Merge branch 'stackhpc/yoga' into fix_esp_sizing

Author: mnasiadka

doc/source/configuration/wazuh.rst

@@ -290,6 +290,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 

etc/kayobe/ansible/wazuh-manager.yml

@@ -17,6 +17,63 @@
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-filebeat-oss"
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/wazuh-dashboard"
   post_tasks:
+    - block:
+        - name: Check if custom SCA policies directory exists
+          stat:
+            path: "{{ local_custom_sca_policies_path }}"
+          register: custom_sca_policies_folder
+          delegate_to: localhost
+          become: no
+
+        - name: Gather list of custom SCA policies
+          find:
+            paths: "{{ local_custom_sca_policies_path }}"
+            patterns: '*.yml'
+          delegate_to: localhost
+          register: custom_sca_policies
+          when: custom_sca_policies_folder.stat.exists
+
+        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+          blockinfile:
+            path: "/var/ossec/etc/local_internal_options.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            block: |
+              sca.remote_commands=1
+          when: custom_sca_policies.files | length > 0
+
+        - name: Copy custom SCA policy files to Wazuh manager
+          copy:
+            # Note the trailing slash to copy directory contents
+            src: "{{ local_custom_sca_policies_path }}/"
+            dest: "/var/ossec/etc/shared/default/"
+            owner: wazuh
+            group: wazuh
+          when: custom_sca_policies.files | length > 0
+
+        - name: Add custom policy definition(s) to the shared Agent config
+          blockinfile:
+            path: "/var/ossec/etc/shared/default/agent.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            marker: "{mark} ANSIBLE MANAGED BLOCK Custom SCA Policies"
+            insertafter: "<!-- Shared agent configuration here -->"
+            block: |
+              {% filter indent(width=2, first=true) %}
+              <sca>
+                <policies>
+              {% for item in custom_sca_policies.files %}
+                  <policy>etc/shared/{{ item.path | basename }}</policy>
+              {% endfor %}
+                </policies>
+              </sca>
+              {% endfilter %}
+          when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh
+
     - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector
       blockinfile:
         path: "/var/ossec/etc/ossec.conf"

etc/kayobe/dnf.yml

@@ -112,19 +112,19 @@ dnf_custom_repos_rocky:
   appstream:
     baseurl: "{{ stackhpc_repo_rocky_appstream_url }}"
     description: "Rocky Linux $releasever - AppStream"
-    file: Rocky-AppStream
+    file: "{{ 'Rocky-AppStream' if os_release == '8' else 'rocky' }}"
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
     gpgcheck: yes
   baseos:
     baseurl: "{{ stackhpc_repo_rocky_baseos_url }}"
     description: "Rocky Linux $releasever - BaseOS"
-    file: Rocky-BaseOS
+    file: "{{ 'Rocky-BaseOS' if os_release == '8' else 'rocky' }}"
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
     gpgcheck: yes
   extras:
     baseurl: "{{ stackhpc_repo_rocky_extras_url }}"
     description: "Rocky Linux $releasever - Extras"
-    file: Rocky-Extras
+    file: "{{ 'Rocky-Extras' if os_release == '8' else 'rocky-extras' }}"
     gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
     gpgcheck: yes
 

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -24,6 +24,9 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
+
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 

etc/kayobe/kolla.yml

@@ -389,7 +389,7 @@ kolla_build_customizations_common:
   ironic_inspector_pip_packages_append:
     - /additions/*
 
-kolla_build_customizations_centos:
+kolla_build_customizations_el:
   base_yum_repo_files_remove:
     - proxysql.repo
   neutron_base_packages_remove:
@@ -415,15 +415,15 @@ kolla_build_customizations_centos:
     - openvswitch2.17
     - python3-openvswitch2.17
   ovn_base_packages_override:
-    - ovn22.09
+    - ovn22.12
   ovn_controller_packages_override:
-    - ovn22.09-host
+    - ovn22.12-host
   ovn_nb_db_server_packages_override:
-    - ovn22.09-central
+    - ovn22.12-central
   ovn_northd_packages_override:
-    - ovn22.09-central
+    - ovn22.12-central
   ovn_sb_db_server_packages_override:
-    - ovn22.09-central
+    - ovn22.12-central
   openvswitch_base_packages_remove:
     - openvswitch
     - python3-openvswitch
@@ -439,7 +439,7 @@ kolla_build_customizations_ubuntu: {}
 # Hyphens in the image name must be replaced with underscores. The
 # customization is most commonly packages. The operation should be one of
 # override, append or remove. The value should be a list.
-kolla_build_customizations: "{{ kolla_build_customizations_common | combine(kolla_build_customizations_centos if kolla_base_distro == 'centos' else kolla_build_customizations_ubuntu) }}"
+kolla_build_customizations: "{{ kolla_build_customizations_common | combine(kolla_build_customizations_el if kolla_base_distro in ['centos', 'rocky'] else kolla_build_customizations_ubuntu) }}"
 
