diff --git a/CHANGELOG.md b/CHANGELOG.md index 2eafec89..380909c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Chef v4.0.1 + +### Added + +- Update to Wazuh version 4.0.1 ## Wazuh Chef v3.13.2_7.9.1 ### Added diff --git a/README.md b/README.md index c812dec1..392c8067 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,12 @@ Deploy the Wazuh platform using Chef cookbooks. Chef recipes are prepared for installing and configuring Agent, Manager (cluster) and RESTful API. +## Compatibility Matrix + +| Wazuh version | Elastic | ODFE | +|---------------|---------|--------| +| v4.0.1 | - | v1.11.0| + ## Dependencies Every cookbook will install its own required dependencies, *Berksfile* and *metadata.rb* contains all the information about which dependencies will be installed. @@ -151,6 +157,13 @@ In order to do so, it's only needed to assign the value `yes` to the variable ` default['ossec']['agent_auth']['register'] = 'yes' ``` +To connect an agent with the manager simply modify the `wazuh-chef/roles/wazuh_agent.json` with the desired IP address: + +``` +"registration_address": "", +"address": "" +``` + In other case, we just assign a different value which is not `yes`. ## Contribute diff --git a/cookbooks/wazuh_agent/CHANGELOG.md b/cookbooks/wazuh_agent/CHANGELOG.md index 1b4ea035..907a53a7 100644 --- a/cookbooks/wazuh_agent/CHANGELOG.md +++ b/cookbooks/wazuh_agent/CHANGELOG.md @@ -1,3 +1,6 @@ +## v0.1.0 +1. Bump to wazuh 4.0.1 version +2. Added suse repository ## v0.0.9 Amazon Linux OS included in repository.rb ## v0.0.8 diff --git a/cookbooks/wazuh_agent/attributes/active-response.rb b/cookbooks/wazuh_agent/attributes/active-response.rb index b096bf80..3222fc65 100644 --- a/cookbooks/wazuh_agent/attributes/active-response.rb +++ b/cookbooks/wazuh_agent/attributes/active-response.rb 
@@ -1,3 +1,6 @@
-default['ossec']['conf']['active-response']['disabled'] = false
-default['ossec']['conf']['active-response']['ca_store'] = "/var/ossec/etc/wpk_root.pem"
-default['ossec']['conf']['active-response']['ca_verification'] = true
\ No newline at end of file
+default['ossec']['conf']['active-response'] = [{
+ 'disabled' => 'no',
+ 'ca_store' => "/var/ossec/etc/wpk_root.pem",
+ 'ca_verification' => 'yes'
+}]
+
diff --git a/cookbooks/wazuh_agent/attributes/client.rb b/cookbooks/wazuh_agent/attributes/client.rb
index 4a766534..bdcc07d9 100644
--- a/cookbooks/wazuh_agent/attributes/client.rb
+++ b/cookbooks/wazuh_agent/attributes/client.rb
@@ -1,7 +1,6 @@
-
 default['ossec']['conf']['client']['server']['address'] = node['ossec']['address']
 default['ossec']['conf']['client']['server']['port'] = 1514
-default['ossec']['conf']['client']['server']['protocol'] = 'udp'
+default['ossec']['conf']['client']['server']['protocol'] = 'tcp'
 default['ossec']['conf']['client']['server']['max_retries'] = '5'
 default['ossec']['conf']['client']['server']['retry_interval'] = '5'
 default['ossec']['conf']['client']['notify_time'] = 10
diff --git a/cookbooks/wazuh_agent/attributes/client_buffer.rb b/cookbooks/wazuh_agent/attributes/client_buffer.rb
index 3244e3f0..6474e9c6 100644
--- a/cookbooks/wazuh_agent/attributes/client_buffer.rb
+++ b/cookbooks/wazuh_agent/attributes/client_buffer.rb
@@ -1,3 +1,5 @@
-default['ossec']['conf']['client_buffer']['disabled'] = false
-default['ossec']['conf']['client_buffer']['queue_size'] = 5000
-default['ossec']['conf']['client_buffer']['events_per_second'] = 500
\ No newline at end of file
+default['ossec']['conf']['client_buffer'] = [{
+ 'disabled' => 'no',
+ 'queue_size' => '5000',
+ 'events_per_second' => '500'
+}]
diff --git a/cookbooks/wazuh_agent/attributes/default.rb b/cookbooks/wazuh_agent/attributes/default.rb
index 4cebddd6..dcc84173 100644
--- a/cookbooks/wazuh_agent/attributes/default.rb
+++ b/cookbooks/wazuh_agent/attributes/default.rb
@@ -18,7 +18,5 @@
 #
 # general settings
 default['ossec']['dir'] = '/var/ossec'
-default['ossec']['address'] = nil
+default['ossec']['address'] = '172.19.0.211'
 default['ossec']['ignore_failure'] = true
-
-
diff --git a/cookbooks/wazuh_agent/attributes/rootcheck.rb b/cookbooks/wazuh_agent/attributes/rootcheck.rb
index 4edc4e65..5b6f529e 100644
--- a/cookbooks/wazuh_agent/attributes/rootcheck.rb
+++ b/cookbooks/wazuh_agent/attributes/rootcheck.rb
@@ -1,13 +1,15 @@
 # Rootcheck settings
-default['ossec']['conf']['rootcheck']['disabled'] = false
-default['ossec']['conf']['rootcheck']['check_files'] = true
-default['ossec']['conf']['rootcheck']['check_trojans'] = true
-default['ossec']['conf']['rootcheck']['check_dev'] = true
-default['ossec']['conf']['rootcheck']['check_sys'] = true
-default['ossec']['conf']['rootcheck']['check_pids'] = true
-default['ossec']['conf']['rootcheck']['check_ports'] = true
-default['ossec']['conf']['rootcheck']['check_if'] = true
-default['ossec']['conf']['rootcheck']['frequency'] = 43200
-default['ossec']['conf']['rootcheck']['rootkit_files'] = "#{node['ossec']['dir']}/etc/shared/rootkit_files.txt"
-default['ossec']['conf']['rootcheck']['rootkit_trojans'] = "#{node['ossec']['dir']}/etc/shared/rootkit_trojans.txt"
-default['ossec']['conf']['rootcheck']['skip_nfs'] = true
+default['ossec']['conf']['rootcheck'] = [{
+ 'disabled' => 'no',
+ 'check_files' => 'yes',
+ 'check_trojans' => 'yes',
+ 'check_dev' => 'yes',
+ 'check_sys' => 'yes',
+ 'check_pids' => 'yes',
+ 'check_ports' => 'yes',
+ 'check_if' => 'yes',
+ 'frequency' => '43200',
+ 'rootkit_files' => "#{node['ossec']['dir']}/etc/shared/rootkit_files.txt",
+ 'rootkit_trojans' => "#{node['ossec']['dir']}/etc/shared/rootkit_trojans.txt",
+ 'skip_nfs' => 'yes'
+}]
diff --git a/cookbooks/wazuh_agent/attributes/sca.rb b/cookbooks/wazuh_agent/attributes/sca.rb
index da98c89a..39bee6f1 100644
--- a/cookbooks/wazuh_agent/attributes/sca.rb
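Review bot: `default['ossec']['address'] = '172.19.0.211'` bakes an environment-specific manager IP into the cookbook's attribute defaults, where the previous `nil` forced a deliberate override; any node that does not set the attribute will now try to register with and ship events to that address, since client.rb's `server.address` reads it (see the client.rb hunk). Keep the default unset, `default['ossec']['address'] = nil`, and let `roles/wazuh_agent.json` (which the README hunk in this commit documents for `registration_address`/`address`) or a wrapper supply the real value. If a non-nil default is really wanted, put a comment above the line stating that it is a placeholder that must be overridden.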
+++ b/cookbooks/wazuh_agent/attributes/sca.rb
@@ -1,5 +1,7 @@
-default['ossec']['conf']['sca']['enabled'] = true
-default['ossec']['conf']['sca']['scan_on_start'] = true
-default['ossec']['conf']['sca']['interval'] = "12h"
-default['ossec']['conf']['sca']['skip_nfs'] = true
\ No newline at end of file
+default['ossec']['conf']['sca'] = [{
+ 'enabled' => 'yes',
+ 'scan_on_start' => 'yes',
+ 'interval' => "12h",
+ 'skip_nfs' => 'yes'
+}]
diff --git a/cookbooks/wazuh_agent/attributes/syscheck.rb b/cookbooks/wazuh_agent/attributes/syscheck.rb
index 8ade4d4e..86c96cb6 100644
--- a/cookbooks/wazuh_agent/attributes/syscheck.rb
+++ b/cookbooks/wazuh_agent/attributes/syscheck.rb
@@ -29,3 +29,37 @@ default['ossec']['conf']['syscheck']['nodiff'] = '/etc/ssl/private.key'
 default['ossec']['conf']['syscheck']['skip_nfs'] = true
+
+=begin
+# Syscheck settings
+default['ossec']['conf']['syscheck'] = [{
+ 'disabled' => 'no',
+ 'frequency' => '43200',
+ 'scan_on_start' => 'yes',
+ ['ignore'] = [
+ '/etc/mtab',
+ '/etc/hosts.deny',
+ '/etc/mail/statistics',
+ '/etc/random-seed',
+ '/etc/random.seed',
+ '/etc/adjtime',
+ '/etc/httpd/logs',
+ '/etc/utmpx',
+ '/etc/wtmpx',
+ '/etc/cups/certs',
+ '/etc/dumpdates',
+ '/etc/svc/volatile',
+ '/sys/kernel/security',
+ '/sys/kernel/debug',
+ '/dev/core',
+ { '@type' => 'sregex', 'content!' => '^/proc' },
+ { '@type' => 'sregex', 'content!' => '.log$|.swp$'}
+ ],
+ ['directories'] = [
+ { '@check_all' => true, 'content!' => '/etc,/usr/bin,/usr/sbin' },
+ { '@check_all' => true, 'content!' => '/bin,/sbin,/boot' }
+ ],
+ 'nodiff' => '/etc/ssl/private.key',
+ 'skip_nfs' => 'yes'
+}]
+=end
\ No newline at end of file
diff --git a/cookbooks/wazuh_agent/attributes/version.rb b/cookbooks/wazuh_agent/attributes/version.rb
index 1faae969..ce63a91b 100644
--- a/cookbooks/wazuh_agent/attributes/version.rb
+++ b/cookbooks/wazuh_agent/attributes/version.rb
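Review bot: The `=begin`/`=end` block appended to syscheck.rb is commented-out code that is not valid Ruby as written — `['ignore'] = [` and `['directories'] = [` are assignments placed inside a hash literal — so it cannot be un-commented when the migration to the `[{ ... }]` layout is finished. Either complete the conversion now, as active-response.rb, client_buffer.rb, rootcheck.rb and sca.rb do in this commit (`'ignore' => [ ... ],` and `'directories' => [ ... ],` as hash keys), or drop the block and track it in the changelog; as committed, syscheck is the one section still on the old scalar layout (`['skip_nfs'] = true` remains above it), which whatever template renders these attributes has to cope with. The new file also ends without a trailing newline.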
@@ -1,2 +1,2 @@
-default['wazuh-agent']['version'] = "3.13.2"
+default['wazuh-agent']['version'] = "4.0.1"
diff --git a/cookbooks/wazuh_agent/metadata.rb b/cookbooks/wazuh_agent/metadata.rb
index 55fe0dd0..984bde0c 100644
--- a/cookbooks/wazuh_agent/metadata.rb
+++ b/cookbooks/wazuh_agent/metadata.rb
@@ -4,7 +4,7 @@ license 'Apache 2.0'
 description 'Installs and onfigures ossec'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.0.9'
+version '0.1.0'
 %w(redhat centos oracle).each do |el|
 supports el, '>= 6.0'
diff --git a/cookbooks/wazuh_agent/recipes/repository.rb b/cookbooks/wazuh_agent/recipes/repository.rb
index 83be9577..b9541d94 100644
--- a/cookbooks/wazuh_agent/recipes/repository.rb
+++ b/cookbooks/wazuh_agent/recipes/repository.rb
@@ -26,18 +26,30 @@ subscribes :reload, 'package[lsb-release]', :immediately
 end
- apt_repository 'Wazuh' do
- uri 'http://packages.wazuh.com/3.x/apt/'
+ apt_repository 'wazuh' do
+ uri 'http://packages.wazuh.com/4.x/apt/'
 key 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
 components ['main']
 distribution 'stable'
 end
+ apt_update
 elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_repository 'Wazuh' do
- description 'WAZUH Repository - www.wazuh.com'
- baseurl 'https://packages.wazuh.com/3.x/yum'
+ yum_repository 'wazuh' do
+ description 'WAZUH Yum Repository - www.wazuh.com'
+ gpgcheck true
 gpgkey 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ enabled true
+ baseurl 'https://packages.wazuh.com/4.x/yum'
+ action :create
+ end
+elsif
+ zypper_repository 'wazuh' do
+ description 'WAZUH Yum Repository - www.wazuh.com'
+ gpgcheck true
+ gpgkey 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ enabled true
+ baseurl 'https://packages.wazuh.com/4.x/yum'
 action :create
 end
 else
diff --git a/cookbooks/wazuh_elastic/Berksfile b/cookbooks/wazuh_elastic/Berksfile
index 9d3506c2..cd27be5f 100644
--- a/cookbooks/wazuh_elastic/Berksfile
+++ b/cookbooks/wazuh_elastic/Berksfile
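Review bot: The new `elsif` in front of `zypper_repository 'wazuh' do` has no condition, so Ruby reads the resource declaration on the following lines as the condition itself: on any platform that is neither debian nor rhel the zypper repository gets declared and the `else` branch's `raise` is unreachable. Write `elsif platform_family?('suse')`, as the wazuh_elastic prerequisites.rb and repository.rb in this same commit do. Two smaller points in the same hunk: `uri 'http://packages.wazuh.com/4.x/apt/'` fetches the package index over plain HTTP while the signing key is fetched over HTTPS (wazuh_elastic uses `https://packages.wazuh.com/4.x/apt/`), and the zypper block's description was copied from the yum block and still reads `'WAZUH Yum Repository - www.wazuh.com'`.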
@@ -4,4 +4,4 @@ source 'https://supermarket.getchef.com'
 metadata
 cookbook 'hostsfile'
-cookbook 'htpasswd', '~> 0.3.0'
+cookbook 'htpasswd', '~> 1.0.0'
diff --git a/cookbooks/wazuh_elastic/CHANGELOG.md b/cookbooks/wazuh_elastic/CHANGELOG.md
new file mode 100644
index 00000000..77d190cf
--- /dev/null
+++ b/cookbooks/wazuh_elastic/CHANGELOG.md
@@ -0,0 +1,6 @@
+## v0.1.0
+1. Bump to Opendistro for Elasticsearch 7.9.1
+2. Added suse repository
+*Note*: in future version, kibana will be in an independent cookbook
+
+* Initial/current release
diff --git a/cookbooks/wazuh_elastic/attributes/elasticsearch.rb b/cookbooks/wazuh_elastic/attributes/elasticsearch.rb
index b41cb7b0..ba464c1f 100644
--- a/cookbooks/wazuh_elastic/attributes/elasticsearch.rb
+++ b/cookbooks/wazuh_elastic/attributes/elasticsearch.rb
@@ -19,5 +19,5 @@ default['wazuh-elastic']['elasticsearch_port'] = 9200
 default['wazuh-elastic']['elasticsearch_ip'] = '0.0.0.0'
 default['wazuh-elastic']['elasticsearch_discovery_option'] = 'discovery.type: single-node'
-default['wazuh-elastic']['elasticsearch_cluster_initial_master_nodes'] = "#cluster.initial_master_nodes: ['es-node-01']"
+default['wazuh-elastic']['elasticsearch_cluster_initial_master_nodes'] = "['es-node-01']"
diff --git a/cookbooks/wazuh_elastic/attributes/kibana.rb b/cookbooks/wazuh_elastic/attributes/kibana.rb
index 19f3c3f7..d44d8504 100644
--- a/cookbooks/wazuh_elastic/attributes/kibana.rb
+++ b/cookbooks/wazuh_elastic/attributes/kibana.rb
@@ -1,4 +1,4 @@
 default['wazuh-elastic']['kibana_server_host'] = '0.0.0.0'
-default['wazuh-elastic']['kibana_server_port'] = '5601'
-default['wazuh-elastic']['kibana_elasticsearch_server_hosts'] = "http://#{node['wazuh-elastic']['elasticsearch_ip']}:#{node['wazuh-elastic']['elasticsearch_port']}"
-default['wazuh-elastic']['kibana_wazuh_api_credentials'] = [ { id: "default", url: "http://localhost", port: "55000", user: "foo", password: "bar" } ]
\ No newline at end of file
+default['wazuh-elastic']['kibana_server_port'] = 5601
+default['wazuh-elastic']['kibana_elasticsearch_server_hosts'] = "https://#{node['wazuh-elastic']['elasticsearch_ip']}:#{node['wazuh-elastic']['elasticsearch_port']}"
+default['wazuh-elastic']['kibana_wazuh_api_credentials'] = [ { id: "default", url: "https://localhost", port: "55000", username: "wazuh", password: "wazuh" } ]
diff --git a/cookbooks/wazuh_elastic/attributes/versions.rb b/cookbooks/wazuh_elastic/attributes/versions.rb
index 333b630a..7f66ac51 100644
--- a/cookbooks/wazuh_elastic/attributes/versions.rb
+++ b/cookbooks/wazuh_elastic/attributes/versions.rb
@@ -1,3 +1,3 @@
-default['wazuh-elastic']['elastic_stack_version'] = '7.9.1'
-default['wazuh-elastic']['wazuh_app_version'] = "3.13.2_7.9.1"
-default['wazuh-elastic']['extensions_version'] = "v3.13.2"
+default['wazuh-elastic']['elastic_stack_version'] = "7.9.1"
+default['wazuh-elastic']['wazuh_app_version'] = "4.0.1_7.9.1"
+default['wazuh-elastic']['extensions_version'] = "v4.0.1"
diff --git a/cookbooks/wazuh_elastic/metadata.rb b/cookbooks/wazuh_elastic/metadata.rb
index 7ac954a7..47aa2935 100644
--- a/cookbooks/wazuh_elastic/metadata.rb
+++ b/cookbooks/wazuh_elastic/metadata.rb
@@ -5,7 +5,7 @@ license 'All rights reserved'
 description 'setup Elastic: elasticsearch and kibana for Wazuh'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.0.2'
+version '0.1.0'
 %w( apt ).each do |pkg|
 depends pkg
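Review bot: `kibana_wazuh_api_credentials` now ships `username: "wazuh", password: "wazuh"` as the cookbook default, replacing the obviously-placeholder `foo`/`bar`; real-looking credentials in an attribute file tend to be committed, copied into wrapper cookbooks and left unchanged in production. Keep placeholder values (or `nil`) and require an override, and if this pair is meant to mirror an initial API password, say so in a comment above the line so operators know it has to be rotated. Note that the template which consumed this attribute (`wazuh.yml.erb` in kibana.rb) is removed by this commit, so the attribute may now have no consumer at all — worth confirming before keeping it.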
diff --git a/cookbooks/wazuh_elastic/recipes/default.rb b/cookbooks/wazuh_elastic/recipes/default.rb
index 15ce3b54..899e6d26 100644
--- a/cookbooks/wazuh_elastic/recipes/default.rb
+++ b/cookbooks/wazuh_elastic/recipes/default.rb
@@ -6,8 +6,7 @@
 #############################################
 include_recipe 'chef-sugar::default'
-
+include_recipe 'wazuh_elastic::prerequisites'
 include_recipe 'wazuh_elastic::repository'
-include_recipe 'wazuh_elastic::nginx'
 include_recipe 'wazuh_elastic::elasticsearch'
 include_recipe 'wazuh_elastic::kibana'
diff --git a/cookbooks/wazuh_elastic/recipes/elasticsearch.rb b/cookbooks/wazuh_elastic/recipes/elasticsearch.rb
index 6b847dd0..268b3097 100644
--- a/cookbooks/wazuh_elastic/recipes/elasticsearch.rb
+++ b/cookbooks/wazuh_elastic/recipes/elasticsearch.rb
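Review bot: Dropping `include_recipe 'wazuh_elastic::nginx'` removes the only consumer of the `htpasswd` cookbook visible in this commit (the deleted nginx.rb was what called `include_recipe 'htpasswd::default'`), yet the Berksfile still pins `cookbook 'htpasswd', '~> 1.0.0'`; unless metadata.rb needs it for something else, the dependency should be dropped rather than bumped. A one-line comment above the new include would also help, e.g. `# prerequisites must precede repository: it installs lsb-release/apt-transport-https that the repository recipe appears to rely on`, since the ordering is load-bearing and not otherwise explained.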
@@ -5,58 +5,118 @@
 #
 ######################################################
+# Install opendistroforelasticsearch
 if platform_family?('debian', 'ubuntu')
-
- apt_package 'elasticsearch' do
- version "#{node['wazuh-elastic']['elastic_stack_version']}"
- end
-
+ apt_package %w(elasticsearch-oss opendistroforelasticsearch)
 elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_package 'elasticsearch' do
- version "#{node['wazuh-elastic']['elastic_stack_version']}-1"
- end
-
+ yum_package 'opendistroforelasticsearch'
+elsif platform_family?('suse')
+ zypper_package 'opendistroforelasticsearch'
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
 end
+# Set up opendistro for elasticsearch configuration file
+
 template '/etc/elasticsearch/elasticsearch.yml' do
- source 'elasticsearch.yml.erb'
+ source 'od_elasticsearch.yml.erb'
 owner 'root'
 group 'elasticsearch'
 mode '0660'
- variables({clustername: "cluster.name: #{node['wazuh-elastic']['elasticsearch_cluster_name']}",
- node_name: "node.name: #{node['wazuh-elastic']['elasticsearch_node_name']}",
- node_master: "node.master: #{node['wazuh-elastic']['elasticsearch_node_master']}",
- node_data: "node.data: #{node['wazuh-elastic']['elasticsearch_node_data']}",
- node_ingest: "node.ingest: #{node['wazuh-elastic']['elasticsearch_node_ingest']}",
- node_max_local_storage_nodes: "node.max_local_storage_nodes: #{node['wazuh-elastic']['elasticsearch_node_max_local_storage_nodes']}",
- cluster_remote_connect: "cluster.remote.connect: #{node['wazuh-elasticsearch']['elasticsearch_cluster_remote_connect']}",
- path_data: "path.data: #{node['wazuh-elastic']['elasticsearch_path_data']}",
- path_logs: "path.logs: #{node['wazuh-elastic']['elasticsearch_path_logs']}",
- network_host: "network.host: #{node['wazuh-elastic']['elasticsearch_ip']}",
- http_port: "http.port: 
#{node['wazuh-elastic']['elasticsearch_port']}",
- discovery_option: "#{node['wazuh-elastic']['elasticsearch_discovery_option']}",
- cluster_initial_master_nodes: "#{node['wazuh-elastic']['elasticsearch_cluster_initial_master_nodes']}" })
-end
-
-template '/etc/elasticsearch/jvm.options' do
- source 'jvm.options.erb'
+ variables ({
+ network_host: "network.host: #{node['wazuh-elastic']['elasticsearch_ip']}",
+ node_name: "node.name: #{node['wazuh-elastic']['elasticsearch_node_name']}",
+ cluster_initial_master_nodes: "cluster.initial_master_nodes: #{node['wazuh-elastic']['elasticsearch_cluster_initial_master_nodes']}",
+ path_data: "path.data: #{node['wazuh-elastic']['elasticsearch_path_data']}",
+ path_logs: "path.logs: #{node['wazuh-elastic']['elasticsearch_path_logs']}",
+ })
+end
+
+remote_file '/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml' do
+ source 'https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/roles.yml'
+end
+
+remote_file '/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml' do
+ source 'https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/roles_mapping.yml'
+end
+
+remote_file '/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml' do
+ source 'https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/open-distro/elasticsearch/roles/internal_users.yml'
+end
+
+# Certificates creation and deployment
+
+execute 'Remove the demo certificates' do
+ command 'rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f'
+end
+
+directory '/etc/elasticsearch/certs' do
+ action :create
+end
+
+remote_file '/tmp/search-guard-tlstool-1.8.zip' do
+ source 'https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip'
+end
+
+archive_file 'search-guard-tlstool-1.8.zip' do
+ path '/tmp/search-guard-tlstool-1.8.zip'
+ destination '/tmp/searchguard'
+end
+
+# --------------Wazuh single-node cluster--------------
+
+template '/tmp/searchguard/search-guard.yml' do
+ source 'search-guard.yml.erb'
 owner 'root'
 group 'elasticsearch'
 mode '0660'
- variables({memmory: node['wazuh-elastic']['elasticsearch_memmory']})
+ variables ({
+ elasticsearch_ip: "#{node['wazuh-elastic']['elasticsearch_ip']}",
+ kibana_ip: "#{node['wazuh-elastic']['kibana_server_host']}"
+ })
+end
+
+# --------------Wazuh multi-node cluster--------------
+# ToDO
+# ----------------------------------------------------
+
+execute 'Run the Search Guard’s script to create the certificates' do
+ command "/tmp/searchguard/tools/sgtlstool.sh -c /tmp/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/"
+end
+
+bash 'Compress all the necessary files to be sent to the all the instances' do
+ code <<-EOF
+ cd /etc/elasticsearch/certs
+ tar -cf certs.tar *
+ EOF
+end
+
+execute 'Remove unnecessary files' do
+ command "rm /etc/elasticsearch/certs/client-certificates.readme /etc/elasticsearch/certs/elasticsearch_elasticsearch_config_snippet.yml /tmp/search-guard-tlstool-1.7.zip -f"
 end
-bash 'insert_line_limits.conf' do
+# Configure Filebeat certificates
+
+bash 'Configure Filebeat certificates' do
 code <<-EOH
- echo "elasticsearch - nofile 65535" >> /etc/security/limits.conf
- echo "elasticsearch - memlock unlimited" >> /etc/security/limits.conf
+ mkdir /etc/filebeat/certs
+ cp /etc/elasticsearch/certs/certs.tar /etc/filebeat/certs/
+ cd /etc/filebeat/certs/
+ tar --extract --file=certs.tar filebeat.pem filebeat.key root-ca.pem
+ rm certs.tar
 EOH
- not_if "grep -q elasticsearch /etc/security/limits.conf"
 end
+# Run filebeat service
+
+service "filebeat" do
+ supports :status => true, :restart => true, :reload => true
+ action [:start, :enable]
+end
+
+# Run elasticsearch service
+
 service "elasticsearch" do
 supports 
:start => true, :stop => true, :restart => true, :reload => true
 action [:enable, :start]
@@ -77,4 +137,8 @@ notifies :restart, "service[elasticsearch]", :delayed
 end
+execute 'Run the Elasticsearch’s securityadmin script' do
+ command "/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key -h #{node['wazuh-elastic']['elasticsearch_ip']}"
+end
+
diff --git a/cookbooks/wazuh_elastic/recipes/kibana.rb b/cookbooks/wazuh_elastic/recipes/kibana.rb
index 931226be..32654669 100644
--- a/cookbooks/wazuh_elastic/recipes/kibana.rb
+++ b/cookbooks/wazuh_elastic/recipes/kibana.rb
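Review bot: The three security-config files (`roles.yml`, `roles_mapping.yml`, `internal_users.yml`) and the `search-guard-tlstool-1.8.zip` archive are fetched at converge time by `remote_file` with no `checksum`, and the zip is then unpacked under `/tmp` and executed as root; whatever is served from the `4.0` documentation branch or from maven.search-guard.com at that moment decides what is loaded into the cluster's security index and what generates its CA. Pin each `remote_file` with a `checksum` (or vendor the files into the cookbook's `files/` directory), and give `/etc/elasticsearch/certs` an explicit owner/group/mode, since it will hold private keys that `tar -cf certs.tar *` then bundles wholesale for copying to other services. None of the `execute`/`bash` resources in this hunk is guarded, so every converge regenerates the CA and node certificates and re-packs the tarball; `creates '/etc/elasticsearch/certs/root-ca.pem'` on the sgtlstool `execute` (and `not_if` on the dependent steps) fixes that. `execute 'Remove unnecessary files'` still deletes `/tmp/search-guard-tlstool-1.7.zip` although the download above is 1.8, so the archive is left behind. `variables ({` (space before the parenthesis) is also flagged by Ruby as a grouped expression; write `variables({`.
```ruby
directory '/etc/elasticsearch/certs' do
  owner 'root'
  group 'elasticsearch'
  mode '0750'
  action :create
end

remote_file '/tmp/search-guard-tlstool-1.8.zip' do
  source 'https://maven.search-guard.com/search-guard-tlstool/1.8/search-guard-tlstool-1.8.zip'
  checksum '<SHA256_OF_SEARCH_GUARD_TLSTOOL_1_8_ZIP>' # placeholder: pin the published digest
  mode '0644'
end

# … unchanged: archive_file, search-guard.yml template …

execute 'Run the Search Guard’s script to create the certificates' do
  command "/tmp/searchguard/tools/sgtlstool.sh -c /tmp/searchguard/search-guard.yml -ca -crt -t /etc/elasticsearch/certs/"
  creates '/etc/elasticsearch/certs/root-ca.pem'
end
```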
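Review bot: `execute 'Run the Elasticsearch’s securityadmin script'` has no guard, so the security index is re-initialised from `securityconfig/` on every converge, which also overwrites any user or role changed through the API after installation; add a `not_if`/`creates` sentinel written on success, or make it `action :nothing` and notify it once from the resources that change the config. The command passes `-nhnv`, which disables hostname verification against the CA generated earlier in this recipe — defensible for a local bootstrap, but it needs a comment, e.g. `# -nhnv: skips hostname verification of the node cert for this local bootstrap — TODO confirm still needed once the cert CN matches -h`. The config this loads comes from the unpinned `remote_file` downloads earlier in the recipe, so the integrity point raised there applies to this step too. The enclosing template that `notifies :restart, "service[elasticsearch]"` starts outside the hunk.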
@@ -1,124 +1,95 @@
-#
+
 # Cookbook Name:: wazuh-elastic
 # Recipe:: kibana_install
 # Create user and group
 #
+# Install the Kibana package
+
 if platform_family?('debian', 'ubuntu')
- apt_package 'kibana' do
- version "#{node['wazuh-elastic']['elastic_stack_version']}"
- end
+ apt_package 'opendistroforelasticsearch-kibana'
 elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_package 'kibana' do
- version "#{node['wazuh-elastic']['elastic_stack_version']}-1"
- end
+ yum_package 'opendistroforelasticsearch-kibana'
+elsif platform_family?('suse')
+ zypper_package 'opendistroforelasticsearch-kibana'
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
 end
-template 'kibana.yml' do
- path '/etc/kibana/kibana.yml'
- source 'kibana.yml.erb'
+# Download the Kibana configuration file
+
+template '/etc/kibana/kibana.yml' do
+ source 'od_kibana.yml.erb'
 owner 'root'
- group 'root'
+ group 'kibana'
 variables({
- kibana_server_port: "server.port: #{node['wazuh-elastic']['kibana_server_port']}",
- kibana_server_host: "server.host: #{node['wazuh-elastic']['kibana_server_host']}",
- kibana_elasticsearch_server_hosts: "elasticsearch.hosts: ['#{node['wazuh-elastic']['kibana_elasticsearch_server_hosts']}']"
+ kibana_server_port: "server.port: #{node['wazuh-elastic']['kibana_server_port']}",
+ kibana_server_host: "server.host: #{node['wazuh-elastic']['kibana_server_host']}",
+ kibana_elasticsearch_server_hosts: "elasticsearch.hosts: ['#{node['wazuh-elastic']['kibana_elasticsearch_server_hosts']}']"
 })
 mode 0755
 end
-service "kibana" do
- supports :start => true, :stop => true, :restart => true, :reload => true
- action [:restart]
-end
+# Update the optimize and plugins directories permissions
-if node[:platform_family].include?("centos")
- if node[:platform_version].include?("6.")
- service "kibana" do
- supports :start => true, :stop => true, 
:restart => true, :reload => true
- provider Chef::Provider::Service::Init
- action [:restart]
- end
- end
-else
- service "kibana" do
- supports :start => true, :stop => true, :restart => true, :reload => true
- action [:restart]
- end
+bash 'Update the optimize and plugins directories permissions' do
+ code <<-EOH
+ chown -R kibana:kibana /usr/share/kibana/optimize
+ chown -R kibana:kibana /usr/share/kibana/plugins
+ EOH
 end
-ruby_block 'wait for elasticsearch' do
- block do
- loop { break if (TCPSocket.open("#{node['wazuh-elastic']['elasticsearch_ip']}",node['wazuh-elastic']['elasticsearch_port']) rescue nil); puts "Waiting elasticsearch...."; sleep 1 }
- end
-end
+# Install the Wazuh Kibana plugin
-bash 'Waiting for elasticsearch curl response...' do
+bash 'Install the Wazuh Kibana plugin' do
 code <<-EOH
- until (curl -XGET http://#{node['wazuh-elastic']['elasticsearch_ip']}:#{node['wazuh-elastic']['elasticsearch_port']}); do
- printf 'Waiting for elasticsearch....'
- sleep 5
- done
+ cd /usr/share/kibana
+ sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/#{node['wazuh-elastic']['wazuh_app_version']}-1.zip
 EOH
 end
-bash 'Remove old Wazuh Kibana Plugin if exists' do
+# Certificates placement
+
+directory '/etc/kibana/certs' do
+ action :create
+end
+
+bash 'Copy kibana key and pem files and root-ca pem file' do
 code <<-EOH
- if [ -d /usr/share/kibana/plugins/wazuh ]
- then
- sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
- fi
+ cp /etc/elasticsearch/certs/certs.tar /etc/kibana/certs/
+ cd /etc/kibana/certs/
+ tar --extract --file=certs.tar kibana_http.pem kibana_http.key root-ca.pem
+ mv /etc/kibana/certs/kibana_http.key /etc/kibana/certs/kibana.key
+ mv /etc/kibana/certs/kibana_http.pem /etc/kibana/certs/kibana.pem
+ rm -f certs.tar
 EOH
 end
-if platform_family?('debian', 'ubuntu')
- bash 'Install Wazuh-APP (can take a while)' do
- code <<-EOH
- sudo -u kibana /usr/share/kibana/bin/kibana-plugin install 
https://packages.wazuh.com/wazuhapp/wazuhapp-#{node['wazuh-elastic']['wazuh_app_version']}.zip kibana
- EOH
- creates '/usr/share/kibana/plugins/wazuh/package.json'
- notifies :restart, "service[kibana]", :delayed
- end
-elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- bash 'Install Wazuh-APP (can take a while)' do
- code <<-EOH
- sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-#{node['wazuh-elastic']['wazuh_app_version']}.zip
- EOH
- creates '/usr/share/kibana/plugins/wazuh/package.json'
- notifies :restart, "service[kibana]", :delayed
- end
+# Link Kibana’s socket to privileged port 443
+
+execute 'Link kibana socket to 443 port' do
+ command "setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node"
 end
-bash 'Removing .wazuh index if exists' do
- code <<-EOH
- curl_response=$(curl -s -XDELETE -sL -w "%{http_code}" -I "http://#{node['wazuh-elastic']['elasticsearch_ip']}:#{node['wazuh-elastic']['elasticsearch_port']}/.wazuh" -o /dev/null)
- if [ ${curl_response} == 404 ]
- then
- echo "Index .wazuh not found"
- elif [ ${curl_response} == 200 ]
- then
- echo "Index .wazuh removed successfully"
- else
- echo "Unable to communicate with Elasticsearch API"
- fi
- EOH
+# Enable and start the Kibana service
+
+service "kibana" do
+ supports :start => true, :stop => true, :restart => true, :reload => true
+ action [:restart]
 end
-template 'Configuring API credentials in wazuh.yml file' do
- path '/usr/share/kibana/plugins/wazuh/wazuh.yml'
- source 'wazuh.yml.erb'
- owner 'kibana'
- group 'root'
- mode 0644
- notifies :restart, "service[kibana]", :delayed
+ruby_block 'Wait for elasticsearch' do
+ block do
+ loop { break if (TCPSocket.open("#{node['wazuh-elastic']['elasticsearch_ip']}",node['wazuh-elastic']['elasticsearch_port']) rescue nil); puts "Waiting elasticsearch...."; sleep 1 }
+ end
 end
-bash 'Verify Kibana folders owner' do
- code <<-EOF
- chown -R kibana:kibana 
/usr/share/kibana/optimize
- chown -R kibana:kibana /usr/share/kibana/plugins
- EOF
+bash 'Waiting for elasticsearch curl response...' do
+ code <<-EOH
+ until (curl -XGET http://#{node['wazuh-elastic']['elasticsearch_ip']}:#{node['wazuh-elastic']['elasticsearch_port']}); do
+ printf 'Waiting for elasticsearch....'
+ sleep 5
+ done
+ EOH
 end
\ No newline at end of file
diff --git a/cookbooks/wazuh_elastic/recipes/nginx.rb b/cookbooks/wazuh_elastic/recipes/nginx.rb
deleted file mode 100644
index 98de90c4..00000000
--- a/cookbooks/wazuh_elastic/recipes/nginx.rb
+++ /dev/null
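Review bot: `bash 'Install the Wazuh Kibana plugin'` dropped the `creates '/usr/share/kibana/plugins/wazuh/package.json'` guard the old install resources carried, so `kibana-plugin install` runs on every converge and, once the plugin directory exists, will most likely fail the run; put `creates '/usr/share/kibana/plugins/wazuh/package.json'` back on the resource. The readiness checks at the end of the hunk run after the plugin install and the `service "kibana"` restart instead of before them, and the curl loop still polls `http://…` while this commit switches `kibana_elasticsearch_server_hosts` to `https://` (attributes/kibana.rb) — if Elasticsearch now only answers TLS on that port the `until` never exits, so use `https://` with `--cacert /etc/elasticsearch/certs/root-ca.pem` and move both waits up. `/etc/kibana/certs` is created with no owner/mode and the extracted `kibana.key` keeps whatever mode the tarball carried; set `owner 'kibana'` and `mode '0750'` on the directory and chmod the key explicitly. `mode 0755` on `/etc/kibana/kibana.yml` makes it world-readable; if `od_kibana.yml.erb` carries Elasticsearch credentials (not visible here), `0640` with `group 'kibana'` is the safer default.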
@@ -1,76 +0,0 @@
-if platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_package 'epel-release' do
- action :install
- end
-end
-
-
-if platform_family?('debian', 'ubuntu')
- apt_package 'nginx' do
- action :install
- end
-elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_package 'nginx' do
- action :install
- end
-else
- raise "Platform Family is not in {'debian', 'ubuntu', 'rhel', 'redhat', 'centos', 'amazon'} - Not Supported"
-end
-
-
-directory '/etc/nginx/sites-available' do
- mode '0755'
- recursive true
- action :create
-end
-
-directory '/etc/nginx/sites-enabled' do
- mode '0755'
- recursive true
- action :create
-end
-
-directory '/etc/ssl/certs' do
- mode '0755'
- recursive true
- action :create
-end
-
-directory '/etc/ssl/private' do
- mode '0755'
- recursive true
- action :create
-end
-
-bash 'Generate a self-signed ceritificate and a key' do
- code <<-EOH
- openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-access.key -out /etc/ssl/certs/kibana-access.pem
- EOH
-end
-
-template '/etc/nginx/conf.d/kibana.conf' do
- source 'nginx.erb'
- owner 'root'
- group 'root'
- mode '0644'
-end
-
-if platform_family?('debian', 'ubuntu')
- apt_package 'apache2-utils' do
- action :install
- end
-end
-
-
-node.override['htpasswd']['install_method'] = 'ruby'
-include_recipe 'htpasswd::default'
-
-htpasswd "/etc/nginx/conf.d/kibana.htpasswd" do
- user "#{node['mginx']['user']}"
- password "#{node['mginx']['password']}"
-end
-
-service "nginx" do
- supports :start => true, :stop => true, :restart => true, :reload => true
- action [:restart]
-end
\ No newline at end of file
diff --git a/cookbooks/wazuh_elastic/recipes/prerequisites.rb b/cookbooks/wazuh_elastic/recipes/prerequisites.rb
new file mode 100644
index 00000000..fb23d21c
--- /dev/null
+++ b/cookbooks/wazuh_elastic/recipes/prerequisites.rb
@@ -0,0 +1,58 @@
+if platform_family?('debian','ubuntu')
+ package "lsb-release"
+
+ ohai "reload lsb" do
+ plugin "lsb"
+ # action :nothing
+ subscribes :reload, "package[lsb-release]", :immediately
+ end
+
+ # Install apt prerequisites
+ apt_package %w(curl apt-transport-https unzip wget software-properties-common libcap2-bin)
+
+ # Add the repository for Java Development Kit (JDK)
+ case platform_family?
+ when 'debian'
+ bash 'add backports.list' do
+ code <<-EOH
+ echo 'deb http://deb.debian.org/debian stretch-backports main' > /etc/apt/sources.list.d/backports.list
+ EOH
+ end
+ when 'ubuntu'
+ execute 'add apt repository' do
+ command 'add-apt-repository ppa:openjdk-r/ppa'
+ end
+ else 'Error: cannot install JDK dependancie'
+ end
+
+ # Update repository data
+ apt_update
+
+ # Install all the required utilities
+ execute 'export JAVA_HOME' do
+ command 'export JAVA_HOME=/usr/'
+ end
+ apt_package 'openjdk-11-jdk'
+
+
+
+elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
+
+ # Install all the necessary packages for the installation
+ execute 'export JAVA_HOME' do
+ command 'export JAVA_HOME=/usr/'
+ end
+
+ yum_package 'prerequisites' do
+ package_name ['curl', 'unzip', 'wget', 'java-11-openjdk-devel', 'libcap']
+ action :install
+ end
+
+elsif platform_family?('suse')
+ # Install zypper prerequisites
+ zypper_package 'prerequisites' do
+ package_name ['curl', 'unzip', 'wget', 'libcap2']
+ end
+else
+ raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
+end
diff --git a/cookbooks/wazuh_elastic/recipes/repository.rb b/cookbooks/wazuh_elastic/recipes/repository.rb
index 6d0625fd..7e9aad89 100644
--- a/cookbooks/wazuh_elastic/recipes/repository.rb
+++ b/cookbooks/wazuh_elastic/recipes/repository.rb
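Review bot: `case platform_family?` calls the predicate with no arguments, which returns false rather than the family name, so neither `when 'debian'` nor `when 'ubuntu'` can match and the JDK repository is never added; the `else` branch then only evaluates a string literal and raises nothing, which hides the problem. Use `case node['platform_family']` and make the fallback `raise 'Error: cannot install JDK dependancie'` (or drop the dead `else`, since the outer `if` already restricts this to debian/ubuntu). The two `execute 'export JAVA_HOME'` resources export a variable in a throw-away child shell, so they have no effect on later resources or on the installed services — remove them, or write the value to a file under `/etc/profile.d/` with a `file` resource. `stretch-backports` is also hard-coded irrespective of the Debian release, and the suse branch installs no JDK while the other two do; a comment saying whether that is intentional would help.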
@@ -11,23 +11,39 @@
 subscribes :reload, "package[lsb-release]", :immediately
 end
- apt_repository "elastic-7.x" do
- uri "https://artifacts.elastic.co/packages/7.x/apt"
- key "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ # Install GPG key and add repository
+ apt_repository "wazuh" do
+ uri "https://packages.wazuh.com/4.x/apt/ "
+ key "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
 distribution "stable"
 components ["main"]
 not_if do
- File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
+ File.exists?("/etc/apt/sources.list.d/wazuh.list")
 end
 end
+
+ # Update the package information
+ apt_update
 elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_repository "elastic-7.x" do
- description "Elastic repository for 7.x packages"
- baseurl "https://artifacts.elastic.co/packages/7.x/yum"
- gpgkey "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
+ yum_repository "wazuh" do
+ description "OpenDistro Elasticseach Yum"
+ baseurl "https://packages.wazuh.com/4.x/yum/"
+ gpgkey "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
 action :create
- not_if "grep -q elasticsearch /etc/yum.repos.d/elastic-7.x.repo"
+ not_if do
+ File.exists?("/etc/yum.repos.d/wazuh.repo")
+ end
+ end
+elsif platform_family?('suse')
+ zypper_repository "wazuh" do
+ description "OpenDistro Elasticseach Zypper"
+ baseurl "https://packages.wazuh.com/4.x/yum/"
+ gpgkey "https://packages.wazuh.com/key/GPG-KEY-WAZUH"
+ action :create
+ not_if do
+ File.exists?("/etc/zypp/repos.d/wazuh.repo")
+ end
 end
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
-end
\ No newline at end of file
+end
diff --git a/cookbooks/wazuh_elastic/templates/default/elasticsearch.yml.erb b/cookbooks/wazuh_elastic/templates/default/elasticsearch.yml.erb
deleted file mode 100644
index fcb4d920..00000000
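Review bot: `uri "https://packages.wazuh.com/4.x/apt/ "` carries a trailing space inside the string, which is written verbatim into the generated sources entry; it should be `uri "https://packages.wazuh.com/4.x/apt/"`. The `not_if { File.exists?(...) }` guards on all three branches are unnecessary, since `apt_repository`, `yum_repository` and `zypper_repository` are already idempotent, and they prevent Chef from correcting a repo file that exists but no longer matches the declared baseurl or key; `File.exists?` is also deprecated in favour of `File.exist?` and is removed in Ruby 3.2. The yum and zypper `description` strings say "OpenDistro Elasticseach" although the repository being declared is Wazuh's; something like `description "Wazuh 4.x repository"` avoids the confusion.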
--- a/cookbooks/wazuh_elastic/templates/default/elasticsearch.yml.erb
+++ /dev/null
@@ -1,89 +0,0 @@ -# ======================== Elasticsearch Configuration ========================= -# -# NOTE: Elasticsearch comes with reasonable defaults for most settings. -# Before you set out to tweak and tune the configuration, make sure you -# understand what are you trying to accomplish and the consequences. -# -# The primary way of configuring a node is via this file. This template lists -# the most important settings you may want to configure for a production cluster. -# -# Please consult the documentation for further information on configuration options: -# https://www.elastic.co/guide/en/elasticsearch/reference/index.html -# -# ---------------------------------- Cluster ----------------------------------- -# -# Use a descriptive name for your cluster: -# -<%= @clustername %> -# -# ------------------------------------ Node ------------------------------------ -# -# Use a descriptive name for the node: -# -<%= @node_name %> -# -# Add custom attributes to the node: -# -<%= @node_master %> -# -# ----------------------------------- Paths ------------------------------------ -# -# Path to directory where to store the data (separate multiple locations by comma): -# -<%= @path_data %> -# -# Path to log files: -# -<%= @path_logs %> -# -# ----------------------------------- Memory ----------------------------------- -# -# Lock the memory on startup: -# -#bootstrap.memory_lock: true -# -# Make sure that the heap size is set to about half the memory available -# on the system and that the owner of the process is allowed to use this -# limit. -# -# Elasticsearch performs poorly when the system is swapping the memory. -# -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# -<%= @network_host %> -# -# Set a custom port for HTTP: -# -<%= @http_port %> -# -# For more information, consult the network module documentation. 
-# -# --------------------------------- Discovery ---------------------------------- -# -# Pass an initial list of hosts to perform discovery when this node is started: -# The default list of hosts is ["127.0.0.1", "[::1]"] -# -#discovery.seed_hosts: ["host1", "host2"] -# -# Bootstrap the cluster using an initial set of master-eligible nodes: -# -<%= @cluster_initial_master_nodes %> -<%= @discovery_option %> -# -# For more information, consult the discovery and cluster formation module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. -# -# ---------------------------------- Various ----------------------------------- -# -# Require explicit names when deleting indices: -# -#action.destructive_requires_name: true \ No newline at end of file diff --git a/cookbooks/wazuh_elastic/templates/default/jvm.options.erb b/cookbooks/wazuh_elastic/templates/default/jvm.options.erb deleted file mode 100644 index 458349ad..00000000 --- a/cookbooks/wazuh_elastic/templates/default/jvm.options.erb +++ /dev/null 
@@ -1,120 +0,0 @@ -################################################################ -## IMPORTANT: JVM heap size -################################################################ -## -## You should always set the min and max JVM heap -## size to the same value. For example, to set -## the heap to 4 GB, set: -## -## -Xms4g -## -Xmx4g -## -## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html -## for more information -## -################################################################ - -# Xms represents the initial size of total heap space -# Xmx represents the maximum size of total heap space - --Xms<%= @memmory %> --Xmx<%= @memmory %> - -################################################################ -## Expert settings -################################################################ -## -## All settings below this section are considered -## expert settings. Don't tamper with them unless -## you understand what you are doing -## -################################################################ - -## GC configuration --XX:+UseConcMarkSweepGC --XX:CMSInitiatingOccupancyFraction=75 --XX:+UseCMSInitiatingOccupancyOnly - -## G1GC Configuration -# NOTE: G1GC is only supported on JDK version 10 or later. -# To use G1GC uncomment the lines below. 
-# 10-:-XX:-UseConcMarkSweepGC -# 10-:-XX:-UseCMSInitiatingOccupancyOnly -# 10-:-XX:+UseG1GC -# 10-:-XX:InitiatingHeapOccupancyPercent=75 - -## DNS cache policy -# cache ttl in seconds for positive DNS lookups noting that this overrides the -# JDK security property networkaddress.cache.ttl; set to -1 to cache forever --Des.networkaddress.cache.ttl=60 -# cache ttl in seconds for negative DNS lookups noting that this overrides the -# JDK security property networkaddress.cache.negative ttl; set to -1 to cache -# forever --Des.networkaddress.cache.negative.ttl=10 - -## optimizations - -# pre-touch memory pages used by the JVM during initialization --XX:+AlwaysPreTouch - -## basic - -# explicitly set the stack size --Xss1m - -# set to headless, just in case --Djava.awt.headless=true - -# ensure UTF-8 encoding by default (e.g. filenames) --Dfile.encoding=UTF-8 - -# use our provided JNA always versus the system one --Djna.nosys=true - -# turn off a JDK optimization that throws away stack traces for common -# exceptions because stack traces are important for debugging --XX:-OmitStackTraceInFastThrow - -# flags to configure Netty --Dio.netty.noUnsafe=true --Dio.netty.noKeySetOptimization=true --Dio.netty.recycler.maxCapacityPerThread=0 - -# log4j 2 --Dlog4j.shutdownHookEnabled=false --Dlog4j2.disable.jmx=true - --Djava.io.tmpdir=${ES_TMPDIR} - -## heap dumps - -# generate a heap dump when an allocation from the Java heap fails -# heap dumps are created in the working directory of the JVM --XX:+HeapDumpOnOutOfMemoryError - -# specify an alternative path for heap dumps; ensure the directory exists and -# has sufficient space --XX:HeapDumpPath=/var/lib/elasticsearch - -# specify an alternative path for JVM fatal error logs --XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log - -## JDK 8 GC logging - -8:-XX:+PrintGCDetails -8:-XX:+PrintGCDateStamps -8:-XX:+PrintTenuringDistribution -8:-XX:+PrintGCApplicationStoppedTime -8:-Xloggc:/var/log/elasticsearch/gc.log 
-8:-XX:+UseGCLogFileRotation -8:-XX:NumberOfGCLogFiles=32 -8:-XX:GCLogFileSize=64m - -# JDK 9+ GC logging -9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m -# due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise -# time/date parsing will break in an incompatible way for some date patterns and locals -9-:-Djava.locale.providers=COMPAT - -# temporary workaround for C2 bug with JDK 10 on hardware with AVX-512 -10-:-XX:UseAVX=2 \ No newline at end of file diff --git a/cookbooks/wazuh_elastic/templates/default/kibana.yml.erb b/cookbooks/wazuh_elastic/templates/default/kibana.yml.erb deleted file mode 100644 index 433cb6ae..00000000 --- a/cookbooks/wazuh_elastic/templates/default/kibana.yml.erb +++ /dev/null 
@@ -1,116 +0,0 @@ -# The default roles file is empty as the preferred method of defining roles is -# through the API/UI. File based roles are useful in error scenarios when the -# API based roles may not be available. -# Kibana is served by a back end server. This setting specifies the port to use. -<%= @kibana_server_port %> - -# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. -# The default is 'localhost', which usually means remote machines will not be able to connect. -# To allow connections from remote users, set this parameter to a non-loopback address. -<%= @kibana_server_host %> - -# Enables you to specify a path to mount Kibana at if you are running behind a proxy. -# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath -# from requests it receives, and to prevent a deprecation warning at startup. -# This setting cannot end in a slash. -#server.basePath: "" - -# Specifies whether Kibana should rewrite requests that are prefixed with -# `server.basePath` or require that they are rewritten by your reverse proxy. -# This setting was effectively always `false` before Kibana 6.3 and will -# default to `true` starting in Kibana 7.0. -#server.rewriteBasePath: false - -# The maximum payload size in bytes for incoming server requests. -#server.maxPayloadBytes: 1048576 - -# The Kibana server's name. This is used for display purposes. -#server.name: "your-hostname" - -# The URLs of the Elasticsearch instances to use for all your queries. -<%= @kibana_elasticsearch_server_hosts %> - -# When this setting's value is true Kibana uses the hostname specified in the server.host -# setting. When the value of this setting is false, Kibana uses the hostname of the host -# that connects to this Kibana instance. -#elasticsearch.preserveHost: true - -# Kibana uses an index in Elasticsearch to store saved searches, visualizations and -# dashboards. 
Kibana creates a new index if the index doesn't already exist. -#kibana.index: ".kibana" - -# The default application to load. -#kibana.defaultAppId: "home" - -# If your Elasticsearch is protected with basic authentication, these settings provide -# the username and password that the Kibana server uses to perform maintenance on the Kibana -# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which -# is proxied through the Kibana server. -#elasticsearch.username: "user" -#elasticsearch.password: "pass" - -# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. -# These settings enable SSL for outgoing requests from the Kibana server to the browser. -#server.ssl.enabled: false -#server.ssl.certificate: /path/to/your/server.crt -#server.ssl.key: /path/to/your/server.key - -# Optional settings that provide the paths to the PEM-format SSL certificate and key files. -# These files validate that your Elasticsearch backend uses the same key files. -#elasticsearch.ssl.certificate: /path/to/your/client.crt -#elasticsearch.ssl.key: /path/to/your/client.key - -# Optional setting that enables you to specify a path to the PEM file for the certificate -# authority for your Elasticsearch instance. -#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ] - -# To disregard the validity of SSL certificates, change this setting's value to 'none'. -#elasticsearch.ssl.verificationMode: full - -# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of -# the elasticsearch.requestTimeout setting. -#elasticsearch.pingTimeout: 1500 - -# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value -# must be a positive integer. -#elasticsearch.requestTimeout: 30000 - -# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side -# headers, set this value to [] (an empty list). 
-#elasticsearch.requestHeadersWhitelist: [ authorization ] - -# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten -# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration. -#elasticsearch.customHeaders: {} - -# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable. -#elasticsearch.shardTimeout: 30000 - -# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying. -#elasticsearch.startupTimeout: 5000 - -# Logs queries sent to Elasticsearch. Requires logging.verbose set to true. -#elasticsearch.logQueries: false - -# Specifies the path where Kibana creates the process ID file. -#pid.file: /var/run/kibana.pid - -# Enables you specify a file where Kibana stores log output. -#logging.dest: stdout - -# Set the value of this setting to true to suppress all logging output. -#logging.silent: false - -# Set the value of this setting to true to suppress all logging output other than error messages. -#logging.quiet: false - -# Set the value of this setting to true to log all events, including system usage information -# and all requests. -#logging.verbose: false - -# Set the interval in milliseconds to sample system and process performance -# metrics. Minimum is 100ms. Defaults to 5000. -#ops.interval: 5000 - -# Specifies locale to be used for all localizable strings, dates and number formats. -#i18n.locale: "en" \ No newline at end of file diff --git a/cookbooks/wazuh_elastic/templates/default/od_elasticsearch.yml.erb b/cookbooks/wazuh_elastic/templates/default/od_elasticsearch.yml.erb new file mode 100644 index 00000000..0794960a --- /dev/null +++ b/cookbooks/wazuh_elastic/templates/default/od_elasticsearch.yml.erb 
@@ -0,0 +1,27 @@
+<%= @network_host %>
+<%= @node_name %>
+<%= @cluster_initial_master_nodes %>
+
+opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch.pem
+opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/certs/elasticsearch_http.pem
+opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/certs/elasticsearch_http.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/certs/root-ca.pem
+opendistro_security.nodes_dn:
+- CN=node-1,OU=Docu,O=Wazuh,L=California,C=US
+opendistro_security.authcz.admin_dn:
+- CN=admin,OU=Docu,O=Wazuh,L=California,C=US
+
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+node.max_local_storage_nodes: 3
+
+<%= @path_data %>
+<%= @path_logs %>
diff --git a/cookbooks/wazuh_elastic/templates/default/od_kibana.yml.erb b/cookbooks/wazuh_elastic/templates/default/od_kibana.yml.erb
new file mode 100644
index 00000000..c9345c84
--- /dev/null
+++ b/cookbooks/wazuh_elastic/templates/default/od_kibana.yml.erb
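Review bot: `opendistro_security.nodes_dn` and `opendistro_security.authcz.admin_dn` are hard-coded to the demo DNs (`CN=node-1,OU=Docu,O=Wazuh,...` and `CN=admin,OU=Docu,O=Wazuh,...`) while the rest of the file is templated; these lists gate which certificate holders may join the transport layer or act as security admin, so any deployment that issues its own certificates has to edit the cookbook, and a stale list is easy to get wrong. They should be template variables fed from attributes (e.g. `<%= @nodes_dn %>` / `<%= @admin_dn %>`), defaulting to the DNs that search-guard.yml.erb in this commit generates. `opendistro_security.ssl.transport.enforce_hostname_verification: false` and `cluster.routing.allocation.disk.threshold_enabled: false` are production-affecting relaxations that deserve a one-line comment each stating why they are the shipped defaults.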
@@ -0,0 +1,15 @@
+<%= @kibana_server_host %>
+<%= @kibana_elasticsearch_server_hosts %>
+<%= @kibana_server_port %>
+elasticsearch.ssl.verificationMode: certificate
+elasticsearch.username: kibanaserver
+elasticsearch.password: kibanaserver
+elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opendistro_security.multitenancy.enabled: false
+opendistro_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/etc/kibana/certs/kibana.key"
+server.ssl.certificate: "/etc/kibana/certs/kibana.pem"
+elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/root-ca.pem"]
+
+server.defaultRoute: /app/wazuh
diff --git a/cookbooks/wazuh_elastic/templates/default/search-guard.yml.erb b/cookbooks/wazuh_elastic/templates/default/search-guard.yml.erb
new file mode 100644
index 00000000..4ce1fce6
--- /dev/null
+++ b/cookbooks/wazuh_elastic/templates/default/search-guard.yml.erb
@@ -0,0 +1,40 @@
+# ======================== Searcguard Configuration =========================
+#
+# Please consult the documentation for further information on configuration options:
+# https://documentation.wazuh.com/4.0/user-manual/certificates.html#user-manual-certificates
+#
+
+# Self-signed certificate authority
+ca:
+ root:
+ dn: CN=elasticsearch,OU=Docu,O=Wazuh,L=California,C=US
+ keysize: 2048
+ validityDays: 3650
+ pkPassword: none
+ file: root-ca.pem
+
+# Default values and global settings
+defaults:
+ validityDays: 3650
+ pkPassword: none
+ generatedPasswordLength: 12
+ httpsEnabled: true
+
+# Nodes certificates
+nodes:
+ - name: elasticsearch
+ dn: CN=node-1,OU=Docu,O=Wazuh,L=California,C=US
+ ip:
+ - <%= @elasticsearch_ip %>
+ - name: kibana
+ dn: CN=kibana,OU=Docu,O=Wazuh,L=California,C=US
+ ip:
+ - <%= @kibana_ip %>
+
+# Clients certificates
+clients:
+ - name: admin
+ dn: CN=admin,OU=Docu,O=Wazuh,L=California,C=US
+ admin: true
+ - name: filebeat
+ dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US
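Review bot: `elasticsearch.username: kibanaserver` / `elasticsearch.password: kibanaserver` bakes the Open Distro demo credentials into every rendered kibana.yml, and the same pattern recurs as `username: "admin"` / `password: "admin"` in filebeat.yml.erb later in this commit; both should be template variables fed from attributes (ideally an encrypted data bag) so an operator can rotate them without editing the cookbook, and the README should state that the demo values must be changed. `elasticsearch.ssl.verificationMode: certificate` skips hostname checking against the Elasticsearch certificate, which is consistent with `enforce_hostname_verification: false` in od_elasticsearch.yml.erb but deserves a one-line comment so it is not mistaken for an oversight.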
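Review bot: `pkPassword: none` on the CA and again in `defaults` means the root CA key and every node and client key are written unencrypted to disk, and `validityDays: 3650` issues ten-year certificates for the CA and all leaves; neither is templated, so an operator cannot tighten them without forking the cookbook. Exposing both as template variables with the current values as defaults, plus a comment on the `ca:` block saying where the generated root key must be stored, would keep the quick-start behaviour while making the trade-off visible. The node entries carry only `ip:`; if the cluster is addressed by hostname, a `dns:` entry on each node would let hostname verification be switched on later without reissuing certificates.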
diff --git a/cookbooks/wazuh_elastic/templates/default/wazuh.yml.erb b/cookbooks/wazuh_elastic/templates/default/wazuh.yml.erb
deleted file mode 100644
index 0dd5d366..00000000
--- a/cookbooks/wazuh_elastic/templates/default/wazuh.yml.erb
+++ /dev/null
@@ -1,136 +0,0 @@ ---- -# -# Wazuh app - App configuration file -# Copyright (C) 2015-2019 Wazuh, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Find more information about this on the LICENSE file. -# -# ======================== Wazuh app configuration file ======================== -# -# Please check the documentation for more information on configuration options: -# https://documentation.wazuh.com/current/installation-guide/index.html -# -# Also, you can check our repository: -# https://github.com/wazuh/wazuh-kibana-app -# -# ------------------------------- Index patterns ------------------------------- -# -# Default index pattern to use. -#pattern: wazuh-alerts-3.x-* -# -# ----------------------------------- Checks ----------------------------------- -# -# Defines which checks must to be consider by the healthcheck -# step once the Wazuh app starts. Values must to be true or false. -#checks.pattern : true -#checks.template: true -#checks.api : true -#checks.setup : true -# -# --------------------------------- Extensions --------------------------------- -# -# Defines which extensions should be activated when you add a new API entry. -# You can change them after Wazuh app starts. -# Values must to be true or false. -#extensions.pci : true -#extensions.gdpr : true -#extensions.hipaa : true -#extensions.nist : true -#extensions.audit : true -#extensions.oscap : false -#extensions.ciscat : false -#extensions.aws : false -#extensions.virustotal: false -#extensions.osquery : false -#extensions.docker : false -# -# ---------------------------------- Time out ---------------------------------- -# -# Defines maximum timeout to be used on the Wazuh app requests. -# It will be ignored if it is bellow 1500. 
-# It means milliseconds before we consider a request as failed. -# Default: 20000 -#timeout: 20000 -# -# ------------------------------ Advanced indices ------------------------------ -# -# Configure .wazuh indices shards and replicas. -#wazuh.shards : 1 -#wazuh.replicas : 0 -# -# --------------------------- Index pattern selector --------------------------- -# -# Defines if the user is allowed to change the selected -# index pattern directly from the Wazuh app top menu. -# Default: true -#ip.selector: true -# -# List of index patterns to be ignored -#ip.ignore: [] -# -# -------------------------------- X-Pack RBAC --------------------------------- -# -# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. -# Default: enabled -#xpack.rbac.enabled: true -# -# ------------------------------ wazuh-monitoring ------------------------------ -# -# Custom setting to enable/disable wazuh-monitoring indices. -# Values: true, false, worker -# If worker is given as value, the app will show the Agents status -# visualization but won't insert data on wazuh-monitoring indices. -# Default: true -#wazuh.monitoring.enabled: true -# -# Custom setting to set the frequency for wazuh-monitoring indices cron task. -# Default: 900 (s) -#wazuh.monitoring.frequency: 900 -# -# Configure wazuh-monitoring-3.x-* indices shards and replicas. -#wazuh.monitoring.shards: 2 -#wazuh.monitoring.replicas: 0 -# -# Configure wazuh-monitoring-3.x-* indices custom creation interval. -# Values: h (hourly), d (daily), w (weekly), m (monthly) -# Default: d -#wazuh.monitoring.creation: d -# -# Default index pattern to use for Wazuh monitoring -#wazuh.monitoring.pattern: wazuh-monitoring-3.x-* -# -# -# ------------------------------- App privileges -------------------------------- -#admin: true -# -# ------------------------------- App logging level ----------------------------- -# Set the logging level for the Wazuh App log files. 
-# Default value: info -# Allowed values: info, debug -#logs.level: info -# -#-------------------------------- API entries ----------------------------------- -#The following configuration is the default structure to define an API entry. -# -#hosts: -# - : -# url: http(s):// -# port: -# user: -# password: -hosts: -<% if node['wazuh-elastic']['kibana_wazuh_api_credentials'].length > 0 %> -<% node['wazuh-elastic']['kibana_wazuh_api_credentials'].each do |api| -%> - - <%= api[:id] %>: - url: <%= api[:url] %> - port: <%= api[:port] %> - user: <%= api[:user] %> - password: <%= api[:password] %> -<% end -%> -<% else -%> -<% end -%> \ No newline at end of file diff --git a/cookbooks/wazuh_filebeat/CHANGELOG.md b/cookbooks/wazuh_filebeat/CHANGELOG.md new file mode 100644 index 00000000..4b9aee97 --- /dev/null +++ b/cookbooks/wazuh_filebeat/CHANGELOG.md @@ -0,0 +1,10 @@ +## v0.1.0 +1. Bump to filebeat OSS 7.9.1 +2. Remove repository.rb since it is useless. To install filebeat, you need first to install first +wazuh manager in the same node. Filebeat use the same URI and GPG KEY repository as the latter +to install the package +3. Added suse repository + +*Note*: in future version, filebeat will be included into wazuh-manager cookbook + +* Initial/current release diff --git a/cookbooks/wazuh_filebeat/README.md b/cookbooks/wazuh_filebeat/README.md index 2120e490..08ab5b1a 100644 --- a/cookbooks/wazuh_filebeat/README.md +++ b/cookbooks/wazuh_filebeat/README.md @@ -55,11 +55,7 @@ Recipes #### default.rb -This recipe imports and executes the recipe *wazuh_filebeat::repository* and *wazuh_filebeat::filebeat* - -#### repository.rb - -Installs Filebeat repository and creates the */etc/apt/sources.list.d/elastic-6.x.list* file. +This recipe imports and executes the recipe *wazuh_filebeat::filebeat* #### filebeat.rb 
@@ -67,4 +63,4 @@ Install the package Filebeats, create the configuration of */etc/filebeat/filebe
 ## References
-Check [Wazuh Filebeat Documentation](https://documentation.wazuh.com/current/installation-guide/installing-wazuh-server/wazuh_server_rpm.html#installing-filebeat) for more information about Wazuh and Filebeat.
\ No newline at end of file
+Check [Wazuh Filebeat Documentation](https://documentation.wazuh.com/4.0/installation-guide/open-distro/distributed-deployment/step-by-step-installation/wazuh-cluster/wazuh_single_node_cluster.html#installing-filebeat) for more information about Wazuh and Filebeat.
\ No newline at end of file
diff --git a/cookbooks/wazuh_filebeat/attributes/default.rb b/cookbooks/wazuh_filebeat/attributes/default.rb
index c6684d70..144d3fd9 100644
--- a/cookbooks/wazuh_filebeat/attributes/default.rb
+++ b/cookbooks/wazuh_filebeat/attributes/default.rb
@@ -7,7 +7,7 @@
 #
 default['filebeat']['package_name'] = 'filebeat'
 default['filebeat']['service_name'] = 'filebeat'
-default['filebeat']['elasticsearch_server_ip'] = "localhost"
+default['filebeat']['elasticsearch_server_ip'] = '0.0.0.0'
 default['filebeat']['timeout'] = 15
 default['filebeat']['config_path'] = '/etc/filebeat/filebeat.yml'
-
+default['filebeat']['elasticsearch_server_port'] = 9200
diff --git a/cookbooks/wazuh_filebeat/attributes/versions.rb b/cookbooks/wazuh_filebeat/attributes/versions.rb
index b83ca59f..9eb33dd4 100644
--- a/cookbooks/wazuh_filebeat/attributes/versions.rb
+++ b/cookbooks/wazuh_filebeat/attributes/versions.rb
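Review bot: `default['filebeat']['elasticsearch_server_ip'] = '0.0.0.0'` is a bind-any address, not a destination: filebeat.rb interpolates it into `hosts: ["0.0.0.0:9200"]` for the Elasticsearch output, where it only reaches the local host by platform-specific accident and is not a valid target in general. The previous `"localhost"` (or `'127.0.0.1'`) is the right default, with the README telling operators to override it for a remote Elasticsearch. A comment on the line such as `# Address Filebeat connects to, not a bind address` would stop this being re-introduced.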
@@ -1,4 +1,5 @@
-default['filebeat']['elastic_stack_version'] = '7.9.1'
-default['filebeat']['wazuh_app_version'] = "3.13.2_7.9.1"
-default['filebeat']['extensions_version'] = "v3.13.2"
+default['filebeat']['version'] = "7.9.1"
+default['filebeat']['elastic_stack_version'] = "7.9.1"
+default['filebeat']['wazuh_app_version'] = "4.0.1_7.9.1"
+default['filebeat']['extensions_version'] = "v4.0.1"
 default['filebeat']['wazuh_filebeat_module'] = "wazuh-filebeat-0.1.tar.gz"
diff --git a/cookbooks/wazuh_filebeat/metadata.rb b/cookbooks/wazuh_filebeat/metadata.rb
index c66a697c..e66a1364 100644
--- a/cookbooks/wazuh_filebeat/metadata.rb
+++ b/cookbooks/wazuh_filebeat/metadata.rb
@@ -4,7 +4,7 @@ license 'Apache 2.0'
 description 'Installs and configures filebeat'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.1'
+version '0.1.0'
 supports 'debian'
diff --git a/cookbooks/wazuh_filebeat/recipes/filebeat.rb b/cookbooks/wazuh_filebeat/recipes/filebeat.rb
index 34183250..40b4fe78 100644
--- a/cookbooks/wazuh_filebeat/recipes/filebeat.rb
+++ b/cookbooks/wazuh_filebeat/recipes/filebeat.rb
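Review bot: `version '0.1.1'` → `version '0.1.0'` in metadata.rb moves the wazuh_filebeat cookbook version backwards even though the new CHANGELOG entry presents v0.1.0 as the latest release; cookbook dependencies are resolved by version, so an environment that already pinned or uploaded 0.1.1 will not pick up this change, and 0.1.0 cannot replace it on a Chef Server. Bump forward instead (`version '0.1.2'`, or a minor bump given the repository rework) and make the CHANGELOG heading match.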
@@ -3,55 +3,66 @@
 # Recipe:: default
 # Author:: Wazuh
-include_recipe 'wazuh_filebeat::repository'
-
-if platform_family?('debian', 'ubuntu')
+# Install Filebeat package
+if platform_family?('debian','ubuntu')
+ package 'lsb-release'
+ ohai 'reload lsb' do
+ plugin 'lsb'
+ # action :nothing
+ subscribes :reload, 'package[lsb-release]', :immediately
+ end
+
+
 apt_package 'filebeat' do
- version "#{node['filebeat']['elastic_stack_version']}"
+ version "#{node['filebeat']['version']}"
+ only_if do
+ File.exists?("/etc/apt/sources.list.d/wazuh.list")
+ end
 end
-
 elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
 yum_package 'filebeat' do
- version "#{node['filebeat']['elastic_stack_version']}-1"
+ version "#{node['filebeat']['version']}"
+ only_if do
+ File.exists?("/etc/yum.repos.d/wazuh.repo")
+ end
+ end
+elsif platform_family?('suse')
+ yum_package 'filebeat' do
+ version "#{node['filebeat']['version']}"
+ only_if do
+ File.exists?("/etc/zypp/repos.d/wazuh.repo")
+ end
 end
-
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
 end
-bash 'Elasticsearch_template' do
+# Edit the file /etc/filebeat/filebeat.yml
+template node['filebeat']['config_path'] do
+ source 'filebeat.yml.erb'
+ owner 'root'
+ group 'root'
+ mode '0640'
+ variables(output_elasticsearch_hosts: "hosts: [\"#{node['filebeat']['elasticsearch_server_ip']}:#{node['filebeat']['elasticsearch_server_port']}\"]")
+end
+
+# Download the alerts template for Elasticsearch:
+bash 'Download alerts template' do
 code <<-EOH
- curl -so /etc/filebeat/wazuh-template.json "https://raw.githubusercontent.com/wazuh/wazuh/#{node['filebeat']['extensions_version']}/extensions/elasticsearch/7.x/wazuh-template.json"
+ curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.0/extensions/elasticsearch/7.x/wazuh-template.json
+ chmod go+r /etc/filebeat/wazuh-template.json
 EOH
 end
+# Download the Wazuh module for Filebeat:
 bash 'Import Wazuh module for filebeat' do
 code <<-EOH
- curl -s "https://packages.wazuh.com/3.x/filebeat/#{node['filebeat']['wazuh_filebeat_module']}" | tar -xvz -C /usr/share/filebeat/module
+ curl -s "https://packages.wazuh.com/4.x/filebeat/#{node['filebeat']['wazuh_filebeat_module']}" | tar -xvz -C /usr/share/filebeat/module
 EOH
 end
+# Change module permission
 directory '/usr/share/filebeat/module/wazuh' do
 mode '0755'
 recursive true
- action :create
-end
-
-directory '/usr/share/filebeat/module/wazuh' do
- mode '0755'
- recursive true
-end
-
-template node['filebeat']['config_path'] do
- source 'filebeat.yml.erb'
- owner 'root'
- group 'root'
- mode '0640'
- variables(output_server_host: "output.elasticsearch.hosts: ['#{node['filebeat']['elasticsearch_server_ip']}:9200']")
-end
-
-service node['filebeat']['service_name'] do
- supports :status => true, :restart => true, :reload => true
- action [:start, :enable]
 end
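Review bot: The new `elsif platform_family?('suse')` branch declares `yum_package 'filebeat'`, which has no yum to drive on SUSE and will fail the converge; it should be `zypper_package 'filebeat'`, matching the `zypper_repository`/`zypper_package` resources the other recipes in this commit use. The hunk also drops the `service node['filebeat']['service_name']` resource without a replacement, so Filebeat is installed and configured but never enabled or started unless that moved to a recipe outside this diff. Both download steps use `curl -s` without `-f`, so an HTTP error body is silently written to wazuh-template.json or piped into `tar`; `curl -sf` (plus a `not_if` on the target path) keeps a failed download from being recorded as success. The template URL hard-codes branch `4.0` while versions.rb still maintains `node['filebeat']['extensions_version']` as `v4.0.1`, so one of the two is dead.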
diff --git a/cookbooks/wazuh_filebeat/recipes/repository.rb b/cookbooks/wazuh_filebeat/recipes/repository.rb
deleted file mode 100644
index 92736487..00000000
--- a/cookbooks/wazuh_filebeat/recipes/repository.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-#
-# Cookbook Name:: filebeat
-# Recipe:: default
-# Author:: Wazuh
-
-
-if platform_family?('debian','ubuntu')
- package 'lsb-release'
-
- ohai 'reload lsb' do
- plugin 'lsb'
- # action :nothing
- subscribes :reload, 'package[lsb-release]', :immediately
- end
-
- apt_repository "elastic-7.x" do
- uri 'https://artifacts.elastic.co/packages/7.x/apt'
- key 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
- distribution "stable"
- components ["main"]
- not_if do
- File.exists?("/etc/apt/sources.list.d/elastic-7.x.list")
- end
- end
-elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
- yum_repository "elastic-7.x" do
- description "Elastic repository for 7.x packages"
- baseurl "https://artifacts.elastic.co/packages/7.x/yum"
- gpgkey "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
- action :create
- end
-else
- raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
-end
-
diff --git a/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb b/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
index aa03109e..d7895ad7 100644
--- a/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
+++ b/cookbooks/wazuh_filebeat/templates/default/filebeat.yml.erb
@@ -1,15 +1,22 @@
 # Wazuh - Filebeat configuration file
+output.elasticsearch:
+ <%= @output_elasticsearch_hosts %>
+ protocol: https
+ username: "admin"
+ password: "admin"
+ ssl.certificate_authorities:
+ - /etc/filebeat/certs/root-ca.pem
+ ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
+ ssl.key: "/etc/filebeat/certs/filebeat.key"
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.ilm.overwrite: true
+setup.ilm.enabled: false
+
 filebeat.modules:
 - module: wazuh
 alerts:
 enabled: true
 archives:
 enabled: false
-
-setup.template.json.enabled: true
-setup.template.json.path: '/etc/filebeat/wazuh-template.json'
-setup.template.json.name: 'wazuh'
-setup.template.overwrite: true
-setup.ilm.enabled: false
-
-<%= @output_server_host %>
\ No newline at end of file
diff --git a/cookbooks/wazuh_manager/CHANGELOG.md b/cookbooks/wazuh_manager/CHANGELOG.md
index 1b4ea035..907a53a7 100644
--- a/cookbooks/wazuh_manager/CHANGELOG.md
+++ b/cookbooks/wazuh_manager/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v0.1.0
+1. Bump to wazuh 4.0.1 version
+2. Added suse repository
 ## v0.0.9
 Amazon Linux OS included in repository.rb
 ## v0.0.8
diff --git a/cookbooks/wazuh_manager/README.md b/cookbooks/wazuh_manager/README.md
index 8f4ababc..520e9906 100644
--- a/cookbooks/wazuh_manager/README.md
+++ b/cookbooks/wazuh_manager/README.md
@@ -118,16 +118,6 @@ Generates the ossec.conf file using Gyoku.
 Declares wazuh repository and gpg key urls.
-#### wazuh_api.rb
-
-Installs Node.js and Wazuh API. **Important:** You can add your credentials by setting the attributes:
-
-* `['api']['user'] = "foo"`
-* `['api']['passcode'] = "bar"`
-* `['api']['password_plaintext'] = "yes" `
-
-If `password_plaintext` is set to `"no"` the password won't be hashed.
-
 ### References
 Check https://documentation.wazuh.com/current/user-manual/manager/index.html for more information about Wazuh Manager.
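Review bot: The added `username: "admin"` and `password: "admin"` lines hard-code the Elasticsearch/ODFE demo credentials in the template, while the host list one line above is passed in through the recipe's `variables`, so every node rendered from this cookbook authenticates with the same published password and operators cannot rotate it without editing cookbook source. Pass them the same way as the hosts — `username: "<%= @output_elasticsearch_username %>"` and `password: "<%= @output_elasticsearch_password %>"` — and source the values from an encrypted data bag or chef-vault item, as the removed wazuh_api.rb recipe on this page already did for the API credentials. The recipe renders this file root:root 0640, which is right for the on-disk copy, but the cookbook itself (repository, Chef server) is the wider exposure. A comment above `output.elasticsearch:` saying that the certificate paths under `/etc/filebeat/certs/` are expected to be provisioned out of band would also help, since nothing on this page creates them.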
diff --git a/cookbooks/wazuh_manager/attributes/api.rb b/cookbooks/wazuh_manager/attributes/api.rb
index 4deedab2..4903708e 100644
--- a/cookbooks/wazuh_manager/attributes/api.rb
+++ b/cookbooks/wazuh_manager/attributes/api.rb
@@ -1,11 +1,23 @@
-default['ossec']['api_cert']['country'] = 'US'
-default['ossec']['api_cert']['state'] = 'CA'
-default['ossec']['api_cert']['locality'] = 'San Jose'
-default['ossec']['api_cert']['organization'] = 'Wazuh'
-default['ossec']['api_cert']['organizationalunit'] = 'IT'
-default['ossec']['api_cert']['email'] = 'hello@wazuh.com'
-default['ossec']['api_cert']['password'] = 'dummypassword'
-
-default['api']['password_plaintext'] = "yes"
-default['api']['user'] = "foo"
-default['api']['passcode'] = "bar"
\ No newline at end of file
+default['api']['bind_addr'] = "0.0.0.0"
+default['api']['port'] = 55000
+default['api']['behind_proxy_server'] = "no"
+default['api']['https'] = "yes"
+default['api']['https_key'] = "api/configuration/ssl/server.key"
+default['api']['https_cert'] = "api/configuration/ssl/server.crt"
+default['api']['https_use_ca'] = "False"
+default['api']['https_ca'] = "api/configuration/ssl/ca.crt"
+default['api']['logging_level'] = "info"
+default['api']['logging_path'] = "logs/api.log"
+default['api']['cors'] = "no"
+default['api']['cors_source_route'] = "*"
+default['api']['cors_expose_headers'] = "*"
+default['api']['cors_allow_headers'] = "*"
+default['api']['cors_allow_credentials'] = "no"
+default['api']['cache'] = "yes"
+default['api']['cache_time'] = 0.750
+default['api']['access_max_login_attempts'] = 5 #Should be updated
+default['api']['access_block_time'] = 300
+default['api']['access_max_request_per_minute'] = 300
+default['api']['use_only_authd'] = 300
+default['api']['drop_privileges'] = "yes"
+default['api']['experimental_features'] = "no"
diff --git a/cookbooks/wazuh_manager/attributes/remote.rb b/cookbooks/wazuh_manager/attributes/remote.rb
index 993b6d49..2db10027 100644
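Review bot: `default['api']['use_only_authd'] = 300` is the wrong kind of value: the api.yaml.erb template further down documents the key as `# Force the use of authd when adding and removing agents. Values: yes, no`, and the `300` looks copied from `access_max_request_per_minute` two lines above; it should be `default['api']['use_only_authd'] = "no"` (or `"yes"` if that is the intended default). The trailing `#Should be updated` on `access_max_login_attempts` is a stale TODO — either settle the value or make it `# TODO: tune max_login_attempts per deployment`. `default['api']['https_use_ca'] = "False"` is a Python-style boolean string where the neighbouring booleans use `"yes"`/`"no"`; fine if the API parses it that way, but a one-line comment saying so would stop the next reader from "normalising" it. Since `bind_addr` defaults to `0.0.0.0`, a comment noting that the API listens on all interfaces by default and how to override it would help operators.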
--- a/cookbooks/wazuh_manager/attributes/remote.rb
+++ b/cookbooks/wazuh_manager/attributes/remote.rb
@@ -1,5 +1,5 @@
 # Remoted settings
 default['ossec']['conf']['remote']['connection'] = ['secure']
 default['ossec']['conf']['remote']['port'] = "1514"
-default['ossec']['conf']['remote']['protocol'] = "udp"
+default['ossec']['conf']['remote']['protocol'] = "tcp"
 default['ossec']['conf']['remote']['queue_size'] = "131072"
\ No newline at end of file
diff --git a/cookbooks/wazuh_manager/attributes/versions.rb b/cookbooks/wazuh_manager/attributes/versions.rb
index 8a277874..0658b9fe 100644
--- a/cookbooks/wazuh_manager/attributes/versions.rb
+++ b/cookbooks/wazuh_manager/attributes/versions.rb
@@ -1 +1 @@
-default['wazuh-manager']['version'] = "3.13.2"
+default['wazuh-manager']['version'] = "4.0.1"
diff --git a/cookbooks/wazuh_manager/attributes/vulnerability-detector.rb b/cookbooks/wazuh_manager/attributes/vulnerability-detector.rb
index 91d03f42..208d906b 100644
--- a/cookbooks/wazuh_manager/attributes/vulnerability-detector.rb
+++ b/cookbooks/wazuh_manager/attributes/vulnerability-detector.rb
@@ -5,7 +5,7 @@ default['ossec']['conf']['vulnerability-detector']['provider'] = [ {
 '@name' => 'canonical',
 'enabled' => 'no',
- 'os' => ['trusty', 'xenial', 'bionic'],
+ 'os' => ['trusty', 'xenial', 'bionic', 'focal'],
 'update_interval' => '1h'
 }, {
 '@name' => 'debian',
diff --git a/cookbooks/wazuh_manager/metadata.rb b/cookbooks/wazuh_manager/metadata.rb
index de7ae1c7..c582ce51 100644
--- a/cookbooks/wazuh_manager/metadata.rb
+++ b/cookbooks/wazuh_manager/metadata.rb
@@ -4,7 +4,7 @@ license 'Apache 2.0'
 description 'Installs and onfigures ossec'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.0.9'
+version '0.1.0'
 %w(redhat centos oracle).each do |el|
 supports el, '>= 6.0'
@@ -13,7 +13,8 @@ supports 'amazon'
 supports 'fedora'
 supports 'debian', '>= 7.0'
-supports 'ubuntu', '>= 12.04'
+supports 'ubuntu', '>= 14.04'
+supports 'suse'
 %w( apt ).each do |pkg|
 depends pkg
diff --git a/cookbooks/wazuh_manager/recipes/default.rb b/cookbooks/wazuh_manager/recipes/default.rb
index 91ead6e4..61084ba0 100644
--- a/cookbooks/wazuh_manager/recipes/default.rb
+++ b/cookbooks/wazuh_manager/recipes/default.rb
@@ -1,3 +1,4 @@
 include_recipe 'apt::default'
+include_recipe 'wazuh_manager::prerequisites'
 include_recipe 'wazuh_manager::repository'
 include_recipe 'wazuh_manager::manager'
\ No newline at end of file
diff --git a/cookbooks/wazuh_manager/recipes/manager.rb b/cookbooks/wazuh_manager/recipes/manager.rb
index 6ff39e6b..8d6cd611 100644
--- a/cookbooks/wazuh_manager/recipes/manager.rb
+++ b/cookbooks/wazuh_manager/recipes/manager.rb
@@ -27,6 +27,10 @@ yum_package 'wazuh-manager' do
 version "#{node['wazuh-manager']['version']}-1"
 end
+elsif platform_family?('suse')
+ zypper_package 'wazuh-manager' do
+ version "#{node['wazuh-manager']['version']}-1"
+ end
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
 end
@@ -57,7 +61,6 @@ end
 include_recipe 'wazuh_manager::common'
-include_recipe 'wazuh_manager::wazuh_api'
 template "#{node['ossec']['dir']}/etc/local_internal_options.conf" do
 source 'var/ossec/etc/manager_local_internal_options.conf'
@@ -81,6 +84,37 @@ mode '0640'
 end
+
+template "#{node['ossec']['dir']}/api/configuration/api.yaml" do
+ source 'api.yaml.erb'
+ owner 'root'
+ group 'ossec'
+ mode '0660'
+ variables({bind_addr: "host: #{node['api']['bind_addr']}",
+ port: "port: #{node['api']['port']}",
+ behind_proxy_server: "behind_proxy_server: #{node['api']['behind_proxy_server']}",
+ https_enabled: "enabled: #{node['api']['https']}",
+ https_key: "key: #{node['api']['https_key']}",
+ https_cert: "cert: #{node['api']['https_cert']}",
+ https_use_ca: "use_ca: #{node['api']['https_use_ca']}",
+ https_ca: "ca: #{node['api']['https_ca']}",
+ logging_level: "level: #{node['api']['logging_level']}",
+ logging_path: "path: #{node['api']['logging_path']}",
+ cors_enabled: "enabled: #{node['api']['cors']}",
+ cors_source_route: "source_route: \"#{node['api']['cors_source_route']}\"",
+ cors_expose_headers: "expose_headers: \"#{node['api']['cors_expose_headers']}\"",
+ cors_allow_headers: "allow_headers: \"#{node['api']['cors_allow_headers']}\"",
+ cors_allow_credentials: "allow_credentials: #{node['api']['cors_allow_credentials']}",
+ cache_enabled: "enabled: #{node['api']['cache']}",
+ access_max_login_attempts: "max_login_attempts: #{node['api']['access_max_login_attempts']}",
+ access_block_time: "block_time: #{node['api']['access_block_time']}",
+ access_max_request_per_minute: "max_request_per_minute: #{node['api']['access_max_request_per_minute']}",
+ use_only_authd: "use_only_authd: #{node['api']['use_only_authd']}",
+ drop_privileges: "drop_privileges: #{node['api']['drop_privileges']}",
+ experimental_features: "experimental_features: #{node['api']['experimental_features']}" })
+end
+
+
 service 'wazuh' do
 service_name 'wazuh-manager'
 supports :status => true, :restart => true, :reload => true
diff --git a/cookbooks/wazuh_manager/recipes/prerequisites.rb b/cookbooks/wazuh_manager/recipes/prerequisites.rb
new file mode 100644
index 00000000..4bae9830
--- /dev/null
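Review bot: The `variables({...})` hash omits `cache_time`, yet the api.yaml.erb template added in this commit renders `<%= @cache_time %>` under `cache:` and attributes/api.rb defines `default['api']['cache_time'] = 0.750`, so the rendered file gets an empty line there and the attribute is dead; add `cache_time: "time: #{node['api']['cache_time']}",` after the `cache_enabled:` entry (the same gap is visible in the api.rb and api.yaml.erb hunks on this page). The template resource also has no `notifies`, so a changed api.yaml does not restart the manager until something else does; `notifies :restart, 'service[wazuh]', :delayed` on the template would fix that — the `service 'wazuh'` resource is declared right below, with its action line outside the hunk. Mode `0660` makes the file group-writable by `ossec`; if the API needs to rewrite it, say so in a comment, otherwise `0640` is enough. Each hash entry bakes the YAML key into the value string (`"host: #{...}"`), which ties the template to the recipe; passing bare values and letting the template spell the keys would make either side readable on its own.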
+++ b/cookbooks/wazuh_manager/recipes/prerequisites.rb
@@ -0,0 +1,22 @@
+# Install all the required utilities
+
+if platform_family?('debian','ubuntu')
+ package "lsb-release"
+
+ ohai "reload lsb" do
+ plugin "lsb"
+ # action :nothing
+ subscribes :reload, "package[lsb-release]", :immediately
+ end
+
+ apt_package %w(curl apt-transport-https)
+
+elsif platform_family?('rhel', 'redhat', 'centos', 'amazon')
+ yum_package 'curl'
+
+elsif platform_family?('suse')
+ zypper_package 'curl'
+
+else
+ raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
+end
diff --git a/cookbooks/wazuh_manager/recipes/repository.rb b/cookbooks/wazuh_manager/recipes/repository.rb
index 23dbc767..bc106726 100644
--- a/cookbooks/wazuh_manager/recipes/repository.rb
+++ b/cookbooks/wazuh_manager/recipes/repository.rb
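Review bot: `package "lsb-release"` and `ohai "reload lsb"` duplicate the identically named resources that repository.rb still declares (next hunk), so on Debian-family nodes one run defines `package[lsb-release]` and `ohai[reload lsb]` twice — Chef warns about resource cloning and the ohai reload may fire once per subscription. Keep the pair in one recipe; since default.rb now includes `wazuh_manager::prerequisites` before `wazuh_manager::repository`, removing it from repository.rb is the natural choice. The `# action :nothing` line is dead code carried over from the old recipe and should go or be explained. The raise message repeats the `platforn` typo seen in the other recipes on this page; `"Current platform is not supported yet. ..."` reads correctly.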
@@ -18,29 +18,43 @@
 #
 if platform_family?('ubuntu', 'debian')
-package 'lsb-release'
+ package 'lsb-release'
- ohai 'reload lsb' do
- plugin 'lsb'
- # action :nothing
- subscribes :reload, 'package[lsb-release]', :immediately
- end
+ ohai 'reload lsb' do
+ plugin 'lsb'
+ # action :nothing
+ subscribes :reload, 'package[lsb-release]', :immediately
+ end
- apt_repository 'Wazuh' do
- uri 'http://packages.wazuh.com/3.x/apt/'
- key 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
- components ['main']
- distribution 'stable'
- end
+ apt_repository 'wazuh' do
+ key 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ uri 'http://packages.wazuh.com/4.x/apt/'
+ components ['main']
+ distribution 'stable'
+ action :add
+ end
- apt_update
+ apt_update
 elsif platform_family?('rhel','redhat', 'centos', 'amazon')
- yum_repository 'Wazuh' do
- description 'WAZUH Repository - www.wazuh.com'
- baseurl 'https://packages.wazuh.com/3.x/yum'
+ yum_repository 'wazuh' do
+ description 'WAZUH Yum Repository - www.wazuh.com'
+ gpgcheck true
 gpgkey 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ enabled true
+ baseurl 'https://packages.wazuh.com/4.x/yum'
+ action :create
+ end
+elsif platform_family?('suse')
+ zypper_repository 'wazuh' do
+ description 'WAZUH Zypper Repository - www.wazuh.com'
+ gpgcheck true
+ gpgkey 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ enabled true
+ baseurl 'https://packages.wazuh.com/4.x/yum'
 action :create
 end
 else
 raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
 end
+
+
diff --git a/cookbooks/wazuh_manager/recipes/wazuh_api.rb b/cookbooks/wazuh_manager/recipes/wazuh_api.rb
deleted file mode 100644
index a7cc9cfe..00000000
--- a/cookbooks/wazuh_manager/recipes/wazuh_api.rb
+++ /dev/null
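Review bot: The apt repository is fetched over plain HTTP (`uri 'http://packages.wazuh.com/4.x/apt/'`) while the yum and zypper blocks use `https://packages.wazuh.com/4.x/yum`; with HTTP the index and package downloads are exposed to on-path observation and tampering attempts, leaving the GPG check as the only control. Use `uri 'https://packages.wazuh.com/4.x/apt/'` — prerequisites.rb already installs `apt-transport-https` for Debian-family nodes. The zypper block reuses the yum `baseurl`; if that is intentional (one RPM repository for both package managers), a one-line comment `# Wazuh serves SUSE RPMs from the yum repository` would stop a future reader from "fixing" it. The two trailing `+` blank lines at the end of the file are noise and can be dropped.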
@@ -1,83 +0,0 @@
-
-
-if platform_family?('ubuntu', 'debian')
- bash 'Install nodejs' do
- code <<-EOH
- cd /tmp &&
- curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
- EOH
- not_if { ::File.exist?('/etc/apt/sources.list.d/nodesource.list') }
- end
-
- apt_package 'wazuh-api' do
- version "#{node['wazuh-manager']['version']}-1"
- end
-
-elsif platform_family?('redhat', 'centos', 'rhel', 'amazon')
-
- bash 'Install nodejs' do
- code <<-EOH
- cd /tmp &&
- curl --silent --location https://rpm.nodesource.com/setup_10.x | bash -
- EOH
- not_if { ::File.exist?('/etc/yum.repos.d/nodesource-el.repo') }
- end
-
- yum_package 'wazuh-api' do
- version "#{node['wazuh-manager']['version']}-1"
- end
-else
- raise "Currently platforn not supported yet. Feel free to open an issue on https://www.github.com/wazuh/wazuh-chef if you consider that support for a specific OS should be added"
-end
-
-chef_gem 'chef-vault' do
- compile_time true if respond_to?(:compile_time)
-end
-
-require 'chef-vault'
-
-begin
-
- if ChefVault::Item.vault?('wazuh_secrets', 'api')
- api_keys = ChefVault::Item.load('wazuh_secrets', 'api')
- log "Chef Vault found: Loading Encrypted credentials" do
- level :info
- end
- else
- api_keys = Chef::EncryptedDataBagItem.load('wazuh_secrets', 'api')
- log "Chef - Data Bag found: Loading Encrypted credentials." do
- level :info
- end
- end
-
-rescue ArgumentError, Net::HTTPServerException
- api_keys = {'htpasswd_user' => "#{node['api']['user']}", 'htpasswd_passcode' => "#{node['api']['passcode']}"}
- log "No api crendentials. Installation will continue with defaults (foo:bar)..." do
- level :info
- end
-
-end
-
-if (node['api']['password_plaintext'] == "yes")
- bash "Installing user..."
do
- code <<-EOH
- cd /var/ossec/api/configuration/auth/
- node htpasswd -c user #{api_keys['htpasswd_user']} -b #{api_keys['htpasswd_passcode']}
- cd
- EOH
- end
-
-else
- file "#{node['ossec']['dir']}/api/configuration/auth/user" do
- mode '0650'
- owner 'root'
- group 'root'
- content "#{api_keys['htpasswd_user']}:#{api_keys['htpasswd_passcode']}"
- action :create
- end
-end
-
-service 'wazuh-api' do
- supports :status => true, :restart => true, :reload => true
- action [:enable, :restart]
-end
diff --git a/cookbooks/wazuh_manager/templates/default/api.yaml.erb b/cookbooks/wazuh_manager/templates/default/api.yaml.erb
new file mode 100644
index 00000000..2d923afa
--- /dev/null
+++ b/cookbooks/wazuh_manager/templates/default/api.yaml.erb
@@ -0,0 +1,45 @@
+# USE THIS FILE AS A TEMPLATE. UNCOMMENT LINES TO APPLY CUSTOM CONFIGURATION
+
+<%= @bind_addr %>
+<%= @port %>
+
+# Set this option to "yes" in case the API is running behind a proxy server. Values: yes, no
+
+<%= @behind_proxy_server %>
+#Advanced configuration
+
+https:
+ <%= @https_enabled %>
+ <%= @https_key %>
+ <%= @https_cert %>
+ <%= @https_use_ca %>
+ <%= @https_ca %>
+
+# Logging configuration
+# Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level).
+logs:
+ <%= @logging_level %>
+ <%= @logging_path %>
+# Cross-origin resource sharing: https://github.com/aio-libs/aiohttp-cors#usage
+cors:
+ <%= @cors_enabled %>
+ <%= @cors_source_route %>
+ <%= @cors_expose_headers %>
+ <%= @cors_allow_headers %>
+ <%= @cors_allow_credentials %>
+# Cache (time in seconds)
+cache:
+ <%= @cache_enabled %>
+ <%= @cache_time %>
+# Access parameters
+access:
+ <%= @access_max_login_attempts %>
+ <%= @access_block_time %>
+ <%= @access_max_request_per_minute %>
+
+# Force the use of authd when adding and removing agents. Values: yes, no
+<%= @use_only_authd %>
+# Drop privileges (Run as ossec user)
+<%= @drop_privileges %>
+# Enable features under development
+<%= @experimental_features %>
\ No newline at end of file
diff --git a/roles/wazuh_agent.json b/roles/wazuh_agent.json
index 758febe4..98e74977 100644
--- a/roles/wazuh_agent.json
+++ b/roles/wazuh_agent.json
@@ -8,7 +8,7 @@
 "override_attributes": {
 "ossec": {
 "registration_address": "",
- "address": ""
+ "address": ""
 }
 },
 "chef_type": "role",
@@ -18,4 +18,4 @@
 "env_run_lists": { }
- }
\ No newline at end of file
+ }
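Review bot: The header `# USE THIS FILE AS A TEMPLATE. UNCOMMENT LINES TO APPLY CUSTOM CONFIGURATION` reads like the upstream api.yaml and is misleading for a Chef-rendered file: nothing in it is commented out, and hand edits are overwritten on the next converge. Replace it with `# Managed by Chef (wazuh_manager, api.yaml.erb) - set node['api'] attributes instead of editing this file`. The file ends without a newline (`\ No newline at end of file`); terminate the last `<%= @experimental_features %>` line so anything appended later cannot merge with it. The comment `#Advanced configuration` sits between `<%= @behind_proxy_server %>` and `https:` with no blank line after it, unlike the other sections; a blank line and a space after `#` would match the rest of the file.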