paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-23 04:51:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #263 from wazuh/elastic-7-cloud

Browse Source
This commit is contained in:
Jesús Linares
2019-10-10 16:24:50 +02:00
committed by GitHub
parent 7a8b332c93 2113b5b3d5
commit 4d6f09cec8
56 changed files with 1621 additions and 713 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
CHANGELOG.md
View File

@@ -1,18 +1,51 @@
# Change Log
All notable changes to this project will be documented in this file.
## Wazuh Docker v3.9.4_6.8.1
## Wazuh Docker v3.10.2_7.3.2
### Added
- Update to Wazuh version 3.10.2_7.3.2
## Wazuh Docker v3.10.0_7.3.2
### Added
- Update to Wazuh version 3.10.0_7.3.2
## Wazuh Docker v3.9.5_7.2.1
### Added
- Update to Wazuh version 3.9.5_7.2.1
## Wazuh Docker v3.9.4_7.2.0
### Added
- Update to Wazuh version 3.9.4_7.2.0
- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
## Wazuh Docker v3.9.3_7.2.0
### Fixed
- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
## Wazuh Docker v3.9.2_7.1.1
### Added
- Update to Wazuh version 3.9.2_7.1.1
## Wazuh Docker v3.9.3_6.8.1
### Added
- Update to Wazuh version 3.9.3_6.8.1
### Added
- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
## Wazuh Docker v3.9.2_6.8.0
### Added
@@ -20,6 +53,13 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.2_6.8.0
## Wazuh Docker v3.9.1_7.1.0
### Added
- Support for Elastic v7.1.0
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
## Wazuh Docker v3.9.1_6.8.0
### Added
@@ -31,6 +71,15 @@ All notable changes to this project will be documented in this file.
- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
## Wazuh Docker v3.9.1_7.1.0
### Added
- Support for Elastic v7.1.0
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
## Wazuh Docker v3.9.0_6.7.2
### Changed

10
README.md
View File

@@ -8,7 +8,6 @@
In this repository you will find the containers to run:
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
@@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
│   │   └── kibana.yml
│   └── Dockerfile
├── LICENSE
├── logstash
│   ├── config
│   │   ├── 01-wazuh.conf
│   │   └── run.sh
│   └── Dockerfile
├── nginx
│   ├── config
│   │   └── entrypoint.sh
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
* `stable` branch on correspond to the latest Wazuh-Docker stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Credits and Thank you
@@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
## Web references

4
VERSION
View File

@@ -1,2 +1,2 @@
WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
REVISION="3942"
WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
REVISION="31020"

