Whole Repository Refactor. Upgraded Cookbooks to install Wazuh 3.9 and ELK 6.7.2

.gitignore

@@ -1,3 +1,9 @@
 .kitchen/*
-./cookbooks/wazuh/.kitchen
-./cookbooks/wazuh/.kitchen/*
+./cookbooks/wazuh_agent/.kitchen
+./cookbooks/wazuh_agent/.kitchen/*
+./cookbooks/wazuh_manager/.kitchen
+./cookbooks/wazuh_manager/.kitchen/*
+./cookbooks/wazuh_elastic/.kitchen
+./cookbooks/wazuh_elastic/.kitchen/*
+./cookbooks/wazuh_filebeat/.kitchen
+./cookbooks/wazuh_filebeat/.kitchen/*

README.md

@@ -1,19 +1,121 @@
-# Wazuh - Chef cookbooks
+# Wazuh - Chef 
 
 [![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
 [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
 [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
 [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
 
-Deploy Wazuh platform using Chef cookbooks. Chef recipes are prepared for installing and configuring Manager (cluster), Agent and RESTful API.
+Deploy Wazuh platform using Chef cookbooks. Chef recipes are prepared for installing and configuring Agent, Manager (cluster) and RESTful API.
 
 ## Cookbooks
 
-* [Wazuh (Manager, Agent, API)](https://github.com/wazuh/wazuh-chef/tree/master/wazuh)
+* [Wazuh Agent ](https://github.com/wazuh/wazuh-chef/tree/master/wazuh_agent)
+* [Wazuh Manager and API](https://github.com/wazuh/wazuh-chef/tree/master/wazuh_manager)
 * [Elastic Stack (Elasticsearch, Logstash, Kibana)](https://github.com/wazuh/wazuh-chef/tree/master/wazuh_elastic)
 * [Filebeat](https://github.com/wazuh/wazuh-chef/tree/master/wazuh_filebeat)
 
