi
## Set EXISTS to 0 (true)
EXISTS=0
## Loop through the packages_uri_new.txt file
while IFS= read -r URI
do
echo "$URI"
## Check if the package exists
PACKAGE=$(curl --silent -I $PACKAGES_URL$URI | grep -E "^HTTP" | awk '{print $2}')
## If it does not exist set EXISTS to 1 (false)
if [ "$PACKAGE" != "200" ]; then
EXISTS=1
#echo $PACKAGES_URL$URI "does not exist"
return $EXISTS
fi
done < ../files/packages_uri_new.txt
return $EXISTS
}
replaceVars(){
sed -i "s|packages_repository:.*|packages_repository: $1|g" ../../vars/repo_vars.yml
}
## Call the checkPackages function for each repository
if checkPackages "production"; then
echo "production"
replaceVars "production"
exit 0
elif checkPackages "pre-release"; then
echo "pre-release"
replaceVars "pre-release"
exit 0
elif checkPackages "production"; then
echo "production"
replaceVars "production"
exit 0
elif checkPackages "staging"; then
echo "staging"
replaceVars "staging"
exit 0
else
echo "Failed"
exit 1
fi

11
roles/wazuh/check-packages/tasks/main.yml
View File

@ -1,11 +0,0 @@
---
- name: Check packages
shell: |
./check_packages.sh {{ wazuh_version }}
args:
# warn: false
executable: /bin/bash
chdir: "{{ role_path }}/scripts/"
delegate_to: localhost
become: no

20
roles/wazuh/vars/repo.yml
View File

@ -1,20 +0,0 @@
wazuh_repo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main'
yum: 'https://packages.wazuh.com/5.x/yum/'
gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
wazuh_winagent_config_url: "https://packages.wazuh.com/5.x/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_sha512_url: "https://packages.wazuh.com/5.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
filebeat_module_package_url: https://packages.wazuh.com/5.x/filebeat
wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
wazuh_macos_intel_package_url: "https://packages.wazuh.com/5.x/macos/{{ wazuh_macos_intel_package_name }}"
wazuh_macos_arm_package_url: "https://packages.wazuh.com/5.x/macos/{{ wazuh_macos_arm_package_name }}"
certs_gen_tool_version: "5.0"
# Url of certificates generator tool
certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"

20
roles/wazuh/vars/repo_pre-release.yml
View File

@ -1,20 +0,0 @@
wazuh_repo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/pre-release/{{ wazuh_macos_intel_package_name }}"
wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_arm_package_name }}"
certs_gen_tool_version: "5.0"
# Url of certificates generator tool
certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"

21
roles/wazuh/vars/repo_staging.yml
View File

@ -1,21 +0,0 @@
wazuh_repo:
keyring_path: '/usr/share/keyrings/wazuh.gpg'
apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/staging/apt/ unstable main'
yum: 'https://packages-dev.wazuh.com/staging/yum/'
gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
path: '/tmp/WAZUH-GPG-KEY'
wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/staging/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
check_sha512: False
filebeat_module_package_url: https://packages-dev.wazuh.com/staging/filebeat
wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_intel_package_name }}"
wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_arm_package_name }}"
certs_gen_tool_version: "5.0"
# Url of certificates generator tool
certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"

1
roles/wazuh/vars/repo_vars.yml
View File

@ -1 +0,0 @@
packages_repository: production

31
roles/wazuh/wazuh-dashboard/defaults/main.yml
View File

@ -1,31 +0,0 @@
---
# Dashboard configuration
indexer_http_port: 9200
indexer_api_protocol: https
dashboard_conf_path: /etc/wazuh-dashboard/
dashboard_node_name: node-1
dashboard_server_host: "0.0.0.0"
dashboard_server_port: "443"
dashboard_server_name: "dashboard"
wazuh_version: 5.0.0
indexer_cluster_nodes:
- 127.0.0.1
# The Wazuh dashboard package repository
dashboard_version: "5.0.0"
# API credentials
wazuh_api_credentials:
- id: "default"
url: "https://127.0.0.1"
port: 55000
username: "wazuh"
password: "wazuh"
# Dashboard Security
dashboard_security: true
indexer_admin_password: changeme
dashboard_user: kibanaserver
dashboard_password: changeme
local_certs_path: "{{ playbook_dir }}/indexer/certificates"

