Merge branch 'stackhpc/yoga' into hw-machine-type

Author: mnasiadka

doc/source/configuration/wazuh.rst

@@ -290,6 +290,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 

etc/kayobe/ansible/wazuh-manager.yml

@@ -17,6 +17,63 @@
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-filebeat-oss"
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/wazuh-dashboard"
   post_tasks:
+    - block:
+        - name: Check if custom SCA policies directory exists
+          stat:
+            path: "{{ local_custom_sca_policies_path }}"
+          register: custom_sca_policies_folder
+          delegate_to: localhost
+          become: no
+
+        - name: Gather list of custom SCA policies
+          find:
+            paths: "{{ local_custom_sca_policies_path }}"
+            patterns: '*.yml'
+          delegate_to: localhost
+          register: custom_sca_policies
+          when: custom_sca_policies_folder.stat.exists
+
+        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+          blockinfile:
+            path: "/var/ossec/etc/local_internal_options.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            block: |
+              sca.remote_commands=1
+          when: custom_sca_policies.files | length > 0
+
+        - name: Copy custom SCA policy files to Wazuh manager
+          copy:
+            # Note the trailing slash to copy directory contents
+            src: "{{ local_custom_sca_policies_path }}/"
+            dest: "/var/ossec/etc/shared/default/"
+            owner: wazuh
+            group: wazuh
+          when: custom_sca_policies.files | length > 0
+
+        - name: Add custom policy definition(s) to the shared Agent config
+          blockinfile:
+            path: "/var/ossec/etc/shared/default/agent.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            marker: "{mark} ANSIBLE MANAGED BLOCK Custom SCA Policies"
+            insertafter: "<!-- Shared agent configuration here -->"
+            block: |
+              {% filter indent(width=2, first=true) %}
+              <sca>
+                <policies>
+              {% for item in custom_sca_policies.files %}
+                  <policy>etc/shared/{{ item.path | basename }}</policy>
+              {% endfor %}
+                </policies>
+              </sca>
+              {% endfilter %}
+          when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh
+
     - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector
       blockinfile:
         path: "/var/ossec/etc/ossec.conf"

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -24,6 +24,9 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
+
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 

etc/kayobe/kolla/config/prometheus/rabbitmq.rules

@@ -56,7 +56,7 @@ groups:
     annotations:
       description: RabbitMQ too much unack on {{ $labels.instance }}
   - alert: RabbitMQTooMuchConnections
-    expr: rabbitmq_connections > 1000
+    expr: rabbitmq_connections > {% endraw %}{{ (1500 * groups['controllers'] | length + 50 * groups['compute'] | length) }}{% raw %}
     for: 2m
     labels:
       severity: warning

etc/kayobe/stackhpc-overcloud-dib.yml

@@ -62,12 +62,14 @@ stackhpc_overcloud_dib_env_vars:
 
 # StackHPC overcloud DIB image packages.
 stackhpc_overcloud_dib_packages:
-  - "logrotate"
-  - "net-tools"
-  - "vim"
+  - "ethtool"
   - "git"
   - "less"
+  - "logrotate"
+  - "net-tools"
+  - "pciutils"
   - "python3"
+  - "vim"
   - "{% if os_distribution == 'ubuntu' %}netbase{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}iputils-ping{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}curl{% endif %}"

releasenotes/notes/bump-centos8-stream-snapshots-2023-09-04-a473edfd3f3b2298.yaml

@@ -2,9 +2,8 @@
 security:
   - |
     Bumps CentOS Stream 8 snapshots to include fixes for Zenbleed
-    (CVE-2023-20593), Downfall (CVE-2022-40982) and Inception (CVE-2023-20569).
-    It is recommended that you update your OS packages and reboot into the kernel
-    as soon as possible.
+    (CVE-2023-20593) and Downfall (CVE-2022-40982). It is recommended that you
+    update your OS packages and reboot into the kernel as soon as possible.
 upgrade:
   - |
     CentOS Stream 8 snapshots have been bumped and new container images are

releasenotes/notes/bump-ubuntu-snapshots-2023-09-15-22ca5250d40bd5b6.yaml

@@ -2,7 +2,7 @@
 security:
   - |
     Bumps Ubuntu repository snapshots and container images to bring in latest
-    security patches. This includes the microcode to patch Inception
-    (CVE-2023-20569) and Downfall (CVE-2022-40982). Zenbleed (CVE-2023-20593)
-    was patched in the previous snapshot bump. To apply the microcode updates,
-    it is recommended to reboot each host after upgrading all of the packages.
+    security patches. This includes the microcode to patch Downfall
+    (CVE-2022-40982). Zenbleed (CVE-2023-20593) was patched in the previous
+    snapshot bump. To apply the microcode updates, it is recommended to reboot
+    each host after upgrading all of the packages.

releasenotes/notes/overcloud-dib-ethtool-pciutils-5b3404b146c9f2a0.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds ``ethtool`` and ``pciutils`` to the overcloud host disk image.

releasenotes/notes/rabbitmq-connection-alert-85cc7b29ddf8e3c3.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adapt threshold of RabbitMQ connection alert based on the size of the
+    deployment to avoid spurious alerts.

releasenotes/notes/wazuh-custom-sca-policies-a5f15818948928b0.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Wazuh can now de deployed with additional custom SCA policies. Just add the
+    policy file(s) to the directory
+    ``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.