-Each cookbook has its own README.
+Each cookbook has its own README.md
+
+## Roles
+
+You can find predefined roles for a default installation of Wazuh Agent and Manager in the roles folder.
+
+- [Wazuh Agent Role](https://github.com/wazuh/wazuh-chef/tree/master/roles/wazuh_agent.json)
+- [Wazuh Manager Role](https://github.com/wazuh/wazuh-chef/tree/master/roles/wazuh_agent.json)
+
+Check roles README for more information about default attributes and how to customize your installation.
+
+## Installation
+
+#### Cloning whole repository
+
+You can clone the repository by running:  ```git clone https://github.com/wazuh/wazuh-chef```  and you will get the whole repository.
+
+#### Use through Berkshelf
+
+The easiest way to making use of these cookbooks (especially `wazuh_filebeat` & `wazuh_elastic` until they are published to Supermarket) is by including in your `Berksfile` the desired cookbooks as stated below:
+
+```ruby
+cookbook "wazuh_agent", git: "https://github.com/wazuh/wazuh-chef.git",rel: 'cookbooks/wazuh_agent'
+cookbook "wazuh_manager", git: "https://github.com/wazuh/wazuh-chef.git",rel: 'cookbooks/wazuh_manager'
+cookbook 'wazuh_filebeat', github: 'https://github.com/wazuh/wazuh-chef.git', rel: 'cookbooks/wazuh_filebeat'
+cookbook 'wazuh_elastic', github: 'https://github.com/wazuh/wazuh-chef.git', rel: 'cookbooks/wazuh_elastic'
+```
+
+You can specify tags, branches, and revisions. More info on https://docs.chef.io/berkshelf.html
+
+#### Secrets
+
+The following describes how to define the needed JSON files to generate an encrypted data bag.
+
+**Important**: If API user secret is declared will be installed. Otherwise, the default user will be *foo:bar*. Also if *logstash_certificate* secret is not generated, empty *logstash.crt* will be created. Remember that whatever options you choose, the Logstash SSL protocol is disabled by default.
+
+##### api.json
+
+It contains the username and password that will be installed for Wazuh API authentication. Is required by the manager.
+
+Example of JSON before encryption:
+
+```json
+{
+  "id": "api",
+  "htpasswd_user": "<YOUR USER>",
+  "htpasswd_passcode": "<YOUR PASSWORD>"
+}
+
+```
+
+##### logstash_certificate.json
+
+It contains the certificate and the certificate key that will secure communication with Logstash. Required by  Elastic and Filebeat.
+
+```json
+{
+  "id": "logstash_certificate",
+  "logstash_certificate": "<YOUR LOGSTASH CERTIFICATE>",
+  "logstash_certificate_key": "<YOUR LOGSTASH CERTIFICATE KEY>"
+}
+
+```
+
+#### Generate data bags
+
+In order to transfer our credentials securely, Chef provides *[data_bags](https://docs.chef.io/data_bags.html)* that allows encrypting some sensitive data before communication.
+
+The following process describes an example of how to create secrets and data bags to encrypt data.
+
+* Install a key or generate one (with OpenSSL for example) on your Workstation.
+
+* Create the required secret by using : ```knife data bag create wazuh_secrets api --secret-file <path> -z```  (execute once per file: *api*, *logstash_certificate*)
+
+* Upload your new secrets with ```knife upload data_bags/```
+
+* Before installing Wazuh-Manager, Wazuh-Filebeat or Wazuh-Elastic you will need to copy the key in */etc/chef/encrypted_data_bag_secret* (default path) or in the desired path (remember to specify the key path in *knife.rb* and *config.rb*) of your workstation.
+
+
+
+After encryption, the previous JSON files will have new fields that describe the encryption method and other useful info. For example *api.json* after encryption will look like this:
+
+```json
+{
+  "id": "api",
+  "htpasswd_user": {
+    "encrypted_data": "whdiITsM/JFBwiAcCE5MaVE2MinRLdDIGbJ0\n",
+    "iv": "NVK/ezXHBsSFuiMm\n",
+    "auth_tag": "NFPZcxGrjqxRSF7v/+i6Kw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "htpasswd_passcode": {
+    "encrypted_data": "rX952YaNifO1gtcFXHxjteKCk6Zi592FZGgyE1gs0A==\n",
+    "iv": "LThJWRCIB4JaDP4E\n",
+    "auth_tag": "2oS9JDBtNdcRhsOdgg/A9A==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}
+```
+
 