3
roles/wazuh/wazuh-dashboard/handlers/main.yml
View File

@ -1,3 +0,0 @@
---
- name: restart wazuh-dashboard
service: name=wazuh-dashboard state=restarted

40
roles/wazuh/wazuh-dashboard/tasks/Debian.yml
View File

@ -1,40 +0,0 @@
---
- block:
- include_vars: debian.yml
- name: Download apt repository signing key
get_url:
url: "{{ wazuh_repo.gpg }}"
dest: "{{ wazuh_repo.path }}"
- name: Debian/Ubuntu | Install gnupg
apt:
name:
- gnupg
state: present
- name: Import Wazuh repository GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}"
args:
creates: "{{ wazuh_repo.keyring_path }}"
- name: Set permissions for Wazuh repository GPG key
file:
path: "{{ wazuh_repo.keyring_path }}"
mode: '0644'
- name: Debian systems | Add Wazuh dashboard repo
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: present
update_cache: yes
- name: Install Wazuh dashboard
apt:
name: "wazuh-dashboard={{ dashboard_version }}-*"
state: present
update_cache: yes
register: install
tags:
- install

6
roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
View File

@ -1,6 +0,0 @@
---
- name: Remove Wazuh dashboard repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false

20
roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
View File

@ -1,20 +0,0 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo
yum_repository:
name: wazuh_repo
description: Wazuh yum repository
baseurl: "{{ wazuh_repo.yum }}"
gpgkey: "{{ wazuh_repo.gpg }}"
gpgcheck: true
- name: Install Wazuh dashboard
package:
name: "wazuh-dashboard-{{ dashboard_version }}"
state: present
update_cache: yes
register: install
tags:
- install

99
roles/wazuh/wazuh-dashboard/tasks/main.yml
View File

@ -1,99 +0,0 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Remove Dashboard configuration file
file:
# noqa 503
path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
state: absent
tags: install
- import_tasks: security_actions.yml
- name: Copy Configuration File
template:
src: "templates/opensearch_dashboards.yml.j2"
dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml"
group: wazuh-dashboard
owner: wazuh-dashboard
mode: 0640
force: yes
notify: restart wazuh-dashboard
tags:
- install
- configure
- name: Ensuring Wazuh dashboard directory owner
file:
# noqa 208
path: "/usr/share/wazuh-dashboard"
state: directory
owner: wazuh-dashboard
group: wazuh-dashboard
recurse: yes
- name: Wait for Wazuh-Indexer port
wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }}
- name: Select correct API protocol
set_fact:
indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}"
- name: Attempting to delete legacy Wazuh index if exists
uri:
url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh"
method: DELETE
user: "admin"
password: "{{ indexer_admin_password }}"
validate_certs: no
status_code: 200, 404
- name: Create Wazuh Plugin config directory
file:
path: /usr/share/wazuh-dashboard/data/wazuh/config/
state: directory
recurse: yes
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0751
changed_when: False
- name: Configure Wazuh Dashboard Plugin
template:
src: wazuh.yml.j2
dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0751
changed_when: False
- name: Configure opensearch.password in opensearch_dashboards.keystore
shell: >-
echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
args:
executable: /bin/bash
become: yes
- name: Ensure Wazuh dashboard started and enabled
service:
name: wazuh-dashboard
enabled: true
state: started
- import_tasks: RMRedHat.yml
when: ansible_os_family == 'RedHat'