88
docker-compose.yml
View File

@@ -3,7 +3,7 @@ version: '2'
services:
wazuh:
image: wazuh/wazuh:3.9.3_6.8.1
image: wazuh/wazuh:3.10.2_7.3.2
hostname: wazuh-manager
restart: always
ports:
@@ -13,63 +13,52 @@ services:
- "55000:55000"
depends_on:
- logstash
logstash:
image: wazuh/wazuh-logstash:3.9.3_6.8.1
hostname: logstash
restart: always
links:
- elasticsearch:elasticsearch
ports:
- "5000:5000"
depends_on:
- elasticsearch
environment:
- LS_HEAP_SIZE=2048m
- SECURITY_ENABLED=yes
- SECURITY_LOGSTASH_USER=service_logstash
- SECURITY_LOGSTASH_PASS=logstash_pass
- LOGSTASH_OUTPUT=https://elasticsearch:9200
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
# logstash:
# image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
# hostname: logstash
# restart: always
# links:
# - elasticsearch:elasticsearch
# ports:
# - "5000:5000"
# depends_on:
# - elasticsearch
# environment:
# - LS_HEAP_SIZE=2048m
# - SECURITY_ENABLED=no
# - SECURITY_LOGSTASH_USER=service_logstash
# - SECURITY_LOGSTASH_PASS=logstash_pass
# - LOGSTASH_OUTPUT=https://elasticsearch:9200
# - ELASTICSEARCH_URL=https://elasticsearch:9200
# - SECURITY_CA_PEM=server.TEST-CA-signed.pem
elasticsearch:
image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- node.name=node-1
- cluster.name=wazuh
- network.host=0.0.0.0
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTICSEARCH_PROTOCOL=https
- ELASTICSEARCH_PROTOCOL=http
- ELASTICSEARCH_IP=elasticsearch
- ELASTICSEARCH_PORT=9200
- SECURITY_ENABLED=yes
- SECURITY_ADMIN_USER=wazuh_admin
- SECURITY_ADMIN_PASS=admin_pass
- SECURITY_ENABLED=no
- SECURITY_ELASTIC_PASSWORD=elastic_pass
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- SECURITY_LOGSTASH_USER=service_logstash
- SECURITY_LOGSTASH_PASS=logstash_pass
- SECURITY_CA_PASSPHRASE=ca_pass
- SECURITY_CERTIFICATE_DNS=elasticsearch
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
- SECURITY_CA_KEY=server.TEST-CA.key
- SECURITY_CA_TRUST=server.TEST-CA-signed.pem
- SECURITY_MAIN_NODE=elasticsearch
- SECURITY_OPENSSL_CONF=TEST_openssl.cnf
- SECURITY_MONITORING_USER=service_monitoring
- SECURITY_MONITORING_PASS=monitoring_pass
- ELASTIC_CLUSTER=true
- CLUSTER_NODE_MASTER=true
- CLUSTER_MASTER_NODE_NAME=elasticsearch
- CLUSTER_NODE_DATA=true
- CLUSTER_NODE_INGEST=true
- CLUSTER_MAX_NODES=3
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
kibana:
image: wazuh/wazuh-kibana:3.9.3_6.8.1
image: wazuh/wazuh-kibana:3.10.2_7.3.2
hostname: kibana
restart: always
depends_on:
@@ -79,7 +68,7 @@ services:
- wazuh:wazuh
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_ENABLED=yes
- SECURITY_ENABLED=no
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
@@ -88,3 +77,18 @@ services:
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
ports:
- "5601:5601"
nginx:
image: wazuh/wazuh-nginx:3.10.2_7.3.2
hostname: nginx
restart: always
environment:
- NGINX_PORT=443
- NGINX_CREDENTIALS
ports:
- "80:80"
- "443:443"
depends_on:
- kibana
links:
- kibana:kibana

71
elasticsearch/Dockerfile
View File

@@ -1,8 +1,9 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG ELASTIC_VERSION=7.3.2
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
ARG TEMPLATE_VERSION=v3.10.2
ENV ALERTS_SHARDS="1" \
ALERTS_REPLICAS="0"
ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
ENV API_USER="foo" \
API_PASS="bar"
@@ -11,8 +12,13 @@ ENV XPACK_ML="true"
ENV ENABLE_CONFIGURE_S3="false"
ENV TEMPLATE_VERSION=v3.9.4
ENV WAZUH_ALERTS_SHARDS="1" \
WAZUH_ALERTS_REPLICAS="0"
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
RUN yum install epel-release -y && \
yum install jq -y
# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate.
# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
@@ -29,19 +35,19 @@ ARG SECURITY_CA_TRUST_LOCATION=""
# Elasticearch cluster configuration environment variables
# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
ENV ELASTIC_CLUSTER="false" \
CLUSTER_NAME="wazuh" \
CLUSTER_NODE_MASTER="true" \
CLUSTER_NODE_MASTER="false" \
CLUSTER_NODE_DATA="true" \
CLUSTER_NODE_INGEST="true" \
CLUSTER_NODE_NAME="wazuh-elasticsearch" \
CLUSTER_MEMORY_LOCK="true" \
CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
CLUSTER_NUMBER_OF_MASTERS="2" \
CLUSTER_MAX_NODES="1" \
CLUSTER_DELAYED_TIMEOUT="1m"
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
CLUSTER_DELAYED_TIMEOUT="1m" \
CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
CLUSTER_DISCOVERY_SEED="elasticsearch"
# CA cert for Transport SSL
ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
@@ -49,31 +55,42 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config
RUN yum install openssl -y
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
RUN chmod +x ./load_settings.sh
RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
COPY config/configure_s3.sh ./config/configure_s3.sh
RUN chmod 755 ./config/configure_s3.sh
RUN bin/elasticsearch-plugin install repository-s3 -b
COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
chmod +x /entrypoint-scripts/20-security_instances.sh && \
chmod +x /entrypoint-scripts/22-security_certs.sh && \
chmod +x /entrypoint-scripts/24-security_configuration.sh && \
chmod +x /entrypoint-scripts/26-security_keystore.sh && \
chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/35-entrypoint.sh && \
chmod +x ./35-entrypoint_load_settings.sh && \
chmod 755 ./config/35-load_settings_configure_s3.sh && \
chmod +x ./35-load_settings_users_management.sh && \
chmod +x ./35-load_settings_policies.sh && \
chmod +x ./35-load_settings_templates.sh && \
chmod +x ./35-load_settings_aliases.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

107
elasticsearch/config/10-config_cluster.sh
View File

@@ -1,36 +1,93 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
ELASTIC_HOSTAME=`hostname`
echo "CLUSTER: - Prepare Configuration"
echo "CLUSTER: - Hostname"
echo $ELASTIC_HOSTAME
echo "CLUSTER: - Security main node"
echo $SECURITY_MAIN_NODE
echo "CLUSTER: - Discovery seed"
echo $CLUSTER_DISCOVERY_SEED
echo "CLUSTER: - Elastic cluster flag"
echo $ELASTIC_CLUSTER
echo "CLUSTER: - Node Master"
echo $CLUSTER_NODE_MASTER
echo "CLUSTER: - Node Data"
echo $CLUSTER_NODE_DATA
echo "CLUSTER: - Node Ingest"
echo $CLUSTER_NODE_INGEST
cp $elastic_config_file $original_file
# If Elasticsearch cluster is enable
if [[ $ELASTIC_CLUSTER == "true" ]]
then
# Set the cluster.name and discovery.zen.minimun_master_nodes variables
sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
remove_single_node_conf(){
if grep -Fq "discovery.type" $1; then
sed -i '/discovery.type\: /d' $1
fi
}
# Add the cluster configuration
echo "
#cluster node
node:
master: ${CLUSTER_NODE_MASTER}
data: ${CLUSTER_NODE_DATA}
ingest: ${CLUSTER_NODE_INGEST}
name: ${CLUSTER_NODE_NAME}
max_local_storage_nodes: ${CLUSTER_MAX_NODES}
remove_cluster_config(){
sed -i '/# cluster node/,/# end cluster config/d' $1
}
bootstrap:
memory_lock: ${CLUSTER_MEMORY_LOCK}
# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Remove old configuration"
discovery:
zen:
ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
" >> $elastic_config_file
if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
# Add the master configuration
# cluster.initial_master_nodes for bootstrap the cluster
echo "CLUSTER: - Add the master configuration"
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
cluster.initial_master_nodes:
- $ELASTIC_HOSTAME
# end cluster config"
EOF
elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Add standard cluster configuration."
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
discovery.seed_hosts:
- $CLUSTER_DISCOVERY_SEED
# end cluster config"
EOF
fi
# If the cluster is disabled, then set a single-node configuration
else
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "discovery.type: single-node" >> $elastic_config_file
echo "CLUSTER: - Discovery type: single-node"
fi
echo "CLUSTER: - Configured"

11
elasticsearch/config/15-get_CA_key.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the CA key is encrypted, it must be decrypted for later use.
##############################################################################
echo "TO DO"
# TO DO

111
elasticsearch/config/20-config_secure.sh
View File

@@ -1,111 +0,0 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
##############################################################################
# Setup bootstrap password to chagne all Elastic Stack passwords.
# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Creating certificate."
pushd /usr/share/elasticsearch/config/
echo "Setting configuration options."
# Create instances.yml for elasticsearch .p12 certificate and key
echo "
instances:
- name: \"elasticsearch\"
dns:
- $SECURITY_CERTIFICATE_DNS
" > instances.yml
# Change permissions and owner of ca
chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
# Genereate .p12 certificate and key
SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
/usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
unzip certs.zip
rm certs.zip
# Change permissions and owner of certificates
chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
# Prepare directories for openssl
mkdir /root/ca
mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
chmod 700 /root/ca/private
touch /root/ca/index.txt
echo 1000 > /root/ca/serial
mkdir /root/ca/intermediate
mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
chmod 700 /root/ca/intermediate/private
touch /root/ca/intermediate/index.txt
echo 1000 > /root/ca/intermediate/serial
echo 1000 > /root/ca/intermediate/crlnumber
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
else
input=${SECURITY_CREDENTIALS_FILE}
CA_PASSPHRASE_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"CA_PASSPHRASE"* ]]; then
arrIN=(${line//:/ })
CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
fi
done < "$input"
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem
fi
chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
# remove CA key
rm $SECURITY_CA_KEY
popd
echo "Setting configuration options."
# Settings for elasticsearch.yml
echo "
# Required to set the passwords and TLS options
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
" >> $elastic_config_file
# Create keystore
/usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
fi

