Merge pull request #28 from wazuh/dev

Enhancements and fixes

docker-compose.yml

@@ -35,16 +35,30 @@ services:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
+      - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: elasticsearch:5.5.2
+    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.4
     hostname: elasticsearch
     restart: always
-    command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
     ports:
       - "9200:9200"
-      - "9300:9300"
+#      - "9300:9300"
     environment:
-      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
+      - node.name=node-1
+      - cluster.name=wazuh
+      - network.host=0.0.0.0
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=false
+      - xpack.monitoring.enabled=false
+      - xpack.ml.enabled=false
+      - xpack.watcher.enabled=false
+      - xpack.graph.enabled=false
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    mem_limit: 2g
 #    volumes:
 #      - my-path:/usr/share/elasticsearch/data
     networks:
@@ -53,17 +67,34 @@ services:
     image: wazuh/wazuh-kibana
     hostname: kibana
     restart: always
-    ports:
-      - "5601:5601"
+#    ports:
+#      - "5601:5601"
     networks:
         - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
-    entrypoint: sh wait-for-it.sh elasticsearch
+      - wazuh
+    entrypoint: /wait-for-it.sh elasticsearch
 #    environment:
 #      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
+  nginx:
+    image: wazuh/wazuh-nginx
+    hostname: nginx
+    restart: always
+    entrypoint: /run.sh
+    environment:
+      - NGINX_PORT=443
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - docker_elk
+    depends_on:
+      - kibana
+    links:
+      - kibana
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,7 +1,9 @@
-FROM kibana:5.5.2
+FROM docker.elastic.co/kibana/kibana:5.6.4
 
-RUN apt-get update && apt-get install -y curl
+USER root
 
-COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
+COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
 
-COPY config/wait-for-it.sh /
+COPY config/wait-for-it.sh /wait-for-it.sh
+
+RUN chmod 755 /wait-for-it.sh

kibana/config/kibana.yml

@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
 # logging.silent: false
 
 # Set the value of this setting to true to suppress all logging output other than error messages.
-# logging.quiet: false
+logging.quiet: true
 
 # Set the value of this setting to true to log all events, including system usage information
 # and all requests.
@@ -90,3 +90,10 @@ elasticsearch.url: "http://elasticsearch:9200"
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 10000.
 # ops.interval: 10000
+
+xpack.security.enabled: false
+xpack.grokdebugger.enabled: false
+xpack.graph.enabled: false
+xpack.ml.enabled: false
+xpack.monitoring.enabled: false
+xpack.reporting.enabled: false

kibana/config/wait-for-it.sh

@@ -5,15 +5,13 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.2.zip}
+WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_5.6.4.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
-  sleep 1
+  sleep 5
 done
 
-sleep 30
-
 >&2 echo "Elastic is up - executing command"
 
 if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
@@ -22,4 +20,37 @@ else
   /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
 fi
 
+sleep 30
+
+echo "Configuring defaultIndex to wazuh-alerts-*"
+
+curl -s -XPUT http://$host:9200/.kibana/config/5.6.4 -H 'Content-Type: application/json' -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
+
+echo "Setting API credentials into Wazuh APP"
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "foo",
+    "api_password": "YmFy",
+    "url": "https://wazuh",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "active": "true",
+    "manager": "wazuh-manager",
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+
+sleep 5
+
 exec $cmd

logstash/Dockerfile

@@ -1,12 +1,4 @@
-FROM logstash:5.5.2
-
-RUN apt-get update
+FROM docker.elastic.co/logstash/logstash:5.6.4
 
