Migrate Wazuh Ansibles Roles

provisioning/playbooks/wazuh_environment.yaml

@@ -1,7 +1,7 @@
 # Certificates generation
 - hosts: wi1
   roles:
-    - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer"
+    - role: "../roles/wazuh/wazuh-indexer"
       indexer_network_host: "{{ private_ip }}"
       perform_installation: false
   become: true
@@ -13,7 +13,7 @@
 # Wazuh indexer cluster
 - hosts: wi_cluster
   roles:
-    - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer"
+    - role: "../roles/wazuh/wazuh-indexer"
       indexer_network_host: "{{ private_ip }}"
   become: true
   become_user: root
@@ -22,21 +22,21 @@
 
 - hosts: manager
   roles:
-    - role: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-manager"
+    - role: "../roles/wazuh/ansible-wazuh-manager"
   become: true
   become_user: root
 
 - hosts: filebeat
   roles:
-    - role: "{{ wazuh_ansible_roles }}/wazuh/ansible-filebeat-oss"
+    - role: "../roles/wazuh/ansible-filebeat-oss"
   become: true
   become_user: root
 
 # Indexer + dashboard node
 - hosts: dashboard
   roles:
-    - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-indexer"
-    - role: "{{ wazuh_ansible_roles }}/wazuh/wazuh-dashboard"
+    - role: "../roles/wazuh/wazuh-indexer"
+    - role: "../roles/wazuh/wazuh-dashboard"
   become: true
   become_user: root
   vars:
@@ -62,10 +62,10 @@
           become: true
           become_user: root
           import_role:
-            name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent"
+            name: "../roles/wazuh/ansible-wazuh-agent"
           when: ansible_os_family != "Windows"
 
         - name: Install Windows based agents
           import_role:
-            name: "{{ wazuh_ansible_roles }}/wazuh/ansible-wazuh-agent"
+            name: "../roles/wazuh/ansible-wazuh-agent"
           when: ansible_os_family == "Windows"

provisioning/roles/wazuh/ansible-filebeat-oss/README.md

@@ -0,0 +1,38 @@
+Ansible Role: Filebeat for Elastic Stack
+------------------------------------
+
+An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server).
+
+Requirements
+------------
+
+This role will work on:
+ * Red Hat
+ * CentOS
+ * Fedora
+ * Debian
+ * Ubuntu
+
+Role Variables
+--------------
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+```
+  filebeat_output_indexer_hosts:
+    - "localhost:9200"
+
+```
+
+License and copyright
+---------------------
+
+WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3)
+
+### Based on previous work from geerlingguy
+
+ - https://github.com/geerlingguy/ansible-role-filebeat
+
+### Modified by Wazuh
+
+The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

provisioning/roles/wazuh/ansible-filebeat-oss/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+filebeat_version: 7.10.2
+
+wazuh_template_branch: 4.8.0
+
+filebeat_node_name: node-1
+
+filebeat_output_indexer_hosts:
+  - "localhost:9200"
+
+filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+filebeat_module_package_name: wazuh-filebeat-0.2.tar.gz
+filebeat_module_package_path: /tmp/
+filebeat_module_destination: /usr/share/filebeat/module
+filebeat_module_folder: /usr/share/filebeat/module/wazuh
+indexer_security_user: admin
+indexer_security_password: changeme
+# Security plugin
+filebeat_security: true
+filebeat_ssl_dir: /etc/pki/filebeat
+
+# Local path to store the generated certificates (Opensearch security plugin)
+local_certs_path: "{{ playbook_dir }}/indexer/certificates"
+
+filebeatrepo:
+  apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+  yum: 'https://packages.wazuh.com/4.x/yum/'
+  gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+  key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'

provisioning/roles/wazuh/ansible-filebeat-oss/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: restart filebeat
+  service: name=filebeat state=restarted

provisioning/roles/wazuh/ansible-filebeat-oss/meta/main.yml

@@ -0,0 +1,29 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: Wazuh
+  description: Installing and maintaining Filebeat-oss.
+  company: wazuh.com
+  license: license (GPLv3)
+  min_ansible_version: 2.0
+  platforms:
+    - name: EL
+      versions:
+        - 6
+        - 7
+    - name: Fedora
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - jessie
+    - name: Ubuntu
+      versions:
+        - precise
+        - trusty
+        - xenial
+  galaxy_tags:
+    - web
+    - system
+    - monitoring

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml

@@ -0,0 +1,23 @@
+---
+- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - acl
+    state: present
+  register: filebeat_ca_packages_install
+  until: filebeat_ca_packages_install is succeeded
+
+- name: Debian/Ubuntu | Add Elasticsearch apt key.
+  apt_key:
+    url: "{{ filebeatrepo.gpg }}"
+    id: "{{ filebeatrepo.key_id }}"
+    state: present
+
+- name: Debian/Ubuntu | Add Filebeat-oss repository.
+  apt_repository:
+    repo: "{{ filebeatrepo.apt }}"
+    state: present
+    update_cache: true
+  changed_when: false