21
elasticsearch/config/20-security_instances.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# instances.yml
# This file is necessary for the creation of the Elasticsaerch certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Setting Elasticserach security."
# instance.yml to be added by the user.
# Example:
# echo "
# instances:
# - name: \"elasticsearch\"
# dns:
# - \"elasticsearch\"
# " > /user/share/elasticsearch/instances.yml
fi

16
elasticsearch/config/22-security_certs.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Creation and management of certificates.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security certificates."
# Creation of the certificate for Elasticsearch.
# After the execution of this script will have generated
# the Elasticsearch certificate and related keys and passphrase.
# Example: TO DO
fi

32
elasticsearch/config/24-security_configuration.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security configuration."
echo "SECURITY - Setting configuration options."
# Settings for elasticsearch.yml to be added by the user.
# Example:
# echo "
# # Required to set the passwords and TLS options
# xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# # HTTP layer
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.verification_mode: certificate
# xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# " >> /usr/share/elasticsearch/config/elasticsearch.yml
fi

21
elasticsearch/config/26-security_keystore.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach keystore management."
# Create keystore
# /usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore by the user.
# Example
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
else
echo "SECURITY - Elasticsearch security not established."
fi

15
elasticsearch/config/30-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

2
elasticsearch/config/30-entrypoint.sh → elasticsearch/config/35-entrypoint.sh
View File

@@ -43,7 +43,7 @@ fi
# Run load settings script.
bash /usr/share/elasticsearch/load_settings.sh &
bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
# Execute elasticsearch

265
elasticsearch/config/35-entrypoint_load_settings.sh Normal file
View File

@@ -0,0 +1,265 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url and Wazuh API url.
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
echo "LOAD SETTINGS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password and
# WAZUH API credentials.
##############################################################################
ELASTIC_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "LOAD SETTINGS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "LOAD SETTINGS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "LOAD SETTINGS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "LOAD SETTINGS - Elastic is up - executing command"
##############################################################################
# Configure S3 repository for Elasticsearch snapshots.
##############################################################################
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "S3 - Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3 - Path: $S3_PATH"
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "S3 - Elasticserach major version not given."
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Load custom policies.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
bash /usr/share/elasticsearch/35-load_settings_policies.sh
##############################################################################
# Modify wazuh-alerts template shards and replicas
##############################################################################
echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
##############################################################################
# Load default templates
##############################################################################
echo "LOAD SETTINGS - Loading wazuh-alerts template"
bash /usr/share/elasticsearch/35-load_settings_templates.sh
##############################################################################
# Load custom aliases.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
bash /usr/share/elasticsearch/35-load_settings_aliases.sh
##############################################################################
# Elastic Stack users creation.
# Only security main node can manage users.
##############################################################################
echo "LOAD SETTINGS - Run users_management.sh."
MY_HOSTNAME=`hostname`
echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
fi
##############################################################################
# Prepare Wazuh API credentials
##############################################################################
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
if [ "x$CONFIG_CODE" != "x200" ]; then
curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "LOAD SETTINGS - Wazuh APP already configured"
echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
elasticsearch_request=`curl -s $auth "$el_url"`
full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
type=`echo "$full_type" | tr -d '"'`
elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
elasticsearch_major="${elasticsearch_version:0:1}"
if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh"
},
"dest": {
"index": ".wazuh-backup"
}
}
'
echo "LOAD SETTINGS - Remove .wazuh index."
curl -s ${auth} -XDELETE "$el_url/.wazuh"
echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh-backup"
},
"dest": {
"index": ".wazuh"
}
}
'
curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
{
"index" : {
"number_of_replicas" : 0
}
}
'
fi
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
##############################################################################
# Set cluster delayed timeout when node falls
##############################################################################
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
echo "LOAD SETTINGS - cluster delayed timeout changed."
echo "LOAD SETTINGS - Elasticsearch is ready."

