Merge pull request #516 from pixelpark/4.3_fixing_execs

Fixing exec usage, handling and optimise code
wazuh · Jul 27, 2022 · c064588 · c064588
2 parents 1bef2a8 + 5be4a85
commit c064588
Show file tree

Hide file tree

Showing 4 changed files with 210 additions and 130 deletions.
diff --git a/manifests/certificates.pp b/manifests/certificates.pp
@@ -4,28 +4,29 @@
  $wazuh_repository = 'packages.wazuh.com',
  $wazuh_version = '4.3',
 ) {
+ file { 'Configure Wazuh Certificates config.yml':
+ owner => 'root',
+ path => '/tmp/config.yml',
+ group => 'root',
+ mode => '0640',
+ content => template('wazuh/wazuh_config_yml.erb'),
+ }
 
- $certs_path = '/tmp/wazuh-certificates'
-
- $path_exists = find_file($certs_path)
-
- unless $path_exists {
- file { 'Configure config.yml':
- owner => 'root',
- path => '/tmp/config.yml',
- group => 'root',
- mode => '0644',
- content => template('wazuh/wazuh_config_yml.erb'),
- }
-
- exec { 'Create Wazuh Certificates':
- path => '/usr/bin:/bin',
- command => "curl -so /tmp/wazuh-certs-tool.sh 'https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh'\
- && chmod 744 /tmp/wazuh-certs-tool.sh\
- && bash /tmp/wazuh-certs-tool.sh --all",
-
- }
+ file { '/tmp/wazuh-certs-tool.sh':
+ ensure => file,
+ source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
+ owner => 'root',
+ group => 'root',
+ mode => '0740',
  }
 
+ exec { 'Create Wazuh Certificates':
+ path => '/usr/bin:/bin',
+ command => 'bash /tmp/wazuh-certs-tool.sh --all',
+ creates => '/tmp/wazuh-certificates',
+ require => [
+ File['/tmp/wazuh-certs-tool.sh'],
+ File['/tmp/config.yml'],
+ ],
+ }
 }
-
diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp
@@ -9,61 +9,86 @@
  $indexer_server_ip = 'localhost',
  $indexer_server_port = '9200',
  $dashboard_path_certs = '/etc/wazuh-dashboard/certs',
+ $dashboard_fileuser = 'wazuh-dashboard',
+ $dashboard_filegroup = 'wazuh-dashboard',
 
  $dashboard_server_port = '5601',
  $dashboard_server_host = '0.0.0.0',
- $dashboard_server_hosts ="https://${indexer_server_ip}:$indexer_server_port}",
- $dashboard_wazuh_api_credentials = [ {
- 'id' => 'default',
- 'url' => 'http://localhost',
- 'port' => '55000',
- 'user' => 'foo',
- 'password' => 'bar',
- },
- ]
+ $dashboard_server_hosts = "https://${indexer_server_ip}:${indexer_server_port}",
+ $dashboard_wazuh_api_credentials = [
+ {
+ 'id' => 'default',
+ 'url' => 'http://localhost',
+ 'port' => '55000',
+ 'user' => 'foo',
+ 'password' => 'bar',
+ },
+ ]
 ) {
-
  # assign version according to the package manager
- case $::osfamily {
- 'Debian' : {
+ case $facts['os']['family'] {
+ 'Debian': {
  $dashboard_version_install = "${dashboard_version}-*"
  }
- 'Linux', 'RedHat' : {
- $dashboard_version_install = "${dashboard_version}"
+ 'Linux', 'RedHat', default: {
+ $dashboard_version_install = $dashboard_version
  }
  }
 
  # install package
- package { 'Installing Wazuh Dashboard...':
+ package { 'wazuh-dashboard':
  ensure => $dashboard_version_install,
  name => $dashboard_package,
  }
 
