From a8ba8e44e5dc7146ab22aa424c67f46a23299af1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com>
Date: Thu, 4 Sep 2025 16:49:48 +0200
Subject: [PATCH 01/17] Fixing-email-title-for-backup-validation (#2657)

Co-authored-by: Matej Stajduhar
---
 .../aws/aws_backup_validation/templates/validation_report.py.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/aws/aws_backup_validation/templates/validation_report.py.j2 b/roles/aws/aws_backup_validation/templates/validation_report.py.j2
index bc80f32a7..7501db7ca 100644
--- a/roles/aws/aws_backup_validation/templates/validation_report.py.j2
+++ b/roles/aws/aws_backup_validation/templates/validation_report.py.j2
@@ -126,7 +126,7 @@ failed_job = backup_cli.list_restore_jobs(
 },
 'Subject': {
 'Charset': 'UTF-8',
- 'Data': 'Restore testing - {{ _aws_profile }}: ' + mail_title,
+ 'Data': 'Restore testing - {{ _infra_name }}: ' + mail_title,
 },
 },
 Source='Lambda Backup Validation ',
From 057138d196ffc97cbdf7a821362cea2d2d0a74c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20=C5=A0tajduhar?= <30931414+matej5@users.noreply.github.com>
Date: Mon, 8 Sep 2025 13:56:58 +0200
Subject: [PATCH 02/17] Adding-task-to-create-aurora-cluster (#2659)

* Adding-task-to-create-aurora-cluster
* Adding-region-profile-and-tags-to-aurora-cluster
* Updating-engine-for-aurora-cluster
* Updating-parameter-group-engine
* Updating-engine-version
* Updating-engine-version-2
* Disabling-automated-backups
* Disabling-automated-backups-2
* Disabling-automated-backups-3
* Disabling-automated-backups-4
* Skipping-task-if-not-aurora
* Adding-subnet-group-to-instances
* Adding-subnet-group-to-instances
* Updating-SG-return-values
* Updating-SG-return-values-2
* Updating-SG-return-values-3
* Updating-SG-return-values-4
* Updating-SG-return-value-debug
* Updating-SG-return-value-debug-2
* Updating-SG-return-value-debug-3
* Removing-debug-tasks
* Removing-init-var-for-SG-list
* Adding-character-set-option
---------
Co-authored-by: Matej Stajduhar
---
 roles/aws/aws_rds/tasks/main.yml | 41 +++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml
index 977e9959c..28aff345a 100644
--- a/roles/aws/aws_rds/tasks/main.yml
+++ b/roles/aws/aws_rds/tasks/main.yml
@@ -23,12 +23,40 @@
 - aws_rds.db_parameters is defined
 - aws_rds.db_parameters | length > 0

+- name: Generate security group information.
+ ansible.builtin.include_role:
+ name: aws/aws_security_groups
+ vars:
+ aws_security_groups:
+ profile: "{{ aws_rds.aws_profile }}"
+ region: "{{ aws_rds.region }}"
+ group_names: "{{ aws_rds.security_groups }}"
+ return_type: ids
+ when: aws_rds.security_groups | length > 0
+
+- name: Create Aurora cluster.
+ amazon.aws.rds_cluster:
+ profile: "{{ aws_rds.aws_profile }}"
+ region: "{{ aws_rds.region }}"
+ cluster_id: "{{ aws_rds.name }}"
+ engine: "{{ aws_rds.engine }}"
+ engine_version: "{{ aws_rds.engine_version }}"
+ username: "{{ aws_rds.master_username }}"
+ password: "{{ aws_rds.master_user_password }}"
+ db_subnet_group_name: "{{ aws_rds.name }}"
+ vpc_security_group_ids: "{{ _aws_security_group_list }}"
+ backup_retention_period: "{{ aws_rds.backup_retention_period | default(35) }}"
+ character_set_name: "{{ aws_rds.character_set_name | default(omit) }}"
+ tags: "{{ aws_rds.tags | combine({'Name': aws_rds.name}) }}"
+ when: "'aurora' in aws_rds.engine"
+
 - name: Create Aurora RDS instance.
 amazon.aws.rds_instance:
 db_instance_identifier: "{{ aws_rds.name }}-{{ aws_rds.aurora_suffix }}"
 db_instance_class: "{{ aws_rds.db_instance_class }}"
 db_cluster_identifier: "{{ aws_rds.db_cluster_identifier | default(aws_rds.name) }}"
 db_parameter_group_name: "{{ aws_rds.db_parameter_group_name | default(omit) }}"
+ db_subnet_group_name: "{{ aws_rds.name }}"
 state: "{{ aws_rds.state }}"
 engine: "{{ aws_rds.engine }}"
 copy_tags_to_snapshot: true
@@ -49,6 +77,7 @@
 db_cluster_identifier: "{{ aws_rds.db_cluster_identifier | default(aws_rds.name) }}"
 db_instance_class: "{{ aws_rds.db_instance_class }}"
 db_parameter_group_name: "{{ aws_rds.db_parameter_group_name | default(omit) }}"
+ db_subnet_group_name: "{{ aws_rds.name }}"
 state: "{{ aws_rds.state }}"
 engine: "{{ aws_rds.engine }}"
 copy_tags_to_snapshot: true
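Review bot: The new `Create Aurora cluster.` task reads `_aws_security_group_list` unconditionally, but the include that produces it runs only `when: aws_rds.security_groups | length > 0`, so a call with no security groups fails on an undefined variable (or silently reuses a value left over from an earlier include) instead of creating the cluster. Either guard the cluster task with the same condition or make the lookup tolerant, e.g. `vpc_security_group_ids: "{{ _aws_security_group_list | default(omit) }}"`. The cluster task also passes no `state:` while both instance tasks pass `state: "{{ aws_rds.state }}"`, so `state: absent` would delete the instances and leave the cluster behind; adding `state: "{{ aws_rds.state }}"` keeps the three tasks consistent. Nothing sets encryption at rest for the new cluster, so it gets the provider default; if the module's `storage_encrypted`/`kms_key_id` options fit this role's conventions it is worth making that explicit.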
@@ -64,17 +93,6 @@
 - "'aurora' in aws_rds.engine"
 - aws_rds.aurora_reader

-- name: Generate security group information.
- ansible.builtin.include_role:
- name: aws/aws_security_groups
- vars:
- aws_security_groups:
- profile: "{{ aws_rds.aws_profile }}"
- region: "{{ aws_rds.region }}"
- group_names: "{{ aws_rds.security_groups }}"
- return_type: ids
- when: aws_rds.security_groups | length > 0
-
 - name: Create RDS instance.
 amazon.aws.rds_instance:
 profile: "{{ aws_rds.aws_profile }}"
@@ -214,3 +232,4 @@
 when:
 - aws_rds.backup is defined
 - aws_rds.backup | length > 0
+ - "'aurora' not in aws_rds.engine"
From 2b30a7848829b2eae2e82c9871888e97741520ea Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Wed, 10 Sep 2025 13:23:01 +0200
Subject: [PATCH 03/17] Fixing truthy variable mistakes. (#2662)

* Fixing installer variable bug.
* Fixing tests for external PRs.
* Testing with a fork.
* Adding repo owner's username into installer string.
* Refactoring config repo detection to simplify.
* No longer permitted to use an integer as a truthy value.
* No longer permitted to use existence check as a truthy value.
* Can't see a reason why linotp var shouldn't be a boolean.
* No longer permitted to use existence check as a truthy value.
* Fixing truthy errors in ce_deploy role.
* No longer permitted to use an integer as a truthy value.
---
 .github/workflows/ce-provision-test-gitlab.yml | 2 +-
 .github/workflows/ce-provision-test-web.yml | 2 +-
 install.sh | 2 +-
 roles/_exit/tasks/main.yml | 4 ++--
 roles/_init/tasks/main.yml | 6 +++---
 .../apt_unattended_upgrades/defaults/main.yml | 2 +-
 roles/debian/ce_deploy/tasks/main.yml | 6 +++---
 roles/debian/ce_provision/tasks/main.yml | 13 ++++--------
 roles/debian/ssh_server/tasks/main.yml | 6 +++---
 roles/debian/user_ansible/tasks/main.yml | 4 ++--
 10 files changed, 21 insertions(+), 26 deletions(-)
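Review bot: The added `'aurora' not in aws_rds.engine` condition removes Aurora engines from the backup-plan assignment without adding a cluster-level selection in the same commit, so an Aurora deployment whose instance was previously enrolled in `aws_rds.backup` has no backup selection at all after this change. If the instance-level selection was wrong for Aurora, the replacement assignment (a cluster resource under the same plan) belongs in this hunk so backup coverage does not regress between commits. The task this `when:` belongs to starts outside the hunk.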
diff --git a/.github/workflows/ce-provision-test-gitlab.yml b/.github/workflows/ce-provision-test-gitlab.yml
index 9e5b46a30..6da7b5a4b 100644
--- a/.github/workflows/ce-provision-test-gitlab.yml
+++ b/.github/workflows/ce-provision-test-gitlab.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Install ce-provision
 run: |
- /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh
+ /usr/bin/curl -LO https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.owner.login }}/${{ github.event.pull_request.head.repo.name }}/${{ github.event.pull_request.head.ref }}/install.sh
 /usr/bin/chmod +x ./install.sh
 /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall

diff --git a/.github/workflows/ce-provision-test-web.yml b/.github/workflows/ce-provision-test-web.yml
index 595905064..e95bf6337 100644
--- a/.github/workflows/ce-provision-test-web.yml
+++ b/.github/workflows/ce-provision-test-web.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Install ce-provision
 run: |
- /usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh
+ /usr/bin/curl -LO https://raw.githubusercontent.com/${{ github.event.pull_request.head.repo.owner.login }}/${{ github.event.pull_request.head.repo.name }}/${{ github.event.pull_request.head.ref }}/install.sh
 /usr/bin/chmod +x ./install.sh
 /usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall

diff --git a/install.sh b/install.sh
index b74950a87..c8c8b8db4 100755
--- a/install.sh
+++ b/install.sh
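Review bot: Both workflow hunks interpolate `${{ github.event.pull_request.head.ref }}` (and now `head.repo.owner.login` / `head.repo.name`) directly into the `run:` shell text; a branch name on a fork PR is chosen by the submitter and may contain shell metacharacters, which is the script-injection pattern GitHub's hardening guide warns about for `run:` steps. Whether it is exploitable here depends on the trigger and token permissions, which are outside the hunk, but the standard mitigation costs nothing: pass the event fields through `env:` and quote the variables in the script. The same rewrite applies to `ce-provision-test-web.yml` in the next hunk.
```yaml
      - name: Install ce-provision
        env:
          HEAD_REPO_OWNER: ${{ github.event.pull_request.head.repo.owner.login }}
          HEAD_REPO_NAME: ${{ github.event.pull_request.head.repo.name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          /usr/bin/curl -LO "https://raw.githubusercontent.com/${HEAD_REPO_OWNER}/${HEAD_REPO_NAME}/${HEAD_REF}/install.sh"
          /usr/bin/chmod +x ./install.sh
          /usr/bin/sudo ./install.sh --version "$HEAD_REF" --config-branch "$BASE_REF" --docker --no-firewall
```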
@@ -210,7 +210,7 @@ ce_provision:
 venv_install_username: ${CONTROLLER_USER}
 upgrade_timer_name: upgrade_ce_provision_ansible
 aws_support: ${AWS_SUPPORT}
- new_user: ${CONTROLLER_USER}
+ new_user: true
 username: ${CONTROLLER_USER}
 ssh_key_bits: "521"
 ssh_key_type: ed25519
diff --git a/roles/_exit/tasks/main.yml b/roles/_exit/tasks/main.yml
index 51d676278..b9dce908d 100644
--- a/roles/_exit/tasks/main.yml
+++ b/roles/_exit/tasks/main.yml
@@ -3,8 +3,8 @@
 - name: Generate/Update custom vars file.
 ansible.builtin.include_tasks: allowed_vars.yml
 when:
- - _init.ce_provision_extra_repository
- - _init.ce_provision_extra_repository_vars_file
+ - _init.ce_provision_extra_repository | length > 0
+ - _init.ce_provision_extra_repository_vars_file | length > 0
 - _init.ce_provision_extra_repository_push

 - name: Store current playbook md5.
diff --git a/roles/_init/tasks/main.yml b/roles/_init/tasks/main.yml
index c401fefb3..82668f566 100644
--- a/roles/_init/tasks/main.yml
+++ b/roles/_init/tasks/main.yml
@@ -121,9 +121,9 @@
 - name: Load custom vars file.
 ansible.builtin.include_tasks: allowed_vars.yml
 when:
- - _init.ce_provision_extra_repository
- - _init.ce_provision_extra_repository_vars_file
- - _init.ce_provision_extra_repository_allowed_vars
+ - _init.ce_provision_extra_repository | length > 0
+ - _init.ce_provision_extra_repository_vars_file | length > 0
+ - _init.ce_provision_extra_repository_allowed_vars | length > 0

 # Install Ansible under the controller user for all servers
 # Ensure ansible_connection == 'ssh' (i.e. we are connecting to a server) before executing
diff --git a/roles/debian/apt_unattended_upgrades/defaults/main.yml b/roles/debian/apt_unattended_upgrades/defaults/main.yml
index 855c7f924..a63f3e140 100644
--- a/roles/debian/apt_unattended_upgrades/defaults/main.yml
+++ b/roles/debian/apt_unattended_upgrades/defaults/main.yml
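Review bot: `_init.ce_provision_extra_repository | length > 0` (and the `_vars_file` / `_allowed_vars` variants in this `_init` hunk) raises a template error when the value is `null` rather than an empty string, whereas the bare truthiness check it replaces treated both as false; the role defaults are not visible here, so confirm they set these to `''`. If `null` is a possible value, `_init.ce_provision_extra_repository | default('', true) | length > 0` preserves the old behaviour for both cases. The `_exit` hunk above has the same two conditions and needs the same treatment.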
@@ -4,7 +4,7 @@ _apt_unattended_upgrades_default_origins:
 - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
 enable: true
- linotp: "false"
+ linotp: false
 # unattended-upgrades template vars.
 # booleans must be strings to avoid Jinja2 interpretting.
 origins: "{{ _apt_unattended_upgrades_default_origins }}"
diff --git a/roles/debian/ce_deploy/tasks/main.yml b/roles/debian/ce_deploy/tasks/main.yml
index 15f2265dd..526d2bf86 100644
--- a/roles/debian/ce_deploy/tasks/main.yml
+++ b/roles/debian/ce_deploy/tasks/main.yml
@@ -62,7 +62,7 @@
 version: "{{ ce_deploy.config_repository_branch | default('main') }}"
 become: false
 delegate_to: localhost
- when: ce_deploy.config_repository is defined and ce_deploy.config_repository
+ when: ce_deploy.config_repository is defined and ce_deploy.config_repository | length > 0

 - name: Synchronize config directory.
 ansible.posix.synchronize:
@@ -71,7 +71,7 @@
 delete: true
 rsync_opts:
 - "--chown={{ ce_deploy.username }}:{{ ce_deploy.username }}"
- when: ce_deploy.config_repository is defined and ce_deploy.config_repository
+ when: ce_deploy.config_repository is defined and ce_deploy.config_repository | length > 0

 - name: Check if we have a config directory.
 ansible.builtin.stat:
@@ -81,7 +81,7 @@
 - name: Register config repository.
 ansible.builtin.set_fact:
 key_value: ce_deploy_has_config_repo
- ce_deploy_has_config_repo: "{{ 'yes' if ce_deploy_config_repo.stat.isdir is defined and ce_deploy_config_repo.stat.isdir else 'no' }}"
+ ce_deploy_has_config_repo: "{{ true if ce_deploy_config_repo.stat.isdir is defined and ce_deploy_config_repo.stat.isdir else false }}"

 - name: Create defaults folders.
 ansible.builtin.file:
diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml
index 792eea3d6..0ccd6e680 100644
--- a/roles/debian/ce_provision/tasks/main.yml
+++ b/roles/debian/ce_provision/tasks/main.yml
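Review bot: `linotp: false` now sits directly above the context comment `# booleans must be strings to avoid Jinja2 interpretting.`, so the file reads as contradicting itself; if `linotp` is only consumed in `{% if %}` tests the boolean is fine, but if the template writes the value into a config file Jinja2 will render `False`, not `false`. Worth checking the template, then either qualifying the comment (`# booleans below must be strings …`) or moving it so it clearly applies only to the keys that follow. The remaining hunks on this line (`ce_deploy`) are consistent with the new `| length > 0` style.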
@@ -57,11 +57,6 @@
 filename: "{{ ce_provision.username }}"
 when: _ce_provision_username != ce_provision.username

-# This prevent the original var to be re-evaluated when we move things around.
-- name: Register config repository.
- ansible.builtin.set_fact:
- ce_provision_has_config_repo: "{{ 'yes' if ce_provision.config_repository else 'no' }}"
-
 - name: Ensure APT dependencies are installed.
 ansible.builtin.apt:
 pkg: ["git", "parallel"]
@@ -102,7 +97,7 @@
 become: true
 become_user: "{{ ce_provision.username }}"
 when:
- - ce_provision_has_config_repo
+ - ce_provision.config_repository | length > 0
 - not ce_provision.config_repository_skip_checkout

 - name: Create defaults folders.
@@ -111,13 +106,13 @@
 state: directory
 with_items:
 - hosts
- when: not ce_provision_has_config_repo
+ when: not ce_provision.config_repository | length > 0

 - name: Create default config.
 ansible.builtin.copy:
 src: ansible.cfg
 dest: "{{ ce_provision.local_dir }}/ansible.cfg"
- when: not ce_provision_has_config_repo
+ when: not ce_provision.config_repository | length > 0

 - name: Symlink config folders to /etc/ansible.
 ansible.builtin.file:
@@ -129,7 +124,7 @@
 - files
 - templates
 - ansible.cfg
- when: ce_provision_has_config_repo
+ when: ce_provision.config_repository | length > 0

 - name: Create data dir.
 ansible.builtin.file:
diff --git a/roles/debian/ssh_server/tasks/main.yml b/roles/debian/ssh_server/tasks/main.yml
index 8d52d8eee..47c07ed41 100644
--- a/roles/debian/ssh_server/tasks/main.yml
+++ b/roles/debian/ssh_server/tasks/main.yml
@@ -18,7 +18,7 @@
 with_items: "{{ sshd.groups }}"
 loop_control:
 loop_var: group
- when: sshd.groups | length
+ when: sshd.groups | length > 0

 - name: Generate group section of the sshd_config file.
 ansible.builtin.blockinfile:
@@ -29,7 +29,7 @@
 with_items: "{{ sshd.groups }}"
 loop_control:
 loop_var: group
- when: sshd.groups | length
+ when: sshd.groups | length > 0

 - name: Generate user section of the sshd_config file.
 ansible.builtin.blockinfile:
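Review bot: `when: not ce_provision.config_repository | length > 0` (used twice in the third `ce_provision` hunk) depends on Jinja2 precedence — `not` binds looser than `>`, so it is `not (length > 0)` — but reads as if `not` applied to the variable; `when: ce_provision.config_repository | length == 0` states the same condition unambiguously. The first hunk also drops the comment explaining that the fact was cached so the value would not be re-evaluated later; the new conditions read `ce_provision.config_repository` live at each task, so if anything between these tasks alters it the behaviour changes. Worth confirming nothing does, and a one-line comment such as `# config_repository is read live here; keep it stable across these tasks.` would carry the intent of the removed note.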
@@ -40,7 +40,7 @@
 with_items: "{{ sshd.users }}"
 loop_control:
 loop_var: users
- when: sshd.users | length
+ when: sshd.users | length > 0

 # - name: Trigger overrides
 # include_role:
diff --git a/roles/debian/user_ansible/tasks/main.yml b/roles/debian/user_ansible/tasks/main.yml
index 93290f410..5f138f26a 100644
--- a/roles/debian/user_ansible/tasks/main.yml
+++ b/roles/debian/user_ansible/tasks/main.yml
@@ -13,7 +13,7 @@
 with_items: "{{ user_ansible.groups }}"
 loop_control:
 loop_var: group
- when: user_ansible.groups | length
+ when: user_ansible.groups | length > 0

 - name: Create the system user.
 ansible.builtin.user:
@@ -74,7 +74,7 @@
 owner: "{{ user_ansible.username }}"
 group: "{{ user_ansible.username }}"
 mode: '0600'
- when: user_ansible.known_hosts | length
+ when: user_ansible.known_hosts | length > 0

 - name: Add public keys to known_hosts.
 ansible.builtin.known_hosts:
From cb636682cd8b8a28d4081948cf1bbe7e1dcf0312 Mon Sep 17 00:00:00 2001
From: Klaus Purer
Date: Wed, 10 Sep 2025 13:55:24 +0200
Subject: [PATCH 04/17] feat(php): Add FPM slow logrotate (#2625)

* feat(php): Support removal of APCU, add FPM slow logrotate
* simplify condition
* revert apcu installed setting, not needed
From 9f05b904fd7c1e12a7d0a9ec6c457d8faa592946 Mon Sep 17 00:00:00 2001
From: nfawbert <62660788+nfawbert@users.noreply.github.com>
Date: Wed, 10 Sep 2025 12:57:51 +0100
Subject: [PATCH 05/17] r73458-install-php-gmp-by-default2 (#2667)

* r73458-install-php-gmp-by-default2
* re-add required packages
---
 roles/debian/php-common/tasks/main.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/debian/php-common/tasks/main.yml b/roles/debian/php-common/tasks/main.yml
index 15ff896a6..d9f5ac786 100644
--- a/roles/debian/php-common/tasks/main.yml
+++ b/roles/debian/php-common/tasks/main.yml
@@ -41,9 +41,12 @@
 - name: Install PHP packages.
 ansible.builtin.apt:
 pkg:
+ - "php{{ version }}-apcu"
+ - "php{{ version }}-bcmath"
 - "php{{ version }}-curl"
 - "php{{ version }}-dev"
 - "php{{ version }}-gd"
+ - "php{{ version }}-gmp"
 - "php{{ version }}-imap"
 - "php{{ version }}-ldap"
 - "php{{ version }}-mbstring"
@@ -54,8 +57,6 @@
 - "php{{ version }}-soap"
 - "php{{ version }}-xml"
 - "php{{ version }}-zip"
- - "php{{ version }}-bcmath"
- - "php{{ version }}-apcu"
 state: present
 with_items: "{{ php.version }}"
 loop_control:
From a89ae4537c013302ee6b1868d05e814c04c6ac98 Mon Sep 17 00:00:00 2001
From: drazenCE <140631110+drazenCE@users.noreply.github.com>
Date: Thu, 11 Sep 2025 07:53:22 +0200
Subject: [PATCH 06/17] Wazuh-mitre-report-setup (#2588)

* Wazuh-mitre-report-setup
* Wazuh-mitre-shellshock-longurl-block
* Fixing-vars
* Wazuh-mitre-report-setup-PR-2.x
---
 roles/debian/wazuh/defaults/main.yml | 2 +-
 roles/debian/wazuh/tasks/main.yml | 52 ++++++++++++++++---
 .../templates/generate_weekly_report.sh.j2 | 46 ++++++++++++++++
 3 files changed, 92 insertions(+), 8 deletions(-)
 create mode 100644 roles/debian/wazuh/templates/generate_weekly_report.sh.j2

diff --git a/roles/debian/wazuh/defaults/main.yml b/roles/debian/wazuh/defaults/main.yml
index c98a57e03..fd28d0ffe 100644
--- a/roles/debian/wazuh/defaults/main.yml
+++ b/roles/debian/wazuh/defaults/main.yml
@@ -92,7 +92,7 @@ wazuh:
 active_responses:
 - command: "firewall-drop"
 location: "all"
- rules_id: "31151,5712,104130,101071,101132,101238,101251,103011"
+ rules_id: "31115,31151,31168,5712,104130,101071,101132,101238,101251,103011"
 repeated_offenders: "30,60,120"
 timeout: 600
 - command: "firewall-drop"
diff --git a/roles/debian/wazuh/tasks/main.yml b/roles/debian/wazuh/tasks/main.yml
index 808b9b77d..e37e70b29 100644
--- a/roles/debian/wazuh/tasks/main.yml
+++ b/roles/debian/wazuh/tasks/main.yml
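Review bot: The ids added to the first `firewall-drop` active response (`31115`, `31168`), which the commit message (`Wazuh-mitre-shellshock-longurl-block`) presents as the long-URL and shellshock web rules, fire on request content, so the address that gets dropped is whatever the web server records as the client. If any host sits behind a load balancer or reverse proxy that does not preserve the client IP in the log, an automatic drop on these rules blocks the proxy for all traffic; confirm the logged source is the real client before rolling this out, or keep these ids alert-only until that is verified. A short comment beside `rules_id` naming what each new id is expected to match would also help whoever tunes this list next.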
@@ -139,6 +139,10 @@
 ignore_errors: true
 changed_when: false

+- name: Set fact if wazuh-manager service exists
+ ansible.builtin.set_fact:
+ wazuh_manager_exists: "{{ 'wazuh-manager.service' in wazuh_service.stdout }}"
+
 - name: Deploy custom Wazuh local rules
 ansible.builtin.copy:
 src: custom_wazuh_rules.xml
@@ -149,7 +153,7 @@
 notify: restart wazuh-manager
 tags:
 - rules
- when: "'wazuh-manager.service' in wazuh_service.stdout"
+ when: wazuh_manager_exists

 - name: Write the password to /var/ossec/etc/authd.pass
 ansible.builtin.copy:
@@ -158,16 +162,50 @@
 mode: '0640'
 owner: root
 group: wazuh
- when: "'wazuh-manager.service' in wazuh_service.stdout or 'wazuh-agent.service' in wazuh_service.stdout"
+ when: wazuh_manager_exists or 'wazuh-agent.service' in wazuh_service.stdout

-- name: Restart wazuh-manager to apply changes
- ansible.builtin.systemd_service:
+- name: Restart wazuh-manager to apply changes.
+ ansible.builtin.systemd:
 name: wazuh-manager
 state: restarted
- when: "'wazuh-manager.service' in wazuh_service.stdout"
+ when: wazuh_manager_exists

-- name: Restart wazuh-agent to apply changes
- ansible.builtin.systemd_service:
+- name: Restart wazuh-agent to apply changes.
+ ansible.builtin.systemd:
 name: wazuh-agent
 state: restarted
 when: "'wazuh-agent.service' in wazuh_service.stdout"
+
+- name: Read filebeat.yml content.
+ ansible.builtin.shell: |
+ set -o pipefail && awk -F'"' '/password:/ {print $2}' {{ wazuh.mitre_report.password_file }}
+ register: _wazuh_filebeat_password
+ no_log: true
+ args:
+ executable: /bin/bash
+ when: wazuh_manager_exists
+
+- name: Set password fact.
+ ansible.builtin.set_fact:
+ filebeat_password: "{{ _wazuh_filebeat_password.stdout }}"
+ no_log: true
+ when: wazuh_manager_exists
+
+- name: Deploy the weekly report script.
+ ansible.builtin.template:
+ src: generate_weekly_report.sh.j2
+ dest: /usr/local/bin/generate_weekly_report.sh
+ owner: root
+ group: root
+ mode: '0755'
+ when: wazuh_manager_exists
+
+- name: Ensure weekly report cron job is present.
+ ansible.builtin.cron:
+ name: "Weekly OpenSearch report generation"
+ user: root
+ minute: 0
+ hour: 2
+ weekday: 1 # Monday
+ job: "/usr/local/bin/generate_weekly_report.sh >> /var/log/opensearch-reports.log 2>&1"
+ when: wazuh_manager_exists
diff --git a/roles/debian/wazuh/templates/generate_weekly_report.sh.j2 b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
new file mode 100644
index 000000000..eb93662e1
--- /dev/null
+++ b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
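Review bot: The rendered `generate_weekly_report.sh` embeds the dashboard password (the template in the next hunk reads `_wazuh_filebeat_password`) yet `Deploy the weekly report script.` installs it with `mode: '0755'`, so every local account can read the credential; the cron entry runs it as root, so `mode: '0700'` loses nothing. That template task also has no `no_log: true` (or `diff: false`), so a `--diff` run prints the rendered script, secret included, to the console and any CI log. Finally, the `filebeat_password` fact set under `no_log` is not what the template uses — it references the registered `_wazuh_filebeat_password` directly — so either point the template at the fact or drop the unused `Set password fact.` task.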
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# This script generates a PDF report from wazuh-dashboard visualization and emails it
+
+# Set variables
+REPORT_DATE=$(date +"%Y-%m-%d")
+REPORT_NAME="weekly-report-${REPORT_DATE}"
+LOG_FILE="/var/log/opensearch-reports.log"
+USERNAME= {{ wazuh.mitre_report.username }}
+PASSWORD= {{ _wazuh_filebeat_password }}
+
+# Function to log messages
+log_message() {
+ echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
+}
+
+log_message "Starting weekly report generation"
+
+# Generate and send the report
+opensearch-reporting-cli \
+ -u "{{ wazuh.mitre_report.visualization_url }}" \
+ -a basic \
+ -c "$USERNAME:$PASSWORD" \
+ --selfsignedcerts true \
+ -f pdf \
+ -n "$REPORT_NAME" \
+ -e smtp \
+ -s "{{ wazuh.mitre_report.e-mail_from }}" \
+ -r "{{ wazuh.manager.wazuh_manager_mailto}}" \
+ --subject "Weekly OpenSearch Report - $(date '+%B %d, %Y')" \
+ --note "Hi,\n\nPlease find attached the weekly Wazuh Mitre report covering the last 7 days.\n\nReport generated on: $(date '+%Y-%m-%d %H:%M:%S')\n\nBest regards,\nAutomated Reporting System" \
+ --smtphost localhost \
+ --smtpport 25
+
+# Check if the command was successful
+if [ $? -eq 0 ]; then
+ log_message "Weekly report generated and sent successfully"
+else
+ log_message "ERROR: Failed to generate or send weekly report"
+ exit 1
+fi
+
+# Optional: Clean up old report files (keep last 2 weeks)
+find /tmp -name "weekly-report-*.pdf" -mtime +14 -delete 2>/dev/null
+
+log_message "Weekly report process completed"
From 71278e9146b6238bc19ee274f5c8ceb9430d087b Mon Sep 17 00:00:00 2001
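Review bot: `-c "$USERNAME:$PASSWORD"` places the credential on the command line, where it is visible in the process table to any local user for as long as the report runs; if `opensearch-reporting-cli` accepts credentials from the environment or a config file, prefer that, and otherwise keep the script and its log root-only. `USERNAME= {{ ... }}` and `PASSWORD= {{ ... }}` (space after `=`) assign an empty value and then attempt to execute the rendered text as a command, so the CLI would run with empty credentials; `USERNAME="{{ wazuh.mitre_report.username }}"` is the intended form. `PASSWORD` also renders the whole registered result rather than its `.stdout`, and the script has no `set -euo pipefail`, so the only failure that is caught is the CLI exit status.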
From: drazenCE <140631110+drazenCE@users.noreply.github.com>
Date: Thu, 11 Sep 2025 09:26:35 +0200
Subject: [PATCH 07/17] Wazuh mitre report setup pr 2.x (#2669)

* Wazuh-mitre-report-setup
* Wazuh-mitre-shellshock-longurl-block
* Fixing-vars
* Wazuh-mitre-report-setup-PR-2.x
* Wazuh-mitre-report-setup-PR-2.x
---
 roles/debian/wazuh/templates/generate_weekly_report.sh.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/debian/wazuh/templates/generate_weekly_report.sh.j2 b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
index eb93662e1..de717209a 100644
--- a/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
+++ b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
@@ -25,7 +25,7 @@ opensearch-reporting-cli \
 -f pdf \
 -n "$REPORT_NAME" \
 -e smtp \
- -s "{{ wazuh.mitre_report.e-mail_from }}" \
+ -s "{{ wazuh.mitre_report.e_mail_from }}" \
 -r "{{ wazuh.manager.wazuh_manager_mailto}}" \
 --subject "Weekly OpenSearch Report - $(date '+%B %d, %Y')" \
 --note "Hi,\n\nPlease find attached the weekly Wazuh Mitre report covering the last 7 days.\n\nReport generated on: $(date '+%Y-%m-%d %H:%M:%S')\n\nBest regards,\nAutomated Reporting System" \
From 65a6a0dd23f3512f3b16deead555ea0504553b13 Mon Sep 17 00:00:00 2001
From: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com>
Date: Fri, 12 Sep 2025 16:55:54 +0300
Subject: [PATCH 08/17] pin_ansible_version (#2671)

* pin_ansible_version
* pin_ansible_version
* pin_ansible_version
* pin_ansible_version
* pin_ansible_version_fix_upgrade_timer
* pin_ansible_version_fix_upgrade_timer
* pin_ansible_version_fix_upgrade_timer
* pin_ansible_version_disable_upgrade_timer
* pin_ansible_version_disable_upgrade_timer
* pin_ansible_version_disable_upgrade_timer
* pin_ansible_version_disable_upgrade_timer
---
 install.sh | 3 ++-
 roles/debian/ansible/defaults/main.yml | 3 ++-
 roles/debian/ansible/tasks/main.yml | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/install.sh b/install.sh
index c8c8b8db4..c11219cbd 100755
--- a/install.sh
+++ b/install.sh
@@ -84,6 +84,7 @@ FIREWALL="true"
 AWS_SUPPORT="false"
 IS_LOCAL="false"
 SERVER_HOSTNAME=$(hostname)
+ANSIBLE_VERSION="<12"

 # Parse options.
 parse_options "$@"
@@ -146,7 +147,7 @@ fi
 /usr/bin/echo "-------------------------------------------------"
 /usr/bin/su - "$CONTROLLER_USER" -c "/usr/bin/python3 -m venv /home/$CONTROLLER_USER/ce-python"
 /usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/python3 -m pip install --upgrade pip"
-/usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install ansible netaddr python-debian"
+/usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install 'ansible$ANSIBLE_VERSION' netaddr python-debian"
 if [ "$AWS_SUPPORT" = "true" ]; then
 /usr/bin/su - "$CONTROLLER_USER" -c "/home/$CONTROLLER_USER/ce-python/bin/pip install boto3"
 fi
diff --git a/roles/debian/ansible/defaults/main.yml b/roles/debian/ansible/defaults/main.yml
index e7256e5f8..47707d7d0 100644
--- a/roles/debian/ansible/defaults/main.yml
+++ b/roles/debian/ansible/defaults/main.yml
@@ -4,8 +4,9 @@ ce_ansible:
 #venv_path: "/home/{{ ce_provision.username }}/ansible"
 #venv_command: /usr/bin/python3.11 -m venv
 #venv_install_username: ansible # user to become when creating venv
+ ansible_version: "<12.0" # also check install.sh script in the repo root and set the version there accordingly.
 upgrade:
- enabled: true # create systemd timer to auto-upgrade Ansible
+ enabled: false # create systemd timer to auto-upgrade Ansible. Temporary disabled due to ansible 2.19 breaking changes.
 command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible" # if you set venv_path above then set it here too
 on_calendar: "*-*-* 01:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events
 #timer_name: upgrade_ansible
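Review bot: The unchanged context line `command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade ansible"` is still unpinned, so the moment someone sets `enabled: true` again the timer upgrades straight past the bound this commit introduces; `command: "{{ _venv_path }}/bin/python3 -m pip install --upgrade 'ansible{{ ce_ansible.ansible_version }}'"` keeps the timer and the initial install consistent. The pin is also stated twice (`ANSIBLE_VERSION="<12"` in `install.sh`, `ansible_version: "<12.0"` in the defaults) with only a comment to keep them aligned; worth deriving one from the other if the installer and role can share a value. With the timer disabled, Ansible and its venv dependencies no longer receive any automatic updates, so re-enabling it (with the pin in place) should be tracked rather than left to the comment.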
diff --git a/roles/debian/ansible/tasks/main.yml b/roles/debian/ansible/tasks/main.yml
index 57af8cbf0..cdf6d0862 100644
--- a/roles/debian/ansible/tasks/main.yml
+++ b/roles/debian/ansible/tasks/main.yml
@@ -60,7 +60,7 @@
 packages:
 - name: pip
 state: latest
- - name: ansible
+ - name: "ansible{{ ce_ansible.ansible_version }}"
 - name: python-debian

 - name: Install linters.
From 854a245a4c7b47690316cc1060c7432be75d8311 Mon Sep 17 00:00:00 2001
From: drazenCE <140631110+drazenCE@users.noreply.github.com>
Date: Tue, 16 Sep 2025 10:11:46 +0200
Subject: [PATCH 09/17] Fixing-ce-provision-vars (#2678)

---
 roles/debian/ce_provision/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/debian/ce_provision/tasks/main.yml b/roles/debian/ce_provision/tasks/main.yml
index 0ccd6e680..6d65d25f9 100644
--- a/roles/debian/ce_provision/tasks/main.yml
+++ b/roles/debian/ce_provision/tasks/main.yml
@@ -16,7 +16,7 @@
 with_items: "{{ ce_provision.groups }}"
 loop_control:
 loop_var: group
- when: ce_provision.groups | length
+ when: ce_provision.groups is defined and ce_provision.groups | length > 0

 # User normally created already in the _init role.
 - name: Generate SSH key for the controller user for provisioning.
From 9cfef8e52513dc4e3b863a369a1e19e1097acfa8 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Tue, 16 Sep 2025 16:19:25 +0200
Subject: [PATCH 10/17] Added-tasks-to-backup-Aurora-and-copy-AMI-to-safe-region

---
 .../aws/aws_ec2_autoscale_cluster/tasks/main.yml | 8 ++++++++
 roles/aws/aws_rds/tasks/main.yml | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml
index e8f63de73..40d67637a 100644
--- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml
+++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml
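Review bot: `- name: "ansible{{ ce_ansible.ansible_version }}"` makes the new `ansible_version` key mandatory: an inventory that overrides the whole `ce_ansible` dict (role dict variables are replaced, not merged, unless the project has changed hash behaviour) and was written before this commit now fails on an undefined attribute instead of installing Ansible. `- name: "ansible{{ ce_ansible.ansible_version | default('') }}"` keeps those deployments working while still honouring the pin where it is set, and the new key deserves a line in the role's documentation.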
@@ -772,3 +772,11 @@
 when:
 - aws_ec2_autoscale_cluster.route_53.zone is defined
 - aws_ec2_autoscale_cluster.route_53.zone | length > 0
+
+- name: Copy AMI to backup region.
+ community.aws.ec2_ami_copy:
+ aws_profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
+ source_region: "{{ aws_ec2_autoscale_cluster.region }}"
+ region: "{{ aws_backup_region }}"
+ source_image_id: "{{ aws_ec2_autoscale_cluster_image_latest }}"
+ when: aws_backup_region is defined
diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml
index 28aff345a..f87a7b304 100644
--- a/roles/aws/aws_rds/tasks/main.yml
+++ b/roles/aws/aws_rds/tasks/main.yml
@@ -233,3 +233,18 @@
 - aws_rds.backup is defined
 - aws_rds.backup | length > 0
 - "'aurora' not in aws_rds.engine"
+
+- name: Assign Aurora resource to backup plan.
+ ansible.builtin.include_role:
+ name: aws/aws_backup
+ tasks_from: resource
+ vars:
+ backup:
+ backup_plan_name: "{{ aws_rds.backup }}"
+ selection_name: "RDS-{{ aws_rds.name }}-{{ _env_type }}"
+ resource_id: "{{ aws_rds.name }}-{{ aws_rds.aurora_suffix }}"
+ resource_type: "db"
+ when:
+ - aws_rds.backup is defined
+ - aws_rds.backup | length > 0
+ - "'aurora' in aws_rds.engine"
From 1a320e5b274c295cb13181d7b48c8df25fae46bd Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Tue, 16 Sep 2025 16:23:07 +0200
Subject: [PATCH 11/17] Reverting-wazuh-tasks

---
 .../wazuh/templates/generate_weekly_report.sh.j2 | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/roles/debian/wazuh/templates/generate_weekly_report.sh.j2 b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
index de717209a..2acdcc151 100644
--- a/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
+++ b/roles/debian/wazuh/templates/generate_weekly_report.sh.j2
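Review bot: `community.aws.ec2_ami_copy` registers a new AMI on every run unless it is told how to recognise an existing copy, so `Copy AMI to backup region.` as written produces another copy of `aws_ec2_autoscale_cluster_image_latest` (and its snapshots) in the backup region each time the role executes, which accumulates cost and makes "the latest backup image" ambiguous. Passing `tags` (for instance the `Name` the source image carries) together with the module's `tag_equality` option makes the copy idempotent, and a `name` plus `wait: true` lets later tasks find the result deterministically. Nothing in the task sets `encrypted`/`kms_key_id`, so confirm the copy ends up with the encryption state expected in the backup region.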
@@ -6,8 +6,8 @@
 REPORT_DATE=$(date +"%Y-%m-%d")
 REPORT_NAME="weekly-report-${REPORT_DATE}"
 LOG_FILE="/var/log/opensearch-reports.log"
-USERNAME= {{ wazuh.mitre_report.username }}
-PASSWORD= {{ _wazuh_filebeat_password }}
+USERNAME="{{ wazuh.mitre_report.username | default('') }}"
+PASSWORD="{{ _wazuh_filebeat_password.stdout | default('') }}"

 # Function to log messages
 log_message() {
@@ -17,16 +17,14 @@ log_message() {
 log_message "Starting weekly report generation"

 # Generate and send the report
-opensearch-reporting-cli \
+/usr/local/bin/opensearch-reporting-cli \
 -u "{{ wazuh.mitre_report.visualization_url }}" \
 -a basic \
 -c "$USERNAME:$PASSWORD" \
- --selfsignedcerts true \
- -f pdf \
 -n "$REPORT_NAME" \
 -e smtp \
 -s "{{ wazuh.mitre_report.e_mail_from }}" \
- -r "{{ wazuh.manager.wazuh_manager_mailto}}" \
+ -r "{{ wazuh.manager.wazuh_manager_mailto }}" \
 --subject "Weekly OpenSearch Report - $(date '+%B %d, %Y')" \
 --note "Hi,\n\nPlease find attached the weekly Wazuh Mitre report covering the last 7 days.\n\nReport generated on: $(date '+%Y-%m-%d %H:%M:%S')\n\nBest regards,\nAutomated Reporting System" \
 --smtphost localhost \
From 1b9cf13546d2754790cdd37bdf8f16acd01393f9 Mon Sep 17 00:00:00 2001
From: Matej Stajduhar
Date: Tue, 16 Sep 2025 17:58:07 +0200
Subject: [PATCH 12/17] Fixing-aurora-backup-tasks

---
 roles/aws/aws_backup/tasks/resource.yml | 1 +
 roles/aws/aws_backup_validation/tasks/testing_resources.yml | 1 +
 roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml | 3 +--
 roles/aws/aws_rds/tasks/main.yml | 4 ++--
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml
index 44924f6ff..1b6dedc23 100644
--- a/roles/aws/aws_backup/tasks/resource.yml
+++ b/roles/aws/aws_backup/tasks/resource.yml
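Review bot: `| default('')` on both `USERNAME` and `PASSWORD` turns a missing username, or an awk pattern that matched nothing in the password file, into an empty credential, so the problem surfaces only as an authentication failure in the weekly cron log rather than at deploy time; a guard after the assignments, `[ -n "$USERNAME" ] && [ -n "$PASSWORD" ] || { log_message "ERROR: report credentials not set"; exit 1; }`, makes the script fail fast and visibly. Dropping `--selfsignedcerts true` is the right direction, but it assumes the dashboard's certificate chain is trusted by the host's CA store, so confirm that before relying on the scheduled run. The CLI invocation continues past the end of the hunk.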
@@ -52,6 +52,7 @@ instance: "ec2" file-system: "elasticfilesystem" db: "rds" + cluster: "rds" ansible.builtin.set_fact: _resource_arn: "arn:aws:{{ arn_construct[backup.resource_type] }}:{{ _aws_region }}:{{ caller_info.account }}:{{ backup.resource_type }}{% if backup.resource_type == 'db' %}:{% else %}/{% endif %}{{ backup.resource_id }}" diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 56fd50eda..e19c0ba7b 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -62,6 +62,7 @@ instance: "EC2" file-system: "EFS" db: "RDS" + cluster: "RDS" - name: Set instance type for template. ansible.builtin.set_fact: diff --git a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml index 40d67637a..36ed43672 100644 --- a/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml +++ b/roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml @@ -777,6 +777,5 @@ community.aws.ec2_ami_copy: aws_profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}" source_region: "{{ aws_ec2_autoscale_cluster.region }}" - region: "{{ aws_backup_region }}" + region: "{{ aws_backup.copy_vault.region }}" source_image_id: "{{ aws_ec2_autoscale_cluster_image_latest }}" - when: aws_backup_region is defined diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index f87a7b304..32de57f85 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml @@ -242,8 +242,8 @@ backup: backup_plan_name: "{{ aws_rds.backup }}" selection_name: "RDS-{{ aws_rds.name }}-{{ _env_type }}" - resource_id: "{{ aws_rds.name }}-{{ aws_rds.aurora_suffix }}" - resource_type: "db" + resource_id: "{{ aws_rds.name }}" + resource_type: "cluster" when: - aws_rds.backup is defined - aws_rds.backup | length > 0 
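Review bot: Dropping `when: aws_backup_region is defined` in the aws_ec2_autoscale_cluster hunk makes the AMI copy unconditional, so an inventory that does not define `aws_backup.copy_vault` now fails the play with an undefined-variable error instead of skipping the copy. Unless `aws_backup.copy_vault.region` is guaranteed by role defaults (not visible from this chunk), keep a guard such as `when: aws_backup.copy_vault.region is defined`. The enclosing task starts above the hunk.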
From 0a807577bff832dfb53985c2381ae2af4ea54d4b Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 16 Sep 2025 18:02:30 +0200 Subject: [PATCH 13/17] Fixing-aurora-backup-tasks-2 --- roles/aws/aws_backup/tasks/resource.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup/tasks/resource.yml b/roles/aws/aws_backup/tasks/resource.yml index 1b6dedc23..c939a5805 100644 --- a/roles/aws/aws_backup/tasks/resource.yml +++ b/roles/aws/aws_backup/tasks/resource.yml @@ -54,7 +54,7 @@ db: "rds" cluster: "rds" ansible.builtin.set_fact: - _resource_arn: "arn:aws:{{ arn_construct[backup.resource_type] }}:{{ _aws_region }}:{{ caller_info.account }}:{{ backup.resource_type }}{% if backup.resource_type == 'db' %}:{% else %}/{% endif %}{{ backup.resource_id }}" + _resource_arn: "arn:aws:{{ arn_construct[backup.resource_type] }}:{{ _aws_region }}:{{ caller_info.account }}:{{ backup.resource_type }}{% if backup.resource_type == 'db' or backup.resource_type == 'cluster' %}:{% else %}/{% endif %}{{ backup.resource_id }}" - name: Check if the resource selection exists. ansible.builtin.command: > From ee26695638fbb093054cfd58066fa25549ab5685 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 16 Sep 2025 18:08:25 +0200 Subject: [PATCH 14/17] Fixing-aurora-backup-tasks-3 --- roles/aws/aws_backup_validation/tasks/testing_resources.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index e19c0ba7b..2e66f9b8c 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -62,7 +62,7 @@ instance: "EC2" file-system: "EFS" db: "RDS" - cluster: "RDS" + cluster: "AURORA" - name: Set instance type for template. ansible.builtin.set_fact: From df86dab0a7cb226a7b6f39cac3678b6aaffd3571 Mon Sep 17 00:00:00 2001 
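Review bot: The separator condition in the `_resource_arn` fact, `{% if backup.resource_type == 'db' or backup.resource_type == 'cluster' %}`, is a style point: `{% if backup.resource_type in ['db', 'cluster'] %}` reads more clearly and the next RDS-style type becomes a one-token change. Since `arn_construct` already maps each resource type to its service name, carrying the separator in a second small map keyed the same way would keep the type-specific knowledge in one place instead of a map plus an inline condition. The `arn_construct` mapping itself starts above this hunk.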
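Review bot: `cluster: "AURORA"` in the second hunk now feeds `_instance_type_restore`, which the later patches in this series both use to pick the `AURORA_restore_testing.j2` template and send as `ProtectedResourceType`, whereas the task removed in the next patch set that value to `Aurora` (mixed case) for the API. The existing `EC2`/`EFS`/`RDS` entries match AWS Backup's documented resource-type spellings and the documented Aurora value is `Aurora`, so the uppercase form may be rejected by `create-restore-testing-selection`; worth a check against the API. If it is, either set `cluster: "Aurora"` and rename the template to match, or keep the map value in API casing and derive the template prefix from it with `| upper`.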
From: Matej Stajduhar Date: Tue, 16 Sep 2025 18:11:06 +0200 Subject: [PATCH 15/17] Fixing-aurora-backup-tasks-4 --- .../tasks/testing_resources.yml | 7 ------- .../templates/AURORA_restore_testing.j2 | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 7 deletions(-) create mode 100644 roles/aws/aws_backup_validation/templates/AURORA_restore_testing.j2 diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 551888dba..49f28b985 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml @@ -76,13 +76,6 @@ _template_prefix: "{{ instance_type[backup.resource_type] }}" when: backup.resource_type != 'file-system' -- name: Set instance type to Aurora if defined. - ansible.builtin.set_fact: - _instance_type_restore: "Aurora" - when: - - backup.resource_type == 'db' - - "'aurora' in aws_rds.engine" - - name: Create restore testing query file. ansible.builtin.template: src: "{{ _template_prefix }}_restore_testing.j2" diff --git a/roles/aws/aws_backup_validation/templates/AURORA_restore_testing.j2 b/roles/aws/aws_backup_validation/templates/AURORA_restore_testing.j2 new file mode 100644 index 000000000..1cb7e06f7 --- /dev/null +++ b/roles/aws/aws_backup_validation/templates/AURORA_restore_testing.j2 @@ -0,0 +1,16 @@ +{ + "RestoreTestingPlanName": "{{ _testing_plan_info.stdout | from_json | json_query("RestoreTestingPlanName") }}", + "RestoreTestingSelection": { + "IamRoleArn": "{{ _default_backup_role_arn.iam_roles[0].arn }}", + "ProtectedResourceArns": [ + "{{ _resource_arn }}" + ], + "ProtectedResourceType": "{{ _instance_type_restore }}", + "RestoreMetadataOverrides": { + "vpcSecurityGroupIds": "[\"{{ _restore_testing_sg.group_id }}\"]", + "dbsubnetgroupname": "{{ aws_rds.name }}" + }, + "RestoreTestingSelectionName": "{{ backup.selection_name | replace("-", "_") }}", + "ValidationWindowHours": 1 + } +} 
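Review bot: The new template reads `aws_rds.name` directly for `dbsubnetgroupname`, which ties the aws_backup_validation role to a variable owned by the aws_rds role and assumes the DB subnet group is named after the cluster; neither can be confirmed from this chunk. Passing the subnet group name in through the `backup` mapping, as the other selection inputs already are, would make the dependency explicit and let non-RDS callers of this role stay independent of `aws_rds`.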
From 1c7fd066e6dd30fc938eb543c60a900a3787a45c Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 16 Sep 2025 18:33:09 +0200 Subject: [PATCH 16/17] Fixing-aurora-backup-tasks-5 --- .../aws_backup_validation/tasks/testing_resources.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/roles/aws/aws_backup_validation/tasks/testing_resources.yml b/roles/aws/aws_backup_validation/tasks/testing_resources.yml index 49f28b985..63c79421d 100644 --- a/roles/aws/aws_backup_validation/tasks/testing_resources.yml +++ b/roles/aws/aws_backup_validation/tasks/testing_resources.yml 
@@ -73,22 +73,21 @@ - name: Set instance type for template. ansible.builtin.set_fact: _instance_type_restore: "{{ instance_type[backup.resource_type] }}" - _template_prefix: "{{ instance_type[backup.resource_type] }}" when: backup.resource_type != 'file-system' - name: Create restore testing query file. ansible.builtin.template: - src: "{{ _template_prefix }}_restore_testing.j2" + src: "{{ _instance_type_restore }}_restore_testing.j2" dest: /tmp/restore_testing.json register: _restore_testing_query - when: _template_prefix is defined + when: _instance_type_restore is defined - name: Check if protected reource exist. ansible.builtin.command: > aws backup list-protected-resources --query "Results[?ResourceArn=='{{ _resource_arn }}']" --region {{ _aws_region }} register: _protected_res -- name: Assign {{ _template_prefix }} resource to AWS restore testing plan. +- name: Assign {{ _instance_type_restore }} resource to AWS restore testing plan. ansible.builtin.command: > aws backup create-restore-testing-selection --cli-input-json file:///tmp/restore_testing.json --region {{ _aws_region }} - when: _template_prefix is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 + when: _instance_type_restore is defined and _testing_plan_info.stdout != "null" and _testing_selection_exists.stdout | length == 0 and _protected_res.stdout | length != 0 From 8ac74be7e5eafa3abf7e87806acc80fa7943164c Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Tue, 16 Sep 2025 20:14:22 +0200 Subject: [PATCH 17/17] Updating-aurora-vars --- roles/aws/aws_rds/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_rds/tasks/main.yml b/roles/aws/aws_rds/tasks/main.yml index 32de57f85..602f13439 100644 --- a/roles/aws/aws_rds/tasks/main.yml +++ b/roles/aws/aws_rds/tasks/main.yml 
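Review bot: `_protected_res.stdout | length != 0` in the rewritten `when:` never filters anything when the CLI emits JSON: a `--query` that matches nothing prints `[]`, whose length is 2, so the selection is created even when the resource is not yet protected. The `_testing_plan_info.stdout != "null"` test on the same line shows JSON output is what the role expects, so `_protected_res.stdout | from_json | length > 0` tests the actual result; the `_testing_selection_exists.stdout | length == 0` term likely needs the same treatment, but its command is outside this hunk. Splitting the four `and`-joined terms into a `when:` list would also make each condition readable on its own.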
@@ -241,7 +241,7 @@ vars: backup: backup_plan_name: "{{ aws_rds.backup }}" - selection_name: "RDS-{{ aws_rds.name }}-{{ _env_type }}" + selection_name: "AURORA-{{ aws_rds.name }}-{{ _env_type }}" resource_id: "{{ aws_rds.name }}" resource_type: "cluster" when: