---
# Open the web front-end ports on every Wazuh manager host.
# Runs on the controller (localhost) and applies the `firewall` role once
# per member of wazuh-service-group, so no facts from the targets are needed.
- name: firewall for web
  hosts: localhost
  gather_facts: false

  tasks:
    # Only TCP 80 and 443 are opened here, and to every IPv4 source.
    # Port 80 is plain HTTP; presumably it only serves a redirect or ACME
    # challenges — confirm. Nothing else (agent, enrolment or API ports)
    # is opened by this play; if those are needed they must come from
    # another step.
    - include_role:
        name: firewall
      # Inventory entries without an ansible_host are skipped; an empty or
      # missing group simply produces no iterations.
      when: hostvars[item].ansible_host is defined
      with_items: "{{ groups['wazuh-service-group'] | default([]) }}"
      vars:
        firewall_server: "{{ item }}"
        firewall_clients:
          - '0.0.0.0/0'
        firewall_protocols:
          - 'tcp'
        firewall_ports:
          - 80
          - 443

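# Publish wazuh.<domain> as a CNAME to the first manager host.
# The update is sent to the nameserver on bind-host itself (server
# 127.0.0.1 via delegate_to) and is identical for every member of the
# group, so it is issued once rather than once per host.
- name: setup wazuh DNS
  hosts: wazuh-service-group
  become: true

  pre_tasks:
    - name: set CNAME
      nsupdate:
        # NOTE(review): no key_name/key_secret is given, so this relies on
        # bind-host accepting unsigned dynamic updates from loopback — any
        # local process there could then rewrite the zone. Prefer a TSIG
        # key restricted to this record (update-policy) unless that is
        # intended.
        server: "127.0.0.1"
        zone: "{{ domain }}"
        record: "wazuh.{{ domain }}."
        ttl: 1800
        type: CNAME
        # Assumes inventory hostnames are short names directly under
        # {{ domain }}; only the first group member is published.
        value: "{{ groups['wazuh-service-group'][0] }}.{{ domain }}."
      delegate_to: bind-host
      # The record is the same for every host: do not repeat the update.
      run_once: true
      # nsupdate is a plain DNS client; root on bind-host is not required.
      become: false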

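# Install and configure the Wazuh manager on every member of the group.
- name: install wazuh-manager
  hosts: wazuh-service-group
  become: true

  roles:
    - role: ansible-wazuh-manager
      vars:
        # E-mail alerting through the local MTA. The 'yes'/'no' strings
        # (not YAML booleans) are what the role's templates expect, so
        # they are kept as quoted strings throughout this block.
        wazuh_manager_email_notification: 'yes'
        wazuh_manager_mailto:
          - '{{ wazuh_mailto }}'
        wazuh_manager_email_smtp_server: "localhost"
        wazuh_manager_email_from: '{{ wazuh_email_from }}'
        # Wazuh API credentials. wazuh_api_password must be supplied from
        # an encrypted source (ansible-vault), never a plain vars file.
        wazuh_api_users:
          - username: "{{ wazuh_api_username }}"
            password: "{{ wazuh_api_password }}"
        # Same name as the CNAME published by the "setup wazuh DNS" play.
        wazuh_manager_fqdn: "wazuh.{{ domain }}"
        wazuh_manager_vulnerability_detector:
          enabled: 'yes'
          interval: '5m'
          ignore_time: '6h'
          # Off unless the inventory opts in; the initial scan is costly.
          run_on_start: "{{ wazuh_manager_vulnerability_detector_run_on_start | default('no') }}"
          providers:
            # Only the 'buster' feed is fetched: agents on any other Debian
            # release get no OS-level vulnerability matching — extend `os`
            # to every release that actually runs an agent.
            # The embedded double quotes in `name` are reproduced as-is;
            # presumably the role template inserts the value unquoted.
            - enabled: 'yes'
              os:
                - 'buster'
              update_interval: '1h'
              name: '"debian"'
            - enabled: 'yes'
              update_from_year: '2010'
              update_interval: '1h'
              name: '"nvd"'
        # Agent auto-enrolment (authd) is disabled; agents are registered by
        # some other means. The remaining keys are present only because the
        # role's template dereferences them unconditionally.
        # NOTE(review): they are not a safe starting point if authd is ever
        # switched on — as these options read, there is no enrolment
        # password (use_password 'no'), no host verification
        # (ssl_verify_host 'no') and force_insert 'yes' lets a new
        # registration replace an existing agent. Revisit before enabling.
        wazuh_manager_authd:
          enable: false
          port: 1515
          use_source_ip: 'no'
          force_insert: 'yes'
          force_time: 0
          purge: 'yes'
          use_password: 'no'
          limit_maxagents: 'yes'
          ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH'
          ssl_agent_ca: null
          ssl_verify_host: 'no'
          ssl_manager_cert: 'sslmanager.cert'
          ssl_manager_key: 'sslmanager.key'
          ssl_auto_negotiate: 'no'

  tasks:

    # Local rule overrides. Rule 100010 silences (level 0) the vulnerability
    # detector alert for CVE-2019-20367. This is a permanent, manager-wide
    # suppression: keep the justification (a non-upgradeable package)
    # current and remove the rule once the package is replaced.
    # NOTE(review): the manager loads rules at start-up and this task has
    # no notify, so a changed file only takes effect after some other step
    # restarts wazuh-manager — confirm that step exists.
    - name: /var/ossec/etc/rules/local_rules.xml
      copy:
        content: |
          <!-- Local rules -->
          <group name="vulnerability-detector">
            <rule id="100010" level="0">
              <if_sid>23506</if_sid>
              <field name="vulnerability.cve">CVE-2019-20367</field>
              <description>Vulnerable non-upgradeable packages</description>
            </rule>
          </group>
        dest: /var/ossec/etc/rules/local_rules.xml
        # Octal mode as a quoted string so YAML cannot reinterpret it.
        mode: '0444'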