From 77cc6b654b17fd9dafca3fb300f951ca6c5e3176 Mon Sep 17 00:00:00 2001 
From: Jesus Garcia Date: Thu, 23 Oct 2025 11:57:26 -0500 Subject: [PATCH] Adapt basic 5.0.0 directory structure and files to new 6.0.0 organization --- .ansible-lint | 16 +- .gitignore | 18 +- README.md | 428 ------------- docs/.gitignore | 1 + playbooks/ansible.cfg | 2 - playbooks/wazuh-agent.yml | 16 - playbooks/wazuh-dashboard.yml | 6 - playbooks/wazuh-indexer.yml | 20 - playbooks/wazuh-manager-oss-cluster.yml | 50 -- playbooks/wazuh-manager-oss.yml | 9 - playbooks/wazuh-production-ready.yml | 176 ------ playbooks/wazuh-single.yml | 40 -- requirements.yml | 6 + .../ansible-kibana/defaults/main.yml | 49 -- .../opendistro-kibana/defaults/main.yml | 57 -- roles/wazuh/ansible-filebeat-oss/README.md | 38 -- .../ansible-filebeat-oss/defaults/main.yml | 22 - .../ansible-filebeat-oss/handlers/main.yml | 3 - .../wazuh/ansible-filebeat-oss/meta/main.yml | 29 - .../ansible-filebeat-oss/tasks/Debian.yml | 33 - .../ansible-filebeat-oss/tasks/RMDebian.yml | 6 - .../ansible-filebeat-oss/tasks/RMRedHat.yml | 6 - .../ansible-filebeat-oss/tasks/RedHat.yml | 9 - .../ansible-filebeat-oss/tasks/config.yml | 22 - .../wazuh/ansible-filebeat-oss/tasks/main.yml | 93 --- .../tasks/security_actions.yml | 26 - .../templates/filebeat.yml.j2 | 42 -- .../wazuh/ansible-filebeat/defaults/main.yml | 36 -- roles/wazuh/ansible-wazuh-agent/README.md | 60 -- .../ansible-wazuh-agent/defaults/main.yml | 376 ------------ .../ansible-wazuh-agent/handlers/main.yml | 9 - roles/wazuh/ansible-wazuh-agent/meta/main.yml | 23 - .../ansible-wazuh-agent/tasks/Debian.yml | 122 ---- .../wazuh/ansible-wazuh-agent/tasks/Linux.yml | 258 -------- .../ansible-wazuh-agent/tasks/RMDebian.yml | 6 - .../ansible-wazuh-agent/tasks/RMRedHat.yml | 6 - .../ansible-wazuh-agent/tasks/RedHat.yml | 66 -- .../ansible-wazuh-agent/tasks/Windows.yml | 114 ---- .../installation_from_custom_packages.yml | 29 - .../wazuh/ansible-wazuh-agent/tasks/macOS.yml | 218 ------- .../wazuh/ansible-wazuh-agent/tasks/main.yml | 28 - 
.../templates/authd_pass.j2 | 1 - ...r-ossec-etc-local-internal-options.conf.j2 | 16 - .../var-ossec-etc-ossec-agent.conf.j2 | 492 --------------- roles/wazuh/ansible-wazuh-manager/README.md | 216 ------- .../ansible-wazuh-manager/defaults/main.yml | 431 ------------- .../files/create_user.py | 102 ---- .../decoders/sample_custom_decoders.xml | 25 - .../rules/sample_custom_rules.xml | 18 - .../ansible-wazuh-manager/handlers/main.yml | 12 - .../wazuh/ansible-wazuh-manager/meta/main.yml | 23 - .../ansible-wazuh-manager/tasks/Debian.yml | 125 ---- .../ansible-wazuh-manager/tasks/RedHat.yml | 134 ---- .../tasks/install_cmake.yml | 40 -- .../installation_from_custom_packages.yml | 32 - .../ansible-wazuh-manager/tasks/main.yml | 305 ---------- .../ansible-wazuh-manager/tasks/uninstall.yml | 15 - .../templates/admin.json.j2 | 4 - .../templates/authd_pass.j2 | 1 - .../templates/cdb_lists.j2 | 1 - ...r-ossec-etc-local-internal-options.conf.j2 | 12 - .../var-ossec-etc-ossec-server.conf.j2 | 572 ------------------ .../var-ossec-etc-shared-agent.conf.j2 | 106 ---- .../var-ossec-rules-local_decoder.xml.j2 | 25 - .../var-ossec-rules-local_rules.xml.j2 | 19 - .../ansible-wazuh-manager/vars/authd_pass.yml | 2 - .../vars/install_cmake.yml | 4 - roles/wazuh/check-packages/defaults/main.yml | 2 - .../check-packages/files/packages_uri.txt | 6 - .../check-packages/scripts/check_packages.sh | 80 --- roles/wazuh/check-packages/tasks/main.yml | 11 - roles/wazuh/vars/repo.yml | 20 - roles/wazuh/vars/repo_pre-release.yml | 20 - roles/wazuh/vars/repo_staging.yml | 21 - roles/wazuh/vars/repo_vars.yml | 1 - roles/wazuh/wazuh-dashboard/defaults/main.yml | 31 - roles/wazuh/wazuh-dashboard/handlers/main.yml | 3 - roles/wazuh/wazuh-dashboard/tasks/Debian.yml | 40 -- .../wazuh/wazuh-dashboard/tasks/RMRedHat.yml | 6 - roles/wazuh/wazuh-dashboard/tasks/RedHat.yml | 20 - roles/wazuh/wazuh-dashboard/tasks/main.yml | 99 --- .../tasks/security_actions.yml | 23 - .../templates/opensearch_dashboards.yml.j2 
| 19 - .../wazuh-dashboard/templates/wazuh.yml.j2 | 134 ---- roles/wazuh/wazuh-dashboard/vars/debian.yml | 2 - roles/wazuh/wazuh-indexer/defaults/main.yml | 50 -- roles/wazuh/wazuh-indexer/handlers/main.yml | 5 - roles/wazuh/wazuh-indexer/meta/main.yml | 24 - roles/wazuh/wazuh-indexer/tasks/Debian.yml | 48 -- roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml | 6 - roles/wazuh/wazuh-indexer/tasks/RedHat.yml | 59 -- .../wazuh-indexer/tasks/local_actions.yml | 48 -- roles/wazuh/wazuh-indexer/tasks/main.yml | 140 ----- .../wazuh-indexer/tasks/security_actions.yml | 118 ---- .../wazuh-indexer/templates/config.yml.j2 | 33 - .../templates/disabledlog4j.options.j2 | 4 - .../templates/internal_users.yml.j2 | 21 - .../wazuh-indexer/templates/jvm.options.j2 | 94 --- .../wazuh-indexer/templates/opensearch.yml.j2 | 56 -- .../wazuh-indexer/templates/tlsconfig.yml.j2 | 47 -- wazuh-agent.yml | 0 wazuh-aio.yml | 0 wazuh-distributed.yml | 0 103 files changed, 18 insertions(+), 6580 deletions(-) create mode 100644 docs/.gitignore delete mode 100644 playbooks/ansible.cfg delete mode 100644 playbooks/wazuh-agent.yml delete mode 100644 playbooks/wazuh-dashboard.yml delete mode 100644 playbooks/wazuh-indexer.yml delete mode 100644 playbooks/wazuh-manager-oss-cluster.yml delete mode 100644 playbooks/wazuh-manager-oss.yml delete mode 100644 playbooks/wazuh-production-ready.yml delete mode 100644 playbooks/wazuh-single.yml create mode 100644 requirements.yml delete mode 100644 roles/elastic-stack/ansible-kibana/defaults/main.yml delete mode 100644 roles/opendistro/opendistro-kibana/defaults/main.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/README.md delete mode 100644 roles/wazuh/ansible-filebeat-oss/defaults/main.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/handlers/main.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/meta/main.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml delete mode 100644 
roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/config.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/main.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml delete mode 100644 roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 delete mode 100644 roles/wazuh/ansible-filebeat/defaults/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/README.md delete mode 100644 roles/wazuh/ansible-wazuh-agent/defaults/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/handlers/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/meta/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/tasks/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 delete mode 100644 roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 delete mode 100644 roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/README.md delete mode 100644 roles/wazuh/ansible-wazuh-manager/defaults/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/files/create_user.py delete mode 100644 
roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml delete mode 100644 roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml delete mode 100644 roles/wazuh/ansible-wazuh-manager/handlers/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/meta/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/main.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 delete mode 100644 roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml delete mode 100644 roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml delete mode 100644 roles/wazuh/check-packages/defaults/main.yml delete mode 100644 roles/wazuh/check-packages/files/packages_uri.txt delete mode 100755 roles/wazuh/check-packages/scripts/check_packages.sh delete mode 100644 roles/wazuh/check-packages/tasks/main.yml delete mode 100644 roles/wazuh/vars/repo.yml delete mode 100644 
roles/wazuh/vars/repo_pre-release.yml delete mode 100644 roles/wazuh/vars/repo_staging.yml delete mode 100644 roles/wazuh/vars/repo_vars.yml delete mode 100644 roles/wazuh/wazuh-dashboard/defaults/main.yml delete mode 100644 roles/wazuh/wazuh-dashboard/handlers/main.yml delete mode 100644 roles/wazuh/wazuh-dashboard/tasks/Debian.yml delete mode 100644 roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml delete mode 100644 roles/wazuh/wazuh-dashboard/tasks/RedHat.yml delete mode 100755 roles/wazuh/wazuh-dashboard/tasks/main.yml delete mode 100644 roles/wazuh/wazuh-dashboard/tasks/security_actions.yml delete mode 100644 roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 delete mode 100644 roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 delete mode 100644 roles/wazuh/wazuh-dashboard/vars/debian.yml delete mode 100644 roles/wazuh/wazuh-indexer/defaults/main.yml delete mode 100644 roles/wazuh/wazuh-indexer/handlers/main.yml delete mode 100644 roles/wazuh/wazuh-indexer/meta/main.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/Debian.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/RedHat.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/local_actions.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/main.yml delete mode 100644 roles/wazuh/wazuh-indexer/tasks/security_actions.yml delete mode 100644 roles/wazuh/wazuh-indexer/templates/config.yml.j2 delete mode 100644 roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2 delete mode 100644 roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2 delete mode 100644 roles/wazuh/wazuh-indexer/templates/jvm.options.j2 delete mode 100644 roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 delete mode 100644 roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2 create mode 100644 wazuh-agent.yml create mode 100644 wazuh-aio.yml create mode 100644 wazuh-distributed.yml 
diff --git a/.ansible-lint b/.ansible-lint
index 6a6a1587..ede619ea 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,15 +1,13 @@
 ---
-use_default_rules: true
-parseable: true
-quiet: true
-verbosity: 1
+# .ansible-lint
-# State that naming for now should be a warning
-# 106: ansible role name does not conform to pattern [a-z][a-z0-9_]+$
-warn_list:
- - '106'
+profile: production
+use_default_rules: true
 # This is for false positives
 # 504: Do not use 'local_action', use 'delegate_to: localhost'
 skip_list:
- - '504'
\ No newline at end of file
+ - '504'
+ - 'ignore-errors'
+ - 'role-name'
+ - 'var-naming'
diff --git a/.gitignore b/.gitignore
index 0b40ae5e..cd8179ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,4 @@
-*.retry
-wazuh-agent.yml
-wazuh-elastic_stack-distributed.yml
-wazuh-elastic_stack-single.yml
-wazuh-elastic.yml
-wazuh-kibana.yml
-wazuh-manager.yml
-*.pyc
-.mypy_cache
-Pipfile.lock
-*.swp
-molecule/**/es_certs/
-molecule/**/opendistro/
-repository_bumper_*.log
+roles/vars/artifacts_urls.yml
+deployment-config-files/
+*.pem
+*.ini
diff --git a/README.md b/README.md
index 27fcfb42..53564b8f 100644
--- a/README.md
+++ b/README.md
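Review bot: The new `skip_list` in `.ansible-lint` silences `ignore-errors` for the whole repository, which hides every task that sets `ignore_errors: true`, while the comment kept above the list still says it exists only for the 504 false positive. For a role set that installs and hardens security components, a failed package, certificate or permission task that is masked by `ignore_errors` should at least stay visible in lint output. Move that entry to a warning instead of a skip, `warn_list:` followed by `  - 'ignore-errors'`, and extend the comment so each remaining skip is explained, e.g. `# role-name/var-naming: existing role and variable names are kept for compatibility` (presumably the motivation; worth confirming).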
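Review bot: The rewritten `.gitignore` drops the generic artifact patterns (`*.retry`, `*.pyc`, `*.swp`, `.mypy_cache`, `Pipfile.lock`) together with the obsolete playbook names, so local Python and editor leftovers will now appear as untracked files and are one careless `git add .` away from being committed. The new `*.pem` and `*.ini` entries are a sensible guard against checking in private keys and inventories, but `*.ini` is broad enough to also hide any configuration file the repository may later want to track, so a comment such as `# inventories (*.ini) may contain hosts and credentials` documents the intent. I would keep `*.retry`, `*.pyc` and `*.swp` next to the new entries.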
@@ -34,434 +34,6 @@ These playbooks install and configure Wazuh agent, manager and indexer and dashb - [Wazuh Ansible documentation](https://documentation.wazuh.com/current/deploying-with-ansible/index.html) - [Full documentation](http://documentation.wazuh.com) -## Directory structure - - ├── wazuh-ansible - │ ├── roles - │ │ ├── wazuh - │ │ │ ├── ansible-filebeat-oss - │ │ │ ├── ansible-wazuh-manager - │ │ │ ├── ansible-wazuh-agent - │ │ │ ├── wazuh-dashboard - │ │ │ ├── wazuh-indexer - │ │ - │ │ ├── ansible-galaxy - │ │ │ ├── meta - │ - │ ├── playbooks - │ │ ├── wazuh-agent.yml - │ │ ├── wazuh-dashboard.yml - │ │ ├── wazuh-indexer.yml - │ │ ├── wazuh-manager-oss.yml - | | ├── wazuh-production-ready - │ │ ├── wazuh-single.yml - │ - │ ├── README.md - │ ├── VERSION.json - │ ├── CHANGELOG.md - -## Example: production-ready distributed environment - -### Playbook - -The hereunder example playbook uses the `wazuh-ansible` role to provision a production-ready Wazuh environment. The architecture includes 2 Wazuh nodes, 3 Wazuh indexer nodes, and a Wazuh dashboard node. - -```yaml ---- -# Certificates generation - - hosts: wi1 - roles: - - role: ../roles/wazuh/wazuh-indexer - indexer_network_host: "{{ private_ip }}" - indexer_cluster_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_discovery_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - perform_installation: false - become: no - vars: - indexer_node_master: true - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. - ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
- role: indexer - node2: - name: node-2 - ip: "{{ hostvars.wi2.private_ip }}" - role: indexer - node3: - name: node-3 - ip: "{{ hostvars.wi3.private_ip }}" - role: indexer - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - role: wazuh - node_type: master - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - role: wazuh - node_type: worker - node6: - name: node-6 - ip: "{{ hostvars.dashboard.private_ip }}" - role: dashboard - tags: - - generate-certs - -# Wazuh indexer cluster - - hosts: wi_cluster - strategy: free - roles: - - role: ../roles/wazuh/wazuh-indexer - indexer_network_host: "{{ private_ip }}" - become: yes - become_user: root - vars: - indexer_cluster_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_discovery_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_node_master: true - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. - ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
- role: indexer - node2: - name: node-2 - ip: "{{ hostvars.wi2.private_ip }}" - role: indexer - node3: - name: node-3 - ip: "{{ hostvars.wi3.private_ip }}" - role: indexer - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - role: wazuh - node_type: master - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - role: wazuh - node_type: worker - node6: - name: node-6 - ip: "{{ hostvars.dashboard.private_ip }}" - role: dashboard - -# Wazuh cluster - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - become: yes - become_user: root - vars: - filebeat_node_name: node-4 - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - wazuh_api_users: - - username: custom-user - password: SecretPassword1! 
- filebeat_output_indexer_hosts: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - - - hosts: worker - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - become: yes - become_user: root - vars: - filebeat_node_name: node-5 - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - filebeat_output_indexer_hosts: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - -# Wazuh dashboard node - - hosts: dashboard - roles: - - role: "../roles/wazuh/wazuh-dashboard" - become: yes - become_user: root - vars: - indexer_network_host: "{{ hostvars.wi1.private_ip }}" - dashboard_node_name: node-6 - wazuh_api_credentials: - - id: default - url: https://{{ hostvars.manager.private_ip }} - port: 55000 - username: custom-user - password: SecretPassword1! - ansible_shell_allow_world_readable_temp: true -``` - -### Inventory file - -- The `ansible_host` variable should contain the `address/FQDN` used to gather facts and provision each node. -- The `private_ip` variable should contain the `address/FQDN` used for the internal cluster communications. -- Whether the environment is located in a local subnet, `ansible_host` and `private_ip` variables should match. -- The ssh credentials used by Ansible during the provision can be specified in this file too. Another option is including them directly on the playbook. 
- -```ini -wi1 ansible_host= private_ip= indexer_node_name=node-1 -wi2 ansible_host= private_ip= indexer_node_name=node-2 -wi3 ansible_host= private_ip= indexer_node_name=node-3 -dashboard ansible_host= private_ip= -manager ansible_host= private_ip= -worker ansible_host= private_ip= - -[wi_cluster] -wi1 -wi2 -wi3 - -[all:vars] -ansible_ssh_user=vagrant -ansible_ssh_private_key_file=/path/to/ssh/key.pem -ansible_ssh_extra_args='-o StrictHostKeyChecking=no' -``` - -### Launching the playbook - -```bash -sudo ansible-playbook wazuh-production-ready.yml -i inventory -``` - -After the playbook execution, the Wazuh UI should be reachable through `https://` - -## Example: single-host environment - -### Playbook - -The hereunder example playbook uses the `wazuh-ansible` role to provision a single-host Wazuh environment. This architecture includes all the Wazuh and Opensearch components in a single node. - -```yaml ---- -# Certificates generation - - hosts: aio - roles: - - role: ../roles/wazuh/wazuh-indexer - perform_installation: false - become: no - #become_user: root - vars: - indexer_node_master: true - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. - ip: 127.0.0.1 - role: indexer - tags: - - generate-certs -# Single node - - hosts: aio - become: yes - become_user: root - roles: - - role: ../roles/wazuh/wazuh-indexer - - role: ../roles/wazuh/ansible-wazuh-manager - - role: ../roles/wazuh/ansible-filebeat-oss - - role: ../roles/wazuh/wazuh-dashboard - vars: - single_node: true - minimum_master_nodes: 1 - indexer_node_master: true - indexer_network_host: 127.0.0.1 - filebeat_node_name: node-1 - filebeat_output_indexer_hosts: - - 127.0.0.1 - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. 
- ip: 127.0.0.1 - role: indexer - ansible_shell_allow_world_readable_temp: true -``` - -### Inventory file - -```ini -[aio] - - -[all:vars] -ansible_ssh_user=vagrant -ansible_ssh_private_key_file=/path/to/ssh/key.pem -ansible_ssh_extra_args='-o StrictHostKeyChecking=no' -``` - -### Launching the playbook - -```bash -sudo ansible-playbook wazuh-single.yml -i inventory -``` - -After the playbook execution, the Wazuh UI should be reachable through `https://` - -## Example: Wazuh server cluster (without Filebeat) - -### Playbook - -The hereunder example playbook uses the `wazuh-ansible` role to provision a Wazuh server cluster without Filebeat. This architecture includes 2 Wazuh servers distributed in two different nodes. - -```yaml ---- -# Wazuh cluster without Filebeat - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - become: yes - become_user: root - vars: - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - wazuh_api_users: - - username: custom-user - password: SecretPassword1! 
- - - hosts: worker01 - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - become: yes - become_user: root - vars: - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' -``` - -### Inventory file - -```ini -[manager] - - -[worker01] - - -[all:vars] -ansible_ssh_user=vagrant -ansible_ssh_private_key_file=/path/to/ssh/key.pem -ansible_ssh_extra_args='-o StrictHostKeyChecking=no' -``` - -### Adding additional workers - -Add the following block at the end of the playbook - -```yaml - - hosts: worker02 - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - become: yes - become_user: root - vars: - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'worker_02' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' -``` - -NOTE: `hosts` and `wazuh_manager_config.cluster_node_name` are the only parameters that differ from the `worker01` configuration. - -Add the following lines to the inventory file: - -```ini -[worker02] - -``` - -### Launching the playbook - -```bash -sudo ansible-playbook wazuh-manager-oss-cluster.yml -i inventory -``` - ## Contribute If you want to contribute to our repository, please fork our Github repository and submit a pull request. diff --git a/docs/.gitignore b/docs/.gitignore new file mode 100644 index 00000000..7585238e --- /dev/null +++ b/docs/.gitignore @@ -0,0 +1 @@ +book diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg deleted file mode 100644 index e153953a..00000000 --- a/playbooks/ansible.cfg +++ /dev/null @@ -1,2 +0,0 @@ -[defaults] -hash_behaviour=merge 
diff --git a/playbooks/wazuh-agent.yml b/playbooks/wazuh-agent.yml deleted file mode 100644 index 16ff48ae..00000000 --- a/playbooks/wazuh-agent.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- hosts: - become: yes - become_user: root - roles: - - ../roles/wazuh/ansible-wazuh-agent - vars: - wazuh_managers: - - address: - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'https' - api_user: wazuh - max_retries: 5 - retry_interval: 5 \ No newline at end of file diff --git a/playbooks/wazuh-dashboard.yml b/playbooks/wazuh-dashboard.yml deleted file mode 100644 index 5a50cbab..00000000 --- a/playbooks/wazuh-dashboard.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- hosts: wi1 - roles: - - role: ../roles/wazuh/wazuh-dashboard - vars: - ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-indexer.yml b/playbooks/wazuh-indexer.yml deleted file mode 100644 index 34d999c4..00000000 --- a/playbooks/wazuh-indexer.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- hosts: wi_cluster - roles: - - role: ../roles/wazuh/wazuh-indexer - - vars: - instances: # A certificate will be generated for every node using the name as CN. - node1: - name: node-1 - ip: - role: indexer - node2: - name: node-2 - ip: - role: indexer - node3: - name: node-3 - ip: - role: indexer - diff --git a/playbooks/wazuh-manager-oss-cluster.yml b/playbooks/wazuh-manager-oss-cluster.yml deleted file mode 100644 index 57109581..00000000 --- a/playbooks/wazuh-manager-oss-cluster.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# Wazuh cluster without Filebeat - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - become: yes - become_user: root - vars: - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - wazuh_api_users: - - username: custom-user - password: SecretPassword1! - - - hosts: worker01 - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - become: yes - become_user: root - vars: - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml deleted file mode 100644 index 9e9c4cba..00000000 --- a/playbooks/wazuh-manager-oss.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: managers - roles: - - role: ../roles/wazuh/ansible-wazuh-manager - - role: ../roles/wazuh/ansible-filebeat-oss - filebeat_output_indexer_hosts: - - ":9200" - - ":9200" - - ":9200" diff --git a/playbooks/wazuh-production-ready.yml b/playbooks/wazuh-production-ready.yml deleted file mode 100644 index f1cbf3bc..00000000 --- a/playbooks/wazuh-production-ready.yml +++ /dev/null 
@@ -1,176 +0,0 @@ ---- -# Certificates generation - - hosts: wi1 - roles: - - role: ../roles/wazuh/wazuh-indexer - indexer_network_host: "{{ private_ip }}" - indexer_cluster_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_discovery_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - perform_installation: false - become: no - vars: - indexer_node_master: true - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. - ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. - role: indexer - node2: - name: node-2 - ip: "{{ hostvars.wi2.private_ip }}" - role: indexer - node3: - name: node-3 - ip: "{{ hostvars.wi3.private_ip }}" - role: indexer - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - role: wazuh - node_type: master - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - role: wazuh - node_type: worker - node6: - name: node-6 - ip: "{{ hostvars.dashboard.private_ip }}" - role: dashboard - tags: - - generate-certs - -# Wazuh indexer cluster - - hosts: wi_cluster - strategy: free - roles: - - role: ../roles/wazuh/wazuh-indexer - indexer_network_host: "{{ private_ip }}" - become: yes - become_user: root - vars: - indexer_cluster_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_discovery_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - indexer_node_master: true - instances: - node1: - name: node-1 # Important: must be equal to indexer_node_name. - ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
- role: indexer - node2: - name: node-2 - ip: "{{ hostvars.wi2.private_ip }}" - role: indexer - node3: - name: node-3 - ip: "{{ hostvars.wi3.private_ip }}" - role: indexer - node4: - name: node-4 - ip: "{{ hostvars.manager.private_ip }}" - role: wazuh - node_type: master - node5: - name: node-5 - ip: "{{ hostvars.worker.private_ip }}" - role: wazuh - node_type: worker - node6: - name: node-6 - ip: "{{ hostvars.dashboard.private_ip }}" - role: dashboard - -# Wazuh cluster - - hosts: manager - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - become: yes - become_user: root - vars: - filebeat_node_name: node-4 - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'master' - node_type: 'master' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - wazuh_api_users: - - username: custom-user - password: SecretPassword1! 
- filebeat_output_indexer_hosts: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - - - hosts: worker - roles: - - role: "../roles/wazuh/ansible-wazuh-manager" - - role: "../roles/wazuh/ansible-filebeat-oss" - become: yes - become_user: root - vars: - filebeat_node_name: node-5 - wazuh_manager_config: - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - api: - https: 'yes' - cluster: - disable: 'no' - node_name: 'worker_01' - node_type: 'worker' - key: 'c98b62a9b6169ac5f67dae55ae4a9088' - nodes: - - "{{ hostvars.manager.private_ip }}" - hidden: 'no' - filebeat_output_indexer_hosts: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - -# Wazuh dashboard node - - hosts: dashboard - roles: - - role: "../roles/wazuh/wazuh-dashboard" - become: yes - become_user: root - vars: - indexer_network_host: "{{ hostvars.wi1.private_ip }}" - indexer_cluster_nodes: - - "{{ hostvars.wi1.private_ip }}" - - "{{ hostvars.wi2.private_ip }}" - - "{{ hostvars.wi3.private_ip }}" - dashboard_node_name: node-6 - wazuh_api_credentials: - - id: default - url: https://{{ hostvars.manager.private_ip }} - port: 55000 - username: custom-user - password: SecretPassword1! - ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-single.yml b/playbooks/wazuh-single.yml deleted file mode 100644 index 38499f5c..00000000 --- a/playbooks/wazuh-single.yml +++ /dev/null 
@@ -1,40 +0,0 @@
----
-# Certificates generation
- - hosts: aio
- roles:
- - role: ../roles/wazuh/wazuh-indexer
- perform_installation: false
- become: no
- #become_user: root
- vars:
- indexer_node_master: true
- instances:
- node1:
- name: node-1 # Important: must be equal to indexer_node_name.
- ip: 127.0.0.1
- role: indexer
- tags:
- - generate-certs
-# Single node
- - hosts: aio
- become: yes
- become_user: root
- roles:
- - role: ../roles/wazuh/wazuh-indexer
- - role: ../roles/wazuh/ansible-wazuh-manager
- - role: ../roles/wazuh/ansible-filebeat-oss
- - role: ../roles/wazuh/wazuh-dashboard
- vars:
- single_node: true
- minimum_master_nodes: 1
- indexer_node_master: true
- indexer_network_host: 127.0.0.1
- filebeat_node_name: node-1
- filebeat_output_indexer_hosts:
- - 127.0.0.1
- instances:
- node1:
- name: node-1 # Important: must be equal to indexer_node_name.
- ip: 127.0.0.1
- role: indexer
- ansible_shell_allow_world_readable_temp: true
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 00000000..559dd1d4
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,6 @@
+---
+collections:
+ - name: community.general
+ - name: community.docker
+ - name: ansible.windows
+ - name: community.windows
diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml
deleted file mode 100644
index e8126080..00000000
--- a/roles/elastic-stack/ansible-kibana/defaults/main.yml
+++ /dev/null
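Review bot: None of the four collections listed in the new `requirements.yml` carries a `version:` pin, so `ansible-galaxy collection install -r requirements.yml` resolves to whatever is latest on the configured Galaxy server at install time, which makes deployments non-reproducible and lets an unreviewed upstream release flow straight into the tooling that provisions Wazuh hosts. Pin each entry, e.g. `- name: community.general` followed by `  version: "<pinned-version>"`, and consider an explicit `source:` naming the trusted server. If leaving them unpinned is deliberate, a one-line comment saying so would save the next maintainer the question.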
@@ -1,49 +0,0 @@ ---- -kibana_node_name: node-1 - -elasticsearch_http_port: "9200" -elasticsearch_network_host: "127.0.0.1" -kibana_server_host: "0.0.0.0" -kibana_server_port: "5601" -kibana_conf_path: /etc/kibana -elastic_stack_version: 7.10.2 -wazuh_version: 5.0.0 -wazuh_app_url: https://packages.wazuh.com/5.x/ui/kibana/wazuh_kibana - -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/7.x/apt' - yum: 'https://artifacts.elastic.co/packages/7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' - -# API credentials -wazuh_api_credentials: - - id: "default" - url: "https://localhost" - port: 55000 - username: "wazuh" - password: "wazuh" - -# Xpack Security -kibana_xpack_security: false -kibana_ssl_verification_mode: "full" - -elasticsearch_xpack_security_user: elastic -elasticsearch_xpack_security_password: elastic_pass - -node_certs_destination: /etc/kibana/certs - -# CA Generation -master_certs_path: "{{ playbook_dir }}/es_certs" -generate_CA: true -ca_cert_name: "" - -# Nodejs -nodejs: - repo_dict: - debian: "deb" - redhat: "rpm" - repo_url_ext: "nodesource.com/setup_10.x" - -#Nodejs NODE_OPTIONS -node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml deleted file mode 100644 index 36060f37..00000000 --- a/roles/opendistro/opendistro-kibana/defaults/main.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -# Kibana configuration -elasticsearch_http_port: 9200 -elastic_api_protocol: https -kibana_conf_path: /etc/kibana -kibana_node_name: node-1 -kibana_server_host: "0.0.0.0" -kibana_server_port: "5601" -kibana_server_name: "kibana" -kibana_max_payload_bytes: 1048576 -elastic_stack_version: 7.10.2 -wazuh_version: 4.4.1 -wazuh_app_url: https://packages.wazuh.com/5.x/ui/kibana/wazuh_kibana - -# The OpenDistro package repository -kibana_opendistro_version: 1.13.2-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts - -package_repos: - yum: - opendistro: - baseurl: 'https://packages.wazuh.com/5.x/yum/' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - apt: - opendistro: - baseurl: 'deb https://packages.wazuh.com/5.x/apt/ stable main' - gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' - -# API credentials -wazuh_api_credentials: - - id: "default" - url: "https://localhost" - port: 55000 - username: "wazuh" - password: "wazuh" - -# opendistro Security -kibana_opendistro_security: true -kibana_newsfeed_enabled: "false" -kibana_telemetry_optin: "false" -kibana_telemetry_enabled: "false" - -opendistro_admin_password: changeme -opendistro_kibana_user: kibanaserver -opendistro_kibana_password: changeme -local_certs_path: "{{ playbook_dir }}/opendistro/certificates" - -# Nodejs -nodejs: - repo_dict: - debian: "deb" - redhat: "rpm" - repo_url_ext: "nodesource.com/setup_10.x" - - -#Nodejs NODE_OPTIONS -node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md deleted file mode 100644 index cd091d26..00000000 --- a/roles/wazuh/ansible-filebeat-oss/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -Ansible Role: Filebeat for Elastic Stack ------------------------------------- - -An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server). - -Requirements ------------- - -This role will work on: - * Red Hat - * CentOS - * Fedora - * Debian - * Ubuntu - -Role Variables --------------- - -Available variables are listed below, along with default values (see `defaults/main.yml`): - -``` - filebeat_output_indexer_hosts: - - "localhost:9200" - -``` - -License and copyright ---------------------- - -WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) - -### Based on previous work from geerlingguy - - - https://github.com/geerlingguy/ansible-role-filebeat - -### Modified by Wazuh - -The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml deleted file mode 100644 index e60d7c37..00000000 --- a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -filebeat_version: 7.10.2 - -wazuh_template_branch: v5.0.0 - -filebeat_node_name: node-1 - -filebeat_output_indexer_hosts: - - "localhost" - -filebeat_module_package_name: wazuh-filebeat-0.4.tar.gz -filebeat_module_package_path: /tmp/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh -indexer_security_user: admin -indexer_security_password: changeme -# Security plugin -filebeat_security: true -filebeat_ssl_dir: /etc/pki/filebeat - -# Local path to store the generated certificates (Opensearch security plugin) -local_certs_path: "{{ playbook_dir }}/indexer/certificates" 
diff --git a/roles/wazuh/ansible-filebeat-oss/handlers/main.yml b/roles/wazuh/ansible-filebeat-oss/handlers/main.yml deleted file mode 100644 index 96e15a22..00000000 --- a/roles/wazuh/ansible-filebeat-oss/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: restart filebeat - service: name=filebeat state=restarted diff --git a/roles/wazuh/ansible-filebeat-oss/meta/main.yml b/roles/wazuh/ansible-filebeat-oss/meta/main.yml deleted file mode 100644 index 4fd7e900..00000000 --- a/roles/wazuh/ansible-filebeat-oss/meta/main.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -dependencies: [] - -galaxy_info: - author: Wazuh - description: Installing and maintaining Filebeat-oss. - company: wazuh.com - license: license (GPLv3) - min_ansible_version: 2.0 - platforms: - - name: EL - versions: - - 6 - - 7 - - name: Fedora - versions: - - all - - name: Debian - versions: - - jessie - - name: Ubuntu - versions: - - precise - - trusty - - xenial - galaxy_tags: - - web - - system - - monitoring diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml deleted file mode 100644 index 135f1e07..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -- name: Debian/Ubuntu | Install apt-transport-https, ca-certificate, acl and gnupg - apt: - name: - - apt-transport-https - - ca-certificates - - acl - - gnupg - state: present - register: filebeat_ca_packages_install - until: filebeat_ca_packages_install is succeeded - -- name: Debian/Ubuntu | Download Filebeat apt key. - get_url: - url: "{{ wazuh_repo.gpg }}" - dest: "{{ wazuh_repo.path }}" - -- name: Import Filebeat GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" - args: - creates: "{{ wazuh_repo.keyring_path }}" - -- name: Set permissions for Filebeat GPG key - file: - path: "{{ wazuh_repo.keyring_path }}" - mode: '0644' - -- name: Debian/Ubuntu | Add Filebeat-oss repository. - apt_repository: - repo: "{{ wazuh_repo.apt }}" - state: present - update_cache: true - changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml deleted file mode 100644 index bc573eac..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) - apt_repository: - repo: "{{ wazuh_repo.apt }}" - state: absent - changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml deleted file mode 100644 index abf858fe..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml deleted file mode 100644 index 9d1a0d12..00000000 
--- a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo - yum_repository: - name: wazuh_repo - description: Wazuh Repo - baseurl: "{{ wazuh_repo.yum }}" - gpgkey: "{{ wazuh_repo.gpg }}" - gpgcheck: true - changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml deleted file mode 100644 index c6dcbe94..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- block: - - name: Copy Filebeat configuration. - template: - src: filebeat.yml.j2 - dest: "/etc/filebeat/filebeat.yml" - owner: root - group: root - mode: 0400 - notify: restart filebeat - - - name: Fetch latest Wazuh alerts template - get_url: - url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json - dest: "/etc/filebeat/wazuh-template.json" - owner: root - group: root - mode: 0400 - notify: restart filebeat - - tags: - - configure diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml deleted file mode 100644 index cb1f87a6..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -- include_vars: ../../vars/repo_vars.yml - -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' - -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' - -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- include_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- include_tasks: Debian.yml - when: ansible_os_family == 'Debian' - -- name: Install Filebeat | Redhat - yum: - name: "filebeat-{{ filebeat_version }}" - state: present - lock_timeout: 200 - register: install - tags: - - install - - init - when: ansible_os_family == 'RedHat' - -- name: Install Filebeat | Debian - apt: - name: "filebeat={{ filebeat_version }}-*" - state: present - register: install - tags: - - install - - init - until: "install is not failed" - retries: 10 - delay: 10 - when: ansible_os_family == 'Debian' - -- name: Checking if Filebeat Module folder file exists - stat: - path: "{{ filebeat_module_folder }}" - register: filebeat_module_folder - -- name: Download Filebeat module package - get_url: - url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_package_path }}" - when: not filebeat_module_folder.stat.exists - -- name: Unpack Filebeat module package - unarchive: - src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - dest: "{{ filebeat_module_destination }}" - remote_src: yes - when: not filebeat_module_folder.stat.exists - -- name: Setting 0755 permission for Filebeat module folder - file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes - when: not filebeat_module_folder.stat.exists - -- name: Checking if Filebeat Module package file exists - stat: - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - register: filebeat_module_package - when: filebeat_module_package is not defined - -- name: Delete Filebeat module package 
file - file: - state: absent - path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" - when: filebeat_module_package.stat.exists - -- import_tasks: config.yml - notify: restart filebeat - -- include_tasks: security_actions.yml - when: filebeat_security - -- name: Ensure Filebeat is started and enabled at boot. - service: - name: filebeat - state: started - enabled: true - -- include_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - -- include_tasks: "RMDebian.yml" - when: ansible_os_family == "Debian" diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml deleted file mode 100644 index e4fe6c41..00000000 --- a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml +++ /dev/null @@ -1,26 +0,0 @@ -- block: - - - name: Ensure Filebeat SSL key pair directory exists. - file: - path: "{{ filebeat_ssl_dir }}" - state: directory - owner: root - group: root - mode: 500 - - - name: Copy the certificates from local to the Manager instance - copy: - src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" - dest: "{{ filebeat_ssl_dir }}" - owner: root - group: root - mode: 400 - with_items: - - "{{ filebeat_node_name }}-key.pem" - - "{{ filebeat_node_name }}.pem" - - "root-ca.pem" - - tags: - - security - when: - - filebeat_security diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 deleted file mode 100644 index a9da9dbd..00000000 --- a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -# Wazuh - Filebeat configuration file -filebeat.modules: - - module: wazuh - alerts: - enabled: true - archives: - enabled: false - -setup.template.json.enabled: true -setup.template.json.path: '/etc/filebeat/wazuh-template.json' -setup.template.json.name: 'wazuh' -setup.template.overwrite: true -setup.ilm.enabled: false - -# Send events directly to Wazuh indexer -output.elasticsearch: - hosts: -{% for item in filebeat_output_indexer_hosts %} - - {{ item }} -{% endfor %} - -{% if filebeat_security %} - username: {{ indexer_security_user }} - password: "{{ indexer_security_password }}" - protocol: https - ssl.certificate_authorities: - - {{ filebeat_ssl_dir }}/root-ca.pem - ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem" - ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem" -{% endif %} - -# Optional. Send events to Logstash instead of Wazuh indexer -#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"] - -logging.metrics.enabled: false - -seccomp: - default_action: allow - syscalls: - - action: allow - names: - - rseq diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml deleted file mode 100644 index fd09929e..00000000 --- a/roles/wazuh/ansible-filebeat/defaults/main.yml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -filebeat_version: 7.10.2 - -wazuh_template_branch: v4.4.1 - -filebeat_create_config: true - -filebeat_node_name: node-1 - -filebeat_output_elasticsearch_hosts: - - "localhost:9200" - -filebeat_module_package_url: https://packages.wazuh.com/5.x/filebeat -filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz -filebeat_module_package_path: /tmp/ -filebeat_module_destination: /usr/share/filebeat/module -filebeat_module_folder: /usr/share/filebeat/module/wazuh - -# Xpack Security -filebeat_xpack_security: false - -elasticsearch_xpack_security_user: elastic -elasticsearch_xpack_security_password: elastic_pass - -node_certs_destination: /etc/filebeat/certs - -# CA Generation -master_certs_path: "{{ playbook_dir }}/es_certs" -generate_CA: true -ca_cert_name: "" - -elasticrepo: - apt: 'https://artifacts.elastic.co/packages/7.x/apt' - yum: 'https://artifacts.elastic.co/packages/7.x/yum' - gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' - key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' diff --git a/roles/wazuh/ansible-wazuh-agent/README.md b/roles/wazuh/ansible-wazuh-agent/README.md deleted file mode 100644 index 10255e54..00000000 --- a/roles/wazuh/ansible-wazuh-agent/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -Ansible Playbook - Wazuh agent -============================== - -This role will install and configure a Wazuh Agent. - -OS Requirements ----------------- - -This role is compatible with: - * Red Hat - * CentOS - * Fedora - * Debian - * Ubuntu - * Windows - * macOS - - -Role Variables --------------- - -* `wazuh_managers`: Collection of Wazuh Managers' IP address, port, and protocol used by the agent -* `wazuh_agent_authd`: Collection with the settings to register an agent using authd. - -Playbook example ----------------- - -The following is an example of how this role can be used: - - - hosts: all:!wazuh-manager - roles: - - ansible-wazuh-agent - vars: - wazuh_managers: - - address: 127.0.0.1 - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: 'http' - api_user: 'ansible' - wazuh_agent_authd: - registration_address: 127.0.0.1 - enable: true - port: 1515 - ssl_agent_ca: null - ssl_auto_negotiate: 'no' - - -License and copyright ---------------------- - -WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) - -### Based on previous work from dj-wasabi - - - https://github.com/dj-wasabi/ansible-ossec-server - -### Modified by Wazuh - -The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml deleted file mode 100644 index 036da9b4..00000000 --- a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml +++ /dev/null 
@@ -1,376 +0,0 @@ ---- -wazuh_agent_version: 5.0.0 - -# Custom packages installation - -wazuh_custom_packages_installation_agent_enabled: false -wazuh_custom_packages_installation_agent_deb_url: "" -wazuh_custom_packages_installation_agent_rpm_url: "" - -wazuh_agent_yum_lock_timeout: 30 - -# We recommend the use of ansible-vault to protect Wazuh, api and authd credentials. -api_pass: wazuh -authd_pass: '' - -wazuh_api_reachable_from_agent: yes -wazuh_profile_centos: 'centos, centos7, centos7.6' -wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' -wazuh_profile_macos: 'darwin, darwin21, darwin21.1' -wazuh_auto_restart: 'yes' - -wazuh_notify_time: '10' -wazuh_time_reconnect: '60' -wazuh_crypto_method: 'aes' -wazuh_winagent_config: - download_dir: C:\ - install_dir: C:\Program Files\ossec-agent\ - install_dir_x86: C:\Program Files (x86)\ossec-agent\ - auth_path: C:\Program Files\ossec-agent\agent-auth.exe - # Adding quotes to auth_path_x86 since win_shell outputs error otherwise - auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe - check_sha512: True - -# macOS deployment -wazuh_macos_config: - download_dir: /tmp/ - install_dir: /Library/Ossec/ - -wazuh_dir: "/var/ossec" - -# This is deprecated, see: wazuh_agent_address -wazuh_agent_nat: false - -########################################## -### Wazuh -########################################## - -wazuh_agent_nolog_sensible: yes -wazuh_agent_config_overlay: yes - -# This is a middle ground between breaking existing uses of wazuh_agent_nat -# and allow working with agents having several network interfaces -wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}' - -# List of managers. The first one with register variable declared *and* set to true -# is the one used to register the agent. Otherwise, the first one in the list will be used. 
-wazuh_managers: - - address: 127.0.0.1 - port: 1514 - protocol: tcp - api_port: 55000 - api_proto: https - api_user: wazuh - max_retries: 5 - retry_interval: 5 - register: yes - -## Authentication Method: Enrollment section (4.x) - -# For more information see: -# * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment - -wazuh_agent_enrollment: - enabled: 'yes' - manager_address: '' - port: 1515 - agent_name: '' - groups: '' - agent_address: '' - ssl_ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH - server_ca_path: '' - agent_certificate_path: '' - agent_key_path: '' - authorization_pass_path: "{{ wazuh_dir }}/etc/authd.pass" - authorization_pass_path_macos: "/etc/authd.pass" - auto_method: 'no' - delay_after_enrollment: 20 - use_source_ip: 'no' - -## Authentication Method: invoking agent-auth - -# For more information see: -# * https://documentation.wazuh.com/current/user-manual/registering/password-authorization-registration.html - -wazuh_agent_authd: - registration_address: 127.0.0.1 - enable: false - port: 1515 - agent_name: null - groups: [] - ssl_agent_ca: null - ssl_agent_cert: null - ssl_agent_key: null - ssl_auto_negotiate: 'no' - -## Authentication Method: REST API - -# For more information see: -# * https://documentation.wazuh.com/current/user-manual/registering/restful-api-registration.html -wazuh_agent_api_validate: yes - -## Client buffer -wazuh_agent_client_buffer: - disable: 'no' - queue_size: '5000' - events_per_sec: '500' - -## Rootcheck -wazuh_agent_rootcheck: - frequency: 43200 - -## Wodles -wazuh_agent_openscap: - disable: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - -wazuh_agent_cis_cat: - disable: 'yes' - install_java: 'no' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - java_path: 'wodles/java' - java_path_win: '\\server\jre\bin\java.exe' - ciscat_path: 'wodles/ciscat' - ciscat_path_win: 'C:\cis-cat' - -wazuh_agent_osquery: - disable: 'yes' - run_daemon: 
'yes' - bin_path_win: 'C:\Program Files\osquery\osqueryd' - log_path: '/var/log/osquery/osqueryd.results.log' - log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - config_path_win: 'C:\Program Files\osquery\osquery.conf' - add_labels: 'yes' - -wazuh_agent_syscollector: - disable: 'no' - interval: '1h' - scan_on_start: 'yes' - hardware: 'yes' - os: 'yes' - network: 'yes' - packages: 'yes' - ports_no: 'yes' - processes: 'yes' - -## SCA -wazuh_agent_sca: - enabled: 'yes' - scan_on_start: 'yes' - interval: '12h' - skip_nfs: 'yes' - day: '' - wday: '' - time: '' - -## Syscheck -wazuh_agent_syscheck: - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - win_audit_interval: 60 - skip_nfs: 'yes' - skip_dev: 'yes' - skip_proc: 'yes' - skip_sys: 'yes' - process_priority: 10 - max_eps: 100 - sync_enabled: 'yes' - sync_interval: '5m' - sync_max_interval: '1h' - sync_max_eps: 10 - ignore: - - /etc/mtab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - ignore_linux_type: - - '.log$|.swp$' - ignore_win: - - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' - no_diff: - - /etc/ssl/private.key - directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: '' - - dirs: /bin,/sbin,/boot - checks: '' - macos_directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: '' - - dirs: /bin,/sbin - checks: '' - win_directories: - - dirs: '%WINDIR%' - checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' - - dirs: '%WINDIR%\SysNative' - checks: >- - recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| - net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" - - dirs: '%WINDIR%\SysNative\drivers\etc%' - checks: 'recursion_level="0"' - - 
dirs: '%WINDIR%\SysNative\wbem' - checks: 'recursion_level="0" restrict="WMIC.exe$"' - - dirs: '%WINDIR%\SysNative\WindowsPowerShell\v1.0' - checks: 'recursion_level="0" restrict="powershell.exe$"' - - dirs: '%WINDIR%\SysNative' - checks: 'recursion_level="0" restrict="winrm.vbs$"' - - dirs: '%WINDIR%\System32' - checks: >- - recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| - netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" - - dirs: '%WINDIR%\System32\drivers\etc' - checks: 'recursion_level="0"' - - dirs: '%WINDIR%\System32\wbem' - checks: 'recursion_level="0" restrict="WMIC.exe$"' - - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' - checks: 'recursion_level="0" restrict="powershell.exe$"' - - dirs: '%WINDIR%\System32' - checks: 'recursion_level="0" restrict="winrm.vbs$"' - - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' - checks: 'realtime="yes"' - windows_registry: - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' - - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Policies' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Security' - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services' - - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs' - - key: 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg' - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - arch: "both" - - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components' - arch: "both" - windows_registry_ignore: - - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' - - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' - - key: '\Enum$' - type: "sregex" - -## Localfile -wazuh_agent_localfiles: - debian: - - format: 'syslog' - location: '/var/log/auth.log' - - format: 'syslog' - location: '/var/log/syslog' - - format: 'syslog' - location: '/var/log/dpkg.log' - - format: 'syslog' - location: '/var/log/kern.log' - centos: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'audit' - location: '/var/log/audit/audit.log' - linux: - - format: 'syslog' - location: "{{ wazuh_dir }}/logs/active-responses.log" - - format: 'full_command' - command: 'last -n 20' - frequency: '360' - - format: 'command' - command: df -P - frequency: '360' - - format: 'full_command' - command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - alias: 
'netstat listening ports' - frequency: '360' - macos: - - format: 'full_command' - command: netstat -an | awk '{if ((/^(tcp|udp)/) && ($4 != "*.*") && ($5 == "*.*")) {print $1" "$4" "$5}}' | sort -u - alias: 'netstat listening ports' - frequency: '360' - - format: 'macos' - location: 'macos' - query: - type: 'trace,log,activity' - level: 'info' - value: (process == "sudo") or (process == "sessionlogoutd" and message contains "logout is complete.") or (process == "sshd") or (process == "tccd" and message contains "Update Access Record") or (message contains "SessionAgentNotificationCenter") or (process == "screensharingd" and message contains "Authentication") or (process == "securityd" and eventMessage contains "Session" and subsystem == "com.apple.securityd") - windows: - - format: 'eventlog' - location: 'Application' - - format: 'eventchannel' - location: 'Security' - query: 'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' - - format: 'eventlog' - location: 'System' - - format: 'syslog' - location: 'active-response\active-responses.log' - -## Labels -wazuh_agent_labels: - enable: false - list: - - key: Env - value: Production - -## Active response -wazuh_agent_active_response: - ar_disabled: 'no' - ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem" - ca_store_win: 'wpk_root.pem' - ca_store_macos: 'etc/wpk_root.pem' - ca_verification: 'yes' - -## Logging -wazuh_agent_log_format: 'plain' - -# wazuh_agent_config -wazuh_agent_config_defaults: - repo: '{{ wazuh_repo }}' - active_response: '{{ wazuh_agent_active_response }}' - log_format: '{{ wazuh_agent_log_format }}' - client_buffer: '{{ wazuh_agent_client_buffer }}' - syscheck: '{{ wazuh_agent_syscheck }}' - - rootcheck: '{{ wazuh_agent_rootcheck }}' - openscap: '{{ wazuh_agent_openscap }}' - - osquery: '{{ wazuh_agent_osquery }}' - 
syscollector: '{{ wazuh_agent_syscollector }}' - sca: '{{ wazuh_agent_sca }}' - cis_cat: '{{ wazuh_agent_cis_cat }}' - localfiles: '{{ wazuh_agent_localfiles }}' - - labels: '{{ wazuh_agent_labels }}' - enrollment: '{{ wazuh_agent_enrollment }}' diff --git a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml deleted file mode 100644 index f4770eb3..00000000 --- a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: restart wazuh-agent - service: name=wazuh-agent state=restarted enabled=yes - -- name: Windows | Restart Wazuh Agent - win_service: name=WazuhSvc start_mode=auto state=restarted - -- name: macOS | Restart Wazuh Agent - command: /Library/Ossec/bin/wazuh-control restart \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/meta/main.yml b/roles/wazuh/ansible-wazuh-agent/meta/main.yml deleted file mode 100644 index 7cd460c4..00000000 --- a/roles/wazuh/ansible-wazuh-agent/meta/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -galaxy_info: - author: Wazuh - description: Installing, deploying and configuring Wazuh Agent. - company: wazuh.com - license: license (GPLv3) - min_ansible_version: 2.0 - platforms: - - name: EL - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: Fedora - versions: - - all - galaxy_tags: - - monitoring -dependencies: [] diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml deleted file mode 100644 index 043ad9ae..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -- name: Update apt-get repo and cache - apt: - update_cache: yes - force_apt_get: yes - cache_valid_time: 3600 - -- name: Debian/Ubuntu | Install ca-certificates and gnupg - apt: - name: - - ca-certificates - - gnupg - state: present - register: wazuh_agent_ca_package_install - until: wazuh_agent_ca_package_install is succeeded - -- name: Debian/Ubuntu | Install apt-transport-https and acl - apt: - name: - - apt-transport-https - - acl - state: present - register: wazuh_agent_ca_package_install - until: wazuh_agent_ca_package_install is succeeded - when: not (ansible_distribution == "Debian" and ansible_distribution_major_version in ['11']) - -- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14) - become: true - shell: | - set -o pipefail - curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add - - args: - # warn: false - executable: /bin/bash - changed_when: false - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - not wazuh_custom_packages_installation_agent_enabled - -- name: Debian/Ubuntu | Download Wazuh repository key - get_url: - url: "{{ wazuh_agent_config.repo.gpg }}" - dest: "{{ wazuh_agent_config.repo.path }}" - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_agent_enabled - -- name: Debian/Ubuntu | Import Wazuh GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_agent_config.repo.keyring_path }} --import {{ wazuh_agent_config.repo.path }}" - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_agent_enabled - args: - creates: "{{ wazuh_agent_config.repo.keyring_path }}" - -- name: Debian/Ubuntu | Set permissions for Wazuh GPG key - file: - path: "{{ wazuh_agent_config.repo.keyring_path }}" - mode: '0644' - when: - - not (ansible_distribution == "Ubuntu" and 
ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_agent_enabled - -- name: Debian/Ubuntu | Add Wazuh repositories - apt_repository: - filename: wazuh_repo - repo: "{{ wazuh_agent_config.repo.apt }}" - state: present - update_cache: true - when: - - not wazuh_custom_packages_installation_agent_enabled - -- name: Debian/Ubuntu | Set Distribution CIS filename for debian - set_fact: - cis_distribution_filename: cis_debian_linux_rcl.txt - when: ansible_os_family == "Debian" - -- name: Debian/Ubuntu | Install OpenJDK-8 repo - apt_repository: - repo: 'ppa:openjdk-r/ppa' - state: present - update_cache: true - when: - - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - -- when: - - wazuh_agent_config.cis_cat.disable == 'no' - - wazuh_agent_config.cis_cat.install_java == 'yes' - block: - - name: Debian/Ubuntu | Install OpenJDK 1.8 - apt: name=openjdk-8-jre state=present cache_valid_time=3600 - tags: - - init - -- name: Debian/Ubuntu | Install OpenScap - apt: - name: - - libopenscap8 - - xsltproc - state: present - when: wazuh_agent_config.openscap.disable == 'no' - tags: - - init - register: wazuh_agent_OpenScap_package_install - until: wazuh_agent_OpenScap_package_install is succeeded - -- name: Debian/Ubuntu | Get OpenScap installed version - shell: "dpkg-query --showformat='${Version}' --show libopenscap8" - register: openscap_version - changed_when: false - when: wazuh_agent_config.openscap.disable == 'no' - tags: - - config - -- name: Debian/Ubuntu | Check OpenScap version - shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" - register: openscap_version_valid - changed_when: false - when: wazuh_agent_config.openscap.disable == 'no' - tags: - - config diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml deleted file mode 100644 index 92808380..00000000 
--- a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml +++ /dev/null 
@@ -1,258 +0,0 @@ ---- -- include_tasks: "RedHat.yml" - when: ansible_os_family == "RedHat" - -- include_tasks: "Debian.yml" - when: ansible_os_family == "Debian" - -- include_tasks: "installation_from_custom_packages.yml" - when: - - wazuh_custom_packages_installation_agent_enabled - -- name: Linux CentOS/RedHat | Install wazuh-agent - yum: - name: wazuh-agent-{{ wazuh_agent_version }} - state: present - lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}' - when: - - ansible_os_family|lower == "redhat" - - not wazuh_custom_packages_installation_agent_enabled - tags: - - init - -- name: Linux Debian | Install wazuh-agent - apt: - name: "wazuh-agent={{ wazuh_agent_version }}-*" - state: present - cache_valid_time: 3600 - when: - - ansible_os_family|lower != "redhat" - - not wazuh_custom_packages_installation_agent_enabled - - not ansible_check_mode - tags: - - init - -- name: Linux | Check if client.keys exists - stat: - path: "{{ wazuh_dir }}/etc/client.keys" - register: client_keys_file - tags: - - config - -- name: Linux | Agent registration via authd - block: - - - name: Copy CA root certificate to verify authd - copy: - src: "{{ wazuh_agent_authd.ssl_agent_ca }}" - dest: "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" - mode: 0644 - when: - - wazuh_agent_authd.ssl_agent_ca is not none - - - name: Copy TLS/SSL certificate for agent verification - copy: - src: "{{ item }}" - dest: "{{ wazuh_dir }}/etc/{{ item | basename }}" - mode: 0644 - with_items: - - "{{ wazuh_agent_authd.ssl_agent_cert }}" - - "{{ wazuh_agent_authd.ssl_agent_key }}" - when: - - wazuh_agent_authd.ssl_agent_cert is not none - - wazuh_agent_authd.ssl_agent_key is not none - - - name: Linux | Register agent (via authd) - shell: > - {{ wazuh_dir }}/bin/agent-auth - {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} - -A {{ wazuh_agent_authd.agent_name }} - {% endif %} - -m {{ wazuh_agent_authd.registration_address }} - -p {{ 
wazuh_agent_authd.port }} - {% if wazuh_agent_nat %} -I "any" {% endif %} - {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %} - {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} - -v "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" - {% endif %} - {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %} - -x "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" - {% endif %} - {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %} - -k "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" - {% endif %} - {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} - {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} - -G "{{ wazuh_agent_authd.groups | join(',') }}" - {% endif %} - register: agent_auth_output - notify: restart wazuh-agent - vars: - agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" - when: - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - - name: Linux | Verify agent registration - shell: echo {{ agent_auth_output }} | grep "Valid key received" - when: - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - when: - - wazuh_agent_authd.enable | bool - - wazuh_agent_config.enrollment.enabled != 'yes' - tags: - - config - - authd - -- name: Linux | Agent registration via rest-API - block: - - - name: Establish target Wazuh Manager for registration task - set_fact: - target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}' - vars: - manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" - manager_fallback: "{{ wazuh_managers | 
list }}" - - - name: Linux | Obtain JWT Token - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' - method: POST - url_username: '{{ target_manager.api_user }}' - url_password: '{{ api_pass }}' - status_code: 200 - return_content: yes - force_basic_auth: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - changed_when: api_jwt_result.json.error == 0 - register: api_jwt_result - become: no - tags: - - config - - api - - - name: Linux | Create the agent key via rest-API - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' - method: POST - body_format: json - body: - name: '{{ agent_name }}' - ip: '{{ wazuh_agent_address }}' - force_time: 1 - headers: - Authorization: 'Bearer {{ jwt_token }}' - status_code: 200 - return_content: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - become: no - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - changed_when: api_agent_post.json.error == 0 - register: api_agent_post - vars: - agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' - jwt_token: '{{ api_jwt_result.json.data.token }}' - tags: - - config - - api - - - name: Linux | Validate registered agent key matches manager record - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' - method: GET - headers: - Authorization: 'Bearer {{ jwt_token }}' - status_code: 200 - return_content: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - become: no - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ 
inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - register: api_agent_validation - vars: - agent_id: '{{ api_agent_post.json.data.id }}' - agent_key: '{{ api_agent_post.json.data.key }}' - jwt_token: '{{ api_jwt_result.json.data.token }}' - failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key - when: - - wazuh_agent_api_validate | bool - - api_agent_post.json.error == 0 - tags: - - config - - api - - when: - - not ( wazuh_agent_authd.enable | bool ) - - wazuh_agent_config.enrollment.enabled != 'yes' - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - tags: - - config - - api - -- name: Linux | Agent registration via auto-enrollment - debug: - msg: Agent registration will be performed through enrollment option in templated ossec.conf - when: wazuh_agent_config.enrollment.enabled == 'yes' - -- name: Linux | Ensure group "wazuh" exists - ansible.builtin.group: - name: wazuh - state: present - -- name: Linux | Installing agent configuration (ossec.conf) - template: - src: var-ossec-etc-ossec-agent.conf.j2 - dest: "{{ wazuh_dir }}/etc/ossec.conf" - owner: root - group: wazuh - mode: 0644 - notify: restart wazuh-agent - tags: - - init - - config - -- name: Linux | Installing local_internal_options.conf - template: - src: var-ossec-etc-local-internal-options.conf.j2 - dest: "{{ wazuh_dir }}/etc/local_internal_options.conf" - owner: root - group: wazuh - mode: 0640 - notify: restart wazuh-agent - tags: - - init - - config - -- name: Create auto-enrollment password file - template: - src: authd_pass.j2 - dest: "{{ wazuh_dir }}/etc/authd.pass" - owner: wazuh - group: wazuh - mode: 0640 - when: - - wazuh_agent_config.enrollment.enabled == 'yes' - - wazuh_agent_config.enrollment.authorization_pass_path | length > 0 - - authd_pass | length > 0 - tags: - - config - -- name: Linux | Ensure Wazuh Agent service is started and enabled - service: - name: wazuh-agent - enabled: true - state: started - tags: 
config - -- include_tasks: "RMRedHat.yml" - when: - - ansible_os_family == "RedHat" - -- include_tasks: "RMDebian.yml" - when: - - ansible_os_family == "Debian" diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml deleted file mode 100644 index 9999a7d3..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Remove Wazuh repository (and clean up left-over metadata) - apt_repository: - repo: "{{ wazuh_agent_config.repo.apt }}" - state: absent - changed_when: false diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml deleted file mode 100644 index 32bc6fce..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Remove Wazuh repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml deleted file mode 100644 index 5c053542..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -- name: RedHat/CentOS 5 | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: "{{ wazuh_agent_config.repo.yum }}5/" - gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5" - gpgcheck: true - changed_when: false - when: - - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon') - - (ansible_distribution_major_version|int <= 5) - - not wazuh_custom_packages_installation_agent_enabled - register: repo_v5_installed - -- name: RedHat/CentOS/Fedora | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: "{{ wazuh_agent_config.repo.yum }}" - gpgkey: "{{ wazuh_agent_config.repo.gpg }}" - gpgcheck: true - changed_when: false - when: - - repo_v5_installed is skipped - - not wazuh_custom_packages_installation_agent_enabled - -- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 - yum: name=java-1.8.0-openjdk state=present - when: - - wazuh_agent_config.cis_cat.disable == 'no' - - wazuh_agent_config.cis_cat.install_java == 'yes' - tags: - - init - -- name: Set Distribution CIS filename for RHEL5 - set_fact: - cis_distribution_filename: cis_rhel5_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5" - -- name: Set Distribution CIS filename for RHEL6 - set_fact: - cis_distribution_filename: cis_rhel6_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6" - -- name: Set Distribution CIS filename for RHEL7 - set_fact: - cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: - - ansible_os_family == "RedHat" - - ansible_distribution_major_version == "7" - -- name: Set Distribution CIS filename for RHEL7 (Amazon) - set_fact: - cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: - - ansible_distribution == "Amazon" - - ansible_distribution_major_version == "NA" - -- name: RedHat/CentOS/RedHat | Install openscap - package: name=openscap-scanner 
state=present - register: wazuh_agent_openscap_package_install - until: wazuh_agent_openscap_package_install is succeeded - when: wazuh_agent_config.openscap.disable == 'no' - tags: - - init diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml deleted file mode 100644 index f312253d..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -- name: Windows | Check if Program Files (x86) exists - win_stat: - path: C:\Program Files (x86) - register: check_path - -- name: Windows | Set Win Path (x86) - set_fact: - wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}" - wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}" - when: - - check_path.stat.exists - -- name: Windows | Set Win Path (x64) - set_fact: - wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}" - wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}" - when: - - not check_path.stat.exists - -- name: Windows | Check if Wazuh installer is already downloaded - win_stat: - path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" - register: wazuh_package_downloaded - -- name: Windows | Download Wazuh Agent package - win_get_url: - url: "{{ wazuh_winagent_config_url }}" - dest: "{{ wazuh_winagent_config.download_dir }}" - when: - - not wazuh_package_downloaded.stat.exists - -- name: Windows | Download SHA512 checksum file - win_get_url: - url: "{{ wazuh_winagent_sha512_url }}" - dest: "{{ wazuh_winagent_config.download_dir }}" - when: - - wazuh_winagent_config.check_sha512 - -- name: Extract checksum from SHA512 file - win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] } - register: extracted_checksum - when: - - wazuh_winagent_config.check_sha512 - -- name: Windows | Verify the Wazuh Agent installer - win_stat: - path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" - get_checksum: true - checksum_algorithm: sha512 - register: wazuh_agent_status - failed_when: - - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0] - when: - - wazuh_winagent_config.check_sha512 - -- name: Windows | Install Agent if not already installed - win_package: - path: "{{ wazuh_winagent_config.download_dir }}{{ 
wazuh_winagent_package_name }}" - state: present - -- name: Windows | Check if client.keys exists - win_stat: - path: "{{ wazuh_agent_win_path }}client.keys" - register: check_windows_key - tags: - - config - -- name: Windows | Register agent - win_shell: > - {{ wazuh_agent_win_auth_path }} - -m {{ wazuh_agent_authd.registration_address }} - -p {{ wazuh_agent_authd.port }} - {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} - {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %} - register: agent_auth_output - notify: Windows | Restart Wazuh Agent - when: - - wazuh_agent_authd.enable | bool - - not check_windows_key.stat.exists or check_windows_key.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - tags: - - config - -- name: Windows | Check if ossec folder is accessible - win_file: - path: "{{ wazuh_agent_win_path }}" - state: directory - -- name: Windows | Installing agent configuration (ossec.conf) - template: # noqa 208 - src: var-ossec-etc-ossec-agent.conf.j2 - dest: "{{ wazuh_agent_win_path }}ossec.conf" - notify: Windows | Restart Wazuh Agent - tags: - - config - -- name: Windows | Installing local_internal_options.conf - template: - src: var-ossec-etc-local-internal-options.conf.j2 - dest: "{{ wazuh_agent_win_path }}local_internal_options.conf" - notify: Windows | Restart Wazuh Agent - tags: - - config - -- name: Windows | Delete downloaded Wazuh agent installer file - win_file: - path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" - state: absent - -- name: Windows | Delete downloaded checksum file - win_file: - path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" - state: absent diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml deleted file mode 100644 index 99103f29..00000000 
--- a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- - - name: Install Wazuh Agent from .deb packages - apt: - deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}" - state: present - when: - - ansible_os_family|lower == "debian" - - wazuh_custom_packages_installation_agent_enabled - - - name: Install Wazuh Agent from .rpm packages | yum - yum: - name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}" - state: present - lock_timeout: 200 - when: - - ansible_os_family|lower == "redhat" - - wazuh_custom_packages_installation_agent_enabled - - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") - - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") - - - name: Install Wazuh Agent from .rpm packages | dnf - dnf: - name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}" - state: present - when: - - ansible_os_family|lower == "redhat" - - wazuh_custom_packages_installation_agent_enabled - - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or - (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml b/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml deleted file mode 100644 index 1c522472..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/macOS.yml +++ /dev/null 
@@ -1,218 +0,0 @@ ---- -- name: macOS | Check architecture - command: "/usr/bin/uname -m" - register: uname_result - -- name: macOS | Set architecture variable - set_fact: - macos_architecture: "{{ 'arm' if uname_result.stdout == 'arm64' else 'intel' }}" - -- name: macOS | Set package name and URL based on architecture - set_fact: - wazuh_macos_package_url: "{{ wazuh_macos_intel_package_url if macos_architecture == 'intel' else wazuh_macos_arm_package_url }}" - wazuh_macos_package_name: "{{ wazuh_macos_intel_package_name if macos_architecture == 'intel' else wazuh_macos_arm_package_name }}" - -- name: macOS | Check if Wazuh installer is already downloaded - stat: - path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" - register: wazuh_package_downloaded - -- name: macOS | Download Wazuh Agent package - get_url: - url: "{{ wazuh_macos_package_url }}" - dest: "{{ wazuh_macos_config.download_dir }}" - register: download_result - when: - - not wazuh_package_downloaded.stat.exists - -- name: macOS | Check if Wazuh Agent is already installed - stat: - path: "{{ wazuh_macos_config.install_dir }}" - register: wazuh_installed - -- name: macOS | Install Agent if not already installed - command: "installer -pkg {{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }} -target /" - register: install_result - -- name: macOS | Check if client.keys exists - stat: - path: "{{ wazuh_macos_config.install_dir }}/etc/client.keys" - register: client_keys_file - tags: - - config - -- name: macOS | Agent registration via authd - block: - - name: macOS | Register agent (via authd) - shell: > - {{ wazuh_macos_config.install_dir }}/bin/agent-auth - {% if wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} - -A {{ wazuh_agent_authd.agent_name }} - {% endif %} - -m {{ wazuh_agent_authd.registration_address }} - -p {{ wazuh_agent_authd.port }} - {% if wazuh_agent_nat %} -I "any" {% endif %} - {% if authd_pass | length > 0 %} -P 
{{ authd_pass }} {% endif %} - {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} - {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} - -G "{{ wazuh_agent_authd.groups | join(',') }}" - {% endif %} - register: agent_auth_output - notify: macOS | Restart Wazuh Agent - vars: - agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" - when: - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - - - name: macOS | Verify agent registration - shell: > - sh -c "echo '{{ agent_auth_output.stdout }} {{ agent_auth_output.stderr }}' | grep 'Valid key received'" - when: - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - - wazuh_agent_authd.registration_address is not none - when: - - wazuh_agent_authd.enable | bool - - wazuh_agent_config.enrollment.enabled != 'yes' - tags: - - config - - authd - -- name: macOS | Agent registration via rest-API - block: - - - name: macOS | Establish target Wazuh Manager for registration task - set_fact: - target_manager: '{{ manager_primary | length | ternary(manager_primary, manager_fallback) | first }}' - vars: - manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" - manager_fallback: "{{ wazuh_managers | list }}" - - - name: macOS | Obtain JWT Token - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' - method: POST - url_username: '{{ target_manager.api_user }}' - url_password: '{{ api_pass }}' - status_code: 200 - return_content: yes - force_basic_auth: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - changed_when: api_jwt_result.json.error == 0 - 
register: api_jwt_result - become: no - tags: - - config - - api - - - name: macOS | Create the agent key via rest-API - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' - method: POST - body_format: json - body: - name: '{{ agent_name }}' - headers: - Authorization: 'Bearer {{ jwt_token }}' - status_code: 200 - return_content: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - become: no - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - changed_when: api_agent_post.json.error == 0 - register: api_agent_post - vars: - agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' - jwt_token: '{{ api_jwt_result.json.data.token }}' - tags: - - config - - api - - - name: macOS | Validate registered agent key matches manager record - uri: - url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' - method: GET - headers: - Authorization: 'Bearer {{ jwt_token }}' - status_code: 200 - return_content: yes - validate_certs: '{{ target_manager.validate_certs | default(false) }}' - become: no - no_log: '{{ wazuh_agent_nolog_sensible | bool }}' - delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' - register: api_agent_validation - vars: - agent_id: '{{ api_agent_post.json.data.id }}' - agent_key: '{{ api_agent_post.json.data.key }}' - jwt_token: '{{ api_jwt_result.json.data.token }}' - failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key - when: - - wazuh_agent_api_validate | bool - - api_agent_post.json.error == 0 - tags: - - config - - api - - when: - - not ( wazuh_agent_authd.enable | bool ) - - wazuh_agent_config.enrollment.enabled != 'yes' - - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 - tags: - - config - - api - -- 
name: macOS | Agent registration via auto-enrollment - debug: - msg: Agent registration will be performed through enrollment option in templated ossec.conf - when: wazuh_agent_config.enrollment.enabled == 'yes' - -- name: macOS | Ensure group "wazuh" exists - ansible.builtin.group: - name: wazuh - state: present - -- name: macOS | Installing agent configuration (ossec.conf) - template: - src: var-ossec-etc-ossec-agent.conf.j2 - dest: "{{ wazuh_macos_config.install_dir }}/etc/ossec.conf" - owner: root - group: wazuh - mode: 0644 - notify: macOS | Restart Wazuh Agent - tags: - - init - - config - -- name: macOS | Installing local_internal_options.conf - template: - src: var-ossec-etc-local-internal-options.conf.j2 - dest: "{{ wazuh_macos_config.install_dir }}/etc/local_internal_options.conf" - owner: root - group: wazuh - mode: 0640 - notify: macOS | Restart Wazuh Agent - tags: - - init - - config - -- name: Create auto-enrollment password file - template: - src: authd_pass.j2 - dest: "{{ wazuh_macos_config.install_dir }}/etc/authd.pass" - owner: wazuh - group: wazuh - mode: 0640 - when: - - wazuh_agent_config.enrollment.enabled == 'yes' - - wazuh_agent_config.enrollment.authorization_pass_path_macos | length > 0 - - authd_pass | length > 0 - tags: - - config - -- name: macOS | Delete downloaded Wazuh agent installer file - file: - path: "{{ wazuh_macos_config.download_dir }}{{ wazuh_macos_package_name }}" - state: absent \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml deleted file mode 100644 index 26c27817..00000000 --- a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- - -- include_vars: ../../vars/repo_vars.yml - -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' - -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' - -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- name: Overlay wazuh_agent_config on top of defaults - set_fact: - wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}' - vars: - config_layer: '{{ wazuh_agent_config | default({}) }}' - when: wazuh_agent_config_overlay | bool - -- include_tasks: "Windows.yml" - when: ansible_os_family == "Windows" - -- include_tasks: "Linux.yml" - when: ansible_system == "Linux" - -- include_tasks: "macOS.yml" - when: ansible_system == "Darwin" \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 deleted file mode 100644 index 97a481f2..00000000 --- a/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ authd_pass }} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 deleted file mode 100644 index 81979e59..00000000 --- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 +++ /dev/null 
@@ -1,16 +0,0 @@
-# local_internal_options.conf
-#
-# This file should be handled with care. It contains
-# run time modifications that can affect the use
-# of OSSEC. Only change it if you know what you
-# are doing. Look first at ossec.conf
-# for most of the things you want to change.
-#
-# This file will not be overwritten during upgrades.
-
-# This is the template of Ansible for the file local_internal_options.conf
-# In this file you could include the configuration settings for your agents
-
-# Logcollector - If it should accept remote commands from the manager
-logcollector.remote_commands=1
-
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
deleted file mode 100644
index bcf68e9d..00000000
--- a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
+++ /dev/null
@@ -1,492 +0,0 @@
-#jinja2: lstrip_blocks: True
- - - - - - {% for manager in wazuh_managers %} - -
{{ manager.address }}
- {% if manager.port is defined %} - {{ manager.port }} - {% endif %} - {% if manager.protocol is defined %} - {{ manager.protocol }} - {% endif %} - {% if manager.max_retries is defined and manager.retry_interval is defined %} - {{ manager.max_retries }} - {{ manager.retry_interval }} - {% endif %} -
- {% endfor %} - {% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %} - {% if ansible_distribution == 'CentOS' %} - {{ wazuh_profile_centos }} - {% elif ansible_distribution == "Ubuntu" %} - {{ wazuh_profile_ubuntu }} - {% endif %} - {% endif %} - {% if ansible_system == "Darwin" %} - {{ wazuh_profile_macos }} - {% endif %} - {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} - {{ wazuh_notify_time }} - {{ wazuh_time_reconnect }} - {% endif %} - {{ wazuh_auto_restart }} - {{ wazuh_crypto_method }} - - {% if wazuh_agent_config.enrollment.enabled == 'yes' %} - - {{ wazuh_agent_config.enrollment.enabled }} - {% if wazuh_agent_config.enrollment.manager_address | length > 0 %} - {{ wazuh_agent_config.enrollment.manager_address }} - {% endif %} - {% if wazuh_agent_config.enrollment.agent_name | length > 0 %} - {{ wazuh_agent_config.enrollment.agent_name }} - {% endif %} - {% if wazuh_agent_config.enrollment.port is defined > 0 %} - {{ wazuh_agent_config.enrollment.port }} - {% endif %} - {% if wazuh_agent_config.enrollment.groups | length > 0 %} - {{ wazuh_agent_config.enrollment.groups }} - {% endif %} - {% if wazuh_agent_config.enrollment.agent_address | length > 0 %} - {{ wazuh_agent_config.enrollment.agent_address }} - {% endif %} - {% if wazuh_agent_config.enrollment.server_ca_path | length > 0 %} - {{ wazuh_agent_config.enrollment.server_ca_path }} - {% endif %} - {% if wazuh_agent_config.enrollment.agent_certificate_path | length > 0 %} - {{ wazuh_agent_config.enrollment.agent_certificate_path }} - {% endif %} - {% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %} - {{ wazuh_agent_config.enrollment.agent_key_path }} - {% endif %} - {% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 and ansible_system != "Darwin" %} - {{ wazuh_agent_config.enrollment.authorization_pass_path }} - {% else %} - {{ wazuh_agent_config.enrollment.authorization_pass_path_macos }} - {% endif %} - {% if 
wazuh_agent_config.enrollment.auto_method | length > 0 %} - {{ wazuh_agent_config.enrollment.auto_method }} - {% endif %} - {% if wazuh_agent_config.enrollment.delay_after_enrollment is defined > 0 %} - {{ wazuh_agent_config.enrollment.delay_after_enrollment }} - {% endif %} - {% if wazuh_agent_config.enrollment.use_source_ip | length > 0 %} - {{ wazuh_agent_config.enrollment.use_source_ip }} - {% endif %} - - {% endif %} - -
- - - - {{ wazuh_agent_config.client_buffer.disable }} - {{ wazuh_agent_config.client_buffer.queue_size }} - {{ wazuh_agent_config.client_buffer.events_per_sec }} - - - {% if wazuh_agent_config.rootcheck is defined %} - - no - {% if ansible_system == "Linux" or ansible_system == "Darwin" %} - yes - yes - yes - yes - yes - yes - yes - - - {{ wazuh_agent_config.rootcheck.frequency }} - - {% if ansible_system == "Darwin" %} - etc/shared/rootkit_files.txt - etc/shared/rootkit_trojans.txt - {% else %} - {{ wazuh_dir }}/etc/shared/rootkit_files.txt - {{ wazuh_dir }}/etc/shared/rootkit_trojans.txt - {% endif %} - yes - {% endif %} - {% if ansible_os_family == "Windows" %} - ./shared/win_applications_rcl.txt - ./shared/win_malware_rcl.txt - {% endif %} - - - - {% endif %} - - - {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %} - - {{ wazuh_agent_config.openscap.disable }} - {{ wazuh_agent_config.openscap.timeout }} - {{ wazuh_agent_config.openscap.interval }} - {{ wazuh_agent_config.openscap.scan_on_start }} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} - - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution == 'Debian' %} - {% if ansible_distribution_release == 'jessie' %} - {% if openscap_version_valid.stdout == "0" %} - - xccdf_org.ssgproject.content_profile_common - - - {% endif %} - {% elif ansible_distribution_release == 'stretch' %} - - {% endif %} - {% elif ansible_distribution == 'CentOS' %} - {% if ansible_distribution_major_version == '8' %} - {# Policy not available #} - {% elif ansible_distribution_major_version == '7' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution_major_version == '6' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - {% elif ansible_distribution == 'RedHat' %} - {% if 
ansible_distribution_major_version == '8' %} - {# Policy not available #} - {% elif ansible_distribution_major_version == '7' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution_major_version == '6' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - {% if ansible_distribution_major_version == '7' %} - - {% elif ansible_distribution_major_version == '6' %} - - {% endif %} - {% elif ansible_distribution == 'Fedora' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - - {% endif %} - - {% if ansible_system != "Darwin" %} - - {{ wazuh_agent_config.cis_cat.disable }} - {{ wazuh_agent_config.cis_cat.timeout }} - {{ wazuh_agent_config.cis_cat.interval }} - {{ wazuh_agent_config.cis_cat.scan_on_start }} - {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %} - /usr/bin - {% elif ansible_os_family == "Windows" %} - {{ wazuh_agent_config.cis_cat.java_path_win }} - {% else %} - {{ wazuh_agent_config.cis_cat.java_path }} - {% endif %} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %} - - {% endif %} - - - - {{ wazuh_agent_config.osquery.disable }} - {{ wazuh_agent_config.osquery.run_daemon }} - {% if ansible_os_family == "Windows" %} - {{ wazuh_agent_config.osquery.bin_path_win }} - {% endif %} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %} - {{ wazuh_agent_config.osquery.add_labels }} - - - - - {{ wazuh_agent_config.syscollector.disable }} - {{ wazuh_agent_config.syscollector.interval 
}} - {{ wazuh_agent_config.syscollector.scan_on_start }} - {{ wazuh_agent_config.syscollector.hardware }} - {{ wazuh_agent_config.syscollector.os }} - {{ wazuh_agent_config.syscollector.network }} - {{ wazuh_agent_config.syscollector.packages }} - {{ wazuh_agent_config.syscollector.ports_no }} - {{ wazuh_agent_config.syscollector.processes }} - - - - {% if wazuh_agent_config.sca.enabled | length > 0 %} - {{ wazuh_agent_config.sca.enabled }} - {% endif %} - {% if wazuh_agent_config.sca.scan_on_start | length > 0 %} - {{ wazuh_agent_config.sca.scan_on_start }} - {% endif %} - {% if wazuh_agent_config.sca.interval | length > 0 %} - {{ wazuh_agent_config.sca.interval }} - {% endif %} - {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} - yes - {% endif %} - {% if wazuh_agent_config.sca.day | length > 0 %} - {{ wazuh_agent_config.sca.day }} - {% endif %} - {% if wazuh_agent_config.sca.wday | length > 0 %} - {{ wazuh_agent_config.sca.wday }} - {% endif %} - {% if wazuh_agent_config.sca.time | length > 0 %} - - {% endif %} - - - - - {% if wazuh_agent_config.syscheck is defined %} - - no - {{ wazuh_agent_config.syscheck.frequency }} - {% if ansible_system == "Linux" or ansible_system == "Darwin" %} - {{ wazuh_agent_config.syscheck.scan_on_start }} - - {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %} - {% for directory in wazuh_agent_config.syscheck.directories %} - {{ directory.dirs }} - {% endfor %} - {% elif ansible_system == "Darwin" %} - {% for directory in wazuh_agent_config.syscheck.macos_directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - {% endif %} - - - {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %} - {% for directory in wazuh_agent_config.syscheck.win_directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - - - {% if wazuh_agent_config.syscheck.ignore is defined and (ansible_system == "Linux" or ansible_system == "Darwin") %} - {% for 
ignore in wazuh_agent_config.syscheck.ignore %} - {{ ignore }} - {% endfor %} - {% endif %} - - - {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %} - {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %} - {{ ignore }} - {% endfor %} - {% endif %} - - {% if wazuh_agent_config.syscheck.ignore is defined and ansible_os_family == "Windows" %} - {% for ignore in wazuh_agent_config.syscheck.ignore_win %} - {{ ignore }} - {% endfor %} - {% endif %} - - {% if ansible_system == "Linux" or ansible_system == "Darwin" %} - - {% for no_diff in wazuh_agent_config.syscheck.no_diff %} - {{ no_diff }} - {% endfor %} - - {{ wazuh_agent_config.syscheck.skip_nfs }} - {{ wazuh_agent_config.syscheck.skip_dev }} - {{ wazuh_agent_config.syscheck.skip_proc }} - {{ wazuh_agent_config.syscheck.skip_sys }} - {% endif %} - - {% if ansible_os_family == "Windows" %} - {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} - {% if registry_key.arch is defined %} - {{ registry_key.key }} - {% else %} - {{ registry_key.key }} - {% endif %} - {% endfor %} - {% endif %} - - {% if ansible_os_family == "Windows" %} - {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %} - {% if registry_key.type is defined %} - {{ registry_key.key }} - {% else %} - {{ registry_key.key }} - {% endif %} - {% endfor %} - {% endif %} - - {% if ansible_os_family == "Windows" %} - - {{ wazuh_agent_config.syscheck.win_audit_interval }} - {% endif %} - - - {{ wazuh_agent_config.syscheck.process_priority }} - - - {{ wazuh_agent_config.syscheck.max_eps }} - - - - {{ wazuh_agent_config.syscheck.sync_enabled }} - {{ wazuh_agent_config.syscheck.sync_interval }} - {{ wazuh_agent_config.syscheck.sync_max_interval }} - {{ wazuh_agent_config.syscheck.sync_max_eps }} - - - {% endif %} - - - {% if ansible_system == "Linux" %} - {% for localfile in wazuh_agent_config.localfiles.linux %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or 
localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'json' %} - {% for label in localfile.label %} - - {% endfor %} - {% endif %} - {% endif %} - - {% endfor %} - - journald - journald - - {% endif %} - - {% if ansible_system == "Darwin" %} - {% for localfile in wazuh_agent_config.localfiles.macos %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'macos' %} - {{ localfile.query.value }} - {% endif %} - {% endif %} - - {% endfor %} - {% endif %} - - {% if ansible_os_family == "Debian" %} - {% for localfile in wazuh_agent_config.localfiles.debian %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'json' %} - {% for label in localfile.label %} - - {% endfor %} - {% endif %} - {% endif %} - - {% endfor %} - {% endif %} - - {% if ansible_os_family == "RedHat" %} - {% for localfile in wazuh_agent_config.localfiles.centos %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {{ localfile.frequency }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'json' %} - {% for label in localfile.label %} - - {% endfor %} - {% endif %} - {% endif %} - - {% endfor %} - {% endif %} - - {% if ansible_os_family == 
"Windows" %} - {% for localfile in wazuh_agent_config.localfiles.windows %} - - - {{ localfile.format }} - {% if localfile.format == 'eventchannel' %} - {{ localfile.location }} - {{ localfile.query}} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'json' %} - {% for label in localfile.label %} - - {% endfor %} - {% endif %} - {% endif %} - - {% endfor %} - {% endif %} - -{% if wazuh_agent_config.labels.enable == true %} - - {% for label in wazuh_agent_config.labels.list %} - - {% endfor %} - -{% endif %} - - - {{ wazuh_agent_config.active_response.ar_disabled|default('no') }} - {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% elif ansible_system == "Darwin" %}{{ wazuh_agent_config.active_response.ca_store_macos }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %} - {{ wazuh_agent_config.active_response.ca_verification }} - - - - {{ wazuh_agent_config.log_format }} - - -
diff --git a/roles/wazuh/ansible-wazuh-manager/README.md b/roles/wazuh/ansible-wazuh-manager/README.md
deleted file mode 100644
index 2ad7a68b..00000000
--- a/roles/wazuh/ansible-wazuh-manager/README.md
+++ /dev/null
@@ -1,216 +0,0 @@ -Ansible Playbook - Wazuh manager -================================ - -This role will install the Wazuh manager on a host. - -Requirements ------------- - -This role will work on: - * Red Hat - * CentOS - * Fedora - * Debian - * Ubuntu - -Role Variables --------------- - -This role has some variables which you can or need to override. -``` -wazuh_manager_fqdn: ~ -wazuh_manager_config: [] -shared_agent_config: [] -``` - -Vault variables ----------------- - -### vars/wazuh_api_creds.yml -This file has user and password created in httpasswd format. -``` ---- -wazuh_api_user: - - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/" -``` - -### vars/authd_pass.yml -This file has the password to be used for the authd daemon. -``` ---- -authd_pass: foobar -``` - -Default config --------------- - -### defaults/main.yml -``` ---- -wazuh_manager_fqdn: "wazuh-server" - -wazuh_manager_config: - json_output: 'yes' - alerts_log: 'yes' - logall: 'no' - authd: - enable: false - email_notification: no - mail_to: - - admin@example.net - mail_smtp_server: localhost - mail_from: wazuh-server@example.com - syscheck: - frequency: 43200 - scan_on_start: 'yes' - ignore: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - no_diff: - - /etc/ssl/private.key - directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: 'check_all="yes"' - - dirs: /bin,/sbin - checks: 'check_all="yes"' - rootcheck: - frequency: 43200 - openscap: - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - log_level: 1 - email_level: 12 - localfiles: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'command' - command: 'df -P' - frequency: '360' - - format: 'full_command' - command: 'netstat -tln | grep -v 127.0.0.1 | sort' - frequency: '360' - - 
format: 'full_command' - command: 'last -n 20' - frequency: '360' - globals: - - '127.0.0.1' - - '192.168.2.1' - connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - commands: - - name: 'disable-account' - executable: 'disable-account.sh' - expect: 'user' - timeout_allowed: 'yes' - - name: 'restart-ossec' - executable: 'restart-ossec.sh' - expect: '' - timeout_allowed: 'no' - - name: 'firewall-drop' - executable: 'firewall-drop.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'host-deny' - executable: 'host-deny.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'route-null' - executable: 'route-null.sh' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'win_route-null' - executable: 'route-null.cmd' - expect: 'srcip' - timeout_allowed: 'yes' - active_responses: - - command: 'host-deny' - location: 'local' - level: 6 - timeout: 600 - -shared_agent_config: - - type: os - type_value: linux - frequency_check: 79200 - ignore_files: - - /etc/mtab - - /etc/mnttab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/svc/volatile - directories: - - check_all: yes - dirs: /etc,/usr/bin,/usr/sbin - - check_all: yes - dirs: /bin,/sbin - localfiles: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'apache' - location: '/var/log/httpd/error_log' - - format: 'apache' - location: '/var/log/httpd/access_log' - - format: 'apache' - location: '/var/ossec/logs/active-responses.log' -``` - -#### Custom variables: -You can create a YAML file and change the default variables for this role, to later using it with `-e` option in `ansible-playbooks`, for example: - -``` ---- -wazuh_manager_fqdn: "wazuh-server" - -wazuh_manager_config: - email_notification: yes - mail_to: - - myadmin@mydomain.com - mail_smtp_server: mysmtp.mydomain.com -``` - -Dependencies ------------- - -No dependencies. 
- -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: wazuh-server.example.com - roles: - - { role: ansible-wazuh-server } - -License and copyright ---------------------- - -WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) - -### Based on previous work from dj-wasabi - - - https://github.com/dj-wasabi/ansible-ossec-server - -### Modified by Wazuh - -The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml deleted file mode 100644 index f2e1dae6..00000000 --- a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml +++ /dev/null 
@@ -1,431 +0,0 @@ ---- -wazuh_manager_version: 5.0.0 - -wazuh_manager_fqdn: "wazuh-server" -wazuh_manager_package_state: present - -# Custom packages installation -wazuh_custom_packages_installation_manager_enabled: false -wazuh_custom_packages_installation_manager_deb_url: "https://packages-dev.wazuh.com/" -wazuh_custom_packages_installation_manager_rpm_url: "https://packages-dev.wazuh.com/" - -wazuh_dir: "/var/ossec" - -########################################## -### Wazuh-OSSEC -########################################## - -# groups to create -agent_groups: [] - -## Global -wazuh_manager_json_output: 'yes' -wazuh_manager_alerts_log: 'yes' -wazuh_manager_logall: 'no' -wazuh_manager_logall_json: 'no' - -wazuh_manager_email_notification: 'no' -wazuh_manager_mailto: - - 'admin@example.net' - -wazuh_manager_email_smtp_server: smtp.example.wazuh.com -wazuh_manager_email_from: wazuh@example.wazuh.com -wazuh_manager_email_maxperhour: 12 -wazuh_manager_email_queue_size: 131072 -wazuh_manager_email_log_source: 'alerts.log' - -wazuh_manager_globals: - - '127.0.0.1' - - '^localhost.localdomain$' - - '127.0.0.53' - -wazuh_manager_agent_disconnection_time: '20s' -wazuh_manager_agents_disconnection_alert_time: '100s' - -## Alerts -wazuh_manager_log_level: 3 -wazuh_manager_email_level: 12 - -## Logging -wazuh_manager_log_format: 'plain' - -## Email alerts -wazuh_manager_extra_emails: - - enable: false - mail_to: 'recipient@example.wazuh.com' - format: full - level: 7 - event_location: null - group: null - do_not_delay: false - do_not_group: false - rule_id: null - - -## Remote -wazuh_manager_connection: - - type: 'secure' - port: '1514' - protocol: 'tcp' - queue_size: 131072 - -## Woodles -wazuh_manager_rootcheck: - frequency: 43200 - -wazuh_manager_openscap: - disable: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - -wazuh_manager_ciscat: - disable: 'yes' - install_java: 'yes' - timeout: 1800 - interval: '1d' - scan_on_start: 'yes' - java_path: 
'/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' - ciscat_path: 'wodles/ciscat' - -wazuh_manager_osquery: - disable: 'yes' - run_daemon: 'yes' - log_path: '/var/log/osquery/osqueryd.results.log' - config_path: '/etc/osquery/osquery.conf' - ad_labels: 'yes' - -wazuh_manager_syscollector: - disable: 'no' - interval: '1h' - scan_on_start: 'yes' - hardware: 'yes' - os: 'yes' - network: 'yes' - packages: 'yes' - ports_no: 'yes' - processes: 'yes' - -wazuh_manager_monitor_aws: - disabled: 'yes' - interval: '10m' - run_on_start: 'yes' - skip_on_error: 'yes' - s3: - - name: null - bucket_type: null - path: null - only_logs_after: null - access_key: null - secret_key: null - -## SCA -wazuh_manager_sca: - enabled: 'yes' - scan_on_start: 'yes' - interval: '12h' - skip_nfs: 'yes' - day: '' - wday: '' - time: '' - -## Vulnerability Detector -filebeat_node_name: node-1 -filebeat_output_indexer_hosts: - - "localhost" -filebeat_output_indexer_port: 9200 -indexer_security_user: admin -indexer_security_password: changeme -filebeat_ssl_dir: /etc/pki/filebeat - -wazuh_manager_vulnerability_detection: - enabled: 'yes' - index_status: 'yes' - feed_update_interval: '60m' - -wazuh_manager_indexer: - enabled: 'yes' - hosts: "{{ filebeat_output_indexer_hosts }}" - -## Syscheck -wazuh_manager_syscheck: - disable: 'no' - frequency: 43200 - scan_on_start: 'yes' - auto_ignore: 'no' - ignore: - - /etc/mtab - - /etc/hosts.deny - - /etc/mail/statistics - - /etc/random-seed - - /etc/random.seed - - /etc/adjtime - - /etc/httpd/logs - - /etc/utmpx - - /etc/wtmpx - - /etc/cups/certs - - /etc/dumpdates - - /etc/svc/volatile - ignore_linux_type: - - '.log$|.swp$' - no_diff: - - /etc/ssl/private.key - directories: - - dirs: /etc,/usr/bin,/usr/sbin - checks: '' - - dirs: /bin,/sbin,/boot - checks: '' - auto_ignore_frequency: - frequency: 'frequency="10"' - timeframe: 'timeframe="3600"' - value: 'no' - skip_nfs: 'yes' - skip_dev: 'yes' - skip_proc: 'yes' - skip_sys: 'yes' - process_priority: 10 - max_eps: 
100 - sync_enabled: 'yes' - sync_interval: '5m' - sync_max_interval: '1h' - sync_max_eps: 10 - -## Command -wazuh_manager_commands: - - name: 'disable-account' - executable: 'disable-account' - timeout_allowed: 'yes' - - name: 'restart-wazuh' - executable: 'restart-wazuh' - - name: 'firewall-drop' - executable: 'firewall-drop' - expect: 'srcip' - timeout_allowed: 'yes' - - name: 'host-deny' - executable: 'host-deny' - timeout_allowed: 'yes' - - name: 'route-null' - executable: 'route-null' - timeout_allowed: 'yes' - - name: 'win_route-null' - executable: 'route-null.exe' - timeout_allowed: 'yes' - - name: 'netsh' - executable: 'netsh.exe' - timeout_allowed: 'yes' - -## Localfile -wazuh_manager_localfiles: - common: - - format: 'command' - command: df -P - frequency: '360' - - format: 'full_command' - command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - alias: 'netstat listening ports' - frequency: '360' - - format: 'full_command' - command: 'last -n 20' - frequency: '360' - - format: 'syslog' - location: "{{ wazuh_dir }}/logs/active-responses.log" - debian: - - format: 'syslog' - location: '/var/log/auth.log' - - format: 'syslog' - location: '/var/log/syslog' - - format: 'syslog' - location: '/var/log/dpkg.log' - - format: 'syslog' - location: '/var/log/kern.log' - centos: - - format: 'syslog' - location: '/var/log/messages' - - format: 'syslog' - location: '/var/log/secure' - - format: 'syslog' - location: '/var/log/maillog' - - format: 'audit' - location: '/var/log/audit/audit.log' - -## Labels -wazuh_manager_labels: - enable: false - list: - - key: Env - value: Production - -## Ruleset -wazuh_manager_ruleset: - rules_path: 'custom_ruleset/rules/' - decoders_path: 'custom_ruleset/decoders/' - cdb_lists: - - 'audit-keys' - - 'security-eventchannel' - - 
'amazon/aws-eventnames' - - 'malicious-ioc/malicious-ip' - - 'malicious-ioc/malicious-domains' - - 'malicious-ioc/malware-hashes' - -wazuh_manager_rule_exclude: - - '0215-policy_rules.xml' - -## Auth -wazuh_manager_authd: - enable: true - port: 1515 - use_source_ip: 'no' - force: - enabled: 'yes' - key_mismatch: 'yes' - disconnected_time: '1h' - after_registration_time: '1h' - purge: 'yes' - use_password: 'no' - ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' - ssl_agent_ca: null - ssl_verify_host: 'no' - ssl_manager_cert: 'sslmanager.cert' - ssl_manager_key: 'sslmanager.key' - ssl_auto_negotiate: 'no' - -## Cluster -wazuh_manager_cluster: - disable: 'yes' - name: 'wazuh' - node_name: 'manager_01' - node_type: 'master' - key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' - port: '1516' - bind_addr: '0.0.0.0' - nodes: - - 'manager' - hidden: 'no' - -## Wazuh API setup -wazuh_manager_api: - bind_addr: 0.0.0.0 - port: 55000 - behind_proxy_server: no - https: yes - https_key: "api/configuration/ssl/server.key" - https_cert: "api/configuration/ssl/server.crt" - https_use_ca: False - https_ca: "api/configuration/ssl/ca.crt" - logging_level: "info" - logging_path: "logs/api.log" - cors: no - cors_source_route: "*" - cors_expose_headers: "*" - cors_allow_headers: "*" - cors_allow_credentials: no - cache: yes - cache_time: 0.750 - access_max_login_attempts: 5 - access_block_time: 300 - access_max_request_per_minute: 300 - drop_privileges: yes - experimental_features: no - remote_commands_localfile: yes - remote_commands_localfile_exceptions: [] - remote_commands_wodle: yes - remote_commands_wodle_exceptions: [] -# wazuh_api_users: -# - username: custom-user -# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars) - -# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo, -# we should also cover the case for partial settings in inventory variables overlayed on top of 
role's -# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false. -# -# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions: -# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour -# -wazuh_manager_config_overlay: true - -## Other/Wrappers -wazuh_manager_config_defaults: - repo: '{{ wazuh_repo }}' - json_output: '{{ wazuh_manager_json_output }}' - alerts_log: '{{ wazuh_manager_alerts_log }}' - logall: '{{ wazuh_manager_logall }}' - logall_json: '{{ wazuh_manager_logall_json }}' - log_format: '{{ wazuh_manager_log_format }}' - api: '{{ wazuh_manager_api }}' - cluster: '{{ wazuh_manager_cluster }}' - connection: '{{ wazuh_manager_connection }}' - authd: '{{ wazuh_manager_authd }}' - email_notification: '{{ wazuh_manager_email_notification }}' - mail_to: '{{ wazuh_manager_mailto }}' - mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}' - mail_from: '{{ wazuh_manager_email_from }}' - mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}' - mail_queue_size: '{{ wazuh_manager_email_queue_size }}' - email_log_source: '{{ wazuh_manager_email_log_source }}' - extra_emails: '{{ wazuh_manager_extra_emails }}' - syscheck: '{{ wazuh_manager_syscheck }}' - rootcheck: '{{ wazuh_manager_rootcheck }}' - openscap: '{{ wazuh_manager_openscap }}' - cis_cat: '{{ wazuh_manager_ciscat }}' - osquery: '{{ wazuh_manager_osquery }}' - syscollector: '{{ wazuh_manager_syscollector }}' - sca: '{{ wazuh_manager_sca }}' - vulnerability_detection: '{{ wazuh_manager_vulnerability_detection }}' - indexer: '{{ wazuh_manager_indexer }}' - localfiles: '{{ wazuh_manager_localfiles }}' - globals: '{{ wazuh_manager_globals }}' - commands: '{{ wazuh_manager_commands }}' - ruleset: '{{ wazuh_manager_ruleset }}' - rule_exclude: '{{ wazuh_manager_rule_exclude }}' - monitor_aws: '{{ wazuh_manager_monitor_aws }}' - labels: '{{ wazuh_manager_labels }}' - 
agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}' - agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}' - -# shared-agent.conf - -# shared_agent_config: -# - type: os -# type_value: Linux -# syscheck: -# frequency: 43200 -# scan_on_start: 'yes' -# ignore: -# - /etc/mtab -# - /etc/mnttab -# - /etc/hosts.deny -# - /etc/mail/statistics -# - /etc/svc/volatile -# no_diff: -# - /etc/ssl/private.key -# rootcheck: -# frequency: 43200 -# cis_distribution_filename: null -# localfiles: -# - format: 'syslog' -# location: '/var/log/messages' -# - format: 'syslog' -# location: '/var/log/secure' -# - format: 'syslog' -# location: '/var/log/maillog' -# - format: 'apache' -# location: '/var/log/httpd/error_log' -# - format: 'apache' -# location: '/var/log/httpd/access_log' -# - format: 'apache' -# location: "{{ wazuh_dir }}/logs/active-responses.log" -# - type: os -# type_value: Windows -# syscheck: -# frequency: 43200 -# scan_on_start: 'yes' -# auto_ignore: 'no' -# windows_registry: -# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' -# arch: 'both' -# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' -# localfiles: -# - location: 'Security' -# format: 'eventchannel' -# - location: 'System' -# format: 'eventlog' diff --git a/roles/wazuh/ansible-wazuh-manager/files/create_user.py b/roles/wazuh/ansible-wazuh-manager/files/create_user.py deleted file mode 100644 index 0216d58d..00000000 --- a/roles/wazuh/ansible-wazuh-manager/files/create_user.py +++ /dev/null 
@@ -1,102 +0,0 @@ -import logging -import sys -import json -import random -import string -import os - -# Set framework path -sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework") - -USER_FILE_PATH = "/var/ossec/api/configuration/admin.json" -SPECIAL_CHARS = "@$!%*?&-_" - - -try: - from wazuh.rbac.orm import check_database_integrity - from wazuh.security import ( - create_user, - get_users, - get_roles, - set_user_role, - update_user, - ) -except Exception as e: - logging.error("No module 'wazuh' found.") - sys.exit(1) - - -def read_user_file(path=USER_FILE_PATH): - with open(path) as user_file: - data = json.load(user_file) - return data["username"], data["password"] - - -def db_users(): - users_result = get_users() - return {user["username"]: user["id"] for user in users_result.affected_items} - - -def db_roles(): - roles_result = get_roles() - return {role["name"]: role["id"] for role in roles_result.affected_items} - -def disable_user(uid): - random_pass = "".join( - random.choices( - string.ascii_uppercase - + string.ascii_lowercase - + string.digits - + SPECIAL_CHARS, - k=8, - ) - ) - # assure there must be at least one character from each group - random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]]) - random_pass = ''.join(random.sample(random_pass,len(random_pass))) - update_user( - user_id=[ - str(uid), - ], - password=random_pass, - ) - - -if __name__ == "__main__": - if not os.path.exists(USER_FILE_PATH): - # abort if no user file detected - sys.exit(0) - username, password = read_user_file() - - # create RBAC database - check_database_integrity() - - initial_users = db_users() - if username not in initial_users: - # create a new user - create_user(username=username, password=password) - users = db_users() - uid = users[username] - roles = db_roles() - rid = roles["administrator"] - set_user_role( - user_id=[ - str(uid), - ], - role_ids=[ - 
str(rid), - ], - ) - else: - # modify an existing user ("wazuh" or "wazuh-wui") - uid = initial_users[username] - update_user( - user_id=[ - str(uid), - ], - password=password, - ) - # disable unused default users - #for def_user in ['wazuh', 'wazuh-wui']: - # if def_user != username: - # disable_user(initial_users[def_user]) \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml deleted file mode 100644 index bf5947c7..00000000 --- a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - sample_custom_decoder - diff --git a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml deleted file mode 100644 index e5fb3563..00000000 --- a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - - - - - 5716 - 1.1.1.1 - sshd: authentication failed from IP 1.1.1.1. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - - - diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml deleted file mode 100644 index faf885b0..00000000 --- a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: restart wazuh-manager - service: - name: wazuh-manager - state: restarted - enabled: true - -- name: restart wazuh-api - service: - name: wazuh-api - state: restarted - enabled: true diff --git a/roles/wazuh/ansible-wazuh-manager/meta/main.yml b/roles/wazuh/ansible-wazuh-manager/meta/main.yml deleted file mode 100644 index 1275d232..00000000 --- a/roles/wazuh/ansible-wazuh-manager/meta/main.yml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -galaxy_info: - author: Wazuh - description: Installing, deploying and configuring Wazuh Manager. - company: wazuh.com - license: license (GPLv3) - min_ansible_version: 2.0 - platforms: - - name: EL - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: Fedora - versions: - - all - galaxy_tags: - - monitoring -dependencies: [] diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml deleted file mode 100644 index fdbfddee..00000000 --- a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl - apt: - name: - - apt-transport-https - - ca-certificates - - gnupg - - acl - state: present - cache_valid_time: 3600 - install_recommends: false - register: wazuh_manager_https_packages_installed - until: wazuh_manager_https_packages_installed is succeeded - -- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14) - become: true - shell: | - set -o pipefail - curl -s {{ wazuh_manager_config.repo.gpg }} | apt-key add - - args: - # warn: false - executable: /bin/bash - changed_when: false - when: - - ansible_distribution == "Ubuntu" - - ansible_distribution_major_version | int == 14 - - not wazuh_custom_packages_installation_manager_enabled - -- name: Debian/Ubuntu | Download Wazuh repository key - get_url: - url: "{{ wazuh_manager_config.repo.gpg }}" - dest: "{{ wazuh_manager_config.repo.path }}" - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_manager_enabled - -- name: Debian/Ubuntu | Import Wazuh GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_manager_config.repo.keyring_path }} --import {{ wazuh_manager_config.repo.path }}" - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_manager_enabled - args: - creates: "{{ wazuh_manager_config.repo.keyring_path }}" - -- name: Debian/Ubuntu | Set permissions for Wazuh GPG key - file: - path: "{{ wazuh_manager_config.repo.keyring_path }}" - mode: '0644' - when: - - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - - not wazuh_custom_packages_installation_manager_enabled - -- name: Debian/Ubuntu | Add Wazuh repositories - apt_repository: - filename: wazuh_repo - repo: "{{ wazuh_manager_config.repo.apt }}" - state: present - update_cache: true - changed_when: 
false - when: - - not wazuh_custom_packages_installation_manager_enabled - -- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu - set_fact: - cis_distribution_filename: cis_debian_linux_rcl.txt - -- name: Debian/Ubuntu | Install OpenJDK-8 repo - apt_repository: - repo: 'ppa:openjdk-r/ppa' - state: present - update_cache: true - when: - - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) - -- when: - - wazuh_manager_config.cis_cat.disable == 'no' - - wazuh_manager_config.cis_cat.install_java == 'yes' - block: - - name: Debian/Ubuntu | Install OpenJDK 1.8 - apt: name=openjdk-8-jre state=present cache_valid_time=3600 - tags: - - init - -- name: Debian/Ubuntu | Install OpenScap - apt: - name: - - libopenscap8 - - xsltproc - state: present - cache_valid_time: 3600 - install_recommends: false - register: wazuh_manager_openscap_installed - until: wazuh_manager_openscap_installed is succeeded - when: wazuh_manager_config.openscap.disable == 'no' - tags: - - init - -- name: Debian/Ubuntu | Get OpenScap installed version - shell: "dpkg-query --showformat='${Version}' --show libopenscap8" - when: wazuh_manager_config.openscap.disable == 'no' - register: openscap_version - changed_when: false - tags: - - config - -- name: Debian/Ubuntu | Check OpenScap version - shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" - when: wazuh_manager_config.openscap.disable == 'no' - register: openscap_version_valid - changed_when: false - tags: - - config - -- name: Debian/Ubuntu | Install wazuh-manager - apt: - name: - - "wazuh-manager={{ wazuh_manager_version }}-*" - state: present - tags: init - when: - - not wazuh_custom_packages_installation_manager_enabled - -- include_tasks: "installation_from_custom_packages.yml" - when: - - wazuh_custom_packages_installation_manager_enabled 
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
deleted file mode 100644
index eb50c4e1..00000000
--- a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml
+++ /dev/null
@@ -1,134 +0,0 @@ ---- -- name: RedHat/CentOS 5 | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: "{{ wazuh_manager_config.repo.yum }}5/" - gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5" - gpgcheck: true - changed_when: false - when: - - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon') - - (ansible_distribution_major_version|int <= 5) - - not wazuh_custom_packages_installation_manager_enabled - register: repo_v5_manager_installed - -- name: RedHat/CentOS/Fedora | Install Wazuh repo - yum_repository: - name: wazuh_repo - description: Wazuh repository - baseurl: "{{ wazuh_manager_config.repo.yum }}" - gpgkey: "{{ wazuh_manager_config.repo.gpg }}" - gpgcheck: true - changed_when: false - when: - - repo_v5_manager_installed is skipped - - not wazuh_custom_packages_installation_manager_enabled - -- name: RedHat/CentOS/Fedora | Install openscap - package: name={{ item }} state=present - with_items: - - openscap-scanner - register: wazuh_manager_openscp_packages_installed - until: wazuh_manager_openscp_packages_installed is succeeded - tags: - - init - when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") and - not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") - -- name: CentOS 6 | Install Software Collections (SCL) Repository - package: name=centos-release-scl state=present - register: wazuh_manager_scl_packages_installed - until: wazuh_manager_scl_packages_installed is succeeded - when: - - ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' - - wazuh_manager_config.cluster.disable != 'yes' - -- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL) - command: yum-config-manager --enable {{ item }} - with_items: - - rhui-REGION-rhel-server-rhscl - - rhel-server-rhscl-6-rpms - when: - - ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6' - - 
wazuh_manager_config.cluster.disable != 'yes' - -- name: CentOS/RedHat 6 | Install Python 2.7 - package: name=python27 state=present - register: wazuh_manager_python_package_installed - until: wazuh_manager_python_package_installed is succeeded - when: - - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' - - wazuh_manager_config.cluster.disable != 'yes' - -- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 - yum: - name: java-1.8.0-openjdk - state: present - lock_timeout: 200 - when: - - wazuh_manager_config.cis_cat.disable == 'no' - - wazuh_manager_config.cis_cat.install_java == 'yes' - tags: - - init - -- name: Set Distribution CIS filename for RHEL5/CentOS-5 - set_fact: - cis_distribution_filename: cis_rhel5_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5' - -- name: Set Distribution CIS filename for RHEL6/CentOS-6 - set_fact: - cis_distribution_filename: cis_rhel6_linux_rcl.txt - when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6' - -- name: Set Distribution CIS filename for RHEL7/CentOS-7 - set_fact: - cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: - - ansible_os_family == "RedHat" and ansible_distribution_major_version == '7' - -- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon) - set_fact: - cis_distribution_filename: cis_rhel7_linux_rcl.txt - when: - - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" - -- name: CentOS/RedHat/Amazon | Install wazuh-manager - package: - name: "wazuh-manager-{{ wazuh_manager_version }}" - state: "{{ wazuh_manager_package_state }}" - register: wazuh_manager_main_packages_installed - until: wazuh_manager_main_packages_installed is succeeded - when: - - ansible_os_family|lower == "redhat" - - not wazuh_custom_packages_installation_manager_enabled - tags: - - init - -- include_tasks: 
"../tasks/installation_from_custom_packages.yml" - when: - - wazuh_custom_packages_installation_manager_enabled - -- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3 - replace: - path: /etc/init.d/wazuh-manager - regexp: 'echo -n "Starting Wazuh-manager: "' - replace: "echo -n \"Starting Wazuh-manager (EL6): \"; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{{ wazuh_dir }}/framework/lib" - when: - - ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6 - - wazuh_manager_config.cluster.disable != 'yes' - -- name: Install expect (EL5) - package: - name: "{{ item }}" - state: "{{ wazuh_manager_package_state }}" - with_items: - - expect - register: wazuh_manager_main_packages_installed - until: wazuh_manager_main_packages_installed is succeeded - when: - - ansible_os_family|lower == "RedHat" - - ansible_distribution_major_version|int < 6 - tags: - - init diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml b/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml deleted file mode 100644 index 9940c700..00000000 --- a/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- - -# Vars -# cmake_download_url: http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz -# cmake_version: 3.18.3 -# - - name: Include CMake install vars - include_vars: install_cmake.yml - - - name: Download CMake sources - get_url: - url: "{{ cmake_download_url }}" - dest: "/tmp/cmake-{{ cmake_version }}.tar.gz" - register: cmake_download - - - name: Unpack CMake - unarchive: - copy: no - dest: /tmp/ - src: "{{ cmake_download.dest }}" - when: cmake_download.changed - register: cmake_unpack - - - name: Configure CMake - command: "./bootstrap" - args: - chdir: "/tmp/cmake-{{ cmake_version }}" - when: cmake_unpack.changed - register: cmake_configure - - - name: Install CMake - shell: make && make install - args: - chdir: "/tmp/cmake-{{ cmake_version }}" - when: cmake_configure.changed - - - name: Delete installation files - file: - state: absent - path: "/tmp/cmake-{{ cmake_version }}" \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml deleted file mode 100644 index e52d1e8a..00000000 --- a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- - - block: - - name: Install Wazuh Manager from .deb packages - apt: - deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}" - state: present - when: - - wazuh_custom_packages_installation_manager_enabled - when: - - ansible_os_family|lower == "debian" - - - block: - - name: Install Wazuh Manager from .rpm packages | yum - yum: - name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}" - state: present - lock_timeout: 200 - when: - - wazuh_custom_packages_installation_manager_enabled - - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") - - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") - - - name: Install Wazuh Manager from .rpm packages | dnf - dnf: - name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}" - state: present - when: - - wazuh_custom_packages_installation_manager_enabled - - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or - (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8") - when: - - ansible_os_family|lower == "redhat" \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml deleted file mode 100644 index 828e73f5..00000000 --- a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml +++ /dev/null 
@@ -1,305 +0,0 @@ ---- - -- name: "Install dependencies" - block: - - name: "Install common dependencies" - package: - name: - - unzip - - openssl - - tar - state: present - register: package_status - until: "package_status is not failed" - retries: 10 - delay: 10 - - - name: "Install curl" - package: - name: curl - state: present - when: ansible_distribution != "Amazon" and ansible_distribution_version != "2023" - register: package_status - until: "package_status is not failed" - retries: 10 - delay: 10 - - - name: "Install curl minimal in AL2023" - package: - name: curl-minimal - state: present - when: ansible_distribution == "Amazon" and ansible_distribution_version == "2023" - register: package_status - until: "package_status is not failed" - retries: 10 - delay: 10 - -- include_vars: ../../vars/repo_vars.yml - -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' - -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' - -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- name: Overlay wazuh_manager_config on top of defaults - set_fact: - wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}' - vars: - config_layer: '{{ wazuh_manager_config | default({}) }}' - when: wazuh_manager_config_overlay | bool - -- include_tasks: "RedHat.yml" - when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon") - -- include_tasks: "Debian.yml" - when: ansible_os_family == "Debian" - -- name: Generate the wazuh-keystore (username) - shell: > - /var/ossec/bin/wazuh-keystore -f indexer -k username -v {{ indexer_security_user }} - notify: restart wazuh-manager - tags: - - init - - config - -- name: Generate the wazuh-keystore (password) - shell: > - /var/ossec/bin/wazuh-keystore -f indexer -k password -v {{ indexer_security_password }} - 
notify: restart wazuh-manager - tags: - - init - - config - -- name: Install expect - package: - name: expect - state: "{{ wazuh_manager_package_state }}" - when: - - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) and - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8) - tags: init - -- name: Generate SSL files for authd - command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/" - args: - creates: sslmanager.cert - chdir: "{{ wazuh_dir }}/etc/" - tags: - - config - when: wazuh_manager_config.authd.ssl_agent_ca is not none - -- name: Copy CA, SSL key and cert for authd - copy: - src: "{{ item }}" - dest: "{{ wazuh_dir }}/etc/{{ item }}" - mode: 0644 - with_items: - - "{{ wazuh_manager_config.authd.ssl_agent_ca }}" - - "{{ wazuh_manager_config.authd.ssl_manager_cert }}" - - "{{ wazuh_manager_config.authd.ssl_manager_key }}" - tags: - - config - when: wazuh_manager_config.authd.ssl_agent_ca is not none - -- name: Verifying for old init authd service - stat: path=/etc/init.d/ossec-authd - register: old_authd_service - tags: - - config - -- name: Verifying for old systemd authd service - stat: path=/lib/systemd/system/ossec-authd.service - register: old_authd_service - tags: - - config - -- name: Ensure ossec-authd service is disabled - service: name=ossec-authd enabled=no state=stopped - when: old_authd_service.stat.exists - tags: - - config - -- name: Removing old init authd services - file: path="{{ item }}" state=absent - with_items: - - "/etc/init.d/ossec-authd" - - "/lib/systemd/system/ossec-authd.service" - when: old_authd_service.stat.exists - tags: - - config - -- name: Installing the local_rules.xml (default local_rules.xml) - template: src=var-ossec-rules-local_rules.xml.j2 - dest="{{ wazuh_dir }}/etc/rules/local_rules.xml" - owner=wazuh - group=wazuh - mode=0660 - notify: restart 
wazuh-manager - tags: - - init - - config - - rules - -- name: Adding local rules files - copy: src="{{ wazuh_manager_config.ruleset.rules_path }}" - dest="{{ wazuh_dir }}/etc/rules/" - owner=wazuh - group=wazuh - mode=0660 - notify: restart wazuh-manager - tags: - - init - - config - - rules - -- name: Installing the local_decoder.xml - template: src=var-ossec-rules-local_decoder.xml.j2 - dest="{{ wazuh_dir }}/etc/decoders/local_decoder.xml" - owner=wazuh - group=wazuh - mode=0660 - notify: restart wazuh-manager - tags: - - init - - config - - rules - -- name: Adding local decoders files - copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}" - dest="{{ wazuh_dir }}/etc/decoders/" - owner=wazuh - group=wazuh - mode=0660 - notify: restart wazuh-manager - tags: - - init - - config - - rules - -- name: Configure the shared-agent.conf - template: - src: var-ossec-etc-shared-agent.conf.j2 - dest: "{{ wazuh_dir }}/etc/shared/default/agent.conf" - owner: wazuh - group: wazuh - mode: 0660 - validate: "{{ wazuh_dir }}/bin/verify-agent-conf -f %s" - notify: restart wazuh-manager - tags: - - init - - config - when: - - shared_agent_config is defined - -- name: Installing the local_internal_options.conf - template: src=var-ossec-etc-local-internal-options.conf.j2 - dest="{{ wazuh_dir }}/etc/local_internal_options.conf" - owner=root - group=wazuh - mode=0640 - notify: restart wazuh-manager - tags: - - init - - config - -- name: Retrieving authd Credentials - include_vars: authd_pass.yml - tags: - - config - -- name: Checking alert log output settings - fail: msg="Please enable json_output or alerts_log options." 
- when: - - wazuh_manager_config.json_output == 'no' - - wazuh_manager_config.alerts_log == 'no' - tags: - - init - - config - -- name: Configure ossec.conf - template: - src: var-ossec-etc-ossec-server.conf.j2 - dest: "{{ wazuh_dir }}/etc/ossec.conf" - owner: root - group: wazuh - mode: 0644 - notify: restart wazuh-manager - tags: - - init - - config - -- name: Ossec-authd password - template: - src: authd_pass.j2 - dest: "{{ wazuh_dir }}/etc/authd.pass" - owner: wazuh - group: wazuh - mode: 0640 - no_log: true - notify: restart wazuh-manager - when: - - wazuh_manager_config.authd.use_password is defined - - wazuh_manager_config.authd.use_password == 'yes' - tags: - - config - -- name: Create custom API user - block: - - name: Copy create_user script - copy: - src: create_user.py - dest: "{{ wazuh_dir }}/framework/scripts/create_user.py" - owner: root - group: wazuh - mode: 0644 - - - name: Create admin.json - template: - src: templates/admin.json.j2 - dest: "{{ wazuh_dir }}/api/configuration/admin.json" - owner: wazuh - group: wazuh - mode: 0644 - no_log: true - - - name: Execute create_user script - script: - chdir: "{{ wazuh_dir }}/framework/scripts/" - cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}" - executable: "{{ wazuh_dir }}/framework/python/bin/python3" - with_items: - - "{{ wazuh_api_users }}" - - - name: Delete create_user script - file: - path: "{{ wazuh_dir }}/framework/scripts/create_user.py" - state: absent - - tags: - - config_api_users - when: - - wazuh_api_users is defined - - wazuh_manager_config.cluster.node_type == "master" - -- name: Ensure Wazuh Manager service is started and enabled. 
- service: - name: "wazuh-manager" - enabled: true - state: started - tags: - - config - -- name: Create agent groups - command: "{{ wazuh_dir }}/bin/agent_groups -a -g {{ item }} -q" - with_items: - - "{{ agent_groups }}" - when: - - ( agent_groups is defined) and ( agent_groups|length > 0) - tags: molecule-idempotence-notest - -- name: Run uninstall tasks - include_tasks: uninstall.yml diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml b/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml deleted file mode 100644 index 824e6926..00000000 --- a/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- name: Debian/Ubuntu | Remove Wazuh repository. - apt_repository: - repo: "{{ wazuh_manager_config.repo.apt }}" - state: absent - changed_when: false - when: ansible_os_family == "Debian" - -- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false - when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon" diff --git a/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 b/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 deleted file mode 100644 index 6522f530..00000000 --- a/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 +++ /dev/null @@ -1,4 +0,0 @@ - -{% for api in wazuh_api_users %} -{"username":"{{ api['username'] }}", "password": "{{ api['password'] }}"} -{% endfor %} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 deleted file mode 100644 index 97a481f2..00000000 --- a/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ authd_pass }} \ No newline at end of file 
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2 b/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2
deleted file mode 100644
index 37774b9c..00000000
--- a/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ item.content }}
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2
deleted file mode 100644
index 5718f800..00000000
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# local_internal_options.conf
-#
-# This file should be handled with care. It contains
-# run time modifications that can affect the use
-# of OSSEC. Only change it if you know what you
-# are doing. Look first at ossec.conf
-# for most of the things you want to change.
-#
-# This file will not be overwritten during upgrades.
-
-# This is the template of Ansible for the file local_internal_options.conf
-# In this file you could include the configuration settings for your manager
diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
deleted file mode 100644
index cef6ffc9..00000000
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2
+++ /dev/null
@@ -1,572 +0,0 @@ -#jinja2: lstrip_blocks: True - - - - - {{ wazuh_manager_config.json_output }} - {{ wazuh_manager_config.alerts_log }} - {{ wazuh_manager_config.logall }} - {{ wazuh_manager_config.logall_json }} - {{ wazuh_manager_config.email_notification }} - {% for to in wazuh_manager_config.mail_to %} - {{ to }} - {% endfor %} - {{ wazuh_manager_config.mail_smtp_server }} - {{ wazuh_manager_config.mail_from }} - {{ wazuh_manager_config.mail_maxperhour }} - {{ wazuh_manager_config.email_log_source }} - {{ wazuh_manager_config.agents_disconnection_time }} - {{ wazuh_manager_config.agents_disconnection_alert_time }} - - - - - {{ wazuh_manager_config.log_format }} - - -{% for connection in wazuh_manager_config.connection %} - - {{ connection.type }} - {% if connection.port is defined %} - {{ connection.port }} - {% endif %} - {% if connection.protocol is defined %} - {{ connection.protocol }} - {% endif %} - {% if connection.allowed_ips is defined %} - {% for allowed_ip in connection.allowed_ips %} - {{ allowed_ip }} - {% endfor %} - {% endif %} - {% if connection.denied_ips is defined %} - {% for denied_ip in connection.denied_ips %} - {{ denied_ip }} - {% endfor %} - {% endif %} - {% if connection.local_ip is defined %} - {{ connection.local_ip }} - {% endif %} - {% if connection.ipv6 is defined %} - {{ connection.ipv6 }} - {% endif %} - {% if connection.queue_size is defined %} - {{connection.queue_size}} - {% endif %} - -{% endfor %} - - - - no - yes - yes - yes - yes - yes - yes - yes - - - {{ wazuh_manager_config.rootcheck.frequency }} - - {{ wazuh_dir }}/etc/rootcheck/rootkit_files.txt - {{ wazuh_dir }}/etc/rootcheck/rootkit_trojans.txt - - yes - - - {% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %} - - no - {{ wazuh_manager_config.openscap.timeout }} - {{ wazuh_manager_config.openscap.interval }} - {{ wazuh_manager_config.openscap.scan_on_start }} - {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release 
== 'xenial' %} - - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution == 'Debian' %} - {% if ansible_distribution_release == 'jessie' %} - {% if openscap_version_valid.stdout == "0" %} - - xccdf_org.ssgproject.content_profile_common - - - {% endif %} - {% elif ansible_distribution_release == 'stretch' %} - - {% endif %} - {% elif ansible_distribution == 'CentOS' %} - {% if ansible_distribution_major_version == '8' %} - {# Policy not available #} - {% elif ansible_distribution_major_version == '7' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution_major_version == '6' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - {% elif ansible_distribution == 'RedHat' %} - {% if ansible_distribution_major_version == '8' %} - {# Policy not available #} - {% elif ansible_distribution_major_version == '7' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% elif ansible_distribution_major_version == '6' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - {% if ansible_distribution_major_version == '7' %} - - {% elif ansible_distribution_major_version == '6' %} - - {% endif %} - {% elif ansible_distribution == 'Fedora' %} - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - {% endif %} - - {% endif %} - - - {{ wazuh_manager_config.cis_cat.disable}} - {{ wazuh_manager_config.cis_cat.timeout }} - {{ wazuh_manager_config.cis_cat.interval }} - {{ wazuh_manager_config.cis_cat.scan_on_start }} - {% if wazuh_manager_config.cis_cat.install_java == 'yes' %} - wodles/java - {% else %} - {{ wazuh_manager_config.cis_cat.java_path }} - {% endif %} - {{ wazuh_manager_config.cis_cat.ciscat_path }} - - - - - {{ wazuh_manager_config.osquery.disable }} - {{ 
wazuh_manager_config.osquery.run_daemon }} - {{ wazuh_manager_config.osquery.log_path }} - {{ wazuh_manager_config.osquery.config_path }} - {{ wazuh_manager_config.osquery.ad_labels }} - - - - - {{ wazuh_manager_config.syscollector.disable }} - {{ wazuh_manager_config.syscollector.interval }} - {{ wazuh_manager_config.syscollector.scan_on_start }} - {{ wazuh_manager_config.syscollector.hardware }} - {{ wazuh_manager_config.syscollector.os }} - {{ wazuh_manager_config.syscollector.network }} - {{ wazuh_manager_config.syscollector.packages }} - {{ wazuh_manager_config.syscollector.ports_no }} - {{ wazuh_manager_config.syscollector.processes }} - - - - {% if wazuh_manager_config.sca.enabled | length > 0 %} - {{ wazuh_manager_config.sca.enabled }} - {% endif %} - {% if wazuh_manager_config.sca.scan_on_start | length > 0 %} - {{ wazuh_manager_config.sca.scan_on_start }} - {% endif %} - {% if wazuh_manager_config.sca.interval | length > 0 %} - {{ wazuh_manager_config.sca.interval }} - {% endif %} - {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} - yes - {% endif %} - {% if wazuh_manager_config.sca.day | length > 0 %} - {{ wazuh_manager_config.sca.day }} - {% endif %} - {% if wazuh_manager_config.sca.wday | length > 0 %} - {{ wazuh_manager_config.sca.wday }} - {% endif %} - {% if wazuh_manager_config.sca.time | length > 0 %} - - {% endif %} - - - - {{ wazuh_manager_config.vulnerability_detection.enabled }} - {{ wazuh_manager_config.vulnerability_detection.index_status }} - {{ wazuh_manager_config.vulnerability_detection.feed_update_interval }} - - - - {% if wazuh_manager_config.vulnerability_detection.enabled == 'yes' or wazuh_manager_config.indexer.enabled == 'yes' %}yes{% else %}no{% endif %} - - {% for item in wazuh_manager_config.indexer.hosts %} - https://{{ item }}:{{ filebeat_output_indexer_port }} - {% endfor %} - - - - - {{ filebeat_ssl_dir }}/root-ca.pem - - {{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem - {{ filebeat_ssl_dir }}/{{ 
filebeat_node_name }}-key.pem - - - - - - {{ wazuh_manager_config.syscheck.disable }} - {{ wazuh_manager_config.syscheck.frequency }} - {{ wazuh_manager_config.syscheck.scan_on_start }} - - - {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} - {{wazuh_manager_config.syscheck.auto_ignore_frequency.value }} - {% endif %} - - - {% if wazuh_manager_config.syscheck.directories is defined %} - {% for directory in wazuh_manager_config.syscheck.directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - - - {% if wazuh_manager_config.syscheck.ignore is defined %} - {% for ignore in wazuh_manager_config.syscheck.ignore %} - {{ ignore }} - {% endfor %} - {% endif %} - - - {% if wazuh_manager_config.syscheck.ignore_linux_type is defined %} - {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %} - {{ ignore }} - {% endfor %} - {% endif %} - - - - {% for no_diff in wazuh_manager_config.syscheck.no_diff %} - {{ no_diff }} - {% endfor %} - {% if wazuh_manager_config.syscheck.skip_nfs is defined %} - {{ wazuh_manager_config.syscheck.skip_nfs }} - {% endif %} - {% if wazuh_manager_config.syscheck.skip_dev is defined %} - {{ wazuh_manager_config.syscheck.skip_dev }} - {% endif %} - {% if wazuh_manager_config.syscheck.skip_proc is defined %} - {{ wazuh_manager_config.syscheck.skip_proc }} - {% endif %} - {% if wazuh_manager_config.syscheck.skip_sys is defined %} - {{ wazuh_manager_config.syscheck.skip_sys }} - {% endif %} - - - {{ wazuh_manager_config.syscheck.process_priority }} - - - {{ wazuh_manager_config.syscheck.max_eps }} - - - - {{ wazuh_manager_config.syscheck.sync_enabled }} - {{ wazuh_manager_config.syscheck.sync_interval }} - {{ wazuh_manager_config.syscheck.sync_max_interval }} - {{ wazuh_manager_config.syscheck.sync_max_eps }} - - - - -{% for white_list in wazuh_manager_config.globals %} - {{ white_list }} -{% endfor %} - - -{% for command in wazuh_manager_config.commands %} - - - {{ command.name }} - {{ command.executable }} 
- {% if command.timeout_allowed is defined %} - {{ command.timeout_allowed }} - {% endif %} - -{% endfor %} - -{% if wazuh_manager_config.active_responses is defined %} - {% for response in wazuh_manager_config.active_responses %} - - {% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %} - {%if response.command is defined %}{{ response.command }}{% endif %} - {%if response.location is defined %}{{ response.location }}{% endif %} - {%if response.agent_id is defined %}{{ response.agent_id }}{% endif %} - {%if response.level is defined %}{{ response.level }}{% endif %} - {%if response.rules_group is defined %}{{ response.rules_group }}{% endif %} - {%if response.rules_id is defined %}{{ response.rules_id }}{% endif %} - {%if response.timeout is defined %}{{ response.timeout }}{% endif %} - {%if response.repeated_offenders is defined %}{{ response.repeated_offenders }}{% endif %} - - {% endfor %} -{% endif -%} - - -{% for localfile in wazuh_manager_config.localfiles.common %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% if localfile.frequency is defined %} - {{ localfile.frequency }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'eventchannel' %} - {% if localfile.only_future_events is defined %} - {{ localfile.only_future_events }} - {% endif %} - {% if localfile.query is defined %} - {{ localfile.query }} - {% endif %} - {% endif %} - {% endif %} - {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.items() %} - - {% endfor %} - {% endif %} - {% if localfile.target is defined %} - {{ localfile.target }} - {% endif %} - {% if localfile.out_format is defined %} - {{ localfile.out_format }} - {% endif %} - -{% endfor %} - -{% if ansible_os_family == "Debian" %} -{% for localfile in 
wazuh_manager_config.localfiles.debian %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% if localfile.frequency is defined %} - {{ localfile.frequency }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'eventchannel' %} - {% if localfile.only_future_events is defined %} - {{ localfile.only_future_events }} - {% endif %} - {% if localfile.query is defined %} - {{ localfile.query }} - {% endif %} - {% endif %} - {% endif %} - {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.items() %} - - {% endfor %} - {% endif %} - {% if localfile.target is defined %} - {{ localfile.target }} - {% endif %} - {% if localfile.out_format is defined %} - {{ localfile.out_format }} - {% endif %} - -{% endfor %} -{% endif -%} - -{% if ansible_os_family == "RedHat" %} -{% for localfile in wazuh_manager_config.localfiles.centos %} - - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% if localfile.frequency is defined %} - {{ localfile.frequency }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'eventchannel' %} - {% if localfile.only_future_events is defined %} - {{ localfile.only_future_events }} - {% endif %} - {% if localfile.query is defined %} - {{ localfile.query }} - {% endif %} - {% endif %} - {% endif %} - {% if localfile.format == 'json' and localfile.labels is defined %} - {% for key, value in localfile.labels.items() %} - - {% endfor %} - {% endif %} - {% if localfile.target is defined %} - {{ localfile.target }} - {% endif %} - {% if localfile.out_format is defined %} - {{ localfile.out_format }} - {% endif %} - -{% endfor %} 
-{% endif -%} - -{% if monitor_aws is defined and monitor_aws.disabled == "no" %} - - - {{ monitor_aws.disabled }} - {{ monitor_aws.interval }} - {{ monitor_aws.run_on_start }} - {{ monitor_aws.skip_on_error }} - {% for bucket in monitor_aws.s3 %} - - {{ bucket.name }} - {% if bucket.path is defined %} - {{ bucket.path }} - {% endif %} - {% if bucket.only_logs_after is defined %} - {{ bucket.only_logs_after }} - {% endif %} - {{ bucket.access_key }} - {{ bucket.secret_key }} - - {% endfor %} - -{% endif %} - -{% if wazuh_manager_config.labels.enable == true %} - - {% for label in wazuh_manager_config.labels.list %} - - {% endfor %} - -{% endif %} - - - - - ruleset/decoders - ruleset/rules - {% if wazuh_manager_config.rule_exclude is defined %} - {% for rule in wazuh_manager_config.rule_exclude %} - {{ rule }} - {% endfor %} - {% endif %} - {% if wazuh_manager_config.ruleset.cdb_lists is defined %} - {% for list in wazuh_manager_config.ruleset.cdb_lists %} - etc/lists/{{ list }} - {% endfor %} - {% endif %} - - - etc/decoders - etc/rules - - -{% if wazuh_manager_config.authd.enable == true %} - - no - {% if wazuh_manager_config.authd.port is not none %} - {{wazuh_manager_config.authd.port}} - {% else %} - 1515 - {% endif %} - {% if wazuh_manager_config.authd.use_source_ip is not none %} - {{wazuh_manager_config.authd.use_source_ip}} - {% endif %} - - {% if wazuh_manager_config.authd.force.enabled is not none %} - {{wazuh_manager_config.authd.force.enabled}} - {% else %} - yes - {% endif %} - {% if wazuh_manager_config.authd.force.key_mismatch is not none %} - {{wazuh_manager_config.authd.force.key_mismatch}} - {% else %} - yes - {% endif %} - {% if wazuh_manager_config.authd.force.disconnected_time is not none %} - {{wazuh_manager_config.authd.force.disconnected_time}} - {% else %} - 1h - {% endif %} - {% if wazuh_manager_config.authd.force.after_registration_time is not none %} - {{wazuh_manager_config.authd.force.after_registration_time}} - {% else %} - 1h - {% 
endif %} - - {% if wazuh_manager_config.authd.purge is not none %} - {{wazuh_manager_config.authd.purge}} - {% endif %} - {% if wazuh_manager_config.authd.use_password is not none %} - {{wazuh_manager_config.authd.use_password}} - {% endif %} - {% if wazuh_manager_config.authd.ciphers is not none %} - {{wazuh_manager_config.authd.ciphers}} - {% endif %} - {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} - {{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} - {% endif %} - {% if wazuh_manager_config.authd.ssl_verify_host is not none %} - {{wazuh_manager_config.authd.ssl_verify_host}} - {% endif %} - {% if wazuh_manager_config.authd.ssl_manager_cert is not none %} - {{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}} - {% endif %} - {% if wazuh_manager_config.authd.ssl_manager_key is not none %} - {{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}} - {% endif %} - {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %} - {{wazuh_manager_config.authd.ssl_auto_negotiate}} - {% endif %} - -{% endif %} - - - {{ wazuh_manager_config.cluster.disable }} - {{ wazuh_manager_config.cluster.name }} - {{ wazuh_manager_config.cluster.node_name }} - {{ wazuh_manager_config.cluster.node_type }} - {{ wazuh_manager_config.cluster.key }} - {% if wazuh_manager_config.cluster.interval is defined %} - {{ wazuh_manager_config.cluster.interval }} - {% endif %} - {{ wazuh_manager_config.cluster.port }} - {{ wazuh_manager_config.cluster.bind_addr }} - - {% for node in wazuh_manager_config.cluster.nodes %} - {{ node }} - {% endfor %} - - {{ wazuh_manager_config.cluster.hidden }} - - - diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 deleted file mode 100644 index 7af5e3f3..00000000 
--- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 +++ /dev/null 
@@ -1,106 +0,0 @@ -#jinja2: trim_blocks: False -{% if shared_agent_config is defined %} -{% for agent_config in shared_agent_config %} - - {% if agent_config.syscheck is defined %} - - {% if agent_config.syscheck.auto_ignore is defined %} - {{ agent_config.syscheck.auto_ignore }} - {% endif %} - {{ agent_config.syscheck.frequency }} - {{ agent_config.syscheck.scan_on_start }} - - - {% if agent_config.syscheck.directories is defined %} - {% for directory in agent_config.syscheck.directories %} - {{ directory.dirs }} - {% endfor %} - {% endif %} - - - {% if agent_config.syscheck.ignore is defined %} - {% for ignore in agent_config.syscheck.ignore %} - {{ ignore }} - {% endfor %} - {% endif %} - - - {% if agent_config.syscheck.no_diff is defined %} - {% for no_diff in agent_config.syscheck.no_diff %} - {{ no_diff }} - {% endfor %} - {% endif %} - - {% if agent_config.syscheck.windows_registry is defined %} - {% for registry_key in agent_config.syscheck.windows_registry %} - {% if registry_key.arch is defined %} - {{ registry_key.key }} - {% else %} - {{ registry_key.key }} - {% endif %} - {% endfor %} - {% endif %} - - {% endif %} - - {% if agent_config.localfiles is defined %} - {% for localfile in agent_config.localfiles %} - - {{ localfile.format }} - {% if localfile.format == 'command' or localfile.format == 'full_command' %} - {{ localfile.command }} - {% if localfile.alias is defined %} - {{ localfile.alias }} - {% endif %} - {% if localfile.frequency is defined %} - {{ localfile.frequency }} - {% endif %} - {% else %} - {{ localfile.location }} - {% if localfile.format == 'eventchannel' %} - {% if localfile.only_future_events is defined %} - {{ localfile.only_future_events }} - {% endif %} - {% if localfile.query is defined %} - {{ localfile.query }} - {% endif %} - {% endif %} - {% endif %} - {% if localfile.format == 'json' and localfile.labels is defined %} - {% for item in localfile.labels %} - - {% endfor %} - {% endif %} - {% if localfile.target is 
defined %} - {{ localfile.target }} - {% endif %} - {% if localfile.out_format is defined %} - {{ localfile.out_format }} - {% endif %} - - {% endfor %} - {% endif %} - - {% if agent_config.rootcheck is defined %} - - no - yes - yes - yes - yes - yes - yes - yes - - - {{ agent_config.rootcheck.frequency }} - - {% if agent_config.rootcheck.cis_distribution_filename is not none %} - {{ wazuh_dir }}/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }} - {% endif %} - yes - - {% endif %} - -{% endfor %} -{% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 deleted file mode 100644 index 653167f8..00000000 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - - local_decoder_example - diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 deleted file mode 100644 index 987d75a9..00000000 --- a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - 5716 - 1.1.1.1 - sshd: authentication failed from IP 1.1.1.1. - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - - - \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml deleted file mode 100644 index b23855a5..00000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# authd_pass: foobar diff --git a/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml b/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml deleted file mode 100644 index cda00c6e..00000000 --- a/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml +++ /dev/null 
@@ -1,4 +0,0 @@ -# Install cmake vars - -cmake_version: 3.18.3 -cmake_download_url: "http://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz" \ No newline at end of file diff --git a/roles/wazuh/check-packages/defaults/main.yml b/roles/wazuh/check-packages/defaults/main.yml deleted file mode 100644 index 131b85c7..00000000 --- a/roles/wazuh/check-packages/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -wazuh_version: 5.0.0 diff --git a/roles/wazuh/check-packages/files/packages_uri.txt b/roles/wazuh/check-packages/files/packages_uri.txt deleted file mode 100644 index bd59e004..00000000 --- a/roles/wazuh/check-packages/files/packages_uri.txt +++ /dev/null @@ -1,6 +0,0 @@ -yum/wazuh-manager-VERSION-1.x86_64.rpm -apt/pool/main/w/wazuh-manager/wazuh-manager_VERSION-1_amd64.deb -yum/wazuh-dashboard-VERSION-1.x86_64.rpm -yum/wazuh-indexer-VERSION-1.x86_64.rpm -apt/pool/main/w/wazuh-agent/wazuh-agent_VERSION-1_amd64.deb -yum/wazuh-agent-VERSION-1.x86_64.rpm \ No newline at end of file diff --git a/roles/wazuh/check-packages/scripts/check_packages.sh b/roles/wazuh/check-packages/scripts/check_packages.sh deleted file mode 100755 index 11f1c9e7..00000000 --- a/roles/wazuh/check-packages/scripts/check_packages.sh +++ /dev/null 
@@ -1,80 +0,0 @@ -#!/bin/bash - -VERSION=$1 -#echo $VERSION -## Replace VERSION with $VERSION in packages_uri.txt and save it as packages_uri_new.txt -sed 's,VERSION,'$VERSION',g' ../files/packages_uri.txt > ../files/packages_uri_new.txt - -checkPackages(){ - ## Set S3 Bucket URL - if [ $1 == "production" ]; then - echo "production" - PACKAGES_URL=https://packages.wazuh.com/5.x/ - elif [ $1 == "pre-release" ]; then - echo "pre-release" - PACKAGES_URL=https://packages-dev.wazuh.com/pre-release/ - elif [ $1 == "staging" ]; then - echo "staging" - PACKAGES_URL=https://packages-dev.wazuh.com/staging/ - CHECK_WIN_PACKAGE=$(grep windows ../files/packages_uri_new.txt) - echo $CHECK_WIN_PACKAGE - if [ -n "$CHECK_WIN_PACKAGE" ]; then - WIN_AGENT_NAME=$(aws s3 ls s3://xdrsiem-packages-dev/staging/windows/wazuh-agent-$VERSION --region=us-west-1 | tail -1 | awk '{printf $4}') - if [ -z $WIN_AGENT_NAME ]; then - echo "Windows agent package for version " $VERSION " does not exist in the staging repository" - exit 1 - fi - WIN_AGENT_URI="windows/"$WIN_AGENT_NAME - echo $PACKAGES_URL$WIN_AGENT_URI "check" - sed -i 's,windows/.*,'$WIN_AGENT_URI',g' ../files/packages_uri_new.txt - sed -i 's,wazuh_winagent_config_url.*,wazuh_winagent_config_url: \"'$PACKAGES_URL$WIN_AGENT_URI'\",g' ../../vars/repo_staging.yml - sed -i 's,wazuh_winagent_package_name.*,wazuh_winagent_package_name: \"'$WIN_AGENT_NAME'\",g' ../../vars/repo_staging.yml - fi - fi - - ## Set EXISTS to 0 (true) - EXISTS=0 - - ## Loop through the packages_uri_new.txt file - while IFS= read -r URI - do - echo "$URI" - ## Check if the package exists - PACKAGE=$(curl --silent -I $PACKAGES_URL$URI | grep -E "^HTTP" | awk '{print $2}') - ## If it does not exist set EXISTS to 1 (false) - if [ "$PACKAGE" != "200" ]; then - EXISTS=1 - #echo $PACKAGES_URL$URI "does not exist" - return $EXISTS - fi - done < ../files/packages_uri_new.txt - - return $EXISTS -} - -replaceVars(){ - sed -i "s|packages_repository:.*|packages_repository: 
$1|g" ../../vars/repo_vars.yml - -} - -## Call the checkPackages function for each repository -if checkPackages "production"; then - echo "production" - replaceVars "production" - exit 0 -elif checkPackages "pre-release"; then - echo "pre-release" - replaceVars "pre-release" - exit 0 -elif checkPackages "production"; then - echo "production" - replaceVars "production" - exit 0 -elif checkPackages "staging"; then - echo "staging" - replaceVars "staging" - exit 0 -else - echo "Failed" - exit 1 -fi \ No newline at end of file diff --git a/roles/wazuh/check-packages/tasks/main.yml b/roles/wazuh/check-packages/tasks/main.yml deleted file mode 100644 index 467657da..00000000 --- a/roles/wazuh/check-packages/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - - name: Check packages - shell: | - ./check_packages.sh {{ wazuh_version }} - args: - # warn: false - executable: /bin/bash - chdir: "{{ role_path }}/scripts/" - delegate_to: localhost - become: no - diff --git a/roles/wazuh/vars/repo.yml b/roles/wazuh/vars/repo.yml deleted file mode 100644 index d6e6ad1a..00000000 --- a/roles/wazuh/vars/repo.yml +++ /dev/null 
@@ -1,20 +0,0 @@
-wazuh_repo:
- keyring_path: '/usr/share/keyrings/wazuh.gpg'
- apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/5.x/apt/ stable main'
- yum: 'https://packages.wazuh.com/5.x/yum/'
- gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- path: '/tmp/WAZUH-GPG-KEY'
-wazuh_winagent_config_url: "https://packages.wazuh.com/5.x/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_sha512_url: "https://packages.wazuh.com/5.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
-filebeat_module_package_url: https://packages.wazuh.com/5.x/filebeat
-
-wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
-wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
-wazuh_macos_intel_package_url: "https://packages.wazuh.com/5.x/macos/{{ wazuh_macos_intel_package_name }}"
-wazuh_macos_arm_package_url: "https://packages.wazuh.com/5.x/macos/{{ wazuh_macos_arm_package_name }}"
-
-certs_gen_tool_version: "5.0"
-
-# Url of certificates generator tool
-certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
diff --git a/roles/wazuh/vars/repo_pre-release.yml b/roles/wazuh/vars/repo_pre-release.yml
deleted file mode 100644
index b8d5bbbd..00000000
--- a/roles/wazuh/vars/repo_pre-release.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-wazuh_repo:
- keyring_path: '/usr/share/keyrings/wazuh.gpg'
- apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
- yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
- path: '/tmp/WAZUH-GPG-KEY'
-wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
-filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
-
-wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
-wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
-wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/pre-release/{{ wazuh_macos_intel_package_name }}"
-wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/pre-release/macos/{{ wazuh_macos_arm_package_name }}"
-
-certs_gen_tool_version: "5.0"
-
-# Url of certificates generator tool
-certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
diff --git a/roles/wazuh/vars/repo_staging.yml b/roles/wazuh/vars/repo_staging.yml
deleted file mode 100644
index 68e66d78..00000000
--- a/roles/wazuh/vars/repo_staging.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-wazuh_repo:
- keyring_path: '/usr/share/keyrings/wazuh.gpg'
- apt: 'deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/staging/apt/ unstable main'
- yum: 'https://packages-dev.wazuh.com/staging/yum/'
- gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
- path: '/tmp/WAZUH-GPG-KEY'
-wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
-wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/staging/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
-check_sha512: False
-filebeat_module_package_url: https://packages-dev.wazuh.com/staging/filebeat
-
-wazuh_macos_intel_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.intel64.pkg"
-wazuh_macos_arm_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.arm64.pkg"
-wazuh_macos_intel_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_intel_package_name }}"
-wazuh_macos_arm_package_url: "https://packages-dev.wazuh.com/staging/macos/{{ wazuh_macos_arm_package_name }}"
-
-certs_gen_tool_version: "5.0"
-
-# Url of certificates generator tool
-certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
diff --git a/roles/wazuh/vars/repo_vars.yml b/roles/wazuh/vars/repo_vars.yml
deleted file mode 100644
index 53157764..00000000
--- a/roles/wazuh/vars/repo_vars.yml
+++ /dev/null
@@ -1 +0,0 @@
-packages_repository: production
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-dashboard/defaults/main.yml b/roles/wazuh/wazuh-dashboard/defaults/main.yml
deleted file mode 100644
index 67896ac5..00000000
--- a/roles/wazuh/wazuh-dashboard/defaults/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-
-# Dashboard configuration
-indexer_http_port: 9200
-indexer_api_protocol: https
-dashboard_conf_path: /etc/wazuh-dashboard/
-dashboard_node_name: node-1
-dashboard_server_host: "0.0.0.0"
-dashboard_server_port: "443"
-dashboard_server_name: "dashboard"
-wazuh_version: 5.0.0
-indexer_cluster_nodes:
- - 127.0.0.1
-
-# The Wazuh dashboard package repository
-dashboard_version: "5.0.0"
-
-# API credentials
-wazuh_api_credentials:
- - id: "default"
- url: "https://127.0.0.1"
- port: 55000
- username: "wazuh"
- password: "wazuh"
-
-# Dashboard Security
-dashboard_security: true
-indexer_admin_password: changeme
-dashboard_user: kibanaserver
-dashboard_password: changeme
-local_certs_path: "{{ playbook_dir }}/indexer/certificates"
diff --git a/roles/wazuh/wazuh-dashboard/handlers/main.yml b/roles/wazuh/wazuh-dashboard/handlers/main.yml
deleted file mode 100644
index 45f71935..00000000
--- a/roles/wazuh/wazuh-dashboard/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart wazuh-dashboard
- service: name=wazuh-dashboard state=restarted
diff --git a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
deleted file mode 100644
index 2a09ac3d..00000000
--- a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
+++ /dev/null
@@ -1,40 +0,0 @@ ---- -- block: - - - include_vars: debian.yml - - name: Download apt repository signing key - get_url: - url: "{{ wazuh_repo.gpg }}" - dest: "{{ wazuh_repo.path }}" - - - name: Debian/Ubuntu | Install gnupg - apt: - name: - - gnupg - state: present - - - name: Import Wazuh repository GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" - args: - creates: "{{ wazuh_repo.keyring_path }}" - - - name: Set permissions for Wazuh repository GPG key - file: - path: "{{ wazuh_repo.keyring_path }}" - mode: '0644' - - - name: Debian systems | Add Wazuh dashboard repo - apt_repository: - repo: "{{ wazuh_repo.apt }}" - state: present - update_cache: yes - - - name: Install Wazuh dashboard - apt: - name: "wazuh-dashboard={{ dashboard_version }}-*" - state: present - update_cache: yes - register: install - - tags: - - install \ No newline at end of file diff --git a/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml deleted file mode 100644 index b34970ea..00000000 --- a/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Remove Wazuh dashboard repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false diff --git a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml deleted file mode 100644 index 5c9f496f..00000000 --- a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- block: - - - name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo - yum_repository: - name: wazuh_repo - description: Wazuh yum repository - baseurl: "{{ wazuh_repo.yum }}" - gpgkey: "{{ wazuh_repo.gpg }}" - gpgcheck: true - - - name: Install Wazuh dashboard - package: - name: "wazuh-dashboard-{{ dashboard_version }}" - state: present - update_cache: yes - register: install - - tags: - - install 
diff --git a/roles/wazuh/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml
deleted file mode 100755
index 3f3fa665..00000000
--- a/roles/wazuh/wazuh-dashboard/tasks/main.yml
+++ /dev/null
@@ -1,99 +0,0 @@ ---- -- include_vars: ../../vars/repo_vars.yml - -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' - -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' - -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- import_tasks: Debian.yml - when: ansible_os_family == 'Debian' - -- name: Remove Dashboard configuration file - file: - # noqa 503 - path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" - state: absent - tags: install - -- import_tasks: security_actions.yml - -- name: Copy Configuration File - template: - src: "templates/opensearch_dashboards.yml.j2" - dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" - group: wazuh-dashboard - owner: wazuh-dashboard - mode: 0640 - force: yes - notify: restart wazuh-dashboard - tags: - - install - - configure - -- name: Ensuring Wazuh dashboard directory owner - file: - # noqa 208 - path: "/usr/share/wazuh-dashboard" - state: directory - owner: wazuh-dashboard - group: wazuh-dashboard - recurse: yes - -- name: Wait for Wazuh-Indexer port - wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} - -- name: Select correct API protocol - set_fact: - indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}" - -- name: Attempting to delete legacy Wazuh index if exists - uri: - url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh" - method: DELETE - user: "admin" - password: "{{ indexer_admin_password }}" - validate_certs: no - status_code: 200, 404 - -- name: Create Wazuh Plugin config directory - file: - path: /usr/share/wazuh-dashboard/data/wazuh/config/ - state: directory - recurse: yes - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0751 - changed_when: False - -- name: Configure Wazuh Dashboard 
Plugin - template: - src: wazuh.yml.j2 - dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0751 - changed_when: False - -- name: Configure opensearch.password in opensearch_dashboards.keystore - shell: >- - echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password - args: - executable: /bin/bash - become: yes - -- name: Ensure Wazuh dashboard started and enabled - service: - name: wazuh-dashboard - enabled: true - state: started - -- import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat' diff --git a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml deleted file mode 100644 index 06b3e2b3..00000000 --- a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml +++ /dev/null @@ -1,23 +0,0 @@ -- block: - - - name: Ensure Dashboard certificates directory permissions. - file: - path: "/etc/wazuh-dashboard/certs/" - state: directory - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 500 - - - name: Copy the certificates from local to the Wazuh dashboard instance - copy: - src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" - dest: /etc/wazuh-dashboard/certs/ - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0400 - with_items: - - "root-ca.pem" - - "{{ dashboard_node_name }}-key.pem" - - "{{ dashboard_node_name }}.pem" - tags: - - security diff --git a/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 deleted file mode 100644 index 36695daf..00000000 --- a/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 +++ /dev/null 
@@ -1,19 +0,0 @@ -server.host: {{ dashboard_server_host }} -server.port: {{ dashboard_server_port }} -opensearch.hosts: -{% for item in indexer_cluster_nodes %} - - https://{{ item }}:{{ indexer_http_port }} -{% endfor %} -opensearch.ssl.verificationMode: certificate -opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"] -opensearch_security.multitenancy.enabled: false -opensearch_security.readonly_mode.roles: ["kibana_read_only"] -server.ssl.enabled: true -server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem" -server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem" -opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] -uiSettings.overrides.defaultRoute: /app/wz-home -# Session expiration settings -opensearch_security.cookie.ttl: 900000 -opensearch_security.session.ttl: 900000 -opensearch_security.session.keepalive: true diff --git a/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 deleted file mode 100644 index d3ab99a0..00000000 --- a/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 +++ /dev/null 
@@ -1,134 +0,0 @@ ---- -# -# Wazuh app - App configuration file -# Copyright (C) 2016, Wazuh Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Find more information about this on the LICENSE file. -# -# ======================== Wazuh app configuration file ======================== -# -# Please check the documentation for more information on configuration options: -# https://documentation.wazuh.com/current/installation-guide/index.html -# -# Also, you can check our repository: -# https://github.com/wazuh/wazuh-dashboard-plugins -# -# ------------------------------- Index patterns ------------------------------- -# -# Default index pattern to use. -#pattern: wazuh-alerts-5.x-* -# -# ----------------------------------- Checks ----------------------------------- -# -# Defines which checks must to be consider by the healthcheck -# step once the Wazuh app starts. Values must to be true or false. -#checks.pattern : true -#checks.template: true -#checks.api : true -#checks.setup : true -# -# --------------------------------- Extensions --------------------------------- -# -# Defines which extensions should be activated when you add a new API entry. -# You can change them after Wazuh app starts. -# Values must to be true or false. -#extensions.pci : true -#extensions.gdpr : true -#extensions.hipaa : true -#extensions.nist : true -#extensions.audit : true -#extensions.oscap : false -#extensions.ciscat : false -#extensions.aws : false -#extensions.virustotal: false -#extensions.osquery : false -#extensions.docker : false -# -# ---------------------------------- Time out ---------------------------------- -# -# Defines maximum timeout to be used on the Wazuh app requests. -# It will be ignored if it is bellow 1500. 
-# It means milliseconds before we consider a request as failed. -# Default: 20000 -#timeout: 20000 -# -# ------------------------------ Advanced indices ------------------------------ -# -# Configure .wazuh indices shards and replicas. -#wazuh.shards : 1 -#wazuh.replicas : 0 -# -# --------------------------- Index pattern selector --------------------------- -# -# Defines if the user is allowed to change the selected -# index pattern directly from the Wazuh app top menu. -# Default: true -#ip.selector: true -# -# List of index patterns to be ignored -#ip.ignore: [] -# -# -------------------------------- X-Pack RBAC --------------------------------- -# -# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. -# Default: enabled -#xpack.rbac.enabled: true -# -# ------------------------------ wazuh-monitoring ------------------------------ -# -# Custom setting to enable/disable wazuh-monitoring indices. -# Values: true, false, worker -# If worker is given as value, the app will show the Agents status -# visualization but won't insert data on wazuh-monitoring indices. -# Default: true -#wazuh.monitoring.enabled: true -# -# Custom setting to set the frequency for wazuh-monitoring indices cron task. -# Default: 900 (s) -#wazuh.monitoring.frequency: 900 -# -# Configure wazuh-monitoring-5.x-* indices shards and replicas. -#wazuh.monitoring.shards: 2 -#wazuh.monitoring.replicas: 0 -# -# Configure wazuh-monitoring-5.x-* indices custom creation interval. -# Values: h (hourly), d (daily), w (weekly), m (monthly) -# Default: d -#wazuh.monitoring.creation: d -# -# Default index pattern to use for Wazuh monitoring -#wazuh.monitoring.pattern: wazuh-monitoring-5.x-* -# -# -# ------------------------------- App privileges -------------------------------- -#admin: true -# -# ------------------------------- App logging level ----------------------------- -# Set the logging level for the Wazuh App log files. 
-# Default value: info -# Allowed values: info, debug -#logs.level: info -# -#-------------------------------- API entries ----------------------------------- -#The following configuration is the default structure to define an API entry. -# -#hosts: -# - : -# url: http(s):// -# port: -# user: -# password: - -hosts: -{% for api in wazuh_api_credentials %} - - {{ api['id'] }}: - url: {{ api['url'] }} - port: {{ api['port'] }} - username: {{ api['username'] }} - password: "{{ api['password'] }}" -{% endfor %} diff --git a/roles/wazuh/wazuh-dashboard/vars/debian.yml b/roles/wazuh/wazuh-dashboard/vars/debian.yml deleted file mode 100644 index 77bd8e4d..00000000 --- a/roles/wazuh/wazuh-dashboard/vars/debian.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -dashboard_version: 5.0.0 diff --git a/roles/wazuh/wazuh-indexer/defaults/main.yml b/roles/wazuh/wazuh-indexer/defaults/main.yml deleted file mode 100644 index e1796da9..00000000 --- a/roles/wazuh/wazuh-indexer/defaults/main.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -# Cluster Settings -indexer_version: 5.0.0 - -single_node: false -indexer_node_name: node-1 -indexer_cluster_name: wazuh -indexer_network_host: '0.0.0.0' - -indexer_node_master: true -indexer_node_data: true -indexer_node_ingest: true -indexer_start_timeout: 90 - -indexer_cluster_nodes: - - 127.0.0.1 -indexer_discovery_nodes: - - 127.0.0.1 - -local_certs_path: "{{ playbook_dir }}/indexer/certificates" - -# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster -minimum_master_nodes: 2 - -# Configure hostnames for Wazuh indexer nodes -# Example es1.example.com, es2.example.com -domain_name: wazuh.com - -indexer_sec_plugin_conf_path: /etc/wazuh-indexer/opensearch-security -indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools -indexer_conf_path: /etc/wazuh-indexer -indexer_index_path: /var/lib/wazuh-indexer/ - -# Security password -indexer_custom_user: "" -indexer_custom_user_role: "admin" - -# Set JVM memory limits -indexer_jvm_xms: null - -indexer_http_port: 9200 - -indexer_admin_password: changeme -dashboard_password: changeme - -# Deployment settings -generate_certs: true -perform_installation: true - -indexer_nolog_sensible: true diff --git a/roles/wazuh/wazuh-indexer/handlers/main.yml b/roles/wazuh/wazuh-indexer/handlers/main.yml deleted file mode 100644 index 0c463d0e..00000000 --- a/roles/wazuh/wazuh-indexer/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: restart wazuh-indexer - service: - name: wazuh-indexer - state: restarted diff --git a/roles/wazuh/wazuh-indexer/meta/main.yml b/roles/wazuh/wazuh-indexer/meta/main.yml deleted file mode 100644 index 1b9648a6..00000000 --- a/roles/wazuh/wazuh-indexer/meta/main.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -galaxy_info: - author: Wazuh - description: Installing and maintaining Wazuh indexer. - company: wazuh.com - license: license (GPLv3) - min_ansible_version: 2.0 - platforms: - - name: EL - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: Fedora - versions: - - all - galaxy_tags: - - web - - system - - monitoring diff --git a/roles/wazuh/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml deleted file mode 100644 index 7c1d83b2..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/Debian.yml +++ /dev/null @@ -1,48 +0,0 @@ - ---- - -- name: Update cache - apt: - update_cache: yes - -- name: Install Wazuh indexer dependencies - apt: - name: - - unzip - - wget - - curl - - apt-transport-https - - software-properties-common - - gnupg - state: present - -- name: Add Wazuh indexer repository - block: - - name: Add apt repository signing key - get_url: - url: "{{ wazuh_repo.gpg }}" - dest: "{{ wazuh_repo.path }}" - - - name: Import Wazuh repository GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" - args: - creates: "{{ wazuh_repo.keyring_path }}" - - - name: Set permissions for Wazuh repository GPG key - file: - path: "{{ wazuh_repo.keyring_path }}" - mode: '0644' - - - name: Add Wazuh indexer repository - apt_repository: - repo: "{{ wazuh_repo.apt }}" - state: present - filename: 'wazuh-indexer' - update_cache: yes - -- name: Install Wazuh indexer - apt: - name: wazuh-indexer={{ indexer_version }}-1 - state: present - register: install - tags: install \ No newline at end of file diff --git a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml deleted file mode 100644 index d4e79892..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: RedHat/CentOS/Fedora | Remove Wazuh indexer repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false diff --git a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml deleted file mode 100644 index c2a9c54d..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- -- block: - - - name: RedHat/CentOS/Fedora | Add Wazuh indexer repo - yum_repository: - name: wazuh_repo - description: Wazuh yum repository - baseurl: "{{ wazuh_repo.yum }}" - gpgkey: "{{ wazuh_repo.gpg }}" - gpgcheck: true - changed_when: false - - - - - name: Amazon Linux | Configure system settings - block: - - name: Install Amazon extras in Amazon Linux 2 - yum: - name: amazon-linux-extras - state: present - lock_timeout: 200 - when: - - ansible_distribution == 'Amazon' - - ansible_distribution_major_version == '2' - - - name: Configure vm.max_map_count - lineinfile: - line: "vm.max_map_count=262144" - dest: "/etc/sysctl.conf" - insertafter: EOF - create: true - become: yes - - - name: Update vm.max_map_count - shell: sysctl -p - become: yes - - when: - - ansible_distribution == 'Amazon' - - - name: RedHat/CentOS/Fedora | Install Indexer dependencies - yum: - name: "{{ packages }}" - state: present - lock_timeout: 200 - vars: - packages: - - wget - - unzip - - - name: Install Wazuh indexer - package: - name: wazuh-indexer-{{ indexer_version }} - state: present - register: install - tags: install - - tags: - - install diff --git a/roles/wazuh/wazuh-indexer/tasks/local_actions.yml b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml deleted file mode 100644 index 4a215bef..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/local_actions.yml +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -- name: Check if certificates already exists - stat: - path: "{{ local_certs_path }}" - register: certificates_folder - delegate_to: localhost - become: no - tags: - - generate-certs - - -- block: - - - name: Local action | Create local temporary directory for certificates generation - file: - path: "{{ local_certs_path }}" - mode: 0755 - state: directory - - - name: Local action | Check that the generation tool exists - stat: - path: "{{ local_certs_path }}/wazuh-certs-tool.sh" - register: tool_package - - - name: Local action | Download certificates generation tool - get_url: - url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/wazuh-certs-tool.sh" - when: not tool_package.stat.exists - - - name: Local action | Prepare the certificates generation template file - template: - src: "templates/config.yml.j2" - dest: "{{ local_certs_path }}/config.yml" - mode: 0644 - register: tlsconfig_template - - - name: Local action | Generate the node & admin certificates in local - command: >- - bash {{ local_certs_path }}/wazuh-certs-tool.sh -A - - run_once: true - delegate_to: localhost - become: no - tags: - - generate-certs - when: - - not certificates_folder.stat.exists diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml deleted file mode 100644 index 48034ae6..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/main.yml +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -- include_vars: ../../vars/repo_vars.yml - -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' - -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' - -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- import_tasks: local_actions.yml - when: - - generate_certs - -- block: - - import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - - - import_tasks: Debian.yml - when: ansible_os_family == 'Debian' - - - name: Remove performance analyzer plugin from Wazuh indexer - become: true - command: ./opensearch-plugin remove opensearch-performance-analyzer - ignore_errors: true - args: - chdir: /usr/share/wazuh-indexer/bin/ - register: remove_opensearch_performance_analyzer - failed_when: - - remove_opensearch_performance_analyzer.rc != 0 - - '"not found" not in remove_opensearch_performance_analyzer.stderr' - changed_when: "remove_opensearch_performance_analyzer.rc == 0" - - - name: Remove Opensearch configuration file - file: - path: "{{ indexer_conf_path }}/opensearch.yml" - state: absent - tags: install - - - name: Copy Opensearch Configuration File - template: - src: "templates/opensearch.yml.j2" - dest: "{{ indexer_conf_path }}/opensearch.yml" - owner: root - group: wazuh-indexer - mode: 0640 - force: yes - tags: install - - - include_tasks: security_actions.yml - tags: - - security - - - - name: Configure Wazuh indexer JVM memmory. 
- template: - src: "templates/jvm.options.j2" - dest: "{{ indexer_conf_path }}/jvm.options" - owner: root - group: wazuh-indexer - mode: 0644 - force: yes - notify: restart wazuh-indexer - tags: install - - - name: Ensure extra time for Wazuh indexer to start on reboots - lineinfile: - path: /usr/lib/systemd/system/wazuh-indexer.service - regexp: '^TimeoutStartSec=' - line: "TimeoutStartSec={{ indexer_start_timeout }}" - become: yes - tags: configure - - - name: Index files to remove - find: - paths: "{{ indexer_index_path }}" - patterns: "*" - register: files_to_delete - - - name: Remove Index Files - file: - path: "{{ item.path }}" - state: absent - with_items: "{{ files_to_delete.files }}" - - - name: Ensure Wazuh indexer started and enabled - service: - name: wazuh-indexer - enabled: true - state: started - - - name: Wait for Wazuh indexer API - uri: - url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" - user: "admin" # Default Indexer user is always "admin" - password: "{{ indexer_admin_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: - - _result is defined - - '"green" in _result.content or ( "yellow" in _result.content and single_node )' - retries: 24 - delay: 5 - tags: debug - when: - - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] - - - name: Wait for Wazuh indexer API (Private IP) - uri: - url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" - user: "admin" # Default Indexer user is always "admin" - password: "{{ indexer_admin_password }}" - validate_certs: no - status_code: 200,401 - return_content: yes - timeout: 4 - register: _result - until: - - _result is defined - - '"green" in _result.content or ( "yellow" in _result.content and single_node )' - retries: 
24 - delay: 5 - tags: debug - when: - - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] - - - import_tasks: "RMRedHat.yml" - when: ansible_os_family == "RedHat" - - - name: Reload systemd configuration - systemd: - daemon_reload: true - become: yes - notify: restart wazuh-indexer - when: perform_installation diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml deleted file mode 100644 index 6df4de92..00000000 --- a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml +++ /dev/null 
@@ -1,118 +0,0 @@ -- name: Configure IP (Private address) - set_fact: - target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}" - when: - - hostvars[inventory_hostname]['private_ip'] is defined - -- name: Configure IP (Public address) - set_fact: - target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}" - when: - - hostvars[inventory_hostname]['private_ip'] is not defined - -- name: Ensure Indexer certificates directory permissions. - file: - path: "{{ indexer_conf_path }}/certs/" - state: directory - owner: wazuh-indexer - group: wazuh-indexer - mode: 500 - -- name: Copy the node & admin certificates to Wazuh indexer cluster - copy: - src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" - dest: "{{ indexer_conf_path }}/certs/" - owner: wazuh-indexer - group: wazuh-indexer - mode: 0400 - with_items: - - root-ca.pem - - "{{ indexer_node_name }}-key.pem" - - "{{ indexer_node_name }}.pem" - - admin-key.pem - - admin.pem - -- name: Restart Wazuh indexer with security configuration - systemd: - name: wazuh-indexer - state: restarted - -- name: Copy the Opensearch security internal users template - template: - src: "templates/internal_users.yml.j2" - dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" - mode: 0644 - run_once: true - -- block: - - name: Hashing the custom admin password - shell: | - export JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ indexer_admin_password }}' - register: indexer_admin_password_hashed - no_log: '{{ indexer_nolog_sensible | bool }}' - - - name: Set the Admin user password - replace: - path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" - regexp: '(?<=admin:\n hash: )(.*)(?=)' - replace: "{{ indexer_password_hash | quote }}" - vars: - indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" - - # this can also be achieved with password_hash, but it requires 
dependencies on the controller - - name: Hash the kibanaserver role/user pasword - shell: | - export JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ dashboard_password }}' - register: indexer_kibanaserver_password_hashed - no_log: '{{ indexer_nolog_sensible | bool }}' - - - name: Set the kibanaserver user password - replace: - path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" - regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' - replace: "{{ indexer_password_hash | quote }}" - vars: - indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" - - - name: Initialize the Opensearch security index in Wazuh indexer - command: > - sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} - JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/securityadmin.sh - -cd {{ indexer_sec_plugin_conf_path }}/ - -icl -p 9200 -cd {{ indexer_sec_plugin_conf_path }}/ - -nhnv - -cacert {{ indexer_conf_path }}/certs/root-ca.pem - -cert {{ indexer_conf_path }}/certs/admin.pem - -key {{ indexer_conf_path }}/certs/admin-key.pem - -h {{ target_address }} - retries: 2 - delay: 5 - register: result - until: result.rc == 0 - - when: inventory_hostname == ansible_play_hosts[0] - -- name: Create custom user - uri: - url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}" - method: PUT - user: "admin" # Default Indexer user is always "admin" - password: "{{ indexer_admin_password }}" - body: | - { - "password": "{{ indexer_admin_password }}", - "backend_roles": ["{{ indexer_custom_user_role }}"] - } - body_format: json - validate_certs: no - status_code: 200,201,401 - return_content: yes - timeout: 4 - register: result - until: result.status in [200,201,401] - when: - - indexer_custom_user is defined and indexer_custom_user - - inventory_hostname == ansible_play_hosts[0] 
diff --git a/roles/wazuh/wazuh-indexer/templates/config.yml.j2 b/roles/wazuh/wazuh-indexer/templates/config.yml.j2 deleted file mode 100644 index dd565d06..00000000 --- a/roles/wazuh/wazuh-indexer/templates/config.yml.j2 +++ /dev/null @@ -1,33 +0,0 @@ -nodes: - # Indexer server nodes - indexer: -{% for (key,value) in instances.items() %} -{% if (value.role is defined and value.role == 'indexer') %} - - name: {{ value.name }} - ip: {{ value.ip }} -{% endif %} -{% endfor %} - - # Wazuh server nodes - # Use node_type only with more than one Wazuh manager - server: -{% for (key,value) in instances.items() %} -{% if (value.role is defined and value.role == 'wazuh') %} - - name: {{ value.name }} - ip: {{ value.ip }} -{% endif %} -{% if (value.node_type is defined and value.node_type == 'master') %} - node_type: master -{% elif (value.node_type is defined and value.node_type == 'worker') %} - node_type: worker -{% endif %} -{% endfor %} - - # Dashboard node - dashboard: -{% for (key,value) in instances.items() %} -{% if (value.role is defined and value.role == 'dashboard') %} - - name: {{ value.name }} - ip: {{ value.ip }} -{% endif %} -{% endfor %} diff --git a/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2 b/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2 deleted file mode 100644 index ccfefab1..00000000 --- a/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2 +++ /dev/null @@ -1,4 +0,0 @@ -## JVM configuration - -## Disable log4j --Dlog4j2.formatMsgNoLookups=true \ No newline at end of file diff --git a/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2 b/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2 deleted file mode 100644 index e00ebe01..00000000 --- a/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2 +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -_meta: - type: "internalusers" - config_version: 2 - -# Define your internal users here - -admin: - hash: "{{ indexer_admin_password }}" - reserved: true - backend_roles: - - "admin" - description: "admin user" - -kibanaserver: - hash: "{{ dashboard_password }}" - reserved: true - description: "kibanaserver user" diff --git a/roles/wazuh/wazuh-indexer/templates/jvm.options.j2 b/roles/wazuh/wazuh-indexer/templates/jvm.options.j2 deleted file mode 100644 index 74c01054..00000000 --- a/roles/wazuh/wazuh-indexer/templates/jvm.options.j2 +++ /dev/null 
@@ -1,94 +0,0 @@ -## JVM configuration - -################################################################ -## IMPORTANT: JVM heap size -################################################################ -## -## You should always set the min and max JVM heap -## size to the same value. For example, to set -## the heap to 4 GB, set: -## -## -Xms4g -## -Xmx4g -## -## -################################################################ - -# Xms represents the initial size of total heap space -# Xmx represents the maximum size of total heap space - -{% if indexer_jvm_xms is not none %} -{% if indexer_jvm_xms < 32000 %} --Xms{{ indexer_jvm_xms }}m - --Xmx{{ indexer_jvm_xms }}m -{% else %} --Xms32000m - --Xmx32000m -{% endif %} -{% else %} --Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} - --Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} -{% endif %} - - -################################################################ -## Expert settings -################################################################ -## -## All settings below this section are considered -## expert settings. 
Don't tamper with them unless -## you understand what you are doing -## -################################################################ - -## GC configuration -8-13:-XX:+UseConcMarkSweepGC -8-13:-XX:CMSInitiatingOccupancyFraction=75 -8-13:-XX:+UseCMSInitiatingOccupancyOnly - -## G1GC Configuration -# NOTE: G1 GC is only supported on JDK version 10 or later -# to use G1GC, uncomment the next two lines and update the version on the -# following three lines to your version of the JDK -# 10-13:-XX:-UseConcMarkSweepGC -# 10-13:-XX:-UseCMSInitiatingOccupancyOnly -14-:-XX:+UseG1GC -14-:-XX:G1ReservePercent=25 -14-:-XX:InitiatingHeapOccupancyPercent=30 - -## JVM temporary directory --Djava.io.tmpdir=${OPENSEARCH_TMPDIR} - -## heap dumps - -# generate a heap dump when an allocation from the Java heap fails -# heap dumps are created in the working directory of the JVM --XX:+HeapDumpOnOutOfMemoryError - -# specify an alternative path for heap dumps; ensure the directory exists and -# has sufficient space --XX:HeapDumpPath=data - -# specify an alternative path for JVM fatal error logs --XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log - -## JDK 8 GC logging -8:-XX:+PrintGCDetails -8:-XX:+PrintGCDateStamps -8:-XX:+PrintTenuringDistribution -8:-XX:+PrintGCApplicationStoppedTime -8:-Xloggc:/var/log/wazuh-indexer/gc.log -8:-XX:+UseGCLogFileRotation -8:-XX:NumberOfGCLogFiles=32 -8:-XX:GCLogFileSize=64m - -# JDK 9+ GC logging -9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m - -## Opensearch Performance Analyzer --Dclk.tck=100 --Djdk.attach.allowAttachSelf=true --Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy diff --git a/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 b/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 deleted file mode 100644 index c5ecd3cb..00000000 
--- a/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2
+++ /dev/null
@@ -1,56 +0,0 @@
-network.host: {{ indexer_network_host }}
-node.name: {{ indexer_node_name }}
-{% if single_node == true %}
-discovery.type: single-node
-{% else %}
-cluster.initial_cluster_manager_nodes:
-{% for item in indexer_cluster_nodes %}
- - {{ item }}
-{% endfor %}
-
-discovery.seed_hosts:
-{% for item in indexer_discovery_nodes %}
- - {{ item }}
-{% endfor %}
-{% endif %}
-
-cluster.name: {{ indexer_cluster_name }}
-
-http.port: 9200-9299
-transport.tcp.port: 9300-9399
-node.max_local_storage_nodes: "3"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
-
-
-###############################################################################
-# #
-# WARNING: Demo certificates set up in this file. #
-# Please change on production cluster! #
-# #
-###############################################################################
-
-plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem
-plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem
-plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem
-plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem
-plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-
-plugins.security.authcz.admin_dn:
-- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
-{% for (key,value) in instances.items() %}
-- "CN={{ value.name }},OU=Wazuh,O=Wazuh,L=California,C=US"
-{% endfor %}
-plugins.security.restapi.roles_enabled:
-- "all_access"
-- "security_rest_api_access"
-
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
diff --git a/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2 b/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2
deleted file mode 100644
index 67ab5470..00000000
--- a/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2
+++ /dev/null
@@ -1,47 +0,0 @@
-ca:
- root:
- dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
- keysize: 2048
- validityDays: 730
- pkPassword: none
- file: root-ca.pem
-
-### Default values and global settings
-defaults:
- validityDays: 730
- pkPassword: none
- # Set this to true in order to generate config and certificates for
- # the HTTP interface of nodes
- httpsEnabled: true
- reuseTransportCertificatesForHttp: false
- verifyHostnames: false
- resolveHostnames: false
-
-###
-### Nodes
-###
-#
-# Specify the nodes of your ES cluster here
-#
-nodes:
-{% for (key,value) in instances.items() %}
-{% if (value.ip is defined and value.ip | length > 0) %}
- - name: {{ value.name }}
- dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
- dns: {{ value.name }}.{{ domain_name }}
- ip: {{ value.ip }}
-{% endif %}
-{% endfor %}
-###
-### Clients
-###
-#
-# Specify the clients that shall access your ES cluster with certificate authentication here
-#
-# At least one client must be an admin user (i.e., a super-user). Admin users can
-# be specified with the attribute admin: true
-#
-clients:
- - name: admin
- dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
- admin: true
diff --git a/wazuh-agent.yml b/wazuh-agent.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/wazuh-aio.yml b/wazuh-aio.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/wazuh-distributed.yml b/wazuh-distributed.yml
new file mode 100644
index 00000000..e69de29b