 # Dict mapping Kolla Dockerfile ARG names to their values.
 kolla_build_args:

etc/kayobe/kolla/config/nova.conf

@@ -1,2 +1,2 @@
 [libvirt]
-hw_machine_type = q35
+hw_machine_type = x86_64=q35

etc/kayobe/kolla/config/prometheus/rabbitmq.rules

@@ -56,7 +56,7 @@ groups:
     annotations:
       description: RabbitMQ too much unack on {{ $labels.instance }}
   - alert: RabbitMQTooMuchConnections
-    expr: rabbitmq_connections > 1000
+    expr: rabbitmq_connections > {% endraw %}{{ (1500 * groups['controllers'] | length + 50 * groups['compute'] | length) }}{% raw %}
     for: 2m
     labels:
       severity: warning

etc/kayobe/kolla/globals.yml

@@ -41,9 +41,11 @@ kayobe_image_tags:
     # with signature: `Missing section footer for 0000:00:01.3/piix4_pm`. Test carefully before bumping.
     centos: yoga-20230718T112646
   openvswitch:
-    rocky: yoga-20230515T150233
+    centos: yoga-20231019T102525
+    rocky: yoga-20231019T102525
   ovn:
-    rocky: yoga-20230515T150233
+    centos: yoga-20231019T102525
+    rocky: yoga-20231019T102525
   prometheus_node_exporter:
     rocky: yoga-20230315T170614
 

etc/kayobe/stackhpc-overcloud-dib.yml

@@ -62,12 +62,14 @@ stackhpc_overcloud_dib_env_vars:
 
 # StackHPC overcloud DIB image packages.
 stackhpc_overcloud_dib_packages:
-  - "logrotate"
-  - "net-tools"
-  - "vim"
+  - "ethtool"
   - "git"
   - "less"
+  - "logrotate"
+  - "net-tools"
+  - "pciutils"
   - "python3"
+  - "vim"
   - "{% if os_distribution == 'ubuntu' %}netbase{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}iputils-ping{% endif %}"
   - "{% if os_distribution == 'ubuntu' %}curl{% endif %}"

releasenotes/notes/bump-centos8-stream-snapshots-2023-09-04-a473edfd3f3b2298.yaml

@@ -2,9 +2,8 @@
 security:
   - |
     Bumps CentOS Stream 8 snapshots to include fixes for Zenbleed
-    (CVE-2023-20593), Downfall (CVE-2022-40982) and Inception (CVE-2023-20569).
-    It is recommended that you update your OS packages and reboot into the kernel
-    as soon as possible.
+    (CVE-2023-20593) and Downfall (CVE-2022-40982). It is recommended that you
+    update your OS packages and reboot into the kernel as soon as possible.
 upgrade:
   - |
     CentOS Stream 8 snapshots have been bumped and new container images are

releasenotes/notes/bump-ubuntu-snapshots-2023-09-15-22ca5250d40bd5b6.yaml

@@ -2,7 +2,7 @@
 security:
   - |
     Bumps Ubuntu repository snapshots and container images to bring in latest
-    security patches. This includes the microcode to patch Inception
-    (CVE-2023-20569) and Downfall (CVE-2022-40982). Zenbleed (CVE-2023-20593)
-    was patched in the previous snapshot bump. To apply the microcode updates,
-    it is recommended to reboot each host after upgrading all of the packages.
+    security patches. This includes the microcode to patch Downfall
+    (CVE-2022-40982). Zenbleed (CVE-2023-20593) was patched in the previous
+    snapshot bump. To apply the microcode updates, it is recommended to reboot
+    each host after upgrading all of the packages.

releasenotes/notes/overcloud-dib-ethtool-pciutils-5b3404b146c9f2a0.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds ``ethtool`` and ``pciutils`` to the overcloud host disk image.

releasenotes/notes/rabbitmq-connection-alert-85cc7b29ddf8e3c3.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adapt threshold of RabbitMQ connection alert based on the size of the
+    deployment to avoid spurious alerts.

releasenotes/notes/wazuh-custom-sca-policies-a5f15818948928b0.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Wazuh can now de deployed with additional custom SCA policies. Just add the
+    policy file(s) to the directory
+    ``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.

terraform/aio/README.rst

@@ -84,7 +84,7 @@ Generate Terraform variables:
    cat << EOF > terraform.tfvars
    ssh_public_key = "id_rsa.pub"
    aio_vm_name = "kayobe-aio"
-   aio_vm_image = "CentOS-stream8"
+   aio_vm_image = "overcloud-centos-8-stream-yoga-20230525T095243"
    aio_vm_flavor = "general.v1.medium"
    aio_vm_network = "stackhpc-ipv4-geneve"
    aio_vm_subnet = "stackhpc-ipv4-geneve-subnet"