From a6212a63f915b9645436dadfab8227f3a55863ac Mon Sep 17 00:00:00 2001 From: c-bordon Date: Tue, 20 Sep 2022 14:35:42 -0300 Subject: [PATCH 1/9] Testing changes --- manifests/dashboard.pp | 69 +++++++++++++++++++++++++++++------- manifests/indexer.pp | 79 ++++++++++++++++++++++++++++++------------ 2 files changed, 114 insertions(+), 34 deletions(-) diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 4d183d83..9fb0faa5 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp @@ -4,23 +4,17 @@ $dashboard_package = 'wazuh-dashboard', $dashboard_service = 'wazuh-dashboard', $dashboard_version = '4.4.0', - $dashboard_user = 'admin', - $dashboard_password = 'admin', $indexer_server_ip = 'localhost', $indexer_server_port = '9200', $dashboard_path_certs = '/etc/wazuh-dashboard/certs', - $dashboard_server_port = '5601', + $dashboard_server_port = '443', $dashboard_server_host = '0.0.0.0', - $dashboard_server_hosts ="https://${indexer_server_ip}:$indexer_server_port}", - $dashboard_wazuh_api_credentials = [ { - 'id' => 'default', - 'url' => 'http://localhost', - 'port' => '55000', - 'user' => 'foo', - 'password' => 'bar', - }, - ] + $indexer_server_host = "https://${indexer_server_ip}:$indexer_server_port}", + $dashboard_wazuh_api_credentials_url = "http://localhost", + $dashboard_wazuh_api_credentials_port = "55000", + $dashboard_wazuh_api_credentials_user = "wazuh-wui", + $dashboard_wazuh_api_credentials_password = "wazuh-wui", ) { # assign version according to the package manager 
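Review bot: `$dashboard_server_port = '443'` moves the dashboard onto a privileged port, and nothing in this hunk gives the wazuh-dashboard service the right to bind it; unless the package's systemd unit grants CAP_NET_BIND_SERVICE (or the service runs as root), this default will make the service fail to start. Either document that requirement next to the parameter, e.g. `# 443 requires CAP_NET_BIND_SERVICE on the wazuh-dashboard unit`, or keep 5601 as the default and let callers opt in. The new `$dashboard_wazuh_api_credentials_password = "wazuh-wui"` default is also a well-known stock credential and should be marked as must-override in the parameter comment. The class body continues outside the hunk.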
@@ -53,6 +47,57 @@ } + # TODO: Fully manage the opensearch_dashboards.yml and a template file resource + file_line { 'Setting host for wazuh-dashboard': + path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', + line => "server.host: ${dashboard_server_host}", + match => "^server.host:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting port for wazuh-dashboard': + path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', + line => "server.port: ${dashboard_server_port}", + match => "^server.port:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting Wazuh indexer host for wazuh-dashboard': + path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', + line => "opensearch.hosts: ${indexer_server_host}", + match => "^opensearch.hosts:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting Wazuh api url for wazuh-dashboard': + path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', + line => "url: ${dashboard_wazuh_api_credentials_url}", + match => "^url:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting Wazuh api port for wazuh-dashboard': + path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', + line => "port: ${dashboard_wazuh_api_credentials_port}", + match => "^port:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting Wazuh api username for wazuh-dashboard': + path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', + line => "username: ${dashboard_wazuh_api_credentials_username}", + match => "^username:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + file_line { 'Setting Wazuh api password for wazuh-dashboard': + path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', + line => 
"password: ${dashboard_wazuh_api_credentials_password}", + match => "^password:\s", + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + service { 'wazuh-dashboard': ensure => running, enable => true, diff --git a/manifests/indexer.pp b/manifests/indexer.pp index 77ce6cc0..69d5c271 100644 --- a/manifests/indexer.pp +++ b/manifests/indexer.pp @@ -5,9 +5,6 @@ $indexer_cluster_name = 'wazuh-cluster', $indexer_node_name = 'node-1', - $indexer_node_master = true, - $indexer_node_data = true, - $indexer_node_ingest = true, $indexer_node_max_local_storage_nodes = '1', $indexer_service = 'wazuh-indexer', $indexer_package = 'wazuh-indexer', @@ -16,32 +13,19 @@ $indexer_path_data = '/var/lib/wazuh-indexer', $indexer_path_logs = '/var/log/wazuh-indexer', $indexer_path_certs = '/etc/wazuh-indexer/certs', - - - $indexer_ip = 'localhost', - $indexer_port = '9200', - $indexer_discovery_option = 'discovery.type: single-node', - $indexer_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['node-1']", - - $manage_repos = false, # Change to true when manager is not present. - -# JVM options - $jvm_options_memmory = '1g', + $network_host = '0.0.0.0', ){ - if $manage_repos { - class { 'wazuh::repo':} - if $::osfamily == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] - } else { - Class['wazuh::repo'] -> Package['wazuh-indexer'] - } + class { 'wazuh::repo':} + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] + } else { + Class['wazuh::repo'] -> Package['wazuh-indexer'] } - # install package package { 'wazuh-indexer': ensure => $indexer_version, 
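Review bot: The 'Setting Wazuh api username for wazuh-dashboard' file_line interpolates `${dashboard_wazuh_api_credentials_username}`, but the parameter this patch declares is `$dashboard_wazuh_api_credentials_user`, so the line written is `username: ` (or a compile failure under strict_variables). The `^url:\s`, `^port:\s`, `^username:\s` and `^password:\s` anchors also assume top-level keys, whereas, judging by the wazuh_yml.erb template later in this series, those keys sit indented under a `hosts:` entry, so each file_line would append an unindented duplicate at the end of wazuh.yml instead of replacing the value, and the API password lands in a file whose mode is not managed here. Rendering wazuh.yml from a template, as the TODO above already suggests, avoids both problems.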
@@ -65,6 +49,57 @@ } + file_line { 'Setting cluster name for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "cluster.name: ${indexer_cluster_name}", + match => "^cluster.name:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting node name for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "node.name: ${indexer_node_name}", + match => "^node.name:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting node master for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "- "${indexer_node_master}"", + match => "^- "node-1"\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting node max local storage node for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "node.max_local_storage_nodes: ${indexer_node_max_local_storage_nodes}", + match => "^node.max_local_storage_nodes:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting path data for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "path.data: ${indexer_path_data}", + match => "^path.data:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting path logs for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "path.logs: ${indexer_path_logs}", + match => "^path.logs:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + file_line { 'Setting network host for wazuh-indexer': + path => '/etc/wazuh-indexer/opensearch.yml', + line => "network.host: ${network_host}", + match => "^network.host:\s", + require => Package[$indexer_package], + notify => Service[$indexer_service], + } + + service { 'wazuh-indexer': ensure => running, enable => true, 
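Review bot: `line => "- "${indexer_node_master}""` in 'Setting node master for wazuh-indexer' is not valid Puppet string syntax (the inner double quotes terminate the literal), and `$indexer_node_master` is a parameter this same patch removes from the class, so the manifest will not compile. The `match => "^- "node-1"\s"` is also pinned to node-1 rather than `${indexer_node_name}`. A list entry such as `cluster.initial_master_nodes` cannot be managed safely with file_line at all; render the whole opensearch.yml from a template instead.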
From 1fb533dc6a416312af14e8c1e0172aa67ef888d7 Mon Sep 17 00:00:00 2001 From: c-bordon Date: Tue, 20 Sep 2022 16:53:24 -0300 Subject: [PATCH 2/9] Add changes from 4.3 --- manifests/dashboard.pp | 125 +++++++---------- manifests/filebeat_oss.pp | 109 +++++++++------ manifests/indexer.pp | 178 +++++++++++++----------- templates/opensearch_dashboards_yml.erb | 14 ++ templates/wazuh_indexer_yml.erb | 44 ++++++ 5 files changed, 275 insertions(+), 195 deletions(-) create mode 100644 templates/opensearch_dashboards_yml.erb create mode 100644 templates/wazuh_indexer_yml.erb diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 9fb0faa5..0f36225f 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp @@ -10,11 +10,16 @@ $dashboard_server_port = '443', $dashboard_server_host = '0.0.0.0', - $indexer_server_host = "https://${indexer_server_ip}:$indexer_server_port}", - $dashboard_wazuh_api_credentials_url = "http://localhost", - $dashboard_wazuh_api_credentials_port = "55000", - $dashboard_wazuh_api_credentials_user = "wazuh-wui", - $dashboard_wazuh_api_credentials_password = "wazuh-wui", + $indexer_server_host = "https://${indexer_server_ip}:${indexer_server_port}", + $dashboard_wazuh_api_credentials = [ + { + 'id' => 'default', + 'url' => 'https://localhost', + 'port' => '55000', + 'user' => 'wazuh-wui', + 'password' => 'wazuh-wui', + }, + ], ) { # assign version according to the package manager 
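Review bot: The default `'password' => 'wazuh-wui'` in `$dashboard_wazuh_api_credentials` is the stock Wazuh API credential, and as a plain Hash entry it is rendered into wazuh.yml and can appear in catalogs and reports as ordinary data. Consider typing the parameter (`Array[Hash]`) and wrapping the password in `Sensitive` (unwrapping it in the template) so Puppet redacts it, and document that the default must be overridden. Switching the API URL to `https://localhost` is right, but callers that set the scalar `_url`/`_port`/`_user`/`_password` parameters from the previous commit will now get an unknown-parameter error, which deserves a changelog note.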
@@ -28,87 +33,65 @@ } # install package - package { 'Installing Wazuh Dashboard...': + package { 'wazuh-dashboard': ensure => $dashboard_version_install, name => $dashboard_package, } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Dashboard Certificates': + exec { "ensure full path of ${dashboard_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $dashboard_path_certs \ - && cp /tmp/wazuh-certificates/dashboard.pem $dashboard_path_certs\ - && cp /tmp/wazuh-certificates/dashboard-key.pem $dashboard_path_certs\ - && cp /tmp/wazuh-certificates/root-ca.pem $dashboard_path_certs\ - && chown wazuh-dashboard:wazuh-dashboard -R $dashboard_path_certs\ - && chmod 500 $dashboard_path_certs\ - && chmod 400 $dashboard_path_certs/*", - - } - - # TODO: Fully manage the opensearch_dashboards.yml and a template file resource - file_line { 'Setting host for wazuh-dashboard': - path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', - line => "server.host: ${dashboard_server_host}", - match => "^server.host:\s", + command => "mkdir -p ${dashboard_path_certs}", + creates => $dashboard_path_certs, require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], } - file_line { 'Setting port for wazuh-dashboard': - path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', - line => "server.port: ${dashboard_server_port}", - match => "^server.port:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], + -> file { $dashboard_path_certs: + ensure => directory, + owner => $dashboard_fileuser, + group => $dashboard_filegroup, + mode => '0500', } - file_line { 'Setting Wazuh indexer host for wazuh-dashboard': - path => '/etc/wazuh-dashboard/opensearch_dashboards.yml', - line => "opensearch.hosts: ${indexer_server_host}", - match => "^opensearch.hosts:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], - } - file_line { 'Setting Wazuh api url for wazuh-dashboard': - path => 
'/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', - line => "url: ${dashboard_wazuh_api_credentials_url}", - match => "^url:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], - } - file_line { 'Setting Wazuh api port for wazuh-dashboard': - path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', - line => "port: ${dashboard_wazuh_api_credentials_port}", - match => "^port:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], + + [ + 'dashboard.pem', + 'dashboard-key.pem', + 'root-ca.pem', + ].each |String $certfile| { + file { "${dashboard_path_certs}/${certfile}": + ensure => file, + owner => $dashboard_fileuser, + group => $dashboard_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile}", + } } - file_line { 'Setting Wazuh api username for wazuh-dashboard': - path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', - line => "username: ${dashboard_wazuh_api_credentials_username}", - match => "^username:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], + + # TODO: Fully manage the opensearch_dashboards.yml and a template file resource + file { '/etc/wazuh-dashboard/opensearch_dashboards.yml': + owner => 'wazuh-dashboard', + group => 'wazuh-dashboard', + mode => '0640', + content => template('wazuh/opensearch_dashboards_yml.erb'), + require => Package[$dashboard_package], + notify => Service[$dashboard_service] } - file_line { 'Setting Wazuh api password for wazuh-dashboard': - path => '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml', - line => "password: ${dashboard_wazuh_api_credentials_password}", - match => "^password:\s", - require => Package['wazuh-dashboard'], - notify => Service['wazuh-dashboard'], + + file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': + owner => 'wazuh-dashboard', + group => 'wazuh-dashboard', + mode => 
'0600', + content => template('wazuh/wazuh_yml.erb'), + require => Package[$dashboard_package], + notify => Service[$dashboard_service] } + service { 'wazuh-dashboard': ensure => running, enable => true, hasrestart => true, + name => $dashboard_service, } - - exec {'Waiting for Wazuh indexer...': - path => '/usr/bin', - command => "curl -u ${dashboard_user}:${dashboard_password} -k -s -XGET https://${indexer_server_ip}:${indexer_server_port}", - tries => 100, - try_sleep => 3, - } - -} +} \ No newline at end of file diff --git a/manifests/filebeat_oss.pp b/manifests/filebeat_oss.pp index e8a9df37..bd78e0b1 100644 --- a/manifests/filebeat_oss.pp +++ b/manifests/filebeat_oss.pp @@ -5,23 +5,26 @@ $filebeat_oss_indexer_port = '9200', $indexer_server_ip = "\"${filebeat_oss_indexer_ip}:${filebeat_oss_indexer_port}\"", + $filebeat_oss_archives = false, $filebeat_oss_package = 'filebeat', $filebeat_oss_service = 'filebeat', $filebeat_oss_elastic_user = 'admin', $filebeat_oss_elastic_password = 'admin', $filebeat_oss_version = '7.10.2', - $wazuh_app_version = '4.4.0_7.10.0', + $wazuh_app_version = '4.4.0_7.10.2', $wazuh_extensions_version = 'v4.4.0', - $wazuh_filebeat_module = 'wazuh-filebeat-0.1.tar.gz', - $filebeat_path_certs = '/etc/filebeat/certs', -){ + $wazuh_filebeat_module = 'wazuh-filebeat-0.2.tar.gz', - class {'wazuh::repo_elastic_oss':} + $filebeat_fileuser = 'root', + $filebeat_filegroup = 'root', + $filebeat_path_certs = '/etc/filebeat/certs', +) { + include wazuh::repo_elastic_oss - if $::osfamily == 'Debian' { - Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package[$filebeat_oss_package] + if $facts['os']['family'] == 'Debian' { + Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package['filebeat'] } else { - Class['wazuh::repo_elastic_oss'] -> Package[$filebeat_oss_package] + Class['wazuh::repo_elastic_oss'] -> Package['filebeat'] } package { 'filebeat': 
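Review bot: The new `file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': ... content => template('wazuh/wazuh_yml.erb') }` renders the API credentials but has no `show_diff => false`, so every change to it is printed as a diff in agent output and reports, exposing the password. Add `show_diff => false,` to that resource (the opensearch_dashboards.yml resource currently carries no secrets, so it is optional there). The certificate `file` resources use `replace => false`, so a regenerated certificate in `/tmp/wazuh-certificates` will never be rolled out to a host that already has one; if that is intended, the inline comment should say "never re-copied after first install" rather than "only copy content when file not exist".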
@@ -29,58 +32,86 @@ name => $filebeat_oss_package, } - file { 'Configure filebeat.yml': + file { '/etc/filebeat/filebeat.yml': owner => 'root', - path => '/etc/filebeat/filebeat.yml', group => 'root', - mode => '0644', - notify => Service[$filebeat_oss_service], ## Restarts the service + mode => '0640', + notify => Service['filebeat'], ## Restarts the service content => template('wazuh/filebeat_oss_yml.erb'), - require => Package[$filebeat_oss_package] + require => Package['filebeat'], } - exec { 'Installing wazuh-template.json...': - path => '/usr/bin', - command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json'", - notify => Service[$filebeat_oss_service], - require => Package[$filebeat_oss_package] + # work around: + # Use cmp to compare the content of local and remote file. When they differ than rm the file to get it recreated by the file resource. + # Needed since GitHub can only ETAG and result in changes of the mtime everytime. + # TODO: Include file into the wazuh/wazuh-puppet project or use file { checksum => '..' } for this instead of the exec construct. + exec { 'cleanup /etc/filebeat/wazuh-template.json': + command => '/bin/rm /etc/filebeat/wazuh-template.json', + onlyif => '/usr/bin/test -e /etc/filebeat/wazuh-template.json', + unless => "/bin/cmp -s '/etc/filebeat/wazuh-template.json' <(curl -s https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json)", } - - exec { 'Installing filebeat module ... 
Downloading package': - path => '/usr/bin', - command => "curl -o /root/${$wazuh_filebeat_module} https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}", + -> file { '/etc/filebeat/wazuh-template.json': + owner => 'root', + group => 'root', + mode => '0440', + replace => false, # only copy content when file not exist + source => "https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json", + notify => Service['filebeat'], + require => Package['filebeat'], } - exec { 'Unpackaging ...': - command => '/bin/tar -xzvf /root/wazuh-filebeat-0.2.tar.gz -C /usr/share/filebeat/module', - notify => Service[$filebeat_oss_service], - require => Package[$filebeat_oss_package] + archive { "/tmp/${$wazuh_filebeat_module}": + ensure => present, + source => "https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}", + extract => true, + extract_path => '/usr/share/filebeat/module', + creates => '/usr/share/filebeat/module/wazuh', + cleanup => true, + notify => Service['filebeat'], + require => Package['filebeat'], } file { '/usr/share/filebeat/module/wazuh': ensure => 'directory', mode => '0755', - require => Package[$filebeat_oss_package] + require => Package['filebeat'], } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Filebeat Certificates': + exec { "ensure full path of ${filebeat_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $filebeat_path_certs \ - && cp /tmp/wazuh-certificates/server.pem $filebeat_path_certs/filebeat.pem\ - && cp /tmp/wazuh-certificates/server-key.pem $filebeat_path_certs/filebeat-key.pem\ - && cp /tmp/wazuh-certificates/root-ca.pem $filebeat_path_certs\ - && chown root:root -R $filebeat_path_certs\ - && chmod 500 $filebeat_path_certs\ - && chmod 400 $filebeat_path_certs/*", - require => Package[$filebeat_oss_package], + command => "mkdir -p ${filebeat_path_certs}", + creates => $filebeat_path_certs, + require => Package['filebeat'], + 
} + -> file { $filebeat_path_certs: + ensure => directory, + owner => $filebeat_fileuser, + group => $filebeat_filegroup, + mode => '0500', + } + $_certfiles = { + 'server.pem' => 'filebeat.pem', + 'server-key.pem' => 'filebeat-key.pem', + 'root-ca.pem' => 'root-ca.pem', + } + $_certfiles.each |String $certfile_source, String $certfile_target| { + file { "${filebeat_path_certs}/${certfile_target}": + ensure => file, + owner => $filebeat_fileuser, + group => $filebeat_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile_source}", + } } service { 'filebeat': ensure => running, enable => true, - require => Package[$filebeat_oss_package] + name => $filebeat_oss_service, + require => Package['filebeat'], } -} +} \ No newline at end of file diff --git a/manifests/indexer.pp b/manifests/indexer.pp index 69d5c271..e08bd585 100644 --- a/manifests/indexer.pp +++ b/manifests/indexer.pp 
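Review bot: Both downloads in this hunk are unverified: `archive { "/tmp/${$wazuh_filebeat_module}": source => "https://packages.wazuh.com/4.x/filebeat/..." }` is extracted into `/usr/share/filebeat/module` with no `checksum`/`checksum_type`, and `file { '/etc/filebeat/wazuh-template.json': source => "https://raw.githubusercontent.com/..." }` has no `checksum` either, so whatever the remote serves is installed as root with TLS as the only protection. The puppet/archive type accepts `checksum_type => 'sha256'` and `checksum => '<digest>'`; since `${wazuh_extensions_version}` and the module tarball name are pinned, the digests can be pinned alongside them, which makes the run reproducible and detects tampering. The filebeat.yml resource is also worth a `show_diff => false`, as it is rendered from `$filebeat_oss_elastic_password`.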
@@ -2,131 +2,139 @@ # Setup for Wazuh Indexer class wazuh::indexer ( # opensearch.yml configuration - + $indexer_network_host = '0.0.0.0' $indexer_cluster_name = 'wazuh-cluster', $indexer_node_name = 'node-1', $indexer_node_max_local_storage_nodes = '1', $indexer_service = 'wazuh-indexer', $indexer_package = 'wazuh-indexer', $indexer_version = '4.4.0-1', + $indexer_fileuser = 'wazuh-indexer', + $indexer_filegroup = 'wazuh-indexer', $indexer_path_data = '/var/lib/wazuh-indexer', $indexer_path_logs = '/var/log/wazuh-indexer', $indexer_path_certs = '/etc/wazuh-indexer/certs', - $network_host = '0.0.0.0', - -){ + $indexer_ip = 'localhost', + $indexer_port = '9200', + $indexer_discovery_hosts = [], # Empty array for single-node configuration + $indexer_cluster_initial_master_nodes = ['node-1'], - class { 'wazuh::repo':} - if $::osfamily == 'Debian' { + # JVM options + $jvm_options_memory = '1g', +) { + include wazuh::repo + if $facts['os']['family'] == 'Debian' { Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] } else { Class['wazuh::repo'] -> Package['wazuh-indexer'] } - # install package package { 'wazuh-indexer': ensure => $indexer_version, name => $indexer_package, } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Indexer Certificates': + exec { "ensure full path of ${indexer_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $indexer_path_certs \ - && cp /tmp/wazuh-certificates/indexer.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/indexer-key.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/root-ca.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/admin.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/admin-key.pem $indexer_path_certs\ - && chown wazuh-indexer:wazuh-indexer -R $indexer_path_certs\ - && chmod 500 $indexer_path_certs\ - && chmod 400 $indexer_path_certs/*", - require => Package[$indexer_package], - - } - - file_line { 'Setting cluster name for wazuh-indexer': 
- path => '/etc/wazuh-indexer/opensearch.yml', - line => "cluster.name: ${indexer_cluster_name}", - match => "^cluster.name:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], - } - file_line { 'Setting node name for wazuh-indexer': - path => '/etc/wazuh-indexer/opensearch.yml', - line => "node.name: ${indexer_node_name}", - match => "^node.name:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], + command => "mkdir -p ${indexer_path_certs}", + creates => $indexer_path_certs, + require => Package['wazuh-indexer'], } - file_line { 'Setting node master for wazuh-indexer': - path => '/etc/wazuh-indexer/opensearch.yml', - line => "- "${indexer_node_master}"", - match => "^- "node-1"\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], - } - file_line { 'Setting node max local storage node for wazuh-indexer': - path => '/etc/wazuh-indexer/opensearch.yml', - line => "node.max_local_storage_nodes: ${indexer_node_max_local_storage_nodes}", - match => "^node.max_local_storage_nodes:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], + -> file { $indexer_path_certs: + ensure => directory, + owner => $indexer_fileuser, + group => $indexer_filegroup, + mode => '0500', } - file_line { 'Setting path data for wazuh-indexer': - path => '/etc/wazuh-indexer/opensearch.yml', - line => "path.data: ${indexer_path_data}", - match => "^path.data:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], + + [ + 'indexer.pem', + 'indexer-key.pem', + 'root-ca.pem', + 'admin.pem', + 'admin-key.pem', + ].each |String $certfile| { + file { "${indexer_path_certs}/${certfile}": + ensure => file, + owner => $indexer_fileuser, + group => $indexer_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile}", + } } - file_line { 'Setting path logs for wazuh-indexer': + + 
file { 'configuration file': path => '/etc/wazuh-indexer/opensearch.yml', - line => "path.logs: ${indexer_path_logs}", - match => "^path.logs:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], + content => template('wazuh/wazuh_indexer_yml.erb'), + group => $indexer_filegroup, + mode => '0660', + owner => $indexer_fileuser, + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], } - file_line { 'Setting network host for wazuh-indexer': - path => '/etc/wazuh-indexer/opensearch.yml', - line => "network.host: ${network_host}", - match => "^network.host:\s", - require => Package[$indexer_package], - notify => Service[$indexer_service], + + file_line { 'Insert line initial size of total heap space': + path => '/etc/wazuh-indexer/jvm.options', + line => "-Xms${jvm_options_memory}", + match => '^-Xms', + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], } + file_line { 'Insert line maximum size of total heap space': + path => '/etc/wazuh-indexer/jvm.options', + line => "-Xmx${jvm_options_memory}", + match => '^-Xmx', + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], + } service { 'wazuh-indexer': ensure => running, enable => true, - require => Package[$indexer_package], + name => $indexer_service, + require => Package['wazuh-indexer'], } - exec { 'Insert line limits': - path => '/usr/bin:/bin/', - command => "echo 'elasticsearch - nofile 65535\nelasticsearch - memlock unlimited' >> /etc/security/limits.conf", - require => Package[$indexer_package], - + file_line { "Insert line limits nofile for ${indexer_fileuser}": + path => '/etc/security/limits.conf', + line => "${indexer_fileuser} - nofile 65535", + match => "^${indexer_fileuser} - nofile\s", + notify => Service['wazuh-indexer'], } - - exec { 'Verify wazuh-indexer folders owner': - path => '/usr/bin:/bin', - command => "chown wazuh-indexer:wazuh-indexer -R /etc/wazuh-indexer\ - && chown wazuh-indexer:wazuh-indexer 
-R /usr/share/wazuh-indexer\ - && chown wazuh-indexer:wazuh-indexer -R /var/lib/wazuh-indexer", - require => Package[$indexer_package], - + file_line { "Insert line limits memlock for ${indexer_fileuser}": + path => '/etc/security/limits.conf', + line => "${indexer_fileuser} - memlock unlimited", + match => "^${indexer_fileuser} - memlock\s", + notify => Service['wazuh-indexer'], } - exec { 'Launch security admin initializer': - path => ['/usr/bin', '/bin', '/usr/sbin'], - command => '/usr/share/wazuh-indexer/bin/indexer-security-init.sh', - require => Package[$indexer_package], - + # TODO: this should be done by the package itself and not by puppet at all + [ + '/etc/wazuh-indexer', + '/usr/share/wazuh-indexer', + '/var/lib/wazuh-indexer', + ].each |String $file| { + exec { "set ecusive ownership of ${file}": + path => '/usr/bin:/bin', + command => "chown ${indexer_fileuser}:${indexer_filegroup} -R ${file}", + refreshonly => true, # only run when package is installed or updated + subscribe => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], + } } -} + exec { 'Initialize the Opensearch security index in Wazuh indexer': + path => ['/usr/bin', '/bin', '/usr/sbin'], + command => '/usr/share/wazuh-indexer/bin/indexer-security-init.sh', + refreshonly => true, # only run when package is installed or updated + subscribe => Package['wazuh-indexer'], + require => Service['wazuh-indexer'], + } +} \ No newline at end of file diff --git a/templates/opensearch_dashboards_yml.erb b/templates/opensearch_dashboards_yml.erb new file mode 100644 index 00000000..e07cce83 --- /dev/null +++ b/templates/opensearch_dashboards_yml.erb 
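Review bot: `file { 'configuration file': path => '/etc/wazuh-indexer/opensearch.yml', mode => '0660' }` makes the indexer config group-writable, whereas the other config files in this series (`opensearch_dashboards.yml`, `filebeat.yml`) use `0640`; nothing in the hunk needs the group write bit, so `mode => '0640'` is consistent and tighter. The refresh-only `chown ${indexer_fileuser}:${indexer_filegroup} -R /usr/share/wazuh-indexer` hands the service account ownership of its own binaries and plugins; the `# TODO` acknowledges the package should do this, but the comment should also state that it widens what a compromised indexer process can modify. The 'Initialize the Opensearch security index' exec is ordered after `Service['wazuh-indexer']` but nothing waits for the HTTPS port to come up, so on a slow host the init script may run before the node accepts connections — consider `tries`/`try_sleep`. Minor: the exec title reads `set ecusive ownership`, presumably "recursive".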
@@ -0,0 +1,14 @@
+server.host: <%= @dashboard_server_host %>
+server.port: <%= @dashboard_server_port %>
+opensearch.hosts: <%= @indexer_server_host %>
+opensearch.ssl.verificationMode: certificate
+#opensearch.username:
+#opensearch.password:
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
+server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh
\ No newline at end of file
diff --git a/templates/wazuh_indexer_yml.erb b/templates/wazuh_indexer_yml.erb
new file mode 100644
index 00000000..3e351a8e
--- /dev/null
+++ b/templates/wazuh_indexer_yml.erb
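Review bot: The certificate paths in `server.ssl.key`, `server.ssl.certificate` and `opensearch.ssl.certificateAuthorities` are hard-coded to `/etc/wazuh-dashboard/certs`, while the class rendering this template copies the files to `$dashboard_path_certs`; a caller overriding that parameter gets a dashboard that cannot load its key. Use `server.ssl.key: "<%= @dashboard_path_certs %>/dashboard-key.pem"` and the same for the other two entries. `opensearch.ssl.verificationMode: certificate` validates the chain but not the indexer's hostname — acceptable for the `localhost` default, but a comment such as `# 'certificate' skips hostname verification; use 'full' when indexer certs carry SANs` makes the trade-off explicit.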
@@ -0,0 +1,44 @@
+network.host: "<%= @indexer_network_host %>"
+node.name: "<%= @indexer_node_name %>"
+cluster.initial_master_nodes:
+<% @indexer_cluster_initial_master_nodes.each do |node| -%>
+- "<%= node %>"
+<% end -%>
+cluster.name: "<%= @indexer_cluster_name %>"
+<% if not @indexer_discovery_hosts.empty? -%>
+discovery.seed_hosts:
+<% @indexer_discovery_hosts.each do |host| -%>
+- "<%= host %>"
+<% end -%>
+<% end -%>
+node.max_local_storage_nodes: "<%= @indexer_node_max_local_storage_nodes %>"
+path.data: "<%= @indexer_path_data %>"
+path.logs: "<%= @indexer_path_logs %>"
+
+plugins.security.ssl.http.pemcert_filepath: <%= @indexer_path_certs %>/indexer.pem
+plugins.security.ssl.http.pemkey_filepath: <%= @indexer_path_certs %>/indexer-key.pem
+plugins.security.ssl.http.pemtrustedcas_filepath: <%= @indexer_path_certs %>/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: <%= @indexer_path_certs %>/indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: <%= @indexer_path_certs %>/indexer-key.pem
+plugins.security.ssl.transport.pemtrustedcas_filepath: <%= @indexer_path_certs %>/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+<% @indexer_cluster_initial_master_nodes.each do |node| -%>
+- "CN=<%= node %>,OU=Wazuh,O=Wazuh,L=California,C=US"
+<% end -%>
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", 
".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] + +### Option to allow Filebeat-oss 7.10.2 to work ### +compatibility.override_main_response_version: true \ No newline at end of file From f9b3c72047aab3105a11e3c60ded22344a02a34d Mon Sep 17 00:00:00 2001 From: c-bordon Date: Wed, 21 Sep 2022 06:07:35 -0300 Subject: [PATCH 3/9] Add install of archive module --- manifests/indexer.pp | 2 +- metadata.json | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/indexer.pp b/manifests/indexer.pp index e08bd585..bf25cd62 100644 --- a/manifests/indexer.pp +++ b/manifests/indexer.pp @@ -2,7 +2,7 @@ # Setup for Wazuh Indexer class wazuh::indexer ( # opensearch.yml configuration - $indexer_network_host = '0.0.0.0' + $indexer_network_host = '0.0.0.0', $indexer_cluster_name = 'wazuh-cluster', $indexer_node_name = 'node-1', $indexer_node_max_local_storage_nodes = '1', diff --git a/metadata.json b/metadata.json index ae4616a4..c7927472 100644 --- a/metadata.json +++ b/metadata.json @@ -35,6 +35,10 @@ { "name": "puppetlabs/powershell", "version_requirement": ">= 2.0.0 < 5.0.0" + }, + { + "name": "puppet/archive", + "version_requirement": ">= 0.4.8 < 7.0.0" } ], "operatingsystem_support": [ From ee20e520a2d79c3e02602db3250be99cb36e40a2 Mon Sep 17 00:00:00 2001 From: c-bordon Date: Wed, 21 Sep 2022 09:34:00 -0300 Subject: [PATCH 4/9] Fix wazuh.yml template --- manifests/dashboard.pp | 42 ++++++++++++++++++++++++------------- templates/wazuh_api_yml.erb | 19 +++++++---------- templates/wazuh_yml.erb | 2 +- 3 files changed, 36 insertions(+), 27 deletions(-) diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 0f36225f..e862d35e 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp 
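Review bot: `plugins.security.nodes_dn` is generated only from `@indexer_cluster_initial_master_nodes`, so the security plugin will accept transport connections only from those node DNs; a node that appears only in `@indexer_discovery_hosts`, or a data node joined later under a different `@indexer_node_name`, is rejected at the TLS handshake. A separate parameter holding the full node-name list (or deriving `nodes_dn` from all node names) avoids that. The hard-coded `OU=Wazuh,O=Wazuh,L=California,C=US` in both `admin_dn` and `nodes_dn` has to match what `wazuh::certificates` generates, which deserves a comment such as `# DN components must match the certs produced by wazuh::certificates`. `plugins.security.ssl.transport.enforce_hostname_verification: false` turns off hostname checks on the cluster transport; I believe this mirrors the Wazuh reference config, but a note telling multi-node operators to enable it once their node certs carry hostnames would help.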
@@ -7,6 +7,8 @@ $indexer_server_ip = 'localhost', $indexer_server_port = '9200', $dashboard_path_certs = '/etc/wazuh-dashboard/certs', + $dashboard_fileuser = 'wazuh-dashboard', + $dashboard_filegroup = 'wazuh-dashboard', $dashboard_server_port = '443', $dashboard_server_host = '0.0.0.0', @@ -22,13 +24,21 @@ ], ) { + include wazuh::repo + + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-dashboard'] + } else { + Class['wazuh::repo'] -> Package['wazuh-dashboard'] + } + # assign version according to the package manager - case $::osfamily { - 'Debian' : { + case $facts['os']['family'] { + 'Debian': { $dashboard_version_install = "${dashboard_version}-*" } - 'Linux', 'RedHat' : { - $dashboard_version_install = "${dashboard_version}" + 'Linux', 'RedHat', default: { + $dashboard_version_install = $dashboard_version } } @@ -78,20 +88,24 @@ notify => Service[$dashboard_service] } - file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': - owner => 'wazuh-dashboard', - group => 'wazuh-dashboard', - mode => '0600', - content => template('wazuh/wazuh_yml.erb'), - require => Package[$dashboard_package], - notify => Service[$dashboard_service] - } - - service { 'wazuh-dashboard': ensure => running, enable => true, hasrestart => true, name => $dashboard_service, } + + exec {'Waiting for Wazuh dashboard...': + require => Service[$dashboard_service], + command => "sleep 15 ", + path => "/usr/bin:/bin", + } + + file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': + owner => 'wazuh-dashboard', + group => 'wazuh-dashboard', + mode => '0600', + content => template('wazuh/wazuh_yml.erb'), + require => Package[$dashboard_package] + } } \ No newline at end of file diff --git a/templates/wazuh_api_yml.erb b/templates/wazuh_api_yml.erb index dcff5ae2..fd36a7ab 100644 --- a/templates/wazuh_api_yml.erb +++ b/templates/wazuh_api_yml.erb 
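Review bot: `exec {'Waiting for Wazuh dashboard...': command => "sleep 15 "}` has no `refreshonly`, `creates` or `unless`, so it runs on every agent run, adds 15 s each time, and is still a race rather than a readiness check. Make it `refreshonly => true, subscribe => Service[$dashboard_service]` or poll the port with `tries`/`try_sleep` instead. The moved `wazuh.yml` resource also dropped its `notify => Service[$dashboard_service]`, so credential changes no longer restart the dashboard — if that is deliberate because the plugin re-reads the file, say so in a comment, and since the file carries the API password add `show_diff => false`. `case $facts['os']['family'] { 'Linux', 'RedHat', default: ... }` also means any unsupported family silently gets the RedHat version string rather than a clear failure.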
@@ -17,7 +17,6 @@ https: # Values for API log level: disabled, info, warning, error, debug, debug2 (each level includes the previous level). logs: level: <%= @wazuh_api_logs_level %> - format: <%= @wazuh_api_logs_format %> # Cross-origin resource sharing: https://github.com/aio-libs/aiohttp-cors#usage cors: enabled: <%= @wazuh_api_cors_enabled %> @@ -39,14 +38,10 @@ drop_privileges: <%= @wazuh_api_drop_privileges %> # Enable features under development experimental_features: <%= @wazuh_api_experimental_features %> # Enable remote commands -upload_configuration: - remote_commands: - localfile: - allow: <%= @remote_commands_localfile %> - exceptions: <%= @remote_commands_localfile_exceptions %> - wodle_command: - allow: <%= @remote_commands_wodle %> - exceptions: <%= @remote_commands_wodle_exceptions %> - limits: - eps: - allow: <%= @limits_eps %> +remote_commands: + localfile: + enabled: <%= @remote_commands_localfile %> + exceptions: <%= @remote_commands_localfile_exceptions %> + wodle_command: + enabled: <%= @remote_commands_wodle %> + exceptions: <%= @remote_commands_wodle_exceptions %> \ No newline at end of file diff --git a/templates/wazuh_yml.erb b/templates/wazuh_yml.erb index eed345eb..8e473c8a 100644 --- a/templates/wazuh_yml.erb +++ b/templates/wazuh_yml.erb @@ -124,7 +124,7 @@ # user: # password: hosts: -<% @kibana_wazuh_api_credentials.each do |api_profile| -%> +<% @dashboard_wazuh_api_credentials.each do |api_profile| -%> - <%= api_profile['id'] %>: url: <%= api_profile['url'] %> port: <%= api_profile['port'] %> From 4d73f32d1a7924618af386caee5cadf9733d20ad Mon Sep 17 00:00:00 2001 From: c-bordon Date: Wed, 21 Sep 2022 11:49:38 -0300 Subject: [PATCH 5/9] Removed manage_repo validation for dashboard --- manifests/dashboard.pp | 9 --------- 1 file changed, 9 deletions(-) diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 233415a1..b338e516 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp 
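Review bot: The renamed keys in the `@@ -39,14 +38,10 @@` hunk should be checked against the schema of the Wazuh API version this module targets: the hunk moves `remote_commands` out of `upload_configuration` and renames `allow:` to `enabled:`, and since these settings gate whether uploaded configurations may carry remote-command directives, an unrecognised key is typically ignored rather than rejected, leaving the API on its defaults while the manifest appears to enforce a restriction. The dropped `limits.eps.allow` entry presumably leaves `@limits_eps` declared but unused in the manifest. A comment above `remote_commands:` naming the source of the layout would help future upgrades, e.g. `# Layout follows the api.yaml shipped with Wazuh <API_VERSION_PLACEHOLDER>; re-check these keys when upgrading`.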
@@ -23,15 +23,6 @@ }, ], ) { - if $manage_repos { - include wazuh::repo - - if $::osfamily == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-dashboard'] - } else { - Class['wazuh::repo'] -> Package['wazuh-dashboard'] - } - } include wazuh::repo From fe6e4a835e814c0166e874ed1e1f36099f4aa49b Mon Sep 17 00:00:00 2001 From: c-bordon Date: Wed, 21 Sep 2022 11:55:08 -0300 Subject: [PATCH 6/9] Changed with PR #551 --- manifests/filebeat_oss.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/filebeat_oss.pp b/manifests/filebeat_oss.pp index 3bcf5b91..d74e7cb7 100644 --- a/manifests/filebeat_oss.pp +++ b/manifests/filebeat_oss.pp @@ -47,8 +47,8 @@ # TODO: Include file into the wazuh/wazuh-puppet project or use file { checksum => '..' } for this instead of the exec construct. exec { 'cleanup /etc/filebeat/wazuh-template.json': command => '/bin/rm /etc/filebeat/wazuh-template.json', - onlyif => '/usr/bin/test -e /etc/filebeat/wazuh-template.json', - unless => "/bin/cmp -s '/etc/filebeat/wazuh-template.json' <(curl -s https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json)", + onlyif => '/bin/test -f /etc/filebeat/wazuh-template.json', + unless => "/bin/curl -s 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json' | /bin/cmp -s '/etc/filebeat/wazuh-template.json'", } -> file { '/etc/filebeat/wazuh-template.json': owner => 'root', From c6b639f5024ad7aa311db97eaac0c0c292f32ecc Mon Sep 17 00:00:00 2001 From: Carlos Bordon <64099752+c-bordon@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:57:58 -0300 Subject: [PATCH 7/9] Update manifests/dashboard.pp LGTM Co-authored-by: cruelsmith <92088441+cruelsmith@users.noreply.github.com> --- manifests/dashboard.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
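Review bot: The new `unless` in the filebeat_oss.pp hunk still deletes the local template whenever the download fails: the exit status of the pipeline is `cmp`'s, so if `curl` produces no output (network error) or returns an error page (no `--fail` is given, so a 404 body is treated as content), `cmp` reports a difference, `unless` exits non-zero, and the `rm` runs. A safer shape is to fetch with `--fail` into a staging file and only remove the existing template when the fetch succeeded and the contents differ, or to follow the TODO above the resource and manage the file with a checksum. The pipe is also only interpreted when this exec uses the shell provider, which would be declared outside the hunk if at all.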
diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index b338e516..55cd39b9 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp @@ -84,8 +84,8 @@ group => 'wazuh-dashboard', mode => '0640', content => template('wazuh/opensearch_dashboards_yml.erb'), - require => Package[$dashboard_package], - notify => Service[$dashboard_service] + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'] } service { 'wazuh-dashboard': From 7718392e4616ebd6a3d519fdd5648c9150ae1eca Mon Sep 17 00:00:00 2001 From: Carlos Bordon <64099752+c-bordon@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:58:08 -0300 Subject: [PATCH 8/9] Update manifests/dashboard.pp LGTM Co-authored-by: cruelsmith <92088441+cruelsmith@users.noreply.github.com> --- manifests/dashboard.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 55cd39b9..7654b2ae 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp @@ -106,6 +106,6 @@ group => 'wazuh-dashboard', mode => '0600', content => template('wazuh/wazuh_yml.erb'), - require => Package[$dashboard_package] + require => Package['wazuh-dashboard'] } } From dd7060b4975d414794c1138329702b2d1207935a Mon Sep 17 00:00:00 2001 From: c-bordon Date: Thu, 22 Sep 2022 09:28:34 -0300 Subject: [PATCH 9/9] Changes requested by community --- manifests/dashboard.pp | 29 +++++++++++++++++++---------- manifests/indexer.pp | 14 +++++++++----- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 7654b2ae..60732386 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp 
@@ -22,14 +22,18 @@ 'password' => 'wazuh-wui', }, ], + + $manage_repos = false, # Change to true when manager is not present. ) { - include wazuh::repo + if $manage_repos { + include wazuh::repo - if $::osfamily == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-dashboard'] - } else { - Class['wazuh::repo'] -> Package['wazuh-dashboard'] + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-dashboard'] + } else { + Class['wazuh::repo'] -> Package['wazuh-dashboard'] + } } # assign version according to the package manager @@ -95,10 +99,14 @@ name => $dashboard_service, } - exec {'Waiting for Wazuh dashboard...': - require => Service[$dashboard_service], - command => "sleep 15 ", - path => "/usr/bin:/bin", + file { ['/usr/share/wazuh-dashboard/data/wazuh/', + '/usr/share/wazuh-dashboard/data/wazuh/config/']: + ensure => 'directory', + owner => 'wazuh-dashboard', + group => 'wazuh-dashboard', + mode => '0600', + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], } file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': @@ -106,6 +114,7 @@ group => 'wazuh-dashboard', mode => '0600', content => template('wazuh/wazuh_yml.erb'), - require => Package['wazuh-dashboard'] + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], } } diff --git a/manifests/indexer.pp b/manifests/indexer.pp index 89c70a0e..1dc7b4a3 100644 --- a/manifests/indexer.pp +++ b/manifests/indexer.pp 
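Review bot: `$manage_repos` is declared without a type; `Boolean $manage_repos = false,` would reject string values such as `'false'` at compile time, which Puppet otherwise treats as truthy and would silently enable repository management — the same applies to the identical parameter added to indexer.pp in the last hunk of this series. The trailing comment `# Change to true when manager is not present.` reads as if it refers to a process; if it means the `wazuh::manager` class, which presumably declares `wazuh::repo` itself, say so: `# Set to true when wazuh::manager is not declared on this node and the repo must be managed here.`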
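Review bot: `mode => '0600'` on the two directories in the `@@ -95,10 +99,14 @@` hunk reads as if the owner could not traverse them; Puppet adds the search bit to a directory wherever the read bit is set, so the effective mode is 0700, but writing `mode => '0700',` states the intent directly and avoids the reader having to know that rule. Restricting the tree to the `wazuh-dashboard` user is consistent with the API credentials stored in wazuh.yml beneath it, so the tightening itself looks right.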
@@ -21,14 +21,18 @@ $indexer_discovery_hosts = [], # Empty array for single-node configuration $indexer_cluster_initial_master_nodes = ['node-1'], + $manage_repos = false, # Change to true when manager is not present. + # JVM options $jvm_options_memory = '1g', ) { - include wazuh::repo - if $facts['os']['family'] == 'Debian' { - Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] - } else { - Class['wazuh::repo'] -> Package['wazuh-indexer'] + if $manage_repos { + include wazuh::repo + if $facts['os']['family'] == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] + } else { + Class['wazuh::repo'] -> Package['wazuh-indexer'] + } } # install package