diff --git a/CHANGELOG.md b/CHANGELOG.md index e9aeb913..8ea1b929 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,24 @@ All notable changes to this project will be documented in this file. - Support to 4.4.0 Wazuh release. +## Wazuh Puppet v4.3.9 + +### Added + +- Support to 4.3.9 Wazuh release. + +## Wazuh Puppet v4.3.8 + +### Added + +- Support to 4.3.8 Wazuh release. + +## Wazuh Puppet v4.3.7 + +### Added + +- Support to 4.3.7 Wazuh release. + ## Wazuh Puppet v4.3.6 ### Added diff --git a/manifests/activeresponse.pp b/manifests/activeresponse.pp index ae496b2d..65154a57 100644 --- a/manifests/activeresponse.pp +++ b/manifests/activeresponse.pp @@ -13,7 +13,7 @@ $active_response_timeout = undef, $active_response_repeated_offenders = [], $target_arg = 'manager_ossec.conf', - $order_arg = undef, + $order_arg = 80, $before_arg = undef, $content_arg = 'wazuh/fragments/_activeresponse.erb' ) { diff --git a/manifests/certificates.pp b/manifests/certificates.pp index 9293020f..59143924 100644 --- a/manifests/certificates.pp +++ b/manifests/certificates.pp 
@@ -4,28 +4,29 @@ $wazuh_repository = 'packages.wazuh.com', $wazuh_version = '4.5', ) { + file { 'Configure Wazuh Certificates config.yml': + owner => 'root', + path => '/tmp/config.yml', + group => 'root', + mode => '0640', + content => template('wazuh/wazuh_config_yml.erb'), + } - $certs_path = '/tmp/wazuh-certificates' - - $path_exists = find_file($certs_path) - - unless $path_exists { - file { 'Configure config.yml': - owner => 'root', - path => '/tmp/config.yml', - group => 'root', - mode => '0644', - content => template('wazuh/wazuh_config_yml.erb'), - } - - exec { 'Create Wazuh Certificates': - path => '/usr/bin:/bin', - command => "curl -so /tmp/wazuh-certs-tool.sh 'https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh'\ - && chmod 744 /tmp/wazuh-certs-tool.sh\ - && bash /tmp/wazuh-certs-tool.sh --all", - - } + file { '/tmp/wazuh-certs-tool.sh': + ensure => file, + source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh", + owner => 'root', + group => 'root', + mode => '0740', } + exec { 'Create Wazuh Certificates': + path => '/usr/bin:/bin', + command => 'bash /tmp/wazuh-certs-tool.sh --all', + creates => '/tmp/wazuh-certificates', + require => [ + File['/tmp/wazuh-certs-tool.sh'], + File['/tmp/config.yml'], + ], + } } - diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp index 978adc7d..5aa21c2e 100644 --- a/manifests/dashboard.pp +++ b/manifests/dashboard.pp 
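Review bot: The new `file { '/tmp/wazuh-certs-tool.sh' }` fetches the script over HTTPS with no `checksum`/`checksum_value`, and the exec that follows runs it as root, so whatever the mirror serves is executed unverified; pinning it with `checksum => 'sha256', checksum_value => '<sha256 of the released wazuh-certs-tool.sh>'` turns a changed or tampered download into a Puppet failure instead of a root shell. Staging everything under /tmp is the second concern: `creates => '/tmp/wazuh-certificates'` appears to be satisfied by a directory that any local account can create first in the sticky-bit /tmp, after which the indexer, dashboard and filebeat manifests copy its contents with `replace => false`, and the freshly generated private keys sit in a shared directory until those classes pick them up. A root-owned staging directory (for example `/var/lib/wazuh-certs`, name constructed) holding config.yml, the tool and its output, with `mode => '0700'`, would close both issues. The class body `wazuh::certificates` starts before this hunk.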
@@ -4,66 +4,126 @@ $dashboard_package = 'wazuh-dashboard', $dashboard_service = 'wazuh-dashboard', $dashboard_version = '4.5.0', - $dashboard_user = 'admin', - $dashboard_password = 'admin', $indexer_server_ip = 'localhost', $indexer_server_port = '9200', $dashboard_path_certs = '/etc/wazuh-dashboard/certs', + $dashboard_fileuser = 'wazuh-dashboard', + $dashboard_filegroup = 'wazuh-dashboard', - $dashboard_server_port = '5601', + $dashboard_server_port = '443', $dashboard_server_host = '0.0.0.0', - $dashboard_server_hosts ="https://${indexer_server_ip}:$indexer_server_port}", - $dashboard_wazuh_api_credentials = [ { - 'id' => 'default', - 'url' => 'http://localhost', - 'port' => '55000', - 'user' => 'foo', - 'password' => 'bar', - }, - ] + $dashboard_server_hosts = "https://${indexer_server_ip}:${indexer_server_port}", + + # If the keystore is used, the credentials are not managed by the module (TODO). + # If use_keystore is false, the keystore is deleted, the dashboard use the credentials in the configuration file. + $use_keystore = true, + $dashboard_user = 'kibanaserver', + $dashboard_password = 'kibanaserver', + + $dashboard_wazuh_api_credentials = [ + { + 'id' => 'default', + 'url' => 'https://localhost', + 'port' => '55000', + 'user' => 'wazuh-wui', + 'password' => 'wazuh-wui', + }, + ], + + $manage_repos = false, # Change to true when manager is not present. 
) { + if $manage_repos { + include wazuh::repo + + if $::osfamily == 'Debian' { + Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-dashboard'] + } else { + Class['wazuh::repo'] -> Package['wazuh-dashboard'] + } + } # assign version according to the package manager - case $::osfamily { - 'Debian' : { + case $facts['os']['family'] { + 'Debian': { $dashboard_version_install = "${dashboard_version}-*" } - 'Linux', 'RedHat' : { - $dashboard_version_install = "${dashboard_version}" + 'Linux', 'RedHat', default: { + $dashboard_version_install = $dashboard_version } } # install package - package { 'Installing Wazuh Dashboard...': + package { 'wazuh-dashboard': ensure => $dashboard_version_install, name => $dashboard_package, } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Dashboard Certificates': + exec { "ensure full path of ${dashboard_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $dashboard_path_certs \ - && cp /tmp/wazuh-certificates/dashboard.pem $dashboard_path_certs\ - && cp /tmp/wazuh-certificates/dashboard-key.pem $dashboard_path_certs\ - && cp /tmp/wazuh-certificates/root-ca.pem $dashboard_path_certs\ - && chown wazuh-dashboard:wazuh-dashboard -R $dashboard_path_certs\ - && chmod 500 $dashboard_path_certs\ - && chmod 400 $dashboard_path_certs/*", + command => "mkdir -p ${dashboard_path_certs}", + creates => $dashboard_path_certs, + require => Package['wazuh-dashboard'], + } + -> file { $dashboard_path_certs: + ensure => directory, + owner => $dashboard_fileuser, + group => $dashboard_filegroup, + mode => '0500', + } + + [ + 'dashboard.pem', + 'dashboard-key.pem', + 'root-ca.pem', + ].each |String $certfile| { + file { "${dashboard_path_certs}/${certfile}": + ensure => file, + owner => $dashboard_fileuser, + group => $dashboard_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile}", + } + } + + file { 
'/etc/wazuh-dashboard/opensearch_dashboards.yml': + content => template('wazuh/wazuh_dashboard_yml.erb'), + group => $dashboard_filegroup, + mode => '0640', + owner => $dashboard_fileuser, + require => Package['wazuh-dashboard'], + notify => Service['wazuh-dashboard'], + } + + file { [ '/usr/share/wazuh-dashboard/data/wazuh/', '/usr/share/wazuh-dashboard/data/wazuh/config' ]: + ensure => 'directory', + group => $dashboard_filegroup, + mode => '0755', + owner => $dashboard_fileuser, + require => Package['wazuh-dashboard'], + } + -> file { '/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml': + content => template('wazuh/wazuh_yml.erb'), + group => $dashboard_filegroup, + mode => '0600', + owner => $dashboard_fileuser, + notify => Service['wazuh-dashboard'], + } + unless $use_keystore { + file { '/usr/share/wazuh-dashboard/config/opensearch_dashboards.keystore': + ensure => absent, + require => Package['wazuh-dashboard'], + before => Service['wazuh-dashboard'], + } } service { 'wazuh-dashboard': ensure => running, enable => true, hasrestart => true, + name => $dashboard_service, } - - exec {'Waiting for Wazuh indexer...': - path => '/usr/bin', - command => "curl -u ${dashboard_user}:${dashboard_password} -k -s -XGET https://${indexer_server_ip}:${indexer_server_port}", - tries => 100, - try_sleep => 3, - } - } diff --git a/manifests/filebeat_oss.pp b/manifests/filebeat_oss.pp index cf70a32a..579a34bc 100644 --- a/manifests/filebeat_oss.pp +++ b/manifests/filebeat_oss.pp @@ -5,6 +5,7 @@ $filebeat_oss_indexer_port = '9200', $indexer_server_ip = "\"${filebeat_oss_indexer_ip}:${filebeat_oss_indexer_port}\"", + $filebeat_oss_archives = false, $filebeat_oss_package = 'filebeat', $filebeat_oss_service = 'filebeat', $filebeat_oss_elastic_user = 'admin', 
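Review bot: The new `$use_keystore = true` default does not keep the credentials off disk: `$dashboard_user`/`$dashboard_password` still default to `'kibanaserver'`, and the new templates/wazuh_dashboard_yml.erb (later in this diff) emits `opensearch.username`/`opensearch.password` whenever both are set, so a default run writes the vendor password into `/etc/wazuh-dashboard/opensearch_dashboards.yml` (0640) while the parameter comment says the module does not manage them in keystore mode. Either default both to `undef` when the keystore is used, or make the template guard `<% if !@use_keystore && @dashboard_user && @dashboard_password -%>`; the `wazuh-wui`/`wazuh-wui` API defaults written into wazuh.yml deserve the same treatment. Separately, `replace => false` on the three certificate files means a regenerated or rotated certificate in /tmp/wazuh-certificates is never redeployed; if that is intentional, a comment such as `# certificates are deployed once; rotation is a manual step` would save the next reader a surprise.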
@@ -13,15 +14,17 @@ $wazuh_app_version = '4.5.0_7.10.2', $wazuh_extensions_version = 'v4.5.0', $wazuh_filebeat_module = 'wazuh-filebeat-0.2.tar.gz', - $filebeat_path_certs = '/etc/filebeat/certs', -){ - class {'wazuh::repo_elastic_oss':} + $filebeat_fileuser = 'root', + $filebeat_filegroup = 'root', + $filebeat_path_certs = '/etc/filebeat/certs', +) { + include wazuh::repo_elastic_oss - if $::osfamily == 'Debian' { - Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package[$filebeat_oss_package] + if $facts['os']['family'] == 'Debian' { + Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package['filebeat'] } else { - Class['wazuh::repo_elastic_oss'] -> Package[$filebeat_oss_package] + Class['wazuh::repo_elastic_oss'] -> Package['filebeat'] } package { 'filebeat': 
@@ -29,58 +32,86 @@ name => $filebeat_oss_package, } - file { 'Configure filebeat.yml': + file { '/etc/filebeat/filebeat.yml': owner => 'root', - path => '/etc/filebeat/filebeat.yml', group => 'root', - mode => '0644', - notify => Service[$filebeat_oss_service], ## Restarts the service + mode => '0640', + notify => Service['filebeat'], ## Restarts the service content => template('wazuh/filebeat_oss_yml.erb'), - require => Package[$filebeat_oss_package] + require => Package['filebeat'], } - exec { 'Installing wazuh-template.json...': - path => '/usr/bin', - command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json'", - notify => Service[$filebeat_oss_service], - require => Package[$filebeat_oss_package] + # work around: + # Use cmp to compare the content of local and remote file. When they differ than rm the file to get it recreated by the file resource. + # Needed since GitHub can only ETAG and result in changes of the mtime everytime. + # TODO: Include file into the wazuh/wazuh-puppet project or use file { checksum => '..' } for this instead of the exec construct. + exec { 'cleanup /etc/filebeat/wazuh-template.json': + command => '/bin/rm /etc/filebeat/wazuh-template.json', + onlyif => '/bin/test -f /etc/filebeat/wazuh-template.json', + unless => "/bin/curl -s 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json' | /bin/cmp -s '/etc/filebeat/wazuh-template.json'", } - - exec { 'Installing filebeat module ... 
Downloading package': - path => '/usr/bin', - command => "curl -o /root/${$wazuh_filebeat_module} https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}", + -> file { '/etc/filebeat/wazuh-template.json': + owner => 'root', + group => 'root', + mode => '0440', + replace => false, # only copy content when file not exist + source => "https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json", + notify => Service['filebeat'], + require => Package['filebeat'], } - exec { 'Unpackaging ...': - command => '/bin/tar -xzvf /root/wazuh-filebeat-0.2.tar.gz -C /usr/share/filebeat/module', - notify => Service[$filebeat_oss_service], - require => Package[$filebeat_oss_package] + archive { "/tmp/${$wazuh_filebeat_module}": + ensure => present, + source => "https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}", + extract => true, + extract_path => '/usr/share/filebeat/module', + creates => '/usr/share/filebeat/module/wazuh', + cleanup => true, + notify => Service['filebeat'], + require => Package['filebeat'], } file { '/usr/share/filebeat/module/wazuh': ensure => 'directory', mode => '0755', - require => Package[$filebeat_oss_package] + require => Package['filebeat'], } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Filebeat Certificates': + exec { "ensure full path of ${filebeat_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $filebeat_path_certs \ - && cp /tmp/wazuh-certificates/server.pem $filebeat_path_certs/filebeat.pem\ - && cp /tmp/wazuh-certificates/server-key.pem $filebeat_path_certs/filebeat-key.pem\ - && cp /tmp/wazuh-certificates/root-ca.pem $filebeat_path_certs\ - && chown root:root -R $filebeat_path_certs\ - && chmod 500 $filebeat_path_certs\ - && chmod 400 $filebeat_path_certs/*", - require => Package[$filebeat_oss_package], + command => "mkdir -p ${filebeat_path_certs}", + creates => $filebeat_path_certs, + require => Package['filebeat'], + 
} + -> file { $filebeat_path_certs: + ensure => directory, + owner => $filebeat_fileuser, + group => $filebeat_filegroup, + mode => '0500', + } + $_certfiles = { + 'server.pem' => 'filebeat.pem', + 'server-key.pem' => 'filebeat-key.pem', + 'root-ca.pem' => 'root-ca.pem', + } + $_certfiles.each |String $certfile_source, String $certfile_target| { + file { "${filebeat_path_certs}/${certfile_target}": + ensure => file, + owner => $filebeat_fileuser, + group => $filebeat_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile_source}", + } } service { 'filebeat': ensure => running, enable => true, - require => Package[$filebeat_oss_package] + name => $filebeat_oss_service, + require => Package['filebeat'], } } diff --git a/manifests/indexer.pp b/manifests/indexer.pp index 1707fe75..392cd182 100644 --- a/manifests/indexer.pp +++ b/manifests/indexer.pp 
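Review bot: The `cleanup /etc/filebeat/wazuh-template.json` exec fails open: when the `curl -s` inside `unless` cannot reach raw.githubusercontent.com it prints nothing, `cmp -s` reports a difference, the `unless` check fails and the `rm` runs, after which the https `source` on the chained file resource fails as well and filebeat is left without its template (and restarted by `notify`). Every Puppet run also depends on a live fetch from GitHub for a file that is already pinned by tag. The TODO in the hunk names the better shape: drop the exec and `replace => false`, and pin the file with `checksum => 'sha256', checksum_value => '<sha256 of the pinned wazuh-template.json>'` so Puppet compares the local file against the digest and only refetches when it differs. The `archive` resource for `${wazuh_filebeat_module}` likewise extracts an unverified tarball into /usr/share/filebeat/module; `puppet/archive` supports `checksum_type`/`checksum` for the same purpose.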
@@ -2,96 +2,142 @@ # Setup for Wazuh Indexer class wazuh::indexer ( # opensearch.yml configuration - $indexer_cluster_name = 'wazuh-cluster', $indexer_node_name = 'node-1', - $indexer_node_master = true, - $indexer_node_data = true, - $indexer_node_ingest = true, $indexer_node_max_local_storage_nodes = '1', $indexer_service = 'wazuh-indexer', $indexer_package = 'wazuh-indexer', $indexer_version = '4.5.0-1', + $indexer_fileuser = 'wazuh-indexer', + $indexer_filegroup = 'wazuh-indexer', $indexer_path_data = '/var/lib/wazuh-indexer', $indexer_path_logs = '/var/log/wazuh-indexer', $indexer_path_certs = '/etc/wazuh-indexer/certs', - + $indexer_security_init_lockfile = '/var/tmp/indexer-security-init.lock', $indexer_ip = 'localhost', $indexer_port = '9200', - $indexer_discovery_option = 'discovery.type: single-node', - $indexer_cluster_initial_master_nodes = "#cluster.initial_master_nodes: ['node-1']", + $indexer_discovery_hosts = [], # Empty array for single-node configuration + $indexer_cluster_initial_master_nodes = ['node-1'], $manage_repos = false, # Change to true when manager is not present. 
-# JVM options - $jvm_options_memmory = '1g', - -){ - - + # JVM options + $jvm_options_memory = '1g', +) { if $manage_repos { - class { 'wazuh::repo':} - if $::osfamily == 'Debian' { + include wazuh::repo + if $facts['os']['family'] == 'Debian' { Class['wazuh::repo'] -> Class['apt::update'] -> Package['wazuh-indexer'] } else { Class['wazuh::repo'] -> Package['wazuh-indexer'] } } - - # install package package { 'wazuh-indexer': ensure => $indexer_version, name => $indexer_package, } - include wazuh::certificates + require wazuh::certificates - exec { 'Copy Indexer Certificates': + exec { "ensure full path of ${indexer_path_certs}": path => '/usr/bin:/bin', - command => "mkdir $indexer_path_certs \ - && cp /tmp/wazuh-certificates/indexer.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/indexer-key.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/root-ca.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/admin.pem $indexer_path_certs\ - && cp /tmp/wazuh-certificates/admin-key.pem $indexer_path_certs\ - && chown wazuh-indexer:wazuh-indexer -R $indexer_path_certs\ - && chmod 500 $indexer_path_certs\ - && chmod 400 $indexer_path_certs/*", - require => Package[$indexer_package], + command => "mkdir -p ${indexer_path_certs}", + creates => $indexer_path_certs, + require => Package['wazuh-indexer'], + } + -> file { $indexer_path_certs: + ensure => directory, + owner => $indexer_fileuser, + group => $indexer_filegroup, + mode => '0500', + } + + [ + 'indexer.pem', + 'indexer-key.pem', + 'root-ca.pem', + 'admin.pem', + 'admin-key.pem', + ].each |String $certfile| { + file { "${indexer_path_certs}/${certfile}": + ensure => file, + owner => $indexer_fileuser, + group => $indexer_filegroup, + mode => '0400', + replace => false, # only copy content when file not exist + source => "/tmp/wazuh-certificates/${certfile}", + } + } + file { 'configuration file': + path => '/etc/wazuh-indexer/opensearch.yml', + content => template('wazuh/wazuh_indexer_yml.erb'), + 
group => $indexer_filegroup, + mode => '0660', + owner => $indexer_fileuser, + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], + } + + file_line { 'Insert line initial size of total heap space': + path => '/etc/wazuh-indexer/jvm.options', + line => "-Xms${jvm_options_memory}", + match => '^-Xms', + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], + } + + file_line { 'Insert line maximum size of total heap space': + path => '/etc/wazuh-indexer/jvm.options', + line => "-Xmx${jvm_options_memory}", + match => '^-Xmx', + require => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], } service { 'wazuh-indexer': ensure => running, enable => true, - require => Package[$indexer_package], + name => $indexer_service, + require => Package['wazuh-indexer'], } - exec { 'Insert line limits': - path => '/usr/bin:/bin/', - command => "echo 'elasticsearch - nofile 65535\nelasticsearch - memlock unlimited' >> /etc/security/limits.conf", - require => Package[$indexer_package], - + file_line { "Insert line limits nofile for ${indexer_fileuser}": + path => '/etc/security/limits.conf', + line => "${indexer_fileuser} - nofile 65535", + match => "^${indexer_fileuser} - nofile\s", + notify => Service['wazuh-indexer'], + } + file_line { "Insert line limits memlock for ${indexer_fileuser}": + path => '/etc/security/limits.conf', + line => "${indexer_fileuser} - memlock unlimited", + match => "^${indexer_fileuser} - memlock\s", + notify => Service['wazuh-indexer'], } - exec { 'Verify wazuh-indexer folders owner': - path => '/usr/bin:/bin', - command => "chown wazuh-indexer:wazuh-indexer -R /etc/wazuh-indexer\ - && chown wazuh-indexer:wazuh-indexer -R /usr/share/wazuh-indexer\ - && chown wazuh-indexer:wazuh-indexer -R /var/lib/wazuh-indexer", - require => Package[$indexer_package], - + # TODO: this should be done by the package itself and not by puppet at all + [ + '/etc/wazuh-indexer', + '/usr/share/wazuh-indexer', + 
'/var/lib/wazuh-indexer', + ].each |String $file| { + exec { "set ecusive ownership of ${file}": + path => '/usr/bin:/bin', + command => "chown ${indexer_fileuser}:${indexer_filegroup} -R ${file}", + refreshonly => true, # only run when package is installed or updated + subscribe => Package['wazuh-indexer'], + notify => Service['wazuh-indexer'], + } } - exec { 'Launch security admin initializer': + exec { 'Initialize the Opensearch security index in Wazuh indexer': path => ['/usr/bin', '/bin', '/usr/sbin'], - command => '/usr/share/wazuh-indexer/bin/indexer-security-init.sh', - require => Package[$indexer_package], - + command => "/usr/share/wazuh-indexer/bin/indexer-security-init.sh && touch ${indexer_security_init_lockfile}", + creates => $indexer_security_init_lockfile, + require => Service['wazuh-indexer'], } - } diff --git a/manifests/manager.pp b/manifests/manager.pp index a1b05f96..b38fbbef 100644 --- a/manifests/manager.pp +++ b/manifests/manager.pp @@ -13,6 +13,8 @@ ## Global + $ossec_logall = $wazuh::params_manager::ossec_logall, + $ossec_logall_json = $wazuh::params_manager::ossec_logall_json, $ossec_emailnotification = $wazuh::params_manager::ossec_emailnotification, $ossec_emailto = $wazuh::params_manager::ossec_emailto, $ossec_smtp_server = $wazuh::params_manager::ossec_smtp_server, diff --git a/manifests/params_agent.pp b/manifests/params_agent.pp index bb3bacd5..6b7a9d2b 100644 --- a/manifests/params_agent.pp +++ b/manifests/params_agent.pp @@ -146,6 +146,13 @@ $sca_rhel_skip_nfs = 'yes' $sca_rhel_policies = [] + ## Windows + $sca_windows_enabled = 'yes' + $sca_windows_scan_on_start = 'yes' + $sca_windows_interval = '12h' + $sca_windows_skip_nfs = 'yes' + $sca_windows_policies = [] + ## $sca_else_enabled = 'yes' $sca_else_scan_on_start = 'yes' @@ -214,6 +221,7 @@ '-f 1' ] + $windows_audit_interval = 300 # active-response $active_response_linux_ca_store = '/var/ossec/etc/wpk_root.pem' 
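Review bot: `creates => $indexer_security_init_lockfile` with the default `/var/tmp/indexer-security-init.lock` keys the one-time security-index initialization on a file in a world-writable, sticky-bit directory: any local account that creates that path first makes Puppet skip `indexer-security-init.sh` permanently, and the marker also outlives a package reinstall. A root-owned location outside /var/tmp, for example `$indexer_security_init_lockfile = '/etc/wazuh-indexer/.security-init.done'` (path constructed), avoids both. The exec is ordered only on `Service['wazuh-indexer']`, which returns as soon as the process starts, and the `Waiting for Wazuh indexer...` poll that used to live in dashboard.pp is removed in this commit, so `tries`/`try_sleep` on this exec would keep the first run from failing while the indexer is still binding. Minor: the exec title `set ecusive ownership of ${file}` is a typo for `recursive`.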
@@ -251,8 +259,8 @@ # Wodles - ## doker-listener - $wodle_doker_listener_disabled = 'yes' + ## docker-listener + $wodle_docker_listener_disabled = 'yes' ## cis-cat $wodle_ciscat_disabled = 'yes' @@ -475,14 +483,6 @@ $service_has_status = true $ossec_service_provider = undef - # sca - $sca_windows_enabled = 'yes' - $sca_windows_scan_on_start = 'yes' - $sca_windows_interval = '12h' - $sca_windows_skip_nfs = 'yes' - $sca_windows_policies = [] - - # Wodles ## syscollector @@ -541,7 +541,6 @@ 'log_format' => 'syslog' }, ] - $windows_audit_interval = 300 } default: { fail('This ossec module has not been tested on your distribution') } } diff --git a/manifests/params_manager.pp b/manifests/params_manager.pp index 7573900a..481a68c0 100644 --- a/manifests/params_manager.pp +++ b/manifests/params_manager.pp @@ -13,6 +13,8 @@ ### Ossec.conf blocks ## Global + $ossec_logall = 'no' + $ossec_logall_json = 'no' $ossec_emailnotification = false $ossec_emailto = ['recipient@example.wazuh.com'] $ossec_smtp_server = 'smtp.example.wazuh.com' diff --git a/metadata.json b/metadata.json index e5182ff3..5269ea5a 100644 --- a/metadata.json +++ b/metadata.json @@ -35,6 +35,10 @@ { "name": "puppetlabs/powershell", "version_requirement": ">= 2.0.0 < 5.0.0" + }, + { + "name": "puppet/archive", + "version_requirement": ">= 0.4.8 < 7.0.0" } ], "operatingsystem_support": [ diff --git a/templates/filebeat_oss_yml.erb b/templates/filebeat_oss_yml.erb index e904e354..51771cbc 100644 --- a/templates/filebeat_oss_yml.erb +++ b/templates/filebeat_oss_yml.erb @@ -4,7 +4,7 @@ filebeat.modules: alerts: enabled: true archives: - enabled: false + enabled: <%= @filebeat_oss_archives %> setup.template.json.enabled: true setup.template.json.path: "/etc/filebeat/wazuh-template.json" diff --git a/templates/wazuh_dashboard_yml.erb b/templates/wazuh_dashboard_yml.erb new file mode 100644 index 00000000..387b2836 --- /dev/null +++ b/templates/wazuh_dashboard_yml.erb 
@@ -0,0 +1,17 @@ +server.host: <%= @dashboard_server_host %> +server.port: <%= @dashboard_server_port %> +opensearch.hosts: <%= @dashboard_server_hosts %> +opensearch.ssl.verificationMode: certificate +<% if @dashboard_user and @dashboard_password -%> +opensearch.username: <%= @dashboard_user %> +opensearch.password: <%= @dashboard_password %> +<% end -%> +opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "<%= @dashboard_path_certs %>/dashboard-key.pem" +server.ssl.certificate: "<%= @dashboard_path_certs %>/dashboard.pem" +opensearch.ssl.certificateAuthorities: ["<%= @dashboard_path_certs %>/root-ca.pem"] +uiSettings.overrides.defaultRoute: /app/wazuh + diff --git a/templates/wazuh_indexer_yml.erb b/templates/wazuh_indexer_yml.erb new file mode 100644 index 00000000..98e070dd --- /dev/null +++ b/templates/wazuh_indexer_yml.erb 
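Review bot: `opensearch.ssl.verificationMode: certificate` is hard-coded, so the dashboard checks that the indexer certificate chains to root-ca.pem but never that its name matches `opensearch.hosts`; with the certs-tool-generated certificates and an IP-based default this is probably what makes the setup work, but it silently accepts any certificate issued by that CA for any host. Exposing it as a parameter that defaults to the current value, with a comment such as `# 'certificate' skips hostname verification; use 'full' when the indexer certificate SANs match opensearch.hosts`, would let operators tighten it without editing the template.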
@@ -0,0 +1,44 @@ +network.host: "0.0.0.0" +node.name: "<%= @indexer_node_name %>" +cluster.initial_master_nodes: +<% @indexer_cluster_initial_master_nodes.each do |node| -%> +- "<%= node %>" +<% end -%> +cluster.name: "<%= @indexer_cluster_name %>" +<% if not @indexer_discovery_hosts.empty? -%> +discovery.seed_hosts: +<% @indexer_discovery_hosts.each do |host| -%> +- "<%= host %>" +<% end -%> +<% end -%> +node.max_local_storage_nodes: "<%= @indexer_node_max_local_storage_nodes %>" +path.data: "<%= @indexer_path_data %>" +path.logs: "<%= @indexer_path_logs %>" + +plugins.security.ssl.http.pemcert_filepath: <%= @indexer_path_certs %>/indexer.pem +plugins.security.ssl.http.pemkey_filepath: <%= @indexer_path_certs %>/indexer-key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: <%= @indexer_path_certs %>/root-ca.pem +plugins.security.ssl.transport.pemcert_filepath: <%= @indexer_path_certs %>/indexer.pem +plugins.security.ssl.transport.pemkey_filepath: <%= @indexer_path_certs %>/indexer-key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: <%= @indexer_path_certs %>/root-ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false + +plugins.security.authcz.admin_dn: +- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: +<% @indexer_cluster_initial_master_nodes.each do |node| -%> +- "CN=<%= node %>,OU=Wazuh,O=Wazuh,L=California,C=US" +<% end -%> +plugins.security.restapi.roles_enabled: +- "all_access" +- "security_rest_api_access" + +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", 
".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] + +### Option to allow Filebeat-oss 7.10.2 to work ### +compatibility.override_main_response_version: true diff --git a/templates/wazuh_manager.conf.erb b/templates/wazuh_manager.conf.erb index bea40098..0359345a 100644 --- a/templates/wazuh_manager.conf.erb +++ b/templates/wazuh_manager.conf.erb @@ -1,8 +1,8 @@ yes yes - no - no + <%= @ossec_logall %> + <%= @ossec_logall_json %> 10m 0 <%- if @ossec_emailnotification -%> diff --git a/templates/wazuh_yml.erb b/templates/wazuh_yml.erb index eed345eb..ff058588 100644 --- a/templates/wazuh_yml.erb +++ b/templates/wazuh_yml.erb @@ -1,7 +1,7 @@ --- # -# Wazuh app - App configuration file -# Copyright (C) 2015, Wazuh Inc. +# Wazuh dashboard - App configuration file +# Copyright (C) 2015-2022 Wazuh, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
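Review bot: `network.host: "0.0.0.0"` is hard-coded in the template while the class carries `$indexer_ip` (default `localhost`) that this file does not render, so every node listens on all interfaces regardless of configuration; rendering a parameter here, e.g. a new `$indexer_network_host` defaulting to `'0.0.0.0'` to preserve current behaviour, would make the bind address a deliberate choice. `plugins.security.nodes_dn` is generated only from `@indexer_cluster_initial_master_nodes`, whereas `discovery.seed_hosts` comes from the separate `@indexer_discovery_hosts`; a node present in the second list but not the first would have no entry in `nodes_dn`, and as far as I can tell the security plugin would then reject it at the transport layer, so either a comment or a parameter for the full node list is needed if non-master nodes are expected. `admin_dn` and the `CN=<node>,OU=Wazuh,O=Wazuh,L=California,C=US` pattern are also fixed to the certs-tool defaults, which operator-supplied certificates will not match.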
@@ -10,124 +10,236 @@ # # Find more information about this on the LICENSE file. # -# ======================== Wazuh app configuration file ======================== +# ======================== Wazuh dashboard configuration file ======================== # -# Please check the documentation for more information on configuration options: -# https://documentation.wazuh.com/current/installation-guide/index.html +# Please check the documentation for more information about configuration options: +# https://documentation.wazuh.com/4.5/user-manual/wazuh-dashboard/config-file.html # # Also, you can check our repository: # https://github.com/wazuh/wazuh-kibana-app # +# ---------------------------- Unauthorized roles ------------------------------ +# +# Disable Wazuh for the Elasticsearch / OpenSearch roles defined here. +# disabled_roles: +# - wazuh_disabled +# # ------------------------------- Index patterns ------------------------------- # -# Default index pattern to use. -#pattern: wazuh-alerts-4.x-* +# Default index pattern to use on the app. If there's no valid index pattern, the +# app will automatically create one with the name indicated in this option. +# pattern: wazuh-alerts-* # # ----------------------------------- Checks ----------------------------------- # -# Defines which checks must to be consider by the healthcheck -# step once the Wazuh app starts. Values must to be true or false. -#checks.pattern : true -#checks.template: true -#checks.api : true -#checks.setup : true +# Define which checks will be executed by the App's HealthCheck. +# Allowed values are: true, false +# +# Enable or disable the index pattern health check when opening the app. +# checks.pattern: true +# +# Enable or disable the template health check when opening the app. +# checks.template: true +# +# Enable or disable the API health check when opening the app. +# checks.api: true +# +# Enable or disable the setup health check when opening the app. 
+# checks.setup: true +# +# Enable or disable the known fields health check when opening the app. +# checks.fields: true +# +# Change the default value of the Wazuh dashboard metaField configuration +# checks.metaFields: true +# +# Change the default value of the Wazuh dashboard timeFilter configuration +# checks.timeFilter: true +# +# Change the default value of the Wazuh dashboard max buckets configuration +# checks.maxBuckets: true # # --------------------------------- Extensions --------------------------------- # -# Defines which extensions should be activated when you add a new API entry. -# You can change them after Wazuh app starts. -# Values must to be true or false. -#extensions.pci : true -#extensions.gdpr : true -#extensions.hipaa : true -#extensions.nist : true -#extensions.audit : true -#extensions.oscap : false -#extensions.ciscat : false -#extensions.aws : false -#extensions.virustotal: false -#extensions.osquery : false -#extensions.docker : false -# -# ---------------------------------- Time out ---------------------------------- -# -# Defines maximum timeout to be used on the Wazuh app requests. -# It will be ignored if it is bellow 1500. -# It means milliseconds before we consider a request as failed. -# Default: 20000 -#timeout: 20000 -# -# ------------------------------ Advanced indices ------------------------------ -# -# Configure .wazuh indices shards and replicas. -#wazuh.shards : 1 -#wazuh.replicas : 0 +# Define the initial state of the extensions (enabled / disabled) for recently +# added hosts. The extensions can be enabled or disabled anytime using the UI. +# Allowed values are: true, false +# +# Enable or disable the PCI DSS tab on Overview and Agents. +# extensions.pci: true +# +# Enable or disable the GDPR tab on Overview and Agents. +# extensions.gdpr: true +# +# Enable or disable the HIPAA tab on Overview and Agents. +# extensions.hipaa: true +# +# Enable or disable the NIST 800-53 tab on Overview and Agents. 
+# extensions.nist: true +# +# Enable or disable the TSC tab on Overview and Agents. +# extensions.tsc: true +# +# Enable or disable the Audit tab on Overview and Agents. +# extensions.audit: true +# +# Enable or disable the Open SCAP tab on Overview and Agents. +# extensions.oscap: false +# +# Enable or disable the CIS-CAT tab on Overview and Agents. +# extensions.ciscat: false +# +# Enable or disable the Amazon (AWS) tab on Overview. +# extensions.aws: false +# +# Enable or disable the Google Cloud Platform tab on Overview. +# extensions.gcp: false +# +# Enable or disable the VirusTotal tab on Overview and Agents. +# extensions.virustotal: false +# +# Enable or disable the Osquery tab on Overview and Agents. +# extensions.osquery: false +# +# Enable or disable the Docker listener tab on Overview and Agents. +# extensions.docker: false +# +# ------------------------------- Timeout -------------------------------------- +# +# Maximum time, in milliseconds, the app will wait for an API response when making +# requests to it. It will be ignored if the value is set under 1500 milliseconds. +# timeout: 20000 # # --------------------------- Index pattern selector --------------------------- # -# Defines if the user is allowed to change the selected -# index pattern directly from the Wazuh app top menu. -# Default: true -#ip.selector: true +# Define if the user is allowed to change the selected index pattern directly from +# the top menu bar. +# ip.selector: true +# +# Disable certain index pattern names from being available in index pattern +# selector from the Wazuh app. +# ip.ignore: +# +# ------------------------------ Monitoring ------------------------------------ +# +# Enable or disable the wazuh-monitoring index creation and/or visualization. +# wazuh.monitoring.enabled: true +# +# Frequency, in seconds, of API requests to get the state of the agents and create +# a new document in the wazuh-monitoring index with this data. 
+# wazuh.monitoring.frequency: 900 +# +# Define the number of shards to use for the wazuh-monitoring-* indices. +# wazuh.monitoring.shards: 1 +# +# Define the number of replicas to use for the wazuh-monitoring-* indices. +# wazuh.monitoring.replicas: 0 +# +# Define the interval in which a new wazuh-monitoring index will be created. +# Allowed values are: h (hourly), d (daily), w (weekly), m (monthly) +# wazuh.monitoring.creation: w +# +# Default index pattern to use for Wazuh monitoring. +# wazuh.monitoring.pattern: wazuh-monitoring-* +# +# --------------------------------- Sample data -------------------------------- +# +# Define the index name prefix of sample alerts. It must match the template used +# by the index pattern to avoid unknown fields in dashboards. +# alerts.sample.prefix: wazuh-alerts-4.x- +# +# ------------------------------ Background tasks ------------------------------ +# +# Define the index prefix of predefined jobs. +# cron.prefix: wazuh +# +# ------------------------------ Wazuh Statistics ------------------------------ +# +# Enable or disable the statistics tasks. +# cron.statistics.status: true +# +# Enter the ID of the hosts you want to save data from, leave this empty to run +# the task on every host. +# cron.statistics.apis: +# +# Define the frequency of task execution using cron schedule expressions. +# cron.statistics.interval: 0 */5 * * * * +# +# Define the name of the index in which the documents will be saved. +# cron.statistics.index.name: statistics +# +# Define the interval in which a new index will be created. +# cron.statistics.index.creation: w +# +# Define the number of shards to use for the statistics indices. +# cron.statistics.shards: 1 +# +# Define the number of replicas to use for the statistics indices. 
+# cron.statistics.replicas: 0 +# +# ------------------------------ Logo customization ---------------------------- # -# List of index patterns to be ignored -#ip.ignore: [] +# Set the name of the app logo stored at /plugins/wazuh/public/assets/ +# customization.logo.app: # -# -------------------------------- X-Pack RBAC --------------------------------- +# Set the name of the sidebar logo stored at /plugins/wazuh/public/assets/ +# customization.logo.sidebar: # -# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. -# Default: enabled -#xpack.rbac.enabled: true +# Set the name of the health-check logo stored at /plugins/wazuh/public/assets/ +# customization.logo.healthcheck: # -# ------------------------------ wazuh-monitoring ------------------------------ +# Set the name of the reports logo (.png) stored at /plugins/wazuh/public/assets/ +# customization.logo.reports: # -# Custom setting to enable/disable wazuh-monitoring indices. -# Values: true, false, worker -# If worker is given as value, the app will show the Agents status -# visualization but won't insert data on wazuh-monitoring indices. -# Default: true -#wazuh.monitoring.enabled: true +# ---------------------------- Hide manager alerts ----------------------------- # -# Custom setting to set the frequency for wazuh-monitoring indices cron task. -# Default: 900 (s) -#wazuh.monitoring.frequency: 900 +# Hide the alerts of the manager in every dashboard. +# hideManagerAlerts: false # -# Configure wazuh-monitoring-4.x-* indices shards and replicas. -#wazuh.monitoring.shards: 2 -#wazuh.monitoring.replicas: 0 +# ------------------------------- App logging level ---------------------------- # -# Configure wazuh-monitoring-4.x-* indices custom creation interval. -# Values: h (hourly), d (daily), w (weekly), m (monthly) -# Default: d -#wazuh.monitoring.creation: d +# Logging level of the App. 
+# Allowed values are: info, debug +# logs.level: info # -# Default index pattern to use for Wazuh monitoring -#wazuh.monitoring.pattern: wazuh-monitoring-4.x-* +# ------------------------------- Agent enrollment ----------------------------- # +# Specifies the Wazuh registration server, used for the agent enrollment. +# enrollment.dns: # -# ------------------------------- App privileges -------------------------------- -#admin: true +# Specifies the password used to authenticate during the agent enrollment. +# enrollment.password: # -# ------------------------------- App logging level ----------------------------- -# Set the logging level for the Wazuh App log files. -# Default value: info -# Allowed values: info, debug -#logs.level: info +#-------------------------------- Wazuh hosts ---------------------------------- # -#-------------------------------- API entries ----------------------------------- -#The following configuration is the default structure to define an API entry. +# The following configuration is the default structure to define a host. # -#hosts: -# - : -# url: http(s):// -# port: -# user: -# password: +# hosts: +# # Host ID / name, +# - env-1: +# # Host URL +# url: https://env-1.example +# # Host / API port +# port: 55000 +# # Host / API username +# username: wazuh-wui +# # Host / API password +# password: wazuh-wui +# # Use RBAC or not. If set to true, the username must be "wazuh-wui". +# run_as: true +# - env-2: +# url: https://env-2.example +# port: 55000 +# username: wazuh-wui +# password: wazuh-wui +# run_as: true + hosts: -<% @kibana_wazuh_api_credentials.each do |api_profile| -%> +<% @dashboard_wazuh_api_credentials.each do |api_profile| -%> - <%= api_profile['id'] %>: url: <%= api_profile['url'] %> port: <%= api_profile['port'] %> username: <%= api_profile['user'] %> password: <%= api_profile['password'] %> -<% end -%> \ No newline at end of file + run_as: false +<% end -%>