86
elasticsearch/config/35-load_settings_aliases.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "ALIASES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "ALIASES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "ALIASES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "ALIASES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "ALIASES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "ALIASES - Elastic is up - executing command"
##############################################################################
# Add custom aliases.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "ALIASES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

1
elasticsearch/config/configure_s3.sh → elasticsearch/config/35-load_settings_configure_s3.sh
View File

@@ -1,4 +1,5 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e

86
elasticsearch/config/35-load_settings_policies.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "POLICIES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "POLICIES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "POLICIES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "POLICIES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "POLICIES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "POLICIES - Elastic is up - executing command"
##############################################################################
# Add custom policies.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "POLICIES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

81
elasticsearch/config/35-load_settings_templates.sh Normal file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "TEMPLATES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "TEMPLATES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "TEMPLATES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "TEMPLATES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "TEMPLATES - Elastic is up - executing command"
##############################################################################
# Add wazuh-alerts templates.
##############################################################################
echo "TEMPLATES - Loading default wazuh-alerts template."
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

100
elasticsearch/config/35-load_settings_users_management.sh Normal file
View File

@@ -0,0 +1,100 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "USERS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "USERS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "USERS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "USERS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "USERS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "USERS - Elastic is up - executing command"
##############################################################################
# Setup passwords for Elastic Stack users.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "USERS - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
# { "indices": [ { "names": [ ".kibana*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"], "privileges": ["all"] }] }'
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user' -d '
# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"], "full_name" : "Custom User" }'
##############################################################################
# Remove credentials file.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "USERS - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
echo "USERS - Security credentials file removed."
fi

2
elasticsearch/config/entrypoint.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do

232
elasticsearch/config/load_settings.sh
View File

@@ -1,232 +0,0 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
ELASTIC_PASS=""
KIBANA_USER=""
KIBANA_PASS=""
LOGSTASH_USER=""
LOGSTASH_PASS=""
ADMIN_USER=""
ADMIN_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
MONITORING_USER=""
MONITORING_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
ADMIN_USER=${SECURITY_ADMIN_USER}
ADMIN_PASS=${SECURITY_ADMIN_PASS}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
MONITORING_USER=${SECURITY_MONITORING_USER}
MONITORING_PASS=${SECURITY_MONITORING_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"ADMIN_USER"* ]]; then
arrIN=(${line//:/ })
ADMIN_USER=${arrIN[1]}
elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ADMIN_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
elif [[ $line == *"MONITORING_USER"* ]]; then
arrIN=(${line//:/ })
MONITORING_USER=${arrIN[1]}
elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
arrIN=(${line//:/ })
MONITORING_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl ${auth} -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "Elastic is up - executing command"
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3_PATH"
>&2 echo $S3_PATH
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "Elasticsearch major version:"
>&2 echo $S3_ELASTIC_MAJOR
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "Elasticserach major version not given"
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Setup passwords for Elastic Stack users
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
MY_HOSTNAME=`hostname`
echo "Hostname:"
echo $MY_HOSTNAME
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
echo "Setting up passwords for all Elastic Stack users"
echo "Setting remote monitoring password"
SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
>&2 echo "Unavailable password seeting- sleeping"
sleep 2
done
echo "Setting Kibana password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ], "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ], "privileges": ["read", "view_index_metadata"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER" -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"], "full_name" : "Service Internal Kibana User" }'
echo "Setting APM password"
SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
echo "Setting Beats password"
SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
echo "Setting Logstash password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"], "full_name" : "Service Internal Logstash User" }'
echo "Passwords established for all Elastic Stack users"
echo "Creating Admin user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"], "full_name" : "Wazuh admin" }'
echo "Admin user created"
echo "Setting monitoring user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ], "privileges": ["write","create_index","manage","read", "index"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"], "full_name" : "Service Internal Monitoring User" }'
fi
fi
#Insert default templates
sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
sleep 5
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
# Set cluster delayed timeout when node falls
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
# Remove credentials file.
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "Elasticsearch is ready."