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
 COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
-
-
-ADD config/run.sh /tmp/run.sh
-RUN chmod 755 /tmp/run.sh
-
-ENTRYPOINT ["/tmp/run.sh"]

nginx/Dockerfile

@@ -0,0 +1,7 @@
+FROM nginx:latest
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY ./config/run.sh /run.sh
+
+RUN chmod 755 /run.sh

nginx/config/run.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -d /etc/pki/tls/certs ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting Nginx credentials"
+  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+else
+  echo "Kibana credentials already configured"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:$NGINX_PORT\$request_uri;
+}
+
+server {
+    listen $NGINX_PORT default_server;
+    listen [::]:$NGINX_PORT;
+    ssl on;
+    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
+    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://kibana:5601/;
+    }
+}
+EOF
+
+echo "Starting Nginx"
+nginx -g 'daemon off; error_log /dev/stdout info;'

wazuh/Dockerfile

@@ -1,16 +1,15 @@
-FROM centos:latest
-ARG FILEBEAT_VERSION=5.5.2
-COPY config/*.repo /etc/yum.repos.d/
+FROM phusion/baseimage:latest
+ARG FILEBEAT_VERSION=5.6.4
 
-RUN yum -y update; yum clean all;
-RUN yum -y install epel-release openssl useradd; yum clean all
-RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
+RUN apt-get update; apt-get -y dist-upgrade
+RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
-RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
-    yum install -y nodejs
-RUN yum install -y wazuh-manager wazuh-api
-
+RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
+    apt-get install -y nodejs
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+RUN echo "deb https://packages.wazuh.com/apt $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/wazuh.list
+RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
 
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
@@ -19,9 +18,8 @@ RUN chmod 755 /init.bash &&\
   sync && /init.bash &&\
   sync && rm /init.bash
 
-
-RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
-  rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
 
 COPY config/filebeat.yml /etc/filebeat/
 

wazuh/config/run.sh

@@ -15,12 +15,31 @@ source /data_dirs.env
 FIRST_TIME_INSTALLATION=false
 DATA_PATH=/var/ossec/data
 
+print() {
+    echo -e $1
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
 for ossecdir in "${DATA_DIRS[@]}"; do
   if [ ! -e "${DATA_PATH}/${ossecdir}" ]
   then
-    echo "Installing ${ossecdir}"
-    mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
-    cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
+    print "Installing ${ossecdir}"
+    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
+    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
     FIRST_TIME_INSTALLATION=true
   fi
 done
@@ -30,29 +49,37 @@ chgrp ossec ${DATA_PATH}/process_list
 chmod g+rw ${DATA_PATH}/process_list
 
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 
 if [ $FIRST_TIME_INSTALLATION == true ]
 then
-
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
     then
-      echo "Creating ossec-authd key and cert"
-      openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
-      openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
-        -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
-        -subj /CN=${HOSTNAME}/
+      print "Creating ossec-authd key and cert"
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+    fi
+  fi
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
+    then
+      print "Enabling Wazuh API HTTPS"
+      edit_configuration "https" "yes"
+      print "Create Wazuh API key and cert"
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
     fi
   fi
 fi
 
+#Enabling ossec-authd.
+exec_cmd "/var/ossec/bin/ossec-control enable auth"
+
 function ossec_shutdown(){
-  /var/ossec/bin/ossec-control stop;
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-     kill $AUTHD_PID
-  fi
+  ${DATA_PATH}/bin/ossec-control stop;
 }
 
 # Trap exit signals and do a proper shutdown
@@ -60,20 +87,9 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
 
 chmod -R g+rw ${DATA_PATH}
 
-if [ $AUTO_ENROLLMENT_ENABLED == true ]
-then
-  echo "Starting ossec-authd..."
-  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
-  AUTHD_PID=$!
-fi
-sleep 15 # give ossec a reasonable amount of time to start before checking status
-LAST_OK_DATE=`date +%s`
-
-## Start services
-/usr/sbin/postfix start
-/bin/node /var/ossec/api/app.js &
-/usr/bin/filebeat.sh &
-/var/ossec/bin/ossec-control restart
-
+service postfix start
+service wazuh-api start
+service wazuh-manager start
+service filebeat start
 
 tail -f /var/ossec/logs/ossec.log