 
 ## Use through Berkshelf
@@ -26,16 +128,15 @@ cookbook 'wazuh_filebeat', github: 'wazuh/wazuh-chef', rel: 'wazuh_filebeat'
 cookbook 'wazuh_elastic', github: 'wazuh/wazuh-chef', rel: 'wazuh_elastic'
 ```
 
-This will source all three cookbook housed in this repo from github.
+This will source all three cookbooks housed in this repo from GitHub.
 
 ## Contribute
 
 If you want to contribute to our project please don't hesitate to send a pull request. You can also join our users [mailing list](https://groups.google.com/d/forum/wazuh), by sending an email to [[email protected]](mailto:[email protected]), to ask questions and participate in discussions.
 
 ## License and copyright
 
-WAZUH
-Copyright (C) 2017 Wazuh Inc.  (License GPLv2)
+Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 
 ## References

cookbooks/README.md

@@ -0,0 +1,128 @@
+Wazuh cookbooks
+====================================
+
+Requirements
+------------
+#### Platforms
+Tested on Ubuntu and CentOS, but should work on any Unix/Linux platform supported by Wazuh. Installation by default is done from packages.
+
+These cookbooks don't configure Windows systems yet. For manual agent installation on Windows, check the [documentation](https://documentation.wazuh.com/current/installation-guide/installing-wazuh-agent/wazuh_agent_windows.html)
+
+#### Chef
+- Chef 12+
+
+#### Cookbooks Dependencies
+- chef-sugar
+- hostsfile
+- apt
+- yum
+- poise-python
+
+Attributes for Agent and Manager
+----------
+
+All default attributes files are defined in the ```attributes/``` folder of each cookbook. Chef applies attributes from all attribute files regardless of which recipes were executed. It's important to mention that Chef will load ```default.rb``` first and then will proceed alphabetically. 
+
+### ossec.conf
+
+OSSEC's configuration is mainly read from an XML file called `ossec.conf`. You can directly control the contents of this file using node attributes under `node['ossec']['conf']`. These attributes are mapped to XML using Gyoku. See the [Gyoku site](https://github.com/savonrb/gyoku) for details on how this works.
+
+Values `true` and `false`  are automatically mapped to `"yes"` and `"no"` as OSSEC expects the latter.
+
+`ossec.conf` makes use of XML attributes so you can generally construct nested hashes in the usual fashion. Where an attribute is required, you can do it like this:
+
+```ruby
+default['ossec']['conf']['all']['syscheck']['directories'] = [
+  { '@check_all' => true, 'content!' => '/bin,/sbin' },
+  '/etc,/usr/bin,/usr/sbin'
+]
+```
+
+This produces:
+
+    <syscheck>
+      <directories check_all="yes">/bin,/sbin</directories>
+      <directories>/etc,/usr/bin,/usr/sbin</directories>
+    </syscheck>
+
+## Customize Installation
+
+**Important note:** Gyoku will hash the defined attributes and the ```ossec.conf``` file will only contain the declared attributes, via default attributes or overridden ones. Any other information will be overwritten and deleted from the file.
+
+If you want to add new fields to customize your installation, you can declare it as a default attribute in its respective .rb file in the attributes folder or add it manually to the role.
+
+For example: To enable cluster configuration, the following lane would be added to ```/cookbooks/wazuh_manager/attributes/cluster.rb ```.
+
+`````` ruby
+default['ossec']['conf']['cluster']['disabled'] == false
+``````
+
+This will transform the **disabled** field of from:
+
+```xml
+<cluster>
+  <name>wazuh</name>
+  <node_name>manager_01</node_name>
+  <node_type>master</node_type>
+  <key>ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa</key>
+  <port>1516</port>
+  <bind_addr>0.0.0.0</bind_addr>
+  <nodes>
+    <node>master</node>
+  </nodes>
+  <hidden>no</hidden>
+  <disabled>yes</disabled>
+</cluster>
+```
+
+To:
+
+```xml
+<cluster>
+  <name>wazuh</name>
+  <node_name>manager_01</node_name>
+  <node_type>master</node_type>
+  <key>ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa</key>
+  <port>1516</port>
+  <bind_addr>0.0.0.0</bind_addr>
+  <nodes>
+    <node>master</node>
+  </nodes>
+  <hidden>no</hidden>
+  <disabled>no</disabled>
+</cluster>
+```
+
+
+
+In case you want to customize your installation using roles, you can declare attributes like this: 