56
kibana/Dockerfile
View File

@@ -1,25 +1,14 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:6.8.2
ARG WAZUH_APP_VERSION=3.9.4_6.8.2
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:7.3.2
ARG ELASTIC_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
USER root
ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
# This CA is created for testing. Please set your own CA pem signed certificate.
# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
# ENV variables are necessary: SECURITY_CA_PEM
# Sample:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
# CA for secure communication with Elastic
ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
chown -R kibana:kibana /usr/share/kibana &&\
rm -rf /tmp/*
RUN yum install openssl -y
ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
@@ -63,18 +52,22 @@ ARG XPACK_MONITORING="false"
ARG XPACK_APM="false"
ARG XPACK_MAPS="false"
ARG XPACK_UPTIME="false"
ARG XPACK_SIEM="false"
ARG CHANGE_WELCOME="true"
COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
RUN chmod +x ./kibana_settings.sh
COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_security_configuration.sh ./
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/20-entrypoint.sh && \
chmod +x ./20-entrypoint_kibana_settings.sh && \
chmod +x ./20-entrypoint_certs_management.sh && \
chmod +x ./20-entrypoint_security_configuration.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
@@ -90,4 +83,13 @@ RUN ./welcome_wazuh.sh
RUN /usr/local/bin/kibana-docker --optimize
USER root
RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
chmod 775 /usr/share/kibana/plugins/wazuh && \
chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
chown root:kibana /usr/share/kibana/plugins/wazuh
USER kibana
ENTRYPOINT ./entrypoint.sh

2
kibana/config/10-wazuh_app_config.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"

15
kibana/config/15-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

90
kibana/config/20-entrypoint.sh
View File

@@ -4,7 +4,7 @@
set -e
##############################################################################
# Waiting for elasticsearch
# Set Elasticsearch API url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -13,6 +13,13 @@ else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
##############################################################################
# If there are credentials for Kibana they are obtained.
##############################################################################
KIBANA_USER=""
KIBANA_PASS=""
@@ -34,6 +41,11 @@ else
fi
echo "ENTRYPOINT - Kibana credentials obtained."
##############################################################################
# Establish the way to run the curl command, with or without authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
@@ -43,18 +55,24 @@ else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - Kibana authentication established."
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl -XGET $el_url ${auth}; do
>&2 echo "Elastic is unavailable - sleeping"
>&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template
# Waiting for wazuh alerts template.
##############################################################################
strlen=0
@@ -63,71 +81,47 @@ while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
# We must create the ssl certificate.
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
# Create keystore
echo "ENTRYPOINT - Create Keystore."
/usr/share/kibana/bin/kibana-keystore create
echo "Setting security Kibana configuiration options."
echo "
# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
server.ssl.enabled: true
server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
server.ssl.supportedProtocols:
- TLSv1.1
- TLSv1.2
" >> /usr/share/kibana/config/kibana.yml
echo "Create SSL directories."
mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
CA_PATH="/usr/share/kibana/config"
echo "Creating SSL certificates."
pushd $CA_PATH
chown kibana: $CA_PATH/$SECURITY_CA_PEM
chmod 400 $CA_PATH/$SECURITY_CA_PEM
SECURITY_KEY_PASS=`openssl rand -base64 32`
openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
chown -R kibana: $CA_PATH/ssl
chmod -R 770 $CA_PATH/ssl
chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
popd
echo "SSL certificates created."
# Add keys to keystore
echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
echo "ENTRYPOINT - Keystore created."
fi
##############################################################################
# Run more configuration scripts.
# If security is enabled set Kibana configuration.
# Create the ssl certificate.
##############################################################################
bash /usr/share/kibana/kibana_settings.sh &
if [[ $SECURITY_ENABLED == "yes" ]]; then
bash /usr/share/kibana/20-entrypoint_certs_management.sh
bash /usr/share/kibana/20-entrypoint_security_configuration.sh
fi
##############################################################################
# Run kibana_settings.sh script.
##############################################################################
bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
/usr/local/bin/kibana-docker

14
kibana/config/20-entrypoint_certs_management.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Kibana certs and keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CERTS_MANAGEMENT - Create certificates. TO DO."
# TO DO
fi

183
kibana/config/20-entrypoint_kibana_settings.sh Normal file
View File

@@ -0,0 +1,183 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
echo "SETTINGS - Update Elasticsearch host."
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [ "$KIBANA_INDEX" != "" ]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
fi
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
fi
echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
fi
##############################################################################
# Get Kibana credentials
##############################################################################
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "SETTINGS - Kibana credentials obtained."
##############################################################################
# Set url authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
kibana_secure_ip="https://$kibana_ip"
else
auth=""
kibana_secure_ip="http://$kibana_ip"
fi
echo "SETTINGS - Kibana authentication established."
##############################################################################
# Waiting for Kibana.
##############################################################################
while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
echo "SETTINGS - Kibana API is running"
##############################################################################
# Prepare index selection.
##############################################################################
echo "SETTINGS - Prepare index selection."
default_index="/tmp/default_index.json"
if [[ $PATTERN == "" ]]; then
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
else
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "$PATTERN"
}
}
EOF
fi
sleep 5
##############################################################################
# Add the wazuh alerts index as default.
##############################################################################
echo "SETTINGS - Add the wazuh alerts index as default."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
##############################################################################
# Configuring Kibana TimePicker.
##############################################################################
echo "SETTINGS - Configuring Kibana TimePicker."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
##############################################################################
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
##############################################################################
# Remove credentials file.
##############################################################################
echo "SETTINGS - Remove credentials file."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "End settings"

