diff --git a/CHANGELOG.md b/CHANGELOG.md index ecba5d207..b157c6bda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file. ### Changed +- Refactor of the wazuh-dashboard ansible role ([#1565](https://github.com/wazuh/wazuh-ansible/pull/1565)) - Refactor of the wazuh-indexer ansible role ([#1551](https://github.com/wazuh/wazuh-ansible/pull/1551)) - Remove default Wazuh agent configuration file and related tasks ([#1546](https://github.com/wazuh/wazuh-ansible/pull/1546)) - Refactor of the wazuh-agent ansible role ([#1517](https://github.com/wazuh/wazuh-ansible/pull/1517)) diff --git a/roles/wazuh-dashboard/defaults/main.yml b/roles/wazuh-dashboard/defaults/main.yml index bc37cd044..fbf834a97 100644 --- a/roles/wazuh-dashboard/defaults/main.yml +++ b/roles/wazuh-dashboard/defaults/main.yml @@ -1,31 +1,8 @@ --- -# Dashboard configuration -indexer_http_port: 9200 -indexer_api_protocol: https -dashboard_conf_path: /etc/wazuh-dashboard/ -dashboard_node_name: node-1 -dashboard_server_host: "0.0.0.0" -dashboard_server_port: "443" -dashboard_server_name: "dashboard" -wazuh_version: 5.0.0 +dashboard_node_name: "dashboard" indexer_cluster_nodes: - - 127.0.0.1 + - "{{ hostvars[inventory_hostname].private_ip }}" -# The Wazuh dashboard package repository -dashboard_version: "5.0.0" - -# API credentials -wazuh_api_credentials: - - id: "default" - url: "https://127.0.0.1" - port: 55000 - username: "wazuh-wui" - password: "wazuh-wui" - -# Dashboard Security -dashboard_security: true -indexer_admin_password: changeme -dashboard_user: kibanaserver -dashboard_password: changeme -local_certs_path: "{{ playbook_dir }}/indexer/certificates" +wazuh_dashboard_package_download_path: "/tmp/wazuh-dashboard" +wazuh_dashboard_package_name: "wazuh-dashboard-package" diff --git a/roles/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh-dashboard/tasks/Debian.yml deleted file mode 100644 index 3f1f0c9db..000000000 
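Review bot: The new default `wazuh_dashboard_package_download_path: "/tmp/wazuh-dashboard"` in defaults/main.yml stages a package that the role later installs as root under a fixed, predictable path in a world-writable directory. If that path already exists under another local user's ownership, the package could be swapped between download and install. A root-only staging location would avoid this, for example a directory created with the `tempfile` module or a path such as `/var/cache/wazuh-dashboard` (example value). Separately, `indexer_cluster_nodes` now depends on `hostvars[inventory_hostname].private_ip`, which nothing in this hunk documents; a comment such as `# requires private_ip to be defined for every host in the inventory` above it would help.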
--- a/roles/wazuh-dashboard/tasks/Debian.yml +++ /dev/null @@ -1,34 +0,0 @@ ---- -- block: - - - include_vars: debian.yml - - name: Download apt repository signing key - get_url: - url: "{{ wazuh_repo.gpg }}" - dest: "{{ wazuh_repo.path }}" - - - name: Import Wazuh repository GPG key - command: "gpg --no-default-keyring --keyring gnupg-ring:{{ wazuh_repo.keyring_path }} --import {{ wazuh_repo.path }}" - args: - creates: "{{ wazuh_repo.keyring_path }}" - - - name: Set permissions for Wazuh repository GPG key - file: - path: "{{ wazuh_repo.keyring_path }}" - mode: '0644' - - - name: Debian systems | Add Wazuh dashboard repo - apt_repository: - repo: "{{ wazuh_repo.apt }}" - state: present - update_cache: yes - - - name: Install Wazuh dashboard - apt: - name: "wazuh-dashboard={{ dashboard_version }}-*" - state: present - update_cache: yes - register: install - - tags: - - install \ No newline at end of file diff --git a/roles/wazuh-dashboard/tasks/RMRedHat.yml b/roles/wazuh-dashboard/tasks/RMRedHat.yml deleted file mode 100644 index b34970eaf..000000000 --- a/roles/wazuh-dashboard/tasks/RMRedHat.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Remove Wazuh dashboard repository (and clean up left-over metadata) - yum_repository: - name: wazuh_repo - state: absent - changed_when: false diff --git a/roles/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh-dashboard/tasks/RedHat.yml deleted file mode 100644 index 5c9f496f9..000000000 --- a/roles/wazuh-dashboard/tasks/RedHat.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- block: - - - name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo - yum_repository: - name: wazuh_repo - description: Wazuh yum repository - baseurl: "{{ wazuh_repo.yum }}" - gpgkey: "{{ wazuh_repo.gpg }}" - gpgcheck: true - - - name: Install Wazuh dashboard - package: - name: "wazuh-dashboard-{{ dashboard_version }}" - state: present - update_cache: yes - register: install - - tags: - - install 
diff --git a/roles/wazuh-dashboard/tasks/dependencies.yml b/roles/wazuh-dashboard/tasks/dependencies.yml
new file mode 100644
index 000000000..9eb7559d9
--- /dev/null
+++ b/roles/wazuh-dashboard/tasks/dependencies.yml
@@ -0,0 +1,74 @@
+---
+
+- name: Check if local_configs_path directory exists
+ block:
+ - name: Retrieve local_configs_path directory information
+ stat:
+ path: "{{ local_configs_path }}"
+ register: local_configs_path_stat
+
+ - fail:
+ msg: "The directory {{ local_configs_path }} (local_configs_path) does not exist."
+ when: not local_configs_path_stat.stat.exists
+ run_once: true
+ delegate_to: localhost
+ become: no
+
+- name: Ensure wazuh-dashboard package download directory exists
+ file:
+ path: "{{ wazuh_dashboard_package_download_path }}"
+ state: directory
+ mode: '0755'
+
+- name: RHEL, CentOS, and Amazon Linux 2 | Configure system settings and install dependencies
+ block:
+ - name: RedHat/CentOS/Fedora | Install Dashboard dependencies
+ yum:
+ name: "{{ packages }}"
+ vars:
+ packages:
+ - libcap
+
+ - name: RedHat/CentOS/Fedora (x86_64) | Download wazuh-dashboard package
+ get_url:
+ url: "{{ wazuh_dashboard_url_amd64_rpm }}"
+ dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm"
+ when:
+ - ansible_architecture == "x86_64"
+
+ - name: RedHat/CentOS/Fedora (aarch64) | Download wazuh-dashboard package
+ get_url:
+ url: "{{ wazuh_dashboard_url_arm64_rpm }}"
+ dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm"
+ when:
+ - ansible_architecture == "aarch64"
+
+ when:
+ - ansible_os_family == 'RedHat'
+
+- name: Debian-based systems | Install Wazuh dashboard dependencies and download package
+ block:
+ - name: Debian-based | Install Dashboard dependencies
+ apt:
+ name:
+ - 'debhelper'
+ - 'tar'
+ - 'curl'
+ - 'libcap2-bin'
+ state: present
+
+ - name: Debian-based (AMD64) | Download wazuh-dashboard package
+ get_url:
+ url: "{{ wazuh_dashboard_url_amd64_deb }}"
+ dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb"
+ when:
+ - ansible_architecture == "x86_64"
+
+ - name: Debian-based (ARM64) | Download wazuh-dashboard package
+ get_url:
+ url: "{{ wazuh_dashboard_url_arm64_deb }}"
+ dest: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb"
+ when:
+ - ansible_architecture == "aarch64"
+ when:
+ - ansible_os_family == 'Debian'
diff --git a/roles/wazuh-dashboard/tasks/main.yml b/roles/wazuh-dashboard/tasks/main.yml
old mode 100755
new mode 100644
index 3f3fa665a..465689711
--- a/roles/wazuh-dashboard/tasks/main.yml
+++ b/roles/wazuh-dashboard/tasks/main.yml
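Review bot: In tasks/dependencies.yml none of the four `get_url` tasks pins a `checksum`, so whatever the URL variable resolves to is what later gets installed as root; each download should carry `checksum: "sha256:{{ <package_sha256_variable> }}"` (placeholder name, defined next to the URL variables). The download directory task sets only `mode: '0755'`; adding `owner: root` and `group: root` would make the role reset ownership if the directory already exists. Only `x86_64` and `aarch64` are handled, so any other architecture skips the download silently and fails later at install time; an explicit `assert` on `ansible_architecture` would report that earlier. The `fail` task has no `name`, and `become: no` would read better as `become: false`.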
@@ -1,93 +1,64 @@ --- -- include_vars: ../../vars/repo_vars.yml -- include_vars: ../../vars/repo.yml - when: packages_repository == 'production' +- include_vars: ../../vars/main.yml -- include_vars: ../../vars/repo_pre-release.yml - when: packages_repository == 'pre-release' +- include_vars: ../../vars/{{ urls_file }} -- include_vars: ../../vars/repo_staging.yml - when: packages_repository == 'staging' - -- import_tasks: RedHat.yml - when: ansible_os_family == 'RedHat' - -- import_tasks: Debian.yml - when: ansible_os_family == 'Debian' - -- name: Remove Dashboard configuration file - file: - # noqa 503 - path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" - state: absent - tags: install - -- import_tasks: security_actions.yml - -- name: Copy Configuration File - template: - src: "templates/opensearch_dashboards.yml.j2" - dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" - group: wazuh-dashboard - owner: wazuh-dashboard - mode: 0640 - force: yes - notify: restart wazuh-dashboard - tags: - - install - - configure - -- name: Ensuring Wazuh dashboard directory owner - file: - # noqa 208 - path: "/usr/share/wazuh-dashboard" - state: directory - owner: wazuh-dashboard - group: wazuh-dashboard - recurse: yes - -- name: Wait for Wazuh-Indexer port - wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} - -- name: Select correct API protocol - set_fact: - indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}" - -- name: Attempting to delete legacy Wazuh index if exists - uri: - url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh" - method: DELETE - user: "admin" - password: "{{ indexer_admin_password }}" - validate_certs: no - status_code: 200, 404 +- import_tasks: dependencies.yml + become: yes -- name: Create Wazuh Plugin config directory - file: - path: /usr/share/wazuh-dashboard/data/wazuh/config/ - state: directory - recurse: yes - 
owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0751 - changed_when: False +- name: Linux CentOS/RedHat | Install wazuh-dashboard using yum + yum: + name: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.rpm" + state: present + disable_gpg_check: yes + become: yes + when: + - ansible_os_family|lower == "redhat" -- name: Configure Wazuh Dashboard Plugin - template: - src: wazuh.yml.j2 - dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml +- name: Linux Debian | Install wazuh-dashboard using dpkg + shell: | + dpkg -i {{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb + become: yes + when: + - ansible_os_family|lower == 'debian' + +- name: Dashboard | Configure Wazuh dashboard + block: + - name: Dashboard | Remove current opensearch.hosts configuration + replace: + path: /etc/wazuh-dashboard/opensearch_dashboards.yml + regexp: 'opensearch\.hosts: .*$' + replace: 'opensearch.hosts:' + + - name: Dashboard | Add opensearch.hosts configuration + blockinfile: + path: /etc/wazuh-dashboard/opensearch_dashboards.yml + insertafter: 'opensearch.hosts:' + block: | + {% for node in indexer_cluster_nodes %} + - https://{{ node }}:9200 + {% endfor %} + +- name: Copy the certificates from local to the Wazuh dashboard instance + copy: + src: "{{ local_configs_path }}/wazuh-certificates/{{ item }}" + dest: /etc/wazuh-dashboard/certs/ owner: wazuh-dashboard group: wazuh-dashboard - mode: 0751 - changed_when: False - -- name: Configure opensearch.password in opensearch_dashboards.keystore - shell: >- - echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password - args: - executable: /bin/bash + mode: 0400 + with_items: + - "root-ca.pem" + - "{{ dashboard_node_name }}-key.pem" + - "{{ dashboard_node_name }}.pem" + +- name: Rename certificates to match default names + command: mv /etc/wazuh-dashboard/certs/{{ item.src }} 
/etc/wazuh-dashboard/certs/{{ item.dest }} + with_items: + - { src: "{{ dashboard_node_name }}.pem", dest: "dashboard.pem" } + - { src: "{{ dashboard_node_name }}-key.pem", dest: "dashboard-key.pem" } become: yes + when: dashboard_node_name != "dashboard" - name: Ensure Wazuh dashboard started and enabled service: @@ -95,5 +66,9 @@ enabled: true state: started -- import_tasks: RMRedHat.yml - when: ansible_os_family == 'RedHat' +- name: Remove installation leftovers + file: + path: "{{ wazuh_dashboard_package_download_path }}" + state: absent + force: yes + become: yes diff --git a/roles/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh-dashboard/tasks/security_actions.yml deleted file mode 100644 index 06b3e2b39..000000000 --- a/roles/wazuh-dashboard/tasks/security_actions.yml +++ /dev/null @@ -1,23 +0,0 @@ -- block: - - - name: Ensure Dashboard certificates directory permissions. - file: - path: "/etc/wazuh-dashboard/certs/" - state: directory - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 500 - - - name: Copy the certificates from local to the Wazuh dashboard instance - copy: - src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" - dest: /etc/wazuh-dashboard/certs/ - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0400 - with_items: - - "root-ca.pem" - - "{{ dashboard_node_name }}-key.pem" - - "{{ dashboard_node_name }}.pem" - tags: - - security diff --git a/roles/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 b/roles/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 deleted file mode 100644 index 100d9f2ba..000000000 --- a/roles/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 +++ /dev/null 
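Review bot: The yum install sets `disable_gpg_check: yes` and the Debian install runs `dpkg -i` through `shell`, so the downloaded package is installed as root with no signature or digest verification, whereas the removed repository tasks used `gpgcheck: true`. Either verify the file at download time with a pinned checksum or import the vendor key and drop `disable_gpg_check`. On Debian, `apt:` with `deb: "{{ wazuh_dashboard_package_download_path }}/{{ wazuh_dashboard_package_name }}.deb"` replaces the shell call and is idempotent. The certificate copy into `/etc/wazuh-dashboard/certs/` has no `become: yes`, and nothing now ensures that directory's owner and mode as the deleted security_actions.yml did; presumably the package creates it, which is worth confirming. The `mv` rename reports changed on every run, so copying each certificate straight to its final `dest` name would avoid the extra task.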
@@ -1,15 +0,0 @@ -server.host: {{ dashboard_server_host }} -server.port: {{ dashboard_server_port }} -opensearch.hosts: -{% for item in indexer_cluster_nodes %} - - https://{{ item }}:{{ indexer_http_port }} -{% endfor %} -opensearch.ssl.verificationMode: certificate -opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] -opensearch_security.multitenancy.enabled: false -opensearch_security.readonly_mode.roles: ["kibana_read_only"] -server.ssl.enabled: true -server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem" -server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem" -opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] -uiSettings.overrides.defaultRoute: /app/wz-home diff --git a/roles/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/wazuh-dashboard/templates/wazuh.yml.j2 deleted file mode 100644 index d3ab99a0b..000000000 --- a/roles/wazuh-dashboard/templates/wazuh.yml.j2 +++ /dev/null 
@@ -1,134 +0,0 @@ ---- -# -# Wazuh app - App configuration file -# Copyright (C) 2016, Wazuh Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Find more information about this on the LICENSE file. -# -# ======================== Wazuh app configuration file ======================== -# -# Please check the documentation for more information on configuration options: -# https://documentation.wazuh.com/current/installation-guide/index.html -# -# Also, you can check our repository: -# https://github.com/wazuh/wazuh-dashboard-plugins -# -# ------------------------------- Index patterns ------------------------------- -# -# Default index pattern to use. -#pattern: wazuh-alerts-5.x-* -# -# ----------------------------------- Checks ----------------------------------- -# -# Defines which checks must to be consider by the healthcheck -# step once the Wazuh app starts. Values must to be true or false. -#checks.pattern : true -#checks.template: true -#checks.api : true -#checks.setup : true -# -# --------------------------------- Extensions --------------------------------- -# -# Defines which extensions should be activated when you add a new API entry. -# You can change them after Wazuh app starts. -# Values must to be true or false. -#extensions.pci : true -#extensions.gdpr : true -#extensions.hipaa : true -#extensions.nist : true -#extensions.audit : true -#extensions.oscap : false -#extensions.ciscat : false -#extensions.aws : false -#extensions.virustotal: false -#extensions.osquery : false -#extensions.docker : false -# -# ---------------------------------- Time out ---------------------------------- -# -# Defines maximum timeout to be used on the Wazuh app requests. -# It will be ignored if it is bellow 1500. 
-# It means milliseconds before we consider a request as failed. -# Default: 20000 -#timeout: 20000 -# -# ------------------------------ Advanced indices ------------------------------ -# -# Configure .wazuh indices shards and replicas. -#wazuh.shards : 1 -#wazuh.replicas : 0 -# -# --------------------------- Index pattern selector --------------------------- -# -# Defines if the user is allowed to change the selected -# index pattern directly from the Wazuh app top menu. -# Default: true -#ip.selector: true -# -# List of index patterns to be ignored -#ip.ignore: [] -# -# -------------------------------- X-Pack RBAC --------------------------------- -# -# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. -# Default: enabled -#xpack.rbac.enabled: true -# -# ------------------------------ wazuh-monitoring ------------------------------ -# -# Custom setting to enable/disable wazuh-monitoring indices. -# Values: true, false, worker -# If worker is given as value, the app will show the Agents status -# visualization but won't insert data on wazuh-monitoring indices. -# Default: true -#wazuh.monitoring.enabled: true -# -# Custom setting to set the frequency for wazuh-monitoring indices cron task. -# Default: 900 (s) -#wazuh.monitoring.frequency: 900 -# -# Configure wazuh-monitoring-5.x-* indices shards and replicas. -#wazuh.monitoring.shards: 2 -#wazuh.monitoring.replicas: 0 -# -# Configure wazuh-monitoring-5.x-* indices custom creation interval. -# Values: h (hourly), d (daily), w (weekly), m (monthly) -# Default: d -#wazuh.monitoring.creation: d -# -# Default index pattern to use for Wazuh monitoring -#wazuh.monitoring.pattern: wazuh-monitoring-5.x-* -# -# -# ------------------------------- App privileges -------------------------------- -#admin: true -# -# ------------------------------- App logging level ----------------------------- -# Set the logging level for the Wazuh App log files. 
-# Default value: info -# Allowed values: info, debug -#logs.level: info -# -#-------------------------------- API entries ----------------------------------- -#The following configuration is the default structure to define an API entry. -# -#hosts: -# - : -# url: http(s):// -# port: -# user: -# password: - -hosts: -{% for api in wazuh_api_credentials %} - - {{ api['id'] }}: - url: {{ api['url'] }} - port: {{ api['port'] }} - username: {{ api['username'] }} - password: "{{ api['password'] }}" -{% endfor %}