31 changes: 31 additions & 0 deletions roles/beats/tasks/auditbeat.yml
Expand Up @@ -10,6 +10,9 @@
string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) |
replace(' ', '')
}}
tags:
- auditbeat
- name

- name: Install Auditbeat - rpm - full stack
ansible.builtin.package:
Expand All @@ -21,6 +24,9 @@
when:
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- auditbeat
- rpm

- name: Install Auditbeat - rpm - standalone
ansible.builtin.package:
Expand All @@ -30,6 +36,10 @@
when:
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool
tags:
- auditbeat
- standalone
- rpm

- name: Install Auditbeat - deb
ansible.builtin.package:
Expand All @@ -38,6 +48,9 @@
- Restart Auditbeat
when:
- ansible_os_family == "Debian"
tags:
- auditbeat
- deb

# KICS complains about "latest" package but this is a dedicated update task

Expand All @@ -55,11 +68,15 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- auditbeat
- fullstack
- rpm

- name: Install Auditbeat latest version - rpm - standalone
ansible.builtin.package:
name: auditbeat
state: latest

notify:
- Restart Auditbeat
when:
Expand All @@ -67,17 +84,25 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool
tags:
- auditbeat
- latest
- rpm

- name: Install Auditbeat latest version - deb
ansible.builtin.package:
name: auditbeat
state: latest

notify:
- Restart Auditbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"
tags:
- auditbeat
- latest
- deb

- name: Configure Auditbeat
ansible.builtin.template:
Expand Down Expand Up @@ -105,10 +130,16 @@
when:
- beats_auditbeat_setup | bool
- beats_auditbeat_output == "elasticsearch"
tags:
- auditbeat
- setup

- name: Start Auditbeat
ansible.builtin.service:
name: auditbeat
state: started
enabled: true
when: beats_auditbeat_enable | bool
tags:
- auditbeat
- start
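Review bot: The full-stack latest install task's new tags (`auditbeat`, `fullstack`, `rpm`) lack `latest`, while the standalone and deb latest tasks carry it, so a run limited with `--tags latest` silently skips the full-stack upgrade path; add `- latest` to that list. The plain full-stack install task is tagged only `auditbeat`/`rpm` without `fullstack`, whereas the metricbeat equivalent in this PR has it, and the version-setting task's tag `name` says nothing about what it selects — `auditbeat_version` would. The same two gaps appear in roles/beats/tasks/filebeat.yml. Every tagged task here begins above its hunk, so the tag lists are all I can see of them.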
12 changes: 12 additions & 0 deletions roles/beats/tasks/beats-security.yml
Expand Up @@ -3,6 +3,9 @@
ansible.builtin.stat:
path: "/etc/beats/certs/{{ inventory_hostname }}-beats.crt"
register: beats_cert_exists
tags:
- beat_security
- cert_check

- name: Get the beats certificate expiration date
community.crypto.x509_certificate_info:
Expand All @@ -11,18 +14,27 @@
check_period: "{{ beats_cert_expiration_buffer }}"
register: beats_cert_expiration_date
when: beats_cert_exists.stat.exists | bool
tags:
- beat_security
- cert_expiration_date

- name: Set beats certificate will expire soon to true
ansible.builtin.set_fact:
beats_cert_will_expire_soon: true
when: beats_cert_expiration_date.skipped is not defined and not beats_cert_expiration_date.valid_at.check_period
tags:
- beat_security
- cert_expiration_soon

- name: Print the beats certificate renew message
ansible.builtin.debug:
msg: |
Your beats certificate will expire before {{ beats_cert_expiration_buffer }}.
Ansible will renew it.
when: beats_cert_expiration_date.skipped is not defined and not beats_cert_expiration_date.valid_at.check_period
tags:
- beat_security
- cert_renewal_message

- name: Backup beats certs then remove
when: "'renew_beats_cert' in ansible_run_tags or 'renew_ca' in ansible_run_tags or beats_cert_will_expire_soon | bool"
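Review bot: The per-task tags `cert_check`, `cert_expiration_date` and `cert_expiration_soon` split a dependent chain: the expiration task's `when` reads `beats_cert_exists.stat.exists` and the set_fact reads `beats_cert_expiration_date.skipped`, so selecting one of the later tags on its own fails on an undefined variable before `when` can skip the task. Either drop the fine-grained tags and keep only the shared one, or give each downstream task's tag to every task it depends on. `beat_security` is also singular where the role and its other tags (`beats_configuration`, `renew_beats_cert`) say `beats`. The Backup task that follows is cut off by the page, so I can't see whether its tags line up with these.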
31 changes: 31 additions & 0 deletions roles/beats/tasks/filebeat.yml
Expand Up @@ -9,6 +9,9 @@
elasticstack_version |
string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) |
replace(' ', '') }}
tags:
- filebeat
- name

- name: Install Filebeat - rpm - full stack
ansible.builtin.package:
Expand All @@ -20,6 +23,9 @@
when:
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- filebeat
- rpm

- name: Install Filebeat - rpm - standalone
ansible.builtin.package:
Expand All @@ -29,6 +35,10 @@
when:
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool
tags:
- filebeat
- standalone
- rpm

- name: Install Filebeat - deb
ansible.builtin.package:
Expand All @@ -37,11 +47,14 @@
- Restart Filebeat
when:
- ansible_os_family == "Debian"
tags:
- filebeat
- deb

- name: Install Filebeat latest version - rpm - full stack
ansible.builtin.package:
name: filebeat
state: latest

enablerepo:
- "elastic-{{ elasticstack_release }}.x"
notify:
Expand All @@ -51,11 +64,15 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- filebeat
- fullstack
- rpm

- name: Install Filebeat latest version - rpm - standalone
ansible.builtin.package:
name: filebeat
state: latest

notify:
- Restart Filebeat
when:
Expand All @@ -63,17 +80,25 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool
tags:
- filebeat
- latest
- rpm

- name: Install Filebeat latest version - deb
ansible.builtin.package:
name: filebeat
state: latest

notify:
- Restart Filebeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"
tags:
- filebeat
- latest
- deb

- name: Configure Filebeat
ansible.builtin.template:
Expand Down Expand Up @@ -122,10 +147,16 @@
with_items: "{{ beats_filebeat_modules }}"
notify:
- Restart Filebeat
tags:
- filebeat
- setup

- name: Start Filebeat
ansible.builtin.service:
name: filebeat
state: started
enabled: true
when: beats_filebeat_enable | bool
tags:
- filebeat
- start
40 changes: 39 additions & 1 deletion roles/beats/tasks/metricbeat.yml
Expand Up @@ -10,6 +10,9 @@
string ) if (elasticstack_version is defined and elasticstack_version | length > 0)) |
replace(' ', '')
}}
tags:
- metricbeat
- name

- name: Install Metricbeat - rpm - full stack
ansible.builtin.package:
Expand All @@ -21,6 +24,10 @@
when:
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- metricbeat
- fullstack
- rpm

- name: Install Metricbeat - rpm - standalone
ansible.builtin.package:
Expand All @@ -30,6 +37,10 @@
when:
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool
tags:
- metricbeat
- standalone
- rpm

- name: Install Metricbeat - deb
ansible.builtin.package:
Expand All @@ -38,11 +49,14 @@
- Restart Metricbeat
when:
- ansible_os_family == "Debian"
tags:
- metricbeat
- deb

- name: Install Metricbeat latest version - rpm - full stack
ansible.builtin.package:
name: metricbeat
state: latest

enablerepo:
- "elastic-{{ elasticstack_release }}.x"
notify:
Expand All @@ -52,11 +66,15 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- elasticstack_full_stack | bool
tags:
- metricbeat
- fullstack
- rpm

- name: Install Metricbeat latest version - rpm - standalone
ansible.builtin.package:
name: metricbeat
state: latest

notify:
- Restart Metricbeat
when:
Expand All @@ -64,18 +82,25 @@
- elasticstack_version == "latest"
- ansible_os_family == "RedHat"
- not elasticstack_full_stack | bool

tags:
- metricbeat
- latest
- rpm

- name: Install Metricbeat latest version - deb
ansible.builtin.package:
name: metricbeat
state: latest

notify:
- Restart Metricbeat
when:
- elasticstack_version is defined
- elasticstack_version == "latest"
- ansible_os_family == "Debian"
tags:
- metricbeat
- latest
- deb

- name: Configure Metricbeat
ansible.builtin.template:
Expand All @@ -86,13 +111,20 @@
mode: 0644
notify:
- Restart Metricbeat
tags:
- configuration
- beats_metricbeat_configuration
- beats_configuration

- name: Enable modules
ansible.builtin.command: "metricbeat modules enable {{ item }}"
args:
creates: "/etc/metricbeat/modules.d/{{ item }}.yml"
with_items: "{{ beats_metricbeat_modules }}"
when: beats_metricbeat_modules is defined
tags:
- metricbeat
- metricbeat_enable_module

- name: Enable Ingest Pipelines
ansible.builtin.command: >
Expand All @@ -106,10 +138,16 @@
when:
- beats_metricbeat_modules is defined
- beats_metricbeat_output == "elasticsearch"
tags:
- metricbeat
- metricbeat_ingest_pipelines

- name: Start Metricbeat
ansible.builtin.service:
name: metricbeat
state: started
enabled: true
when: beats_metricbeat_enable | bool
tags:
- metricbeat
- metricbeat_start
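Review bot: The Configure Metricbeat task's new tag list (`configuration`, `beats_metricbeat_configuration`, `beats_configuration`) is the only one in this file without `metricbeat`, so `ansible-playbook --tags metricbeat` installs, enables modules and starts the service but never renders its config; add `- metricbeat` to that list. The naming also drifts from auditbeat.yml and filebeat.yml in the same PR, which tag their start tasks `start` and setup tasks `setup`, while this file uses `metricbeat_start` and `metricbeat_ingest_pipelines`; one scheme across the three beats would make `--tags start` mean the same thing everywhere. The blank line left between the `when` list and `tags:` in the standalone-latest task breaks the layout every other task here follows. All of these tasks start above their hunks.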
1 change: 1 addition & 0 deletions roles/elasticstack/defaults/main.yml
Expand Up @@ -26,6 +26,7 @@ elasticstack_security: true
elasticstack_variant: elastic
elasticstack_force_pip: false
elasticstack_manage_pip: false
elasticstack_encryption_key_size: 64

# for debugging only
elasticstack_no_log: true
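Review bot: `elasticstack_encryption_key_size: 64` lands without a comment saying what unit it is in or what consumes it, so a reader tuning it cannot tell whether 64 means bytes or characters or what the lower bound is. I'd add `# length of generated encryption keys (unit: TODO confirm — bytes or characters); do not lower below what the consuming service accepts` above it, filled in with the actual consumer once confirmed, since the task that reads this variable is not on this page.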
1 change: 1 addition & 0 deletions roles/kibana/defaults/main.yml
Expand Up @@ -14,6 +14,7 @@ kibana_cert_validity_period: 1095
kibana_cert_will_expire_soon: false
kibana_sniff_on_start: false
kibana_sniff_on_connection_fault: false
kibana_custom_default_index: 979390d0-3def-11ea-ad1f-5b09c073c7d3

kibana_freshstart:
changed: false
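Review bot: `kibana_custom_default_index` defaults to what appears to be a fixed saved-object id (`979390d0-3def-11ea-ad1f-5b09c073c7d3`) copied from one Kibana instance; on any other deployment the defaultIndex setting will point at a data view that does not exist. Defaulting to an empty value and skipping the setting task when it is empty, or at least documenting where the id comes from, would be safer — `# Saved-object id of the data view to use as Kibana's default index; set per deployment` above the line. The task that consumes it is roles/kibana/tasks/kibana-default-index.yml in this PR.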
16 changes: 16 additions & 0 deletions roles/kibana/tasks/kibana-default-index.yml
@@ -0,0 +1,16 @@
---

- name: Set Custom Default Index
ansible.builtin.uri:
url: 'http://{{ ansible_default_ipv4.address }}:5601/api/kibana/settings'

method: POST
body:
changes:
defaultIndex: '{{ kibana_custom_default_index }}'
body_format: json
headers:
kbn-version: 8.19.11
Content-Type: application/json
register: result
- ansible.builtin.debug:
msg: "setting new custom Index to {{ kibana_custom_default_index }}"
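Review bot: The uri call posts the settings change over plain `http://` to `ansible_default_ipv4.address:5601` with no `url_username`/`url_password`, while the role defaults in this same PR set `elasticstack_security: true`; on a secured Kibana the request is rejected, and on an unsecured one a settings write goes out unauthenticated and unencrypted. Build the URL from the scheme, host and port variables the role's other Kibana API tasks use and pass the same credentials with `force_basic_auth: true` — those variable names are not visible on this page, so reuse whatever the existing tasks use. The hard-coded `kbn-version: 8.19.11` header must match the running Kibana version exactly or Kibana rejects the POST; `kbn-xsrf: "true"` satisfies the same requirement independent of version. `register: result` is never read, the debug task has no `name:`, and without `changed_when` the POST reports a change on every run.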