23
roles/wazuh/wazuh-dashboard/tasks/security_actions.yml
View File

@ -1,23 +0,0 @@
- block:
- name: Ensure Dashboard certificates directory permissions.
file:
path: "/etc/wazuh-dashboard/certs/"
state: directory
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 500
- name: Copy the certificates from local to the Wazuh dashboard instance
copy:
src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
dest: /etc/wazuh-dashboard/certs/
owner: wazuh-dashboard
group: wazuh-dashboard
mode: 0400
with_items:
- "root-ca.pem"
- "{{ dashboard_node_name }}-key.pem"
- "{{ dashboard_node_name }}.pem"
tags:
- security

19
roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2
View File

@ -1,19 +0,0 @@
server.host: {{ dashboard_server_host }}
server.port: {{ dashboard_server_port }}
opensearch.hosts:
{% for item in indexer_cluster_nodes %}
- https://{{ item }}:{{ indexer_http_port }}
{% endfor %}
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
# Session expiration settings
opensearch_security.cookie.ttl: 900000
opensearch_security.session.ttl: 900000
opensearch_security.session.keepalive: true

134
roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2
View File

@ -1,134 +0,0 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2016, Wazuh Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-dashboard-plugins
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-5.x-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# ------------------------------ Advanced indices ------------------------------
#
# Configure .wazuh indices shards and replicas.
#wazuh.shards : 1
#wazuh.replicas : 0
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# -------------------------------- X-Pack RBAC ---------------------------------
#
# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
# Default: enabled
#xpack.rbac.enabled: true
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-5.x-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-5.x-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-5.x-*
#
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# user: <user>
# password: <password>
hosts:
{% for api in wazuh_api_credentials %}
- {{ api['id'] }}:
url: {{ api['url'] }}
port: {{ api['port'] }}
username: {{ api['username'] }}
password: "{{ api['password'] }}"
{% endfor %}

2
roles/wazuh/wazuh-dashboard/vars/debian.yml
View File

@ -1,2 +0,0 @@
---
dashboard_version: 5.0.0

50
roles/wazuh/wazuh-indexer/defaults/main.yml
View File

@ -1,50 +0,0 @@
---
# Cluster Settings
indexer_version: 5.0.0
single_node: false
indexer_node_name: node-1
indexer_cluster_name: wazuh
indexer_network_host: '0.0.0.0'
indexer_node_master: true
indexer_node_data: true
indexer_node_ingest: true
indexer_start_timeout: 90
indexer_cluster_nodes:
- 127.0.0.1
indexer_discovery_nodes:
- 127.0.0.1
local_certs_path: "{{ playbook_dir }}/indexer/certificates"
# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster
minimum_master_nodes: 2
# Configure hostnames for Wazuh indexer nodes
# Example es1.example.com, es2.example.com
domain_name: wazuh.com
indexer_sec_plugin_conf_path: /etc/wazuh-indexer/opensearch-security
indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools
indexer_conf_path: /etc/wazuh-indexer
indexer_index_path: /var/lib/wazuh-indexer/
# Security password
indexer_custom_user: ""
indexer_custom_user_role: "admin"
# Set JVM memory limits
indexer_jvm_xms: null
indexer_http_port: 9200
indexer_admin_password: changeme
dashboard_password: changeme
# Deployment settings
generate_certs: true
perform_installation: true
indexer_nolog_sensible: true

5
roles/wazuh/wazuh-indexer/handlers/main.yml
View File

@ -1,5 +0,0 @@
---
- name: restart wazuh-indexer
service:
name: wazuh-indexer
state: restarted

24
roles/wazuh/wazuh-indexer/meta/main.yml
View File

@ -1,24 +0,0 @@
---
galaxy_info:
author: Wazuh
description: Installing and maintaining Wazuh indexer.
company: wazuh.com
license: license (GPLv3)
min_ansible_version: 2.0
platforms:
- name: EL
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Fedora
versions:
- all
galaxy_tags:
- web
- system
- monitoring

