diff --git a/roles/wazuh/wazuh-indexer/handlers/main.yml b/roles/wazuh/wazuh-indexer/handlers/main.yml index 0c463d0e6..087f13015 100644 --- a/roles/wazuh/wazuh-indexer/handlers/main.yml +++ b/roles/wazuh/wazuh-indexer/handlers/main.yml @@ -1,5 +1,5 @@ --- -- name: restart wazuh-indexer - service: +- name: Restart wazuh-indexer + ansible.builtin.service: name: wazuh-indexer state: restarted diff --git a/roles/wazuh/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml index a0c7329f3..9d4e0d37a 100644 --- a/roles/wazuh/wazuh-indexer/tasks/Debian.yml +++ b/roles/wazuh/wazuh-indexer/tasks/Debian.yml 
@@ -1,48 +1,46 @@ - --- - - name: Update cache - apt: - update_cache: yes + ansible.builtin.apt: + update_cache: true - name: Debian 9 (Stretch) when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9") block: - - name: Install Wazuh indexer dependencies - apt: + ansible.builtin.apt: name: [ - 'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common + 'unzip', 'wget', 'curl', 'apt-transport-https', 'software-properties-common' ] state: present - name: Add Wazuh indexer repository block: - name: Add apt repository signing key - get_url: + ansible.builtin.get_url: url: "{{ wazuh_repo.gpg }}" dest: "{{ wazuh_repo.path }}" + mode: "0644" - name: Import Wazuh repository GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" + ansible.builtin.command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" args: creates: "{{ wazuh_repo.keyring_path }}" - name: Set permissions for Wazuh repository GPG key - file: + ansible.builtin.file: path: "{{ wazuh_repo.keyring_path }}" - mode: '0644' + mode: "0644" - name: Add Wazuh indexer repository - apt_repository: + ansible.builtin.apt_repository: repo: "{{ wazuh_repo.apt }}" state: present - filename: 'wazuh-indexer' - update_cache: yes + filename: "wazuh-indexer" + update_cache: true - name: Install Wazuh indexer - apt: + ansible.builtin.apt: name: wazuh-indexer={{ indexer_version }}-1 state: present register: install - tags: install \ No newline at end of file + tags: install diff --git a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml index d4e79892b..929e58321 100644 --- a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml +++ b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml 
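Review bot: The repository signing key fetched by `Add apt repository signing key` still has no integrity pin, so the trust anchor behind every later apt signature check is whatever `wazuh_repo.gpg` serves at run time; the hunk only adds `mode`. Adding `checksum: "sha256:<EXPECTED_KEY_SHA256>"` (placeholder, to be kept next to the URL where `wazuh_repo` is defined) to the `ansible.builtin.get_url` task makes the play fail on a swapped key instead of importing it. The same gap exists for `Download certificates generation tool` in local_actions.yml, which fetches a script and then runs it with bash on the controller. Separately, the `creates:` guard on `Import Wazuh repository GPG key` means a rotated key file is never re-imported once the keyring exists; a one-line comment such as `# keyring is only built once; delete it to pick up a new key` would save the next maintainer a surprise.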
@@ -1,6 +1,6 @@ --- - name: RedHat/CentOS/Fedora | Remove Wazuh indexer repository (and clean up left-over metadata) - yum_repository: + ansible.builtin.yum_repository: name: wazuh_repo state: absent changed_when: false diff --git a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml index 591752137..2c256b095 100644 --- a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml +++ b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml 
@@ -1,56 +1,54 @@ --- -- block: - - - name: RedHat/CentOS/Fedora | Add Wazuh indexer repo - yum_repository: - name: wazuh_repo - description: Wazuh yum repository - baseurl: "{{ wazuh_repo.yum }}" - gpgkey: "{{ wazuh_repo.gpg }}" - gpgcheck: true - changed_when: false - - - - - name: Amazon Linux | Configure system settings - block: - - name: Install Amazon extras in Amazon Linux 2 - yum: - name: amazon-linux-extras - state: present - when: - - ansible_distribution == 'Amazon' - - ansible_distribution_major_version == '2' - - - name: Configure vm.max_map_count - lineinfile: - line: "vm.max_map_count=262144" - dest: "/etc/sysctl.conf" - insertafter: EOF - create: true - become: yes - - - name: Update vm.max_map_count - shell: sysctl -p - become: yes - - when: - - ansible_distribution == 'Amazon' - - - name: RedHat/CentOS/Fedora | Install Indexer dependencies - yum: - name: "{{ packages }}" - vars: - packages: - - wget - - unzip - - - name: Install Wazuh indexer - package: - name: wazuh-indexer-{{ indexer_version }} - state: present - register: install - tags: install - +- name: Redhat install tags: - - install + - install + block: + - name: RedHat/CentOS/Fedora | Add Wazuh indexer repo + ansible.builtin.yum_repository: + name: wazuh_repo + description: Wazuh yum repository + baseurl: "{{ wazuh_repo.yum }}" + gpgkey: "{{ wazuh_repo.gpg }}" + gpgcheck: true + changed_when: false + + - name: Amazon Linux | Configure system settings + when: + - ansible_distribution == 'Amazon' + block: + - name: Install Amazon extras in Amazon Linux 2 + ansible.builtin.yum: + name: amazon-linux-extras + state: present + when: + - ansible_distribution == 'Amazon' + - ansible_distribution_major_version == '2' + + - name: Configure vm.max_map_count + ansible.builtin.lineinfile: + line: "vm.max_map_count=262144" + dest: "/etc/sysctl.conf" + mode: "0644" + insertafter: EOF + create: true + become: true + + - name: Update vm.max_map_count + ansible.builtin.command: sysctl -p + become: true + 
changed_when: false + + - name: RedHat/CentOS/Fedora | Install Indexer dependencies + ansible.builtin.yum: + name: "{{ packages }}" + vars: + packages: + - wget + - unzip + + - name: Install Wazuh indexer + ansible.builtin.package: + name: wazuh-indexer-{{ indexer_version }} + state: present + register: install + tags: install diff --git a/roles/wazuh/wazuh-indexer/tasks/local_actions.yml b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml index b5575a2b6..25fa31f2d 100644 --- a/roles/wazuh/wazuh-indexer/tasks/local_actions.yml +++ b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml 
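Review bot: `Update vm.max_map_count` now carries `changed_when: false`, but `sysctl -p` does apply the file to the running kernel, and because the preceding `lineinfile` result is not registered it is executed on every run regardless of whether anything was written. Registering the lineinfile (`register: sysctl_conf`) and gating the command with `when: sysctl_conf.changed` keeps the play honest about what changed and skips the reload when nothing did. Two smaller points in the same block: `Install Amazon extras in Amazon Linux 2` repeats `ansible_distribution == 'Amazon'` that the enclosing block's `when` already enforces (only the major-version test is needed there), and `tags: install` on `Install Wazuh indexer` is redundant now that the `Redhat install` block sets `tags: - install` for all its tasks.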
@@ -1,78 +1,79 @@ --- - name: Check if certificates already exists - stat: + ansible.builtin.stat: path: "{{ local_certs_path }}" register: certificates_folder delegate_to: localhost - become: no + become: false tags: - generate-certs +- name: Generate certificates if certificates folder is missing + run_once: true + delegate_to: localhost + become: false + tags: + - generate-certs + when: + - not certificates_folder.stat.exists + block: + - name: Local action | Create local temporary directory for certificates generation + ansible.builtin.file: + path: "{{ local_certs_path }}" + mode: "0755" + state: directory -- block: - - - name: Local action | Create local temporary directory for certificates generation - file: - path: "{{ local_certs_path }}" - mode: 0755 - state: directory - - - name: Local action | Check that the generation tool exists - stat: - path: "{{ local_certs_path }}/wazuh-certs-tool.sh" - register: tool_package - - - name: Local action | Download certificates generation tool - get_url: - url: "{{ certs_gen_tool_url }}" - dest: "{{ local_certs_path }}/wazuh-certs-tool.sh" - when: not tool_package.stat.exists and not macos_localhost + - name: Local action | Check that the generation tool exists + ansible.builtin.stat: + path: "{{ local_certs_path }}/wazuh-certs-tool.sh" + register: tool_package - - name: Local action | Prepare the certificates generation template file - template: - src: "templates/config.yml.j2" - dest: "{{ local_certs_path }}/config.yml" - mode: 0644 - register: tlsconfig_template + - name: Local action | Download certificates generation tool + ansible.builtin.get_url: + url: "{{ certs_gen_tool_url }}" + dest: "{{ local_certs_path }}/wazuh-certs-tool.sh" + mode: "0755" + when: not tool_package.stat.exists and not macos_localhost - - name: Local action | Generate the node & admin certificates in local - command: >- - bash {{ local_certs_path }}/wazuh-certs-tool.sh -A - when: not macos_localhost + - name: Local action | Prepare the 
certificates generation template file + ansible.builtin.template: + src: "templates/config.yml.j2" + dest: "{{ local_certs_path }}/config.yml" + mode: "0644" + register: tlsconfig_template - - name: Local action | Check for Docker installation on macOS - command: docker --version - register: docker_check - when: macos_localhost - ignore_errors: yes + - name: Local action | Generate the node & admin certificates in local + ansible.builtin.command: >- + bash {{ local_certs_path }}/wazuh-certs-tool.sh -A + changed_when: false + when: not macos_localhost - - name: Local action | Fail if Docker is not installed - fail: - msg: "Docker is not installed on this host." - when: (docker_check.rc | default(1)) != 0 and macos_localhost + - name: Local action | Check for Docker installation on macOS + ansible.builtin.command: docker --version + register: docker_check + changed_when: false + when: macos_localhost + ignore_errors: true - - name: Local action | Run Docker container on macOS - community.docker.docker_container: - name: wazuh-cert-tool - image: "{{ wazuh_certs_tool_docker }}" - state: started - auto_remove: true - volumes: - - "{{ local_certs_path }}/config.yml:/config/certs.yml" - - "{{ local_certs_path }}/wazuh-certificates/:/certificates/" - when: macos_localhost + - name: Local action | Fail if Docker is not installed + ansible.builtin.fail: + msg: "Docker is not installed on this host." 
+ when: (docker_check.rc | default(1)) != 0 and macos_localhost - - name: Local action | Remove Docker image after execution - community.docker.docker_image: - name: "{{ wazuh_certs_tool_docker }}" - state: absent - force_absent: yes - when: macos_localhost + - name: Local action | Run Docker container on macOS + community.docker.docker_container: + name: wazuh-cert-tool + image: "{{ wazuh_certs_tool_docker }}" + state: started + auto_remove: true + volumes: + - "{{ local_certs_path }}/config.yml:/config/certs.yml" + - "{{ local_certs_path }}/wazuh-certificates/:/certificates/" + when: macos_localhost - run_once: true - delegate_to: localhost - become: no - tags: - - generate-certs - when: - - not certificates_folder.stat.exists + - name: Local action | Remove Docker image after execution + community.docker.docker_image: + name: "{{ wazuh_certs_tool_docker }}" + state: absent + force_absent: true + when: macos_localhost diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml index 48034ae6a..63c475c2c 100644 --- a/roles/wazuh/wazuh-indexer/tasks/main.yml +++ b/roles/wazuh/wazuh-indexer/tasks/main.yml 
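Review bot: `Generate the node & admin certificates in local` is marked `changed_when: false`, yet its only purpose is to create the certificate set under `local_certs_path`, and the enclosing block runs only when that folder is missing, so the task changes something every time it executes. Replacing the flag with `args: creates: "{{ local_certs_path }}/wazuh-certificates"` reports the change correctly and also makes a re-run safe if the block condition is ever relaxed. The temporary directory is created with `mode: "0755"` although the CA and admin private keys are written beneath it; the key files' own modes depend on the generation tool, but `"0700"` on the parent limits exposure on a shared controller. For `Check for Docker installation on macOS`, `failed_when: false` expresses the intent more precisely than `ignore_errors: true`, since the following `fail` task is what decides the outcome.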
@@ -1,29 +1,38 @@ --- -- include_vars: ../../vars/repo_vars.yml +- name: Include repo vars + ansible.builtin.include_vars: ../../vars/repo_vars.yml -- include_vars: ../../vars/repo.yml +- name: Include repo vars (production) + ansible.builtin.include_vars: ../../vars/repo.yml when: packages_repository == 'production' -- include_vars: ../../vars/repo_pre-release.yml +- name: Include repo vars (pre-release) + ansible.builtin.include_vars: ../../vars/repo_pre-release.yml when: packages_repository == 'pre-release' -- include_vars: ../../vars/repo_staging.yml +- name: Include repo vars (staging) + ansible.builtin.include_vars: ../../vars/repo_staging.yml when: packages_repository == 'staging' -- import_tasks: local_actions.yml +- name: Import local actions tasks + ansible.builtin.import_tasks: local_actions.yml when: - generate_certs -- block: - - import_tasks: RedHat.yml +- name: Perform installation + when: perform_installation + block: + - name: Import RedHat tasks + ansible.builtin.import_tasks: RedHat.yml when: ansible_os_family == 'RedHat' - - import_tasks: Debian.yml + - name: Import Debian tasks + ansible.builtin.import_tasks: Debian.yml when: ansible_os_family == 'Debian' - name: Remove performance analyzer plugin from Wazuh indexer become: true - command: ./opensearch-plugin remove opensearch-performance-analyzer + ansible.builtin.command: ./opensearch-plugin remove opensearch-performance-analyzer ignore_errors: true args: chdir: /usr/share/wazuh-indexer/bin/ 
@@ -34,65 +43,66 @@ changed_when: "remove_opensearch_performance_analyzer.rc == 0" - name: Remove Opensearch configuration file - file: + ansible.builtin.file: path: "{{ indexer_conf_path }}/opensearch.yml" state: absent + mode: "0644" tags: install - name: Copy Opensearch Configuration File - template: + ansible.builtin.template: src: "templates/opensearch.yml.j2" dest: "{{ indexer_conf_path }}/opensearch.yml" owner: root group: wazuh-indexer - mode: 0640 + mode: "0640" force: yes tags: install - - include_tasks: security_actions.yml + - name: Include security actions + ansible.builtin.include_tasks: security_actions.yml tags: - security - - name: Configure Wazuh indexer JVM memmory. - template: + ansible.builtin.template: src: "templates/jvm.options.j2" dest: "{{ indexer_conf_path }}/jvm.options" owner: root group: wazuh-indexer - mode: 0644 - force: yes - notify: restart wazuh-indexer + mode: "0644" + force: true + notify: Restart wazuh-indexer tags: install - name: Ensure extra time for Wazuh indexer to start on reboots - lineinfile: + ansible.builtin.lineinfile: path: /usr/lib/systemd/system/wazuh-indexer.service regexp: '^TimeoutStartSec=' line: "TimeoutStartSec={{ indexer_start_timeout }}" - become: yes + become: true tags: configure - name: Index files to remove - find: + ansible.builtin.find: paths: "{{ indexer_index_path }}" patterns: "*" register: files_to_delete - name: Remove Index Files - file: + ansible.builtin.file: path: "{{ item.path }}" state: absent with_items: "{{ files_to_delete.files }}" - name: Ensure Wazuh indexer started and enabled - service: + ansible.builtin.service: name: wazuh-indexer enabled: true state: started - name: Wait for Wazuh indexer API - uri: + ansible.builtin.uri: url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" user: "admin" # Default Indexer user is always "admin" password: "{{ indexer_admin_password }}" 
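Review bot: `mode: "0644"` added to `Remove Opensearch configuration file` has no effect, because the task sets `state: absent` and there is no file left to apply a mode to; it looks like a lint appeasement and should be dropped rather than kept as a misleading attribute. Within the same hunk, `Copy Opensearch Configuration File` still reads `force: yes` while every other boolean in the commit was normalised to `true`/`false`; `force: true` keeps the file consistent. The `Wait for Wazuh indexer API` task passes `indexer_admin_password` to `uri`; its remaining parameters are outside the hunk, so I cannot tell whether `no_log` is set there, which is worth confirming.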
@@ -111,7 +121,7 @@ - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] - name: Wait for Wazuh indexer API (Private IP) - uri: + ansible.builtin.uri: url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" user: "admin" # Default Indexer user is always "admin" password: "{{ indexer_admin_password }}" @@ -129,12 +139,12 @@ when: - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] - - import_tasks: "RMRedHat.yml" + - name: Import RMRedHat tasks + ansible.builtin.import_tasks: "RMRedHat.yml" when: ansible_os_family == "RedHat" - name: Reload systemd configuration - systemd: + ansible.builtin.systemd: daemon_reload: true - become: yes - notify: restart wazuh-indexer - when: perform_installation + become: true + notify: Restart wazuh-indexer diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml index 8d4f8797d..e09382ab8 100644 --- a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml +++ b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml 
@@ -1,30 +1,30 @@ - name: Configure IP (Private address) - set_fact: + ansible.builtin.set_fact: target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}" when: - hostvars[inventory_hostname]['private_ip'] is defined - name: Configure IP (Public address) - set_fact: + ansible.builtin.set_fact: target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}" when: - hostvars[inventory_hostname]['private_ip'] is not defined - name: Ensure Indexer certificates directory permissions. - file: + ansible.builtin.file: path: "{{ indexer_conf_path }}/certs/" state: directory owner: wazuh-indexer group: wazuh-indexer - mode: 500 + mode: "0500" - name: Copy the node & admin certificates to Wazuh indexer cluster - copy: + ansible.builtin.copy: src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" dest: "{{ indexer_conf_path }}/certs/" owner: wazuh-indexer group: wazuh-indexer - mode: 0400 + mode: "0400" with_items: - root-ca.pem - root-ca.key 
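Review bot: `Copy the node & admin certificates to Wazuh indexer cluster` distributes `root-ca.key` to every indexer node alongside the node and admin material. From what is visible in this role the nodes need only `root-ca.pem` to validate peers and `admin.pem`/`admin-key.pem` for securityadmin; the CA private key is needed on the controller to mint certificates, not on the cluster members. Unless something outside this hunk consumes it on the node, removing `root-ca.key` from the `with_items` list shrinks the blast radius of a compromised indexer host; if it must stay, a comment stating why would help. The `"0500"` quoting on the certs directory is a real fix (the old bare `500` was read as decimal), so nothing to add there.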
@@ -34,70 +34,73 @@ - admin.pem - name: Restart Wazuh indexer with security configuration - systemd: + ansible.builtin.systemd: name: wazuh-indexer state: restarted - name: Copy the Opensearch security internal users template - template: + ansible.builtin.template: src: "templates/internal_users.yml.j2" dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" mode: 0644 run_once: true -- block: - - name: Hashing the custom admin password - shell: | - export JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ indexer_admin_password }}' - register: indexer_admin_password_hashed - no_log: '{{ indexer_nolog_sensible | bool }}' - - - name: Set the Admin user password - replace: - path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" - regexp: '(?<=admin:\n hash: )(.*)(?=)' - replace: "{{ indexer_password_hash | quote }}" - vars: - indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" +- name: Configure security (on first play host) + when: inventory_hostname == ansible_play_hosts[0] + block: + - name: Hashing the custom admin password + ansible.builtin.shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ indexer_admin_password }}' + register: indexer_admin_password_hashed + changed_when: false + no_log: '{{ indexer_nolog_sensible | bool }}' - # this can also be achieved with password_hash, but it requires dependencies on the controller - - name: Hash the kibanaserver role/user pasword - shell: | - export JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ dashboard_password }}' - register: indexer_kibanaserver_password_hashed - no_log: '{{ indexer_nolog_sensible | bool }}' + - name: Set the Admin user password + ansible.builtin.replace: + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=admin:\n hash: )(.*)(?=)' + replace: "{{ indexer_password_hash | quote }}" + vars: 
+ indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" - - name: Set the kibanaserver user password - replace: - path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" - regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' - replace: "{{ indexer_password_hash | quote }}" - vars: - indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" + # this can also be achieved with password_hash, but it requires dependencies on the controller + - name: Hash the kibanaserver role/user pasword + ansible.builtin.shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ dashboard_password }}' + register: indexer_kibanaserver_password_hashed + changed_when: false + no_log: '{{ indexer_nolog_sensible | bool }}' - - name: Initialize the Opensearch security index in Wazuh indexer - command: > - sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} - JAVA_HOME=/usr/share/wazuh-indexer/jdk - {{ indexer_sec_plugin_tools_path }}/securityadmin.sh - -cd {{ indexer_sec_plugin_conf_path }}/ - -icl -p 9200 -cd {{ indexer_sec_plugin_conf_path }}/ - -nhnv - -cacert {{ indexer_conf_path }}/certs/root-ca.pem - -cert {{ indexer_conf_path }}/certs/admin.pem - -key {{ indexer_conf_path }}/certs/admin-key.pem - -h {{ target_address }} - retries: 2 - delay: 5 - register: result - until: result.rc == 0 + - name: Set the kibanaserver user password + ansible.builtin.replace: + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' + replace: "{{ indexer_password_hash | quote }}" + vars: + indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" - when: inventory_hostname == ansible_play_hosts[0] + - name: Initialize the Opensearch security index in Wazuh indexer + ansible.builtin.command: > + sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} + JAVA_HOME=/usr/share/wazuh-indexer/jdk 
+ {{ indexer_sec_plugin_tools_path }}/securityadmin.sh + -cd {{ indexer_sec_plugin_conf_path }}/ + -icl -p 9200 -cd {{ indexer_sec_plugin_conf_path }}/ + -nhnv + -cacert {{ indexer_conf_path }}/certs/root-ca.pem + -cert {{ indexer_conf_path }}/certs/admin.pem + -key {{ indexer_conf_path }}/certs/admin-key.pem + -h {{ target_address }} + retries: 2 + delay: 5 + register: result + changed_when: false + until: result.rc == 0 - name: Create custom user - uri: + ansible.builtin.uri: url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}" method: PUT user: "admin" # Default Indexer user is always "admin" @@ -115,5 +118,3 @@ when: - indexer_custom_user is defined and indexer_custom_user - inventory_hostname == ansible_play_hosts[0] - -
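Review bot: `Hashing the custom admin password` and `Hash the kibanaserver role/user pasword` still pass the clear-text password as a shell argument to `hash.sh -p`; `no_log` hides it from Ansible output only, while the process listing and any process-accounting or audit log on the node see it for the duration of the call. Passing it through the task's `environment:` keyword and the hasher's environment-variable option (the OpenSearch hasher supports one on the releases I know of; confirm for the bundled version) keeps it off the command line. `Copy the Opensearch security internal users template` is the one task left with an unquoted `mode: 0644` (it works as octal, but is inconsistent with the rest of the commit) and that file holds the freshly written hashes. `Initialize the Opensearch security index in Wazuh indexer` now reports `changed_when: false` even though it uploads the security configuration into the cluster; a comment explaining that choice, and why `-nhnv` (no hostname verification) is acceptable against `target_address`, would make the intent reviewable.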