- include wazuh::certificates
+ require wazuh::certificates
 
- exec { 'Copy Dashboard Certificates':
+ exec { "ensure full path of ${dashboard_path_certs}":
  path => '/usr/bin:/bin',
- command => "mkdir $dashboard_path_certs \
- && cp /tmp/wazuh-certificates/dashboard.pem $dashboard_path_certs\
- && cp /tmp/wazuh-certificates/dashboard-key.pem $dashboard_path_certs\
- && cp /tmp/wazuh-certificates/root-ca.pem $dashboard_path_certs\
- && chown wazuh-dashboard:wazuh-dashboard -R $dashboard_path_certs\
- && chmod 500 $dashboard_path_certs\
- && chmod 400 $dashboard_path_certs/*",
+ command => "mkdir -p ${dashboard_path_certs}",
+ creates => $dashboard_path_certs,
+ require => Package['wazuh-dashboard'],
+ }
+ -> file { $dashboard_path_certs:
+ ensure => directory,
+ owner => $dashboard_fileuser,
+ group => $dashboard_filegroup,
+ mode => '0500',
+ }
+
+ [
+ 'dashboard.pem',
+ 'dashboard-key.pem',
+ 'root-ca.pem',
+ ].each |String $certfile| {
+ file { "${dashboard_path_certs}/${certfile}":
+ ensure => file,
+ owner => $dashboard_fileuser,
+ group => $dashboard_filegroup,
+ mode => '0400',
+ replace => false, # only copy content when file not exist
+ source => "/tmp/wazuh-certificates/${certfile}",
+ }
+ }
 
+ # TODO: Fully manage the opensearch_dashboards.yml and a template file resource
+ file_line { 'Setting host for wazuh-dashboard':
+ path => '/etc/wazuh-dashboard/opensearch_dashboards.yml',
+ line => "server.host: ${dashboard_server_host}",
+ match => "^server.host:\s",
+ notify => Service['wazuh-dashboard'],
+ }
+ file_line { 'Setting port for wazuh-dashboard':
+ path => '/etc/wazuh-dashboard/opensearch_dashboards.yml',
+ line => "server.port: ${dashboard_server_port}",
+ match => "^server.port:\s",
+ notify => Service['wazuh-dashboard'],
  }
 
  service { 'wazuh-dashboard':
  ensure => running,
  enable => true,
  hasrestart => true,
+ name => $dashboard_service,
  }
-
- exec {'Waiting for Wazuh indexer...':
- path => '/usr/bin',
- command => "curl -u ${dashboard_user}:${dashboard_password} -k -s -XGET https://${indexer_server_ip}:${indexer_server_port}",
- tries => 100,
- try_sleep => 3,
- }
-
 }
diff --git a/manifests/filebeat_oss.pp b/manifests/filebeat_oss.pp
@@ -14,74 +14,105 @@
  $wazuh_extensions_version = 'v4.3.6',
  $wazuh_filebeat_module = 'wazuh-filebeat-0.2.tar.gz',
 
+ $filebeat_fileuser = 'root',
+ $filebeat_filegroup = 'root',
  $filebeat_path_certs = '/etc/filebeat/certs',
-){
+) {
+ include wazuh::repo_elastic_oss
 
- class {'wazuh::repo_elastic_oss':}
-
- if $::osfamily == 'Debian' {
- Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package[$filebeat_oss_package]
+ if $facts['os']['family'] == 'Debian' {
+ Class['wazuh::repo_elastic_oss'] -> Class['apt::update'] -> Package['filebeat']
  } else {
- Class['wazuh::repo_elastic_oss'] -> Package[$filebeat_oss_package]
+ Class['wazuh::repo_elastic_oss'] -> Package['filebeat']
  }
 
  package { 'filebeat':
  ensure => $filebeat_oss_version,
  name => $filebeat_oss_package,
  }
 
- file { 'Configure filebeat.yml':
+ file { '/etc/filebeat/filebeat.yml':
  owner => 'root',
- path => '/etc/filebeat/filebeat.yml',
  group => 'root',
  mode => '0644',
- notify => Service[$filebeat_oss_service], ## Restarts the service
+ notify => Service['filebeat'], ## Restarts the service
  content => template('wazuh/filebeat_oss_yml.erb'),
- require => Package[$filebeat_oss_package]
+ require => Package['filebeat'],
  }
 
- exec { 'Installing wazuh-template.json...':
- path => '/usr/bin',
- command => "curl -so /etc/filebeat/wazuh-template.json 'https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json'",
- notify => Service[$filebeat_oss_service],
- require => Package[$filebeat_oss_package]
+ # work around:
+ # Use cmp to compare the content of local and remote file. When they differ than rm the file to get it recreated by the file resource.
+ # Needed since GitHub can only ETAG and result in changes of the mtime everytime.
+ # TODO: Include file into the wazuh/wazuh-puppet project or use file { checksum => '..' } for this instead of the exec construct.
+ exec { 'cleanup /etc/filebeat/wazuh-template.json':
+ command => '/bin/rm /etc/filebeat/wazuh-template.json',
+ unless => "/bin/cmp -s '/etc/filebeat/wazuh-template.json' <(curl -s https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json)",
  }
-
- exec { 'Installing filebeat module ... Downloading package':
- path => '/usr/bin',
- command => "curl -o /root/${$wazuh_filebeat_module} https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}",
+ -> file { '/etc/filebeat/wazuh-template.json':
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ replace => false, # only copy content when file not exist
+ source => "https://raw.githubusercontent.com/wazuh/wazuh/${wazuh_extensions_version}/extensions/elasticsearch/7.x/wazuh-template.json",
+ notify => Service['filebeat'],
+ require => Package['filebeat'],
  }
 
- exec { 'Unpackaging ...':
- command => '/bin/tar -xzvf /root/wazuh-filebeat-0.2.tar.gz -C /usr/share/filebeat/module',
- notify => Service[$filebeat_oss_service],
- require => Package[$filebeat_oss_package]
+ # TODO: use archive from puppet-archive module for this task
+ file { "/tmp/${$wazuh_filebeat_module}":
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ source => "https://packages.wazuh.com/4.x/filebeat/${$wazuh_filebeat_module}",
+ }
+ ~> exec { "Unpackaging /tmp/${$wazuh_filebeat_module}":
+ command => "/bin/tar -xzvf /tmp/${$wazuh_filebeat_module} -C /usr/share/filebeat/module",
+ notify => Service['filebeat'],
+ require => Package['filebeat'],
+ refreshonly => true,
  }
 
  file { '/usr/share/filebeat/module/wazuh':
  ensure => 'directory',
  mode => '0755',
- require => Package[$filebeat_oss_package]
+ require => Package['filebeat'],
  }
 
- include wazuh::certificates
+ require wazuh::certificates
 
- exec { 'Copy Filebeat Certificates':
+ exec { "ensure full path of ${filebeat_path_certs}":
  path => '/usr/bin:/bin',
- command => "mkdir $filebeat_path_certs \
- && cp /tmp/wazuh-certificates/server.pem $filebeat_path_certs/filebeat.pem\
- && cp /tmp/wazuh-certificates/server-key.pem $filebeat_path_certs/filebeat-key.pem\
- && cp /tmp/wazuh-certificates/root-ca.pem $filebeat_path_certs\
- && chown root:root -R $filebeat_path_certs\
- && chmod 500 $filebeat_path_certs\
- && chmod 400 $filebeat_path_certs/*",
- require => Package[$filebeat_oss_package],
+ command => "mkdir -p ${filebeat_path_certs}",
+ creates => $filebeat_path_certs,
+ require => Package['filebeat'],
+ }
+ -> file { $filebeat_path_certs:
+ ensure => directory,
+ owner => $filebeat_fileuser,
+ group => $filebeat_filegroup,
+ mode => '0500',
+ }
 
+ $_certfiles = {
+ 'server.pem' => 'filebeat.pem',
+ 'server-key.pem' => 'filebeat-key.pem',
+ 'root-ca.pem' => 'root-ca.pem',
+ }
+ $_certfiles.each |String $certfile_source, String $certfile_target| {
+ file { "${filebeat_path_certs}/${certfile_target}":
+ ensure => file,
+ owner => $filebeat_fileuser,
+ group => $filebeat_filegroup,
+ mode => '0400',
+ replace => false, # only copy content when file not exist
+ source => "/tmp/wazuh-certificates/${certfile_source}",
+ }
  }
 
  service { 'filebeat':
  ensure => running,
  enable => true,
- require => Package[$filebeat_oss_package]
+ name => $filebeat_oss_service,
+ require => Package['filebeat'],
  }
 }