48
roles/wazuh/wazuh-indexer/tasks/Debian.yml
View File

@ -1,48 +0,0 @@
---
- name: Update cache
apt:
update_cache: yes
- name: Install Wazuh indexer dependencies
apt:
name:
- unzip
- wget
- curl
- apt-transport-https
- software-properties-common
- gnupg
state: present
- name: Add Wazuh indexer repository
block:
- name: Add apt repository signing key
get_url:
url: "{{ wazuh_repo.gpg }}"
dest: "{{ wazuh_repo.path }}"
- name: Import Wazuh repository GPG key
command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}"
args:
creates: "{{ wazuh_repo.keyring_path }}"
- name: Set permissions for Wazuh repository GPG key
file:
path: "{{ wazuh_repo.keyring_path }}"
mode: '0644'
- name: Add Wazuh indexer repository
apt_repository:
repo: "{{ wazuh_repo.apt }}"
state: present
filename: 'wazuh-indexer'
update_cache: yes
- name: Install Wazuh indexer
apt:
name: wazuh-indexer={{ indexer_version }}-1
state: present
register: install
tags: install

6
roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
View File

@ -1,6 +0,0 @@
---
- name: RedHat/CentOS/Fedora | Remove Wazuh indexer repository (and clean up left-over metadata)
yum_repository:
name: wazuh_repo
state: absent
changed_when: false

59
roles/wazuh/wazuh-indexer/tasks/RedHat.yml
View File

@ -1,59 +0,0 @@
---
- block:
- name: RedHat/CentOS/Fedora | Add Wazuh indexer repo
yum_repository:
name: wazuh_repo
description: Wazuh yum repository
baseurl: "{{ wazuh_repo.yum }}"
gpgkey: "{{ wazuh_repo.gpg }}"
gpgcheck: true
changed_when: false
- name: Amazon Linux | Configure system settings
block:
- name: Install Amazon extras in Amazon Linux 2
yum:
name: amazon-linux-extras
state: present
lock_timeout: 200
when:
- ansible_distribution == 'Amazon'
- ansible_distribution_major_version == '2'
- name: Configure vm.max_map_count
lineinfile:
line: "vm.max_map_count=262144"
dest: "/etc/sysctl.conf"
insertafter: EOF
create: true
become: yes
- name: Update vm.max_map_count
shell: sysctl -p
become: yes
when:
- ansible_distribution == 'Amazon'
- name: RedHat/CentOS/Fedora | Install Indexer dependencies
yum:
name: "{{ packages }}"
state: present
lock_timeout: 200
vars:
packages:
- wget
- unzip
- name: Install Wazuh indexer
package:
name: wazuh-indexer-{{ indexer_version }}
state: present
register: install
tags: install
tags:
- install

48
roles/wazuh/wazuh-indexer/tasks/local_actions.yml
View File

@ -1,48 +0,0 @@
---
- name: Check if certificates already exists
stat:
path: "{{ local_certs_path }}"
register: certificates_folder
delegate_to: localhost
become: no
tags:
- generate-certs
- block:
- name: Local action | Create local temporary directory for certificates generation
file:
path: "{{ local_certs_path }}"
mode: 0755
state: directory
- name: Local action | Check that the generation tool exists
stat:
path: "{{ local_certs_path }}/wazuh-certs-tool.sh"
register: tool_package
- name: Local action | Download certificates generation tool
get_url:
url: "{{ certs_gen_tool_url }}"
dest: "{{ local_certs_path }}/wazuh-certs-tool.sh"
when: not tool_package.stat.exists
- name: Local action | Prepare the certificates generation template file
template:
src: "templates/config.yml.j2"
dest: "{{ local_certs_path }}/config.yml"
mode: 0644
register: tlsconfig_template
- name: Local action | Generate the node & admin certificates in local
command: >-
bash {{ local_certs_path }}/wazuh-certs-tool.sh -A
run_once: true
delegate_to: localhost
become: no
tags:
- generate-certs
when:
- not certificates_folder.stat.exists

