From 086ba71c6901b62031573e1e8f63802ac15e8602 Mon Sep 17 00:00:00 2001 From: AlfonsoRBJ Date: Tue, 1 Oct 2019 11:28:04 +0200 Subject: [PATCH] Elastic 7-x cloud adaption (#255) Former-commit-id: 6d9595327d5c7bc4b8a8d84d57c00c19c7bf6a47 --- CHANGELOG.md | 39 +++++++- README.md | 10 +- VERSION | 4 +- docker-compose.yml | 17 ++-- elasticsearch/Dockerfile | 30 +++--- elasticsearch/config/10-config_cluster.sh | 107 +++++++++++++++++----- elasticsearch/config/20-config_secure.sh | 13 ++- elasticsearch/config/configure_s3.sh | 1 + elasticsearch/config/entrypoint.sh | 2 +- elasticsearch/config/load_settings.sh | 20 ++-- kibana/Dockerfile | 21 +++-- kibana/config/10-wazuh_app_config.sh | 2 +- kibana/config/20-entrypoint.sh | 6 +- kibana/config/entrypoint.sh | 4 +- kibana/config/kibana_settings.sh | 34 +++++-- kibana/config/welcome_wazuh.sh | 18 ++-- kibana/config/xpack_config.sh | 3 +- logstash/Dockerfile | 4 +- logstash/config/01-wazuh.conf | 11 ++- logstash/config/10-entrypoint.sh | 3 + nginx/Dockerfile | 2 +- nginx/config/entrypoint.sh | 2 +- wazuh/Dockerfile | 22 +++-- wazuh/config/entrypoint.sh | 2 +- wazuh/config/filebeat.runit.service | 1 + wazuh/config/filebeat.yml | 13 +-- wazuh/config/postfix.runit.service | 1 + wazuh/config/wazuh-api.runit.service | 1 + wazuh/config/wazuh.runit.service | 1 + 29 files changed, 266 insertions(+), 128 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e2261d5..570175ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,18 +1,42 @@ # Change Log All notable changes to this project will be documented in this file. +## Wazuh Docker v3.9.5_7.2.1 + +### Added + +- Update to Wazuh version 3.9.5_7.2.1 + + +## Wazuh Docker v3.9.4_7.2.0 + +### Added + +- Update to Wazuh version 3.9.4_7.2.0 +- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2) + ## Wazuh Docker v3.9.4_6.8.1 + +## Wazuh Docker v3.9.3_7.2.0 + +### Fixed +- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213) + +## Wazuh Docker v3.9.2_7.1.1 + +### Added + +- Update to Wazuh version 3.9.2_7.1.1 + ## Wazuh Docker v3.9.3_6.8.1 ### Added - Update to Wazuh version 3.9.3_6.8.1 - -### Added - - Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163)) + ## Wazuh Docker v3.9.2_6.8.0 ### Added @@ -31,6 +55,15 @@ All notable changes to this project will be documented in this file. - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181)) + +## Wazuh Docker v3.9.1_7.1.0 + +### Added + +- Support for Elastic v7.1.0 +- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88) + + ## Wazuh Docker v3.9.0_6.7.2 ### Changed diff --git a/README.md b/README.md index 8a673685..7fdb7802 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,6 @@ In this repository you will find the containers to run: * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) -* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** @@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione │   │   └── kibana.yml │   └── Dockerfile ├── LICENSE - ├── logstash - │   ├── config - │   │   ├── 01-wazuh.conf - │   │   └── run.sh - │   └── Dockerfile ├── nginx │   ├── config │   │   └── entrypoint.sh 
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione * `stable` branch on correspond to the latest Wazuh-Docker stable version. * `master` branch contains the latest code, be aware of possible bugs on this branch. -* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. +* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. ## Credits and Thank you @@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project. ## License and copyright -Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) ## Web references diff --git a/VERSION b/VERSION index cfeb7686..b1f431ca 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.9.4_6.8.1" -REVISION="3942" \ No newline at end of file +WAZUH-DOCKER_VERSION="3.9.5_7.2.1" +REVISION="3950" diff --git a/docker-compose.yml b/docker-compose.yml index fb4171a9..07eedefb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '2' services: wazuh: - image: wazuh/wazuh:3.9.3_6.8.1 + image: wazuh/wazuh:3.9.5_7.2.1 hostname: wazuh-manager restart: always ports: 
@@ -32,16 +32,12 @@ services: - ELASTICSEARCH_URL=https://elasticsearch:9200 - SECURITY_CA_PEM=server.TEST-CA-signed.pem elasticsearch: - image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1 + image: wazuh/wazuh-elasticsearch:3.9.5_7.2.1 hostname: elasticsearch restart: always ports: - "9200:9200" environment: - - node.name=node-1 - - cluster.name=wazuh - - network.host=0.0.0.0 - - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - ELASTICSEARCH_PROTOCOL=https - ELASTICSEARCH_IP=elasticsearch @@ -63,13 +59,20 @@ services: - SECURITY_OPENSSL_CONF=TEST_openssl.cnf - SECURITY_MONITORING_USER=service_monitoring - SECURITY_MONITORING_PASS=monitoring_pass + - ELASTIC_CLUSTER=true + - CLUSTER_NODE_MASTER=true + - CLUSTER_MASTER_NODE_NAME=elasticsearch + - CLUSTER_NODE_DATA=true + - CLUSTER_NODE_INGEST=true + - CLUSTER_MAX_NODES=3 ulimits: memlock: soft: -1 hard: -1 mem_limit: 2g + kibana: - image: wazuh/wazuh-kibana:3.9.3_6.8.1 + image: wazuh/wazuh-kibana:3.9.5_7.2.1 hostname: kibana restart: always depends_on: diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index c2073891..ae77d488 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,8 +1,9 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2 +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +ARG ELASTIC_VERSION=7.2.1 +FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} +ARG TEMPLATE_VERSION=v3.9.5 -ENV ALERTS_SHARDS="1" \ - ALERTS_REPLICAS="0" +ENV ELASTICSEARCH_URL="http://elasticsearch:9200" ENV API_USER="foo" \ API_PASS="bar" 
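Review bot: The new `CLUSTER_MASTER_NODE_NAME=elasticsearch` entry in the elasticsearch service is not read by anything in this patch; `10-config_cluster.sh` decides the master role by comparing the container hostname with `$SECURITY_MAIN_NODE`, which the compose file never sets. As far as this diff shows, the node would therefore take the `discovery.seed_hosts` branch with no `cluster.initial_master_nodes`, and a fresh 7.x node cannot bootstrap a cluster that way. Either rename the entry to `- SECURITY_MAIN_NODE=elasticsearch` or make the script honour `CLUSTER_MASTER_NODE_NAME`, and keep one name for the concept across the compose file, the Dockerfile ENV block and the script.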
@@ -11,8 +12,10 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ENV TEMPLATE_VERSION=v3.9.4 +ENV WAZUH_ALERTS_SHARDS="1" \ + WAZUH_ALERTS_REPLICAS="0" +ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. # command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= --build-arg SECURITY_CA_KEY_LOCATION= @@ -29,19 +32,19 @@ ARG SECURITY_CA_TRUST_LOCATION="" # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration +# CLUSTER_INITIAL_MASTER_NODES set to own node by default. ENV ELASTIC_CLUSTER="false" \ CLUSTER_NAME="wazuh" \ - CLUSTER_NODE_MASTER="true" \ + CLUSTER_NODE_MASTER="false" \ CLUSTER_NODE_DATA="true" \ CLUSTER_NODE_INGEST="true" \ - CLUSTER_NODE_NAME="wazuh-elasticsearch" \ CLUSTER_MEMORY_LOCK="true" \ CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \ CLUSTER_NUMBER_OF_MASTERS="2" \ CLUSTER_MAX_NODES="1" \ - CLUSTER_DELAYED_TIMEOUT="1m" - -ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config + CLUSTER_DELAYED_TIMEOUT="1m" \ + CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \ + CLUSTER_DISCOVERY_SEED="elasticsearch" # CA cert for Transport SSL ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config @@ -49,7 +52,8 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config -RUN yum install openssl -y +RUN yum install openssl -y && \ + yum install unzip -y RUN mkdir /entrypoint-scripts 
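Review bot: `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config` pulls the index template at build time with no integrity check, and a git tag such as `v3.9.5` can be moved after the fact; prefer a `RUN curl -fsSL ... -o wazuh-template.json && echo '<EXPECTED_SHA256>  wazuh-template.json' | sha256sum -c` so the image only builds against the template that was reviewed. In the cluster ENV block, `CLUSTER_INITIAL_MASTER_NODES` and `CLUSTER_DISCOVERY_SERVICE` are presented as knobs, but the new `10-config_cluster.sh` in this same patch derives `cluster.initial_master_nodes` from the hostname and reads only `CLUSTER_DISCOVERY_SEED`; unless another script consumes them, drop them or wire them in so the comment `# CLUSTER_INITIAL_MASTER_NODES set to own node by default.` is not misleading.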
@@ -61,7 +65,7 @@ COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./ RUN chmod +x ./load_settings.sh -RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip +RUN bin/elasticsearch-plugin install repository-s3 -b COPY config/configure_s3.sh ./config/configure_s3.sh RUN chmod 755 ./config/configure_s3.sh @@ -70,7 +74,7 @@ COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoi RUN chmod +x /entrypoint-scripts/10-config_cluster.sh COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh -RUN chmod +x /entrypoint-scripts/10-config_cluster.sh +RUN chmod +x /entrypoint-scripts/20-config_cluster.sh COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh RUN chmod +x /entrypoint-scripts/30-entrypoint.sh diff --git a/elasticsearch/config/10-config_cluster.sh b/elasticsearch/config/10-config_cluster.sh index 51924331..b68d59ae 100644 --- a/elasticsearch/config/10-config_cluster.sh +++ b/elasticsearch/config/10-config_cluster.sh 
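Review bot: `RUN chmod +x /entrypoint-scripts/20-config_cluster.sh` names a file that is never copied into the image; the COPY immediately above places `20-config_secure.sh`, so this chmod fails and the build stops (the old line at least pointed at an existing file). It should read `RUN chmod +x /entrypoint-scripts/20-config_secure.sh`. The entrypoint loop invokes each script with `bash "$script"`, so the executable bit is not what runs the script, but a failing RUN still breaks the image.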
@@ -1,36 +1,93 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" - original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml" +ELASTIC_HOSTAME=`hostname` + +echo "CLUSTER: - Prepare Configuration" +echo "CLUSTER: - Hostname" +echo $ELASTIC_HOSTAME +echo "CLUSTER: - Security main node" +echo $SECURITY_MAIN_NODE +echo "CLUSTER: - Discovery seed" +echo $CLUSTER_DISCOVERY_SEED +echo "CLUSTER: - Elastic cluster flag" +echo $ELASTIC_CLUSTER +echo "CLUSTER: - Node Master" +echo $CLUSTER_NODE_MASTER +echo "CLUSTER: - Node Data" +echo $CLUSTER_NODE_DATA +echo "CLUSTER: - Node Ingest" +echo $CLUSTER_NODE_INGEST cp $elastic_config_file $original_file -# If Elasticsearch cluster is enable -if [[ $ELASTIC_CLUSTER == "true" ]] -then - - # Set the cluster.name and discovery.zen.minimun_master_nodes variables - sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file +remove_single_node_conf(){ + if grep -Fq "discovery.type" $1; then + sed -i '/discovery.type\: /d' $1 + fi +} - # Add the cluster configuration - echo " -#cluster node -node: - master: ${CLUSTER_NODE_MASTER} - data: ${CLUSTER_NODE_DATA} - ingest: ${CLUSTER_NODE_INGEST} - name: ${CLUSTER_NODE_NAME} - max_local_storage_nodes: ${CLUSTER_MAX_NODES} +remove_cluster_config(){ + sed -i '/# cluster node/,/# end cluster config/d' $1 +} -bootstrap: - memory_lock: ${CLUSTER_MEMORY_LOCK} +# If Elasticsearch cluster is enable, then set up the elasticsearch.yml +if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then + # Remove the old configuration + remove_single_node_conf $elastic_config_file + remove_cluster_config $elastic_config_file + echo "CLUSTER: - Remove old configuration" -discovery: - zen: - 
ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE} - minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS} - -" >> $elastic_config_file +if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then +# Add the master configuration +# cluster.initial_master_nodes for bootstrap the cluster +echo "CLUSTER: - Add the master configuration" + +cat > $elastic_config_file << EOF +# cluster node +cluster.name: $CLUSTER_NAME +bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK +network.host: 0.0.0.0 +node.name: $ELASTIC_HOSTAME +node.master: $CLUSTER_NODE_MASTER +node.data: $CLUSTER_NODE_DATA +node.ingest: $CLUSTER_NODE_INGEST +node.max_local_storage_nodes: $CLUSTER_MAX_NODES +cluster.initial_master_nodes: + - $ELASTIC_HOSTAME +# end cluster config" +EOF + +elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then +# Remove the old configuration +remove_single_node_conf $elastic_config_file +remove_cluster_config $elastic_config_file +echo "CLUSTER: - Add standard cluster configuration." + +cat > $elastic_config_file << EOF +# cluster node +cluster.name: $CLUSTER_NAME +bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK +network.host: 0.0.0.0 +node.name: $ELASTIC_HOSTAME +node.master: $CLUSTER_NODE_MASTER +node.data: $CLUSTER_NODE_DATA +node.ingest: $CLUSTER_NODE_INGEST +node.max_local_storage_nodes: $CLUSTER_MAX_NODES +discovery.seed_hosts: + - $CLUSTER_DISCOVERY_SEED +# end cluster config" +EOF fi +# If the cluster is disabled, then set a single-node configuration +else + # Remove the old configuration + remove_single_node_conf $elastic_config_file + remove_cluster_config $elastic_config_file + echo "discovery.type: single-node" >> $elastic_config_file + echo "CLUSTER: - Discovery type: single-node" +fi + +echo "CLUSTER: - Configured" \ No newline at end of file diff --git a/elasticsearch/config/20-config_secure.sh b/elasticsearch/config/20-config_secure.sh index 30d0f080..d3ae3fcf 100644 --- a/elasticsearch/config/20-config_secure.sh +++ b/elasticsearch/config/20-config_secure.sh 
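Review bot: Both `cat > $elastic_config_file << EOF` blocks truncate `elasticsearch.yml` rather than append to it, which throws away every setting the base image ships and makes the `remove_single_node_conf`/`remove_cluster_config` calls just before them pointless, while the single-node branch appends with `>>`; change both to `cat >> "$elastic_config_file" << EOF` so the removal functions are what keeps the file clean. The closing line `# end cluster config"` carries a stray double quote in both heredocs; `remove_cluster_config`'s range pattern still matches, but the comment is emitted with a literal `"` and should be `# end cluster config`. When `ELASTIC_CLUSTER=true`, the host is not `$SECURITY_MAIN_NODE` and `CLUSTER_DISCOVERY_SEED` is empty, the script removes the old configuration and writes nothing, leaving the node with no discovery settings; an explicit `else echo "CLUSTER: - ERROR: no master match and no discovery seed" >&2` there would make that state visible. Nothing in this patch sets `SECURITY_MAIN_NODE` (docker-compose sets `CLUSTER_MASTER_NODE_NAME` instead), so as far as the diff shows the master branch is never taken.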
@@ -16,14 +16,21 @@ if [[ $SECURITY_ENABLED == "yes" ]]; then echo "Setting configuration options." + ELASTIC_HOSTNAME=`hostname` + POD_DNS="$ELASTIC_HOSTNAME.$NAMESPACE.pod.cluster.local" + SVC_DNS="elasticsearch.$NAMESPACE.svc.cluster.local" + # Create instances.yml for elasticsearch .p12 certificate and key echo " instances: - name: \"elasticsearch\" - dns: - - $SECURITY_CERTIFICATE_DNS + dns: + - \"$POD_DNS\" + - \"$SVC_DNS\" " > instances.yml + cp instances.yml /usr/share/elasticsearch + # Change permissions and owner of ca chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM @@ -32,6 +39,7 @@ instances: # Genereate .p12 certificate and key SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo` /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE + mv /usr/share/elasticsearch/certs.zip /usr/share/elasticsearch/config/certs.zip unzip certs.zip rm certs.zip @@ -108,4 +116,3 @@ xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/con echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin fi - diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh index b09df73b..259bf9da 100644 --- a/elasticsearch/config/configure_s3.sh +++ b/elasticsearch/config/configure_s3.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) set -e diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh index 333cc951..e64d5b9b 100644 --- a/elasticsearch/config/entrypoint.sh +++ b/elasticsearch/config/entrypoint.sh 
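Review bot: The certificate SANs are now hard-coded to Kubernetes names (`$ELASTIC_HOSTNAME.$NAMESPACE.pod.cluster.local` and `elasticsearch.$NAMESPACE.svc.cluster.local`) and the previous `$SECURITY_CERTIFICATE_DNS` entry is gone; outside Kubernetes `NAMESPACE` is unset, so the SAN becomes `elasticsearch..svc.cluster.local`, never matches the `elasticsearch` hostname that the compose clients connect to, and pushes every client toward disabling verification. Keep `- \"$SECURITY_CERTIFICATE_DNS\"` in the `dns:` list (or fall back to `$ELASTIC_HOSTNAME` when `NAMESPACE` is empty) so the certificate stays valid in both deployments. In the same block, the context line `SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`` derives the key passphrase from the current second, which is guessable; `openssl rand -base64 32`, as `20-entrypoint.sh` already uses for Kibana, is the right source. The enclosing `if [[ $SECURITY_ENABLED == "yes" ]]` block starts and ends outside this hunk.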
@@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # It will run every .sh script located in entrypoint-scripts folder in lexicographical order for script in `ls /entrypoint-scripts/*.sh | sort -n`; do diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh index e5a22bdc..b56b76da 100644 --- a/elasticsearch/config/load_settings.sh +++ b/elasticsearch/config/load_settings.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) set -e @@ -84,7 +84,7 @@ fi if [ ${SECURITY_ENABLED} != "no" ]; then auth="-uelastic:${ELASTIC_PASS} -k" -elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then +elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then auth="" else auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" 
@@ -160,22 +160,24 @@ if [[ $SECURITY_ENABLED == "yes" ]]; then fi fi -#Insert default templates - -sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json +# Modify wazuh-alerts template shards and replicas +sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json +sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json +# Insert default templates cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @- sleep 5 - +# Prepare Wazuh API credentials API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'` API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'` API_PASSWORD=`echo -n $API_PASS_Q | base64` echo "Setting API credentials into Wazuh APP" -CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth}) -if [ "x$CONFIG_CODE" = "x404" ]; then - curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d' +CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) + +if [ "x$CONFIG_CODE" != "x200" ]; then + curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d' { "api_user": "'"$API_USER_Q"'", "api_password": "'"$API_PASSWORD"'", diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 0f0cccdc..c407afad 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
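Review bot: The two new `sed` calls only match the literal defaults `"index.number_of_shards": "3"` and `"index.number_of_replicas": "0"`, so if the template fetched for `$TEMPLATE_VERSION` carries any other value the substitution silently does nothing and the cluster is loaded with upstream settings while `WAZUH_ALERTS_SHARDS`/`WAZUH_ALERTS_REPLICAS` look applied. Match any value and quote the variables, e.g. `sed -i 's:"index.number_of_shards"\: "[0-9]*":"index.number_of_shards"\: "'"$WAZUH_ALERTS_SHARDS"'":g' /usr/share/elasticsearch/config/wazuh-template.json`, and likewise for replicas. Changing the guard to `if [ "x$CONFIG_CODE" != "x200" ]` also makes a 401/403/5xx on the GET trigger the POST, which will fail for the same reason; treating only `404` as "create" and logging other codes keeps the failure mode explicit.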
@@ -1,9 +1,12 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:6.8.2 -ARG WAZUH_APP_VERSION=3.9.4_6.8.2 +FROM docker.elastic.co/kibana/kibana:7.2.1 +ARG ELASTIC_VERSION=7.2.1 +ARG WAZUH_VERSION=3.9.5 +ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" + USER root -ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp +ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp # This CA is created for testing. Please set your own CA pem signed certificate. # command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= @@ -15,9 +18,8 @@ ARG SECURITY_CA_PEM_LOCATION="" # CA for secure communication with Elastic ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config -RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\ - chown -R kibana:kibana /usr/share/kibana &&\ - rm -rf /tmp/* +RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip +RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip RUN yum install openssl -y @@ -90,4 +92,11 @@ RUN ./welcome_wazuh.sh RUN /usr/local/bin/kibana-docker --optimize +USER root + +RUN chmod 777 /usr/share/kibana/plugins/wazuh/config.yml +RUN chmod 777 /usr/share/kibana/plugins/wazuh + +USER kibana + ENTRYPOINT ./entrypoint.sh diff --git a/kibana/config/10-wazuh_app_config.sh b/kibana/config/10-wazuh_app_config.sh index 6fffd005..5f238325 100644 --- a/kibana/config/10-wazuh_app_config.sh +++ b/kibana/config/10-wazuh_app_config.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml" diff --git a/kibana/config/20-entrypoint.sh b/kibana/config/20-entrypoint.sh index 08584d1e..063ec5cf 100644 --- a/kibana/config/20-entrypoint.sh 
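Review bot: `RUN chmod 777 /usr/share/kibana/plugins/wazuh/config.yml` and `RUN chmod 777 /usr/share/kibana/plugins/wazuh` make the plugin directory and its configuration world-writable, so any process in the container can rewrite the app configuration or drop files into the plugin tree; the `chown -R kibana:kibana /usr/share/kibana` this hunk removes was the right way to let the `kibana` user write there. Replace the two chmods with `RUN chown -R kibana:kibana /usr/share/kibana/plugins/wazuh && chmod 750 /usr/share/kibana/plugins/wazuh && chmod 640 /usr/share/kibana/plugins/wazuh/config.yml`. Separately, `ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp` downloads the plugin at build time with no checksum; verifying it with `sha256sum -c` against a pinned digest before `kibana-plugin install` would close that gap.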
+++ b/kibana/config/20-entrypoint.sh @@ -106,11 +106,11 @@ server.ssl.supportedProtocols: pushd $CA_PATH - chown kibana: $CA_PATH/$SECURITY_CA_PEM - chmod 400 $CA_PATH/$SECURITY_CA_PEM + # chown kibana: $CA_PATH/$SECURITY_CA_PEM + # chmod 400 $CA_PATH/$SECURITY_CA_PEM SECURITY_KEY_PASS=`openssl rand -base64 32` openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null - chown -R kibana: $CA_PATH/ssl + # chown -R kibana: $CA_PATH/ssl chmod -R 770 $CA_PATH/ssl chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh index 333cc951..ca575d93 100644 --- a/kibana/config/entrypoint.sh +++ b/kibana/config/entrypoint.sh @@ -1,8 +1,8 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # It will run every .sh script located in entrypoint-scripts folder in lexicographical order for script in `ls /entrypoint-scripts/*.sh | sort -n`; do bash "$script" -done \ No newline at end of file +done diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index ce21430d..9c984bc8 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh @@ -1,6 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) WAZUH_MAJOR=3 
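Review bot: Commenting out `chown kibana: $CA_PATH/$SECURITY_CA_PEM`, `chmod 400 $CA_PATH/$SECURITY_CA_PEM` and `chown -R kibana: $CA_PATH/ssl` leaves dead lines with no explanation; presumably the entrypoint no longer runs as root (the Dockerfile now ends with `USER kibana`), but a reader cannot tell whether ownership is set elsewhere or simply lost. Delete the lines and add a comment such as `# Ownership is fixed at build time; the entrypoint runs as kibana and cannot chown`, and keep `chmod 400 $CA_PATH/$SECURITY_CA_PEM` if the file is owned by kibana, since chmod needs no root in that case. The surrounding block (from `pushd $CA_PATH`) starts and ends outside this hunk.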
@@ -19,9 +18,30 @@ WAZUH_MAJOR=3 # Customize elasticsearch ip ############################################################################## if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then + sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml fi +# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. +if [ "$KIBANA_INDEX" != "" ]; then + if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then + sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml + fi + echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml +fi + +# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false. +if [ "$XPACK_SECURITY_ENABLED" != "" ]; then + if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then + sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml + fi + echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml +fi + +############################################################################## +# Set url and credentials +############################################################################## + if [ "$KIBANA_IP" != "" ]; then kibana_ip="$KIBANA_IP" else @@ -51,7 +71,7 @@ fi if [ ${SECURITY_ENABLED} != "no" ]; then - auth="-u $KIBANA_USER:${KIBANA_PASS}" + auth="-k -u $KIBANA_USER:${KIBANA_PASS}" kibana_secure_ip="https://$kibana_ip" else auth="" @@ -59,7 +79,7 @@ else fi -while [[ "$(curl $auth -k -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do +while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done 
@@ -79,17 +99,17 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' sleep 5 # Do not ask user to help providing usage statistics to Elastic -curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' +curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' # Remove credentials file if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then diff --git a/kibana/config/welcome_wazuh.sh b/kibana/config/welcome_wazuh.sh index 1bcbc75b..c56fe9f4 100644 --- a/kibana/config/welcome_wazuh.sh +++ b/kibana/config/welcome_wazuh.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) if [[ $CHANGE_WELCOME == "true" ]] then 
@@ -8,20 +9,19 @@ then kibana_path="/usr/share/kibana" # Set Wazuh app as the default landing page echo "Set Wazuh app as the default landing page" - echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml + echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml # Redirect Kibana welcome screen to Discover echo "Redirect Kibana welcome screen to Discover" - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js + sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/legacy/ui/public/chrome/directives/header_global_nav/header_global_nav.js # Hide management undesired links echo "Hide management undesired links" - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/rollup/public/crud_app/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/license_management/public/management_section.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/index_lifecycle_management/public/register_management_section.js + 
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/cross_cluster_replication/public/register_routes.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/remote_clusters/public/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/upgrade_assistant/public/index.js fi diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh index 454072e8..64a01858 100644 --- a/kibana/config/xpack_config.sh +++ b/kibana/config/xpack_config.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/config/kibana.yml" if grep -Fq "#xpack features" "$kibana_config_file"; @@ -9,7 +10,6 @@ then [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS [xpack.ml.enabled]=$XPACK_ML [xpack.canvas.enabled]=$XPACK_CANVAS - [xpack.logstash.enabled]=$XPACK_LOGS [xpack.infra.enabled]=$XPACK_INFRA [xpack.monitoring.enabled]=$XPACK_MONITORING [xpack.maps.enabled]=$XPACK_MAPS @@ -30,7 +30,6 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS xpack.searchprofiler.enabled: $XPACK_DEVTOOLS xpack.ml.enabled: $XPACK_ML xpack.canvas.enabled: $XPACK_CANVAS -xpack.logstash.enabled: $XPACK_LOGS xpack.infra.enabled: $XPACK_INFRA xpack.monitoring.enabled: $XPACK_MONITORING xpack.maps.enabled: $XPACK_MAPS diff --git a/logstash/Dockerfile b/logstash/Dockerfile index f713b31e..000dde07 100644 --- a/logstash/Dockerfile +++ b/logstash/Dockerfile @@ -1,5 +1,7 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/logstash/logstash:6.8.2 + +ARG LOGSTASH_VERSION=7.2.1 +FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION} COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh diff --git a/logstash/config/01-wazuh.conf b/logstash/config/01-wazuh.conf index 5b0dc1bc..57a6dba5 100644 --- a/logstash/config/01-wazuh.conf +++ b/logstash/config/01-wazuh.conf 
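Review bot: Each `sed -i` in the "Hide management undesired links" block targets a fixed path inside the Kibana 7.2.1 tree; if any of the six files is absent (the commit already dropped the `global_nav.html` target that moved), `sed` prints an error, the link stays visible, and with no `set -e` visible the script continues as if nothing happened. Guard each target with an existence check and log a warning so a silent no-op is at least diagnosable. The enclosing `if [[ $CHANGE_WELCOME == "true" ]]` starts outside this hunk.
```shell
  # Hide management undesired links
  echo "Hide management undesired links"
  for rel in x-pack/plugins/rollup/public/crud_app/index.js \
             x-pack/plugins/license_management/public/management_section.js \
             x-pack/plugins/index_lifecycle_management/public/register_management_section.js \
             x-pack/plugins/cross_cluster_replication/public/register_routes.js \
             x-pack/plugins/remote_clusters/public/index.js \
             x-pack/plugins/upgrade_assistant/public/index.js; do
    if [ -f "$kibana_path/$rel" ]; then
      sed -i 's#visible: true#visible: false#g' "$kibana_path/$rel"
    else
      echo "WARNING: $rel not found; management link left visible" >&2
    fi
  done
```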
@@ -4,12 +4,16 @@ input {
 beats {
 port => 5000
- codec => "json_lines"
 # ssl => true
 # ssl_certificate => "/etc/logstash/logstash.crt"
 # ssl_key => "/etc/logstash/logstash.key"
 }
 }
+filter {
+ json {
+ source => "message"
+ }
+}
 filter {
 if [data][srcip] {
 mutate {
@@ -30,17 +34,16 @@ filter {
 }
 date {
 match => ["timestamp", "ISO8601"]
- target => "@timestamp"
+ target => "timestamp"
 }
 mutate {
- remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
+ remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
 }
 }
 output {
 elasticsearch {
 hosts => ["elasticsearch:9200"]
 index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
- document_type => "wazuh"
 #user => service_logstash
 #password => service_logstash_internal_password
 #ssl => true
diff --git a/logstash/config/10-entrypoint.sh b/logstash/config/10-entrypoint.sh
index c441577b..16c3f490 100644
--- a/logstash/config/10-entrypoint.sh
+++ b/logstash/config/10-entrypoint.sh
@@ -133,12 +133,15 @@ sleep 2
 # Remove credentials file
 ##############################################################################
+>&2 echo "Removing unnecessary files."
+
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
 echo "Security credentials file not used. Nothing to do."
 else
 shred -zvu ${SECURITY_CREDENTIALS_FILE}
 fi
+>&2 echo "Unnecessary files removed."
 ##############################################################################
 # Map environment variables to entries in logstash.yml.
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 9ed0950e..2ca20d6f 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 ENV DEBIAN_FRONTEND noninteractive
diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh
index 385d7aa8..468c8a92 100644
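Review bot: The new `json { source => "message" }` filter leaves the raw `message` field on every event after decoding it, so each alert is stored twice in Elasticsearch (once as parsed fields, once as the original string), and a line that fails to parse only receives the default `_jsonparsefailure` tag before falling through to the following filters and the output. Dropping the duplicate is a one-line change to the filter, `json { source => "message" remove_field => ["message"] }`, which only removes the field when decoding succeeded. Unparseable lines are then still indexed as bare strings; a guard such as `if "_jsonparsefailure" in [tags] { drop { } }` (or routing them to a separate index) keeps them out of the alert index while still leaving a trace in the Logstash log. The `tags` field is removed by the later `mutate` in this file, so any such check has to come before it.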
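Review bot: Changing the date filter to `target => "timestamp"` means `@timestamp` is no longer set from the alert's own timestamp and falls back to the time Logstash received the event, while the output still names the index `wazuh-alerts-3.x-%{+YYYY.MM.dd}`, which is derived from `@timestamp`. Alerts that are buffered or replayed by Filebeat (for instance after a container restart) will therefore land in the daily index of the day they were ingested rather than the day they fired, which skews any timeline or retention policy built on `@timestamp`. If the intent is only to keep a parsed `timestamp` field for the Wazuh app, keep the original mapping as well by adding a second filter, `date { match => ["timestamp", "ISO8601"] }` (its default target is `@timestamp`), next to the existing one.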
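Review bot: The added `>&2 echo "Unnecessary files removed."` runs after both branches, so when `SECURITY_CREDENTIALS_FILE` is empty the log shows "Nothing to do." immediately followed by "removed.", which misreports what happened; move the line inside the `else` branch or make it branch-neutral, e.g. `>&2 echo "Credentials cleanup finished."`. Since the new messages now advertise a cleanup step, it is also worth quoting the variable on the existing `shred -zvu "${SECURITY_CREDENTIALS_FILE}"` line and logging when it fails, because `shred` only reports problems through its exit status and, on copy-on-write or overlay filesystems, overwriting the original blocks is not guaranteed, so the removal message should not be read as a guarantee that the secret is unrecoverable.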
--- a/nginx/config/entrypoint.sh
+++ b/nginx/config/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 set -e
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile
index 470771f2..b90e30a5 100644
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -1,13 +1,15 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
 # Arguments
-ARG FILEBEAT_VERSION=6.8.2
-ARG WAZUH_VERSION=3.9.4-1
+ARG FILEBEAT_VERSION=7.2.1
+ARG WAZUH_VERSION=3.9.5-1
 # Environment variables
 ENV API_USER="foo" \
- API_PASS="bar"
+ API_PASS="bar"
+
+ARG TEMPLATE_VERSION="v3.9.5"
 # Install packages
 RUN set -x && \
@@ -39,9 +41,9 @@ RUN set -x && \
 # Services
 RUN mkdir /etc/service/wazuh && \
- mkdir /etc/service/wazuh-api && \
- mkdir /etc/service/postfix && \
- mkdir /etc/service/filebeat
+ mkdir /etc/service/wazuh-api && \
+ mkdir /etc/service/postfix && \
+ mkdir /etc/service/filebeat
 COPY config/wazuh.runit.service /etc/service/wazuh/run
 COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
@@ -49,9 +51,9 @@ COPY config/postfix.runit.service /etc/service/postfix/run
 COPY config/filebeat.runit.service /etc/service/filebeat/run
 RUN chmod +x /etc/service/wazuh-api/run && \
- chmod +x /etc/service/wazuh/run && \
- chmod +x /etc/service/postfix/run && \
- chmod +x /etc/service/filebeat/run
+ chmod +x /etc/service/wazuh/run && \
+ chmod +x /etc/service/postfix/run && \
+ chmod +x /etc/service/filebeat/run
 # Copy configuration files from repository
 COPY config/filebeat.yml /etc/filebeat/
diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh
index ed31fc84..36c776bd 100644
--- a/wazuh/config/entrypoint.sh
+++ b/wazuh/config/entrypoint.sh
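Review bot: The new `ARG TEMPLATE_VERSION="v3.9.5"` encodes the same release as `ARG WAZUH_VERSION=3.9.5-1` in a second, hand-maintained form, so the two can drift on the next bump; if the `vX.Y.Z` tag is needed by a later `RUN` step (presumably to fetch the index template — that use is outside the hunk), it can be derived there in the shell as `v${WAZUH_VERSION%-*}` instead of being declared separately. The hunk also keeps `ENV API_USER="foo"` and `API_PASS="bar"` baked into the image metadata (only re-indented here); these are default API credentials readable by anyone who can inspect the image, so a comment stating that the entrypoint must override them, or moving them to runtime configuration, would make the intent explicit. `FROM phusion/baseimage:latest` remains an unpinned mutable tag, which makes rebuilds of this release non-reproducible.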
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
diff --git a/wazuh/config/filebeat.runit.service b/wazuh/config/filebeat.runit.service
index 2a46f7b0..9b048caa 100644
--- a/wazuh/config/filebeat.runit.service
+++ b/wazuh/config/filebeat.runit.service
@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service filebeat start
 tail -f /var/log/filebeat/filebeat
diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml
index bb02a5d8..f7879997 100644
--- a/wazuh/config/filebeat.yml
+++ b/wazuh/config/filebeat.yml
@@ -1,18 +1,13 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh - Filebeat configuration file
 filebeat:
- prospectors:
+ inputs:
 - type: log
 paths:
 - "/var/ossec/logs/alerts/alerts.json"
- document_type: json
- json.message_key: log
- json.keys_under_root: true
- json.overwrite_keys: true
- tail_files: true
 output:
 logstash:
 # The Logstash hosts
- hosts: ["logstash:5000"]
+ hosts: ["logstash:5000"]
 # ssl:
-# certificate_authorities: ["/etc/filebeat/logstash.crt"]
+# certificate_authorities: ["/etc/filebeat/logstash.crt"]
\ No newline at end of file
diff --git a/wazuh/config/postfix.runit.service b/wazuh/config/postfix.runit.service
index 02856a35..e900b5e5 100644
--- a/wazuh/config/postfix.runit.service
+++ b/wazuh/config/postfix.runit.service
@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log
diff --git a/wazuh/config/wazuh-api.runit.service b/wazuh/config/wazuh-api.runit.service
index a2bce18d..032e3738 100644
--- a/wazuh/config/wazuh-api.runit.service
+++ b/wazuh/config/wazuh-api.runit.service
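Review bot: Dropping `tail_files: true` from the new `inputs` entry changes first-start behaviour: Filebeat now reads `/var/ossec/logs/alerts/alerts.json` from the beginning, so on a recreated container whose `alerts.json` lives on a persisted volume but whose Filebeat registry does not, the entire alert history is shipped and indexed a second time. Either persist the registry directory alongside the logs, or restore `tail_files: true` with a comment recording the choice, since both duplicates and silently skipped backlog matter for an alert pipeline. The JSON decoding that used to happen here (`json.keys_under_root` and friends) now lives in the Logstash pipeline, which is worth a one-line comment above `inputs:` so the two files are kept in sync, and the file now ends without a trailing newline (`\ No newline at end of file`).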
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-api start
 tail -f /var/ossec/logs/api.log
diff --git a/wazuh/config/wazuh.runit.service b/wazuh/config/wazuh.runit.service
index 03c10850..c1b5b30e 100644
--- a/wazuh/config/wazuh.runit.service
+++ b/wazuh/config/wazuh.runit.service
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
 tail -f /var/ossec/logs/ossec.log