+
+```json
+{
+    "name": "wazuh_manager",
+    "description": "Wazuh Manager host",
+    "json_class": "Chef::Role",
+    "default_attributes": {
+        "ossec": {
+            "cluster":{
+                "disabled" : "false"
+            }
+        }
+    },
+    "override_attributes": {
+
+    },
+    "chef_type": "role",
+    "run_list": [
+      "recipe[wazuh_manager::manager]"
+    ],
+    "env_run_lists": {
+
+    }
+  }
+```
+
+The same example applies for Wazuh Agent and it's own attributes.
+
+You can get more info about attributes and how the work on the chef documentation: https://docs.chef.io/attributes.html
+

wazuh/Berksfile → cookbooks/wazuh_agent/Berksfile

@@ -1,10 +1,7 @@
 source 'https://supermarket.chef.io'
 
-cookbook 'wazuh_filebeat', path: '../wazuh_filebeat'
-cookbook 'wazuh_elastic', path: '../wazuh_elastic'
 metadata
 
-
 cookbook 'chef-sugar'
 cookbook 'hostsfile'
 cookbook 'apt'

cookbooks/wazuh_agent/README.md

@@ -0,0 +1,91 @@
+# Wazuh Agent cookbook
+
+These cookbooks install and configure a Wazuh Agent on specified nodes.
+
+Agent is automatically registered in the specified address by using ['agent authd'](https://documentation.wazuh.com/current/user-manual/agents/registering-agents/register-agent-authd.html#simple-method) (```['ossec']['registration_address']``` and connects with the manager address ```['ossec']['address']```). You can set this attributes by default on attributes folder or specify it in the ['wazuh_agent role'](https://github.com/wazuh/wazuh-chef/blob/3.9-repository-refactor/roles/wazuh_agent.json). 
+
+### Usage
+
+Create a role following the ['wazuh_agent'](https://github.com/wazuh/wazuh-chef/roles/wazuh_agent.json) role structure and specify your desired configuration attributes. Note that **address** and **registration_address** are mandatory.
+
+Assign the current role to desired nodes and run ```chef-client``` on them.
+
+You can declare desired *agent_auth* parameters to customize the registration process.
+
+For example:
+
+```
+{
+    "name": "wazuh_agent",
+    "description": "Wazuh agent",
+    "json_class": "Chef::Role",
+    "default_attributes": {
+    },
+    "override_attributes": {
+      "ossec": {
+        "registration_address": "172.19.0.211",
+        "address": "172.19.0.211",
+        "agent_auth": {
+          "name" : "Agent_01", 
+          "set_group" : "group_01",
+          "agent_ip_by_manager": "true"
+        }
+      }
+    },
+    "chef_type": "role",
+    "run_list": [
+      "recipe[wazuh_agent::agent]"
+    ],
+    "env_run_lists": {
+    }
+}
+```
+
+**Will generate**: ```agent_auth -m 172.19.0.211 -p 1515 -A Agent_01 -G group_01 -i   ```  
+
+The agent_auth parameters are the following:
+
+```
+-a  : "auto_negotiate"
+-A  : "name"
+-m  : "host"
+-p  : "port"
+-c  : "cipher_list"
+-D  : "wazuh_directory"
+-d  : "debug_mode" : "true"
+-g  : "run_as_group"
+-G  : "set_group"
+-i  : "agent_ip_by_manager" : "true"
+-I  : "agent_ip"
+-P  : "password"
+-v  : "ca"
+-x  : "certificate"
+-k  : "key"
+```
+
+You can use any of the quoted attributes, as stated in the previous example. Flags options must be set to "true" or "false".
+
+### Attributes
+
+The ``attributes`` folder contains all the default configuration files in order to generate ossec.conf file.
+
+Check ['ossec.conf']( https://documentation.wazuh.com/3.x/user-manual/reference/ossec-conf/index.html) documentation to see all configuration sections.
+
+### Recipes
+
+#### agent.rb
+
+Register agent by using agent authd method. You can declare the desired fields to customize the registration process. 
+
+#### common.rb
+
+It generates the ossec.conf file using Gyoku and restarts the wazuh-agent service
+
+#### repository.rb
+
+Declares repository of Wazuh and GPG keys based on different installations.
+
+### References
+
+Check https://documentation.wazuh.com/3.x/user-manual/agents/index.html for more information about Wazuh-Agent.
+

cookbooks/wazuh_agent/attributes/active-response.rb

@@ -0,0 +1,3 @@
+default['ossec']['conf']['active-response']['disabled'] = false
+default['ossec']['conf']['active-response']['ca_store'] = "/var/ossec/etc/wpk_root.pem"
+default['ossec']['conf']['active-response']['ca_verification'] = true