140
roles/wazuh/wazuh-indexer/tasks/main.yml
View File

@ -1,140 +0,0 @@
---
- include_vars: ../../vars/repo_vars.yml
- include_vars: ../../vars/repo.yml
when: packages_repository == 'production'
- include_vars: ../../vars/repo_pre-release.yml
when: packages_repository == 'pre-release'
- include_vars: ../../vars/repo_staging.yml
when: packages_repository == 'staging'
- import_tasks: local_actions.yml
when:
- generate_certs
- block:
- import_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: Remove performance analyzer plugin from Wazuh indexer
become: true
command: ./opensearch-plugin remove opensearch-performance-analyzer
ignore_errors: true
args:
chdir: /usr/share/wazuh-indexer/bin/
register: remove_opensearch_performance_analyzer
failed_when:
- remove_opensearch_performance_analyzer.rc != 0
- '"not found" not in remove_opensearch_performance_analyzer.stderr'
changed_when: "remove_opensearch_performance_analyzer.rc == 0"
- name: Remove Opensearch configuration file
file:
path: "{{ indexer_conf_path }}/opensearch.yml"
state: absent
tags: install
- name: Copy Opensearch Configuration File
template:
src: "templates/opensearch.yml.j2"
dest: "{{ indexer_conf_path }}/opensearch.yml"
owner: root
group: wazuh-indexer
mode: 0640
force: yes
tags: install
- include_tasks: security_actions.yml
tags:
- security
- name: Configure Wazuh indexer JVM memmory.
template:
src: "templates/jvm.options.j2"
dest: "{{ indexer_conf_path }}/jvm.options"
owner: root
group: wazuh-indexer
mode: 0644
force: yes
notify: restart wazuh-indexer
tags: install
- name: Ensure extra time for Wazuh indexer to start on reboots
lineinfile:
path: /usr/lib/systemd/system/wazuh-indexer.service
regexp: '^TimeoutStartSec='
line: "TimeoutStartSec={{ indexer_start_timeout }}"
become: yes
tags: configure
- name: Index files to remove
find:
paths: "{{ indexer_index_path }}"
patterns: "*"
register: files_to_delete
- name: Remove Index Files
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ files_to_delete.files }}"
- name: Ensure Wazuh indexer started and enabled
service:
name: wazuh-indexer
enabled: true
state: started
- name: Wait for Wazuh indexer API
uri:
url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/"
user: "admin" # Default Indexer user is always "admin"
password: "{{ indexer_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until:
- _result is defined
- '"green" in _result.content or ( "yellow" in _result.content and single_node )'
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip']
- name: Wait for Wazuh indexer API (Private IP)
uri:
url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/"
user: "admin" # Default Indexer user is always "admin"
password: "{{ indexer_admin_password }}"
validate_certs: no
status_code: 200,401
return_content: yes
timeout: 4
register: _result
until:
- _result is defined
- '"green" in _result.content or ( "yellow" in _result.content and single_node )'
retries: 24
delay: 5
tags: debug
when:
- hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip']
- import_tasks: "RMRedHat.yml"
when: ansible_os_family == "RedHat"
- name: Reload systemd configuration
systemd:
daemon_reload: true
become: yes
notify: restart wazuh-indexer
when: perform_installation