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml

@@ -0,0 +1,6 @@
+---
+- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata)
+  apt_repository:
+    repo: "{{ filebeatrepo.apt }}"
+    state: absent
+  changed_when: false

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml

@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata)
+  yum_repository:
+    name: wazuh_repo
+    state: absent
+  changed_when: false

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml

@@ -0,0 +1,9 @@
+---
+- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo
+  yum_repository:
+    name: wazuh_repo
+    description: Wazuh Repo
+    baseurl: "{{ filebeatrepo.yum }}"
+    gpgkey: "{{ filebeatrepo.gpg }}"
+    gpgcheck: true
+  changed_when: false

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/config.yml

@@ -0,0 +1,22 @@
+---
+- block:
+  - name: Copy Filebeat configuration.
+    template:
+      src: filebeat.yml.j2
+      dest: "/etc/filebeat/filebeat.yml"
+      owner: root
+      group: root
+      mode: 0400
+    notify: restart filebeat
+
+  - name: Fetch latest Wazuh alerts template
+    get_url:
+      url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json
+      dest: "/etc/filebeat/wazuh-template.json"
+      owner: root
+      group: root
+      mode: 0400
+    notify: restart filebeat
+
+  tags:
+  - configure

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+- include_tasks: RedHat.yml
+  when: ansible_os_family == 'RedHat'
+
+- include_tasks: Debian.yml
+  when: ansible_os_family == 'Debian'
+
+- name: Install Filebeat | Redhat
+  yum:
+    name: "filebeat-{{ filebeat_version }}"
+    state: present
+  register: install
+  tags:
+  - install
+  - init
+  when: ansible_os_family == 'RedHat'
+
+- name: Install Filebeat | Debian
+  apt:
+    name: "filebeat={{ filebeat_version }}"
+    state: present
+  register: install
+  tags:
+  - install
+  - init
+  when: ansible_os_family == 'Debian'
+
+- name: Checking if Filebeat Module folder file exists
+  stat:
+    path: "{{ filebeat_module_folder }}"
+  register: filebeat_module_folder
+
+- name: Download Filebeat module package
+  get_url:
+    url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}"
+    dest: "{{ filebeat_module_package_path }}"
+  when: not filebeat_module_folder.stat.exists
+
+- name: Unpack Filebeat module package
+  unarchive:
+    src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+    dest: "{{ filebeat_module_destination }}"
+    remote_src: yes
+  when: not filebeat_module_folder.stat.exists
+
+- name: Setting 0755 permission for Filebeat module folder
+  file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes
+  when: not filebeat_module_folder.stat.exists
+
+- name: Checking if Filebeat Module package file exists
+  stat:
+    path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+  register: filebeat_module_package
+  when: filebeat_module_package is not defined
+
+- name: Delete Filebeat module package file
+  file:
+    state: absent
+    path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}"
+  when: filebeat_module_package.stat.exists
+
+- import_tasks: config.yml
+  notify: restart filebeat
+
+- include_tasks: security_actions.yml
+  when: filebeat_security
+
+- name: Ensure Filebeat is started and enabled at boot.
+  service:
+    name: filebeat
+    state: started
+    enabled: true
+
+- include_tasks: "RMRedHat.yml"
+  when: ansible_os_family == "RedHat"
+
+- include_tasks: "RMDebian.yml"
+  when: ansible_os_family == "Debian"

provisioning/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml

@@ -0,0 +1,26 @@
+- block:
+
+  - name: Ensure Filebeat SSL key pair directory exists.
+    file:
+      path: "{{ filebeat_ssl_dir }}"
+      state: directory
+      owner: root
+      group: root
+      mode: 500
+
+  - name: Copy the certificates from local to the Manager instance
+    copy:
+      src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}"
+      dest: "{{ filebeat_ssl_dir }}"
+      owner: root
+      group: root
+      mode: 400
+    with_items:
+      - "{{ filebeat_node_name }}-key.pem"
+      - "{{ filebeat_node_name }}.pem"
+      - "root-ca.pem"
+
+  tags:
+  - security
+  when:
+  - filebeat_security

provisioning/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2

@@ -0,0 +1,42 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+# Send events directly to Wazuh indexer
+output.elasticsearch:
+  hosts:
+{% for item in filebeat_output_indexer_hosts %}
+  - {{ item }}
+{% endfor %}
+
+{% if filebeat_security %}
+  username: {{ indexer_security_user }}
+  password: "{{ indexer_security_password }}"
+  protocol: https
+  ssl.certificate_authorities:
+    - {{ filebeat_ssl_dir }}/root-ca.pem
+  ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
+  ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
+{% endif %}
+
+# Optional. Send events to Logstash instead of Wazuh indexer
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
+
+logging.metrics.enabled: false
+
+seccomp:
+  default_action: allow
+  syscalls:
+  - action: allow
+    names:
+    - rseq