118
roles/wazuh/wazuh-indexer/tasks/security_actions.yml
View File

@ -1,118 +0,0 @@
- name: Configure IP (Private address)
set_fact:
target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}"
when:
- hostvars[inventory_hostname]['private_ip'] is defined
- name: Configure IP (Public address)
set_fact:
target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}"
when:
- hostvars[inventory_hostname]['private_ip'] is not defined
- name: Ensure Indexer certificates directory permissions.
file:
path: "{{ indexer_conf_path }}/certs/"
state: directory
owner: wazuh-indexer
group: wazuh-indexer
mode: 500
- name: Copy the node & admin certificates to Wazuh indexer cluster
copy:
src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
dest: "{{ indexer_conf_path }}/certs/"
owner: wazuh-indexer
group: wazuh-indexer
mode: 0400
with_items:
- root-ca.pem
- "{{ indexer_node_name }}-key.pem"
- "{{ indexer_node_name }}.pem"
- admin-key.pem
- admin.pem
- name: Restart Wazuh indexer with security configuration
systemd:
name: wazuh-indexer
state: restarted
- name: Copy the Opensearch security internal users template
template:
src: "templates/internal_users.yml.j2"
dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
mode: 0644
run_once: true
- block:
- name: Hashing the custom admin password
shell: |
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
{{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ indexer_admin_password }}'
register: indexer_admin_password_hashed
no_log: '{{ indexer_nolog_sensible | bool }}'
- name: Set the Admin user password
replace:
path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=admin:\n hash: )(.*)(?=)'
replace: "{{ indexer_password_hash | quote }}"
vars:
indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}"
# this can also be achieved with password_hash, but it requires dependencies on the controller
- name: Hash the kibanaserver role/user pasword
shell: |
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
{{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ dashboard_password }}'
register: indexer_kibanaserver_password_hashed
no_log: '{{ indexer_nolog_sensible | bool }}'
- name: Set the kibanaserver user password
replace:
path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml"
regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)'
replace: "{{ indexer_password_hash | quote }}"
vars:
indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}"
- name: Initialize the Opensearch security index in Wazuh indexer
command: >
sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }}
JAVA_HOME=/usr/share/wazuh-indexer/jdk
{{ indexer_sec_plugin_tools_path }}/securityadmin.sh
-cd {{ indexer_sec_plugin_conf_path }}/
-icl -p 9200 -cd {{ indexer_sec_plugin_conf_path }}/
-nhnv
-cacert {{ indexer_conf_path }}/certs/root-ca.pem
-cert {{ indexer_conf_path }}/certs/admin.pem
-key {{ indexer_conf_path }}/certs/admin-key.pem
-h {{ target_address }}
retries: 2
delay: 5
register: result
until: result.rc == 0
when: inventory_hostname == ansible_play_hosts[0]
- name: Create custom user
uri:
url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}"
method: PUT
user: "admin" # Default Indexer user is always "admin"
password: "{{ indexer_admin_password }}"
body: |
{
"password": "{{ indexer_admin_password }}",
"backend_roles": ["{{ indexer_custom_user_role }}"]
}
body_format: json
validate_certs: no
status_code: 200,201,401
return_content: yes
timeout: 4
register: result
until: result.status in [200,201,401]
when:
- indexer_custom_user is defined and indexer_custom_user
- inventory_hostname == ansible_play_hosts[0]

33
roles/wazuh/wazuh-indexer/templates/config.yml.j2
View File

@ -1,33 +0,0 @@
nodes:
# Indexer server nodes
indexer:
{% for (key,value) in instances.items() %}
{% if (value.role is defined and value.role == 'indexer') %}
- name: {{ value.name }}
ip: {{ value.ip }}
{% endif %}
{% endfor %}
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
{% for (key,value) in instances.items() %}
{% if (value.role is defined and value.role == 'wazuh') %}
- name: {{ value.name }}
ip: {{ value.ip }}
{% endif %}
{% if (value.node_type is defined and value.node_type == 'master') %}
node_type: master
{% elif (value.node_type is defined and value.node_type == 'worker') %}
node_type: worker
{% endif %}
{% endfor %}
# Dashboard node
dashboard:
{% for (key,value) in instances.items() %}
{% if (value.role is defined and value.role == 'dashboard') %}
- name: {{ value.name }}
ip: {{ value.ip }}
{% endif %}
{% endfor %}

4
roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2
View File

@ -1,4 +0,0 @@
## JVM configuration
## Disable log4j
-Dlog4j2.formatMsgNoLookups=true

21
roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2
View File

@ -1,21 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
admin:
hash: "{{ indexer_admin_password }}"
reserved: true
backend_roles:
- "admin"
description: "admin user"
kibanaserver:
hash: "{{ dashboard_password }}"
reserved: true
description: "kibanaserver user"

94
roles/wazuh/wazuh-indexer/templates/jvm.options.j2
View File

@ -1,94 +0,0 @@
## JVM configuration
################################################################
## IMPORTANT: JVM heap size
################################################################
##
## You should always set the min and max JVM heap
## size to the same value. For example, to set
## the heap to 4 GB, set:
##
## -Xms4g
## -Xmx4g
##
##
################################################################
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
{% if indexer_jvm_xms is not none %}
{% if indexer_jvm_xms < 32000 %}
-Xms{{ indexer_jvm_xms }}m
-Xmx{{ indexer_jvm_xms }}m
{% else %}
-Xms32000m
-Xmx32000m
{% endif %}
{% else %}
-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %}
{% endif %}
################################################################
## Expert settings
################################################################
##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################
## GC configuration
8-13:-XX:+UseConcMarkSweepGC
8-13:-XX:CMSInitiatingOccupancyFraction=75
8-13:-XX:+UseCMSInitiatingOccupancyOnly
## G1GC Configuration
# NOTE: G1 GC is only supported on JDK version 10 or later
# to use G1GC, uncomment the next two lines and update the version on the
# following three lines to your version of the JDK
# 10-13:-XX:-UseConcMarkSweepGC
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
14-:-XX:+UseG1GC
14-:-XX:G1ReservePercent=25
14-:-XX:InitiatingHeapOccupancyPercent=30
## JVM temporary directory
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
## heap dumps
# generate a heap dump when an allocation from the Java heap fails
# heap dumps are created in the working directory of the JVM
-XX:+HeapDumpOnOutOfMemoryError
# specify an alternative path for heap dumps; ensure the directory exists and
# has sufficient space
-XX:HeapDumpPath=data
# specify an alternative path for JVM fatal error logs
-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log
## JDK 8 GC logging
8:-XX:+PrintGCDetails
8:-XX:+PrintGCDateStamps
8:-XX:+PrintTenuringDistribution
8:-XX:+PrintGCApplicationStoppedTime
8:-Xloggc:/var/log/wazuh-indexer/gc.log
8:-XX:+UseGCLogFileRotation
8:-XX:NumberOfGCLogFiles=32
8:-XX:GCLogFileSize=64m
# JDK 9+ GC logging
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m
## Opensearch Performance Analyzer
-Dclk.tck=100
-Djdk.attach.allowAttachSelf=true
-Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy

56
roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2
View File

@ -1,56 +0,0 @@
network.host: {{ indexer_network_host }}
node.name: {{ indexer_node_name }}
{% if single_node == true %}
discovery.type: single-node
{% else %}
cluster.initial_cluster_manager_nodes:
{% for item in indexer_cluster_nodes %}
- {{ item }}
{% endfor %}
discovery.seed_hosts:
{% for item in indexer_discovery_nodes %}
- {{ item }}
{% endfor %}
{% endif %}
cluster.name: {{ indexer_cluster_name }}
http.port: 9200-9299
transport.tcp.port: 9300-9399
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
###############################################################################
# #
# WARNING: Demo certificates set up in this file. #
# Please change on production cluster! #
# #
###############################################################################
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
{% for (key,value) in instances.items() %}
- "CN={{ value.name }},OU=Wazuh,O=Wazuh,L=California,C=US"
{% endfor %}
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

47
roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2
View File

@ -1,47 +0,0 @@
ca:
root:
dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
keysize: 2048
validityDays: 730
pkPassword: none
file: root-ca.pem
### Default values and global settings
defaults:
validityDays: 730
pkPassword: none
# Set this to true in order to generate config and certificates for
# the HTTP interface of nodes
httpsEnabled: true
reuseTransportCertificatesForHttp: false
verifyHostnames: false
resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
{% for (key,value) in instances.items() %}
{% if (value.ip is defined and value.ip | length > 0) %}
- name: {{ value.name }}
dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
dns: {{ value.name }}.{{ domain_name }}
ip: {{ value.ip }}
{% endif %}
{% endfor %}
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
- name: admin
dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
admin: true

Some files were not shown because too many files have changed in this diff Show More