28
kibana/config/20-entrypoint_security_configuration.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Adapt kibana.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - Setting security Kibana configuiration options."
# Example:
# echo "
# # Elasticsearch from/to Kibana
# elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/CA.pem\"]
# server.ssl.enabled: true
# server.ssl.certificate: /usr/share/kibana/config/ssl/certs/cert.pem
# server.ssl.key: /usr/share/kibana/config/ssl/private/cert.key
# server.ssl.supportedProtocols:
# - TLSv1.1
# - TLSv1.2
# " >> /usr/share/kibana/config/kibana.yml
fi

4
kibana/config/entrypoint.sh
View File

@@ -1,8 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
done

101
kibana/config/kibana_settings.sh
View File

@@ -1,101 +0,0 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u $KIBANA_USER:${KIBANA_PASS}"
kibana_secure_ip="https://$kibana_ip"
else
auth=""
kibana_secure_ip="http://$kibana_ip"
fi
while [[ "$(curl $auth -k -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
# Prepare index selection.
echo "Kibana API is running"
default_index="/tmp/default_index.json"
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
sleep 5
# Add the wazuh alerts index as default.
curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
# Configuring Kibana TimePicker.
curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
# Do not ask user to help providing usage statistics to Elastic
curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
# Remove credentials file
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "End settings"

20
kibana/config/welcome_wazuh.sh
View File

@@ -1,4 +1,5 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
if [[ $CHANGE_WELCOME == "true" ]]
then
@@ -8,20 +9,21 @@ then
kibana_path="/usr/share/kibana"
# Set Wazuh app as the default landing page
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
# Hide management undesired links
echo "Hide management undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
fi

3
kibana/config/xpack_config.sh
View File

@@ -1,4 +1,5 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/config/kibana.yml"
if grep -Fq "#xpack features" "$kibana_config_file";
@@ -14,6 +15,7 @@ then
[xpack.monitoring.enabled]=$XPACK_MONITORING
[xpack.maps.enabled]=$XPACK_MAPS
[xpack.uptime.enabled]=$XPACK_UPTIME
[xpack.siem.enabled]=$XPACK_SIEM
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
@@ -35,6 +37,7 @@ xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
xpack.maps.enabled: $XPACK_MAPS
xpack.uptime.enabled: $XPACK_UPTIME
xpack.siem.enabled: $XPACK_SIEM
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

14
logstash/Dockerfile
View File

@@ -1,5 +1,7 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/logstash/logstash:6.8.2
ARG LOGSTASH_VERSION=7.3.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
@@ -30,8 +32,16 @@ RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else
RUN mkdir /entrypoint-scripts
RUN chmod -R 774 /entrypoint-scripts
RUN chown -R logstash:logstash /entrypoint-scripts
COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_pipeline.sh ./config/10-entrypoint_pipeline.sh
RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/10-entrypoint.sh && \
chmod +x ./config/10-entrypoint_configuration.sh && \
chmod +x ./config/10-entrypoint_pipeline.sh
USER logstash
ENTRYPOINT /entrypoint.sh

9
logstash/config/01-wazuh.conf
View File

@@ -4,12 +4,16 @@
input {
beats {
port => 5000
codec => "json_lines"
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
json {
source => "message"
}
}
filter {
if [data][srcip] {
mutate {
@@ -33,14 +37,13 @@ filter {
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
#user => service_logstash
#password => service_logstash_internal_password
#ssl => true

15
logstash/config/05-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

70
logstash/config/10-entrypoint.sh
View File

@@ -8,7 +8,7 @@
set -e
##############################################################################
# Waiting for elasticsearch
# Set elasticsearch url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -17,6 +17,12 @@ else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Elasticsearch url: $el_url"
##############################################################################
# Get Logstash credentials.
##############################################################################
LOGSTASH_USER=""
LOGSTASH_PASS=""
@@ -38,6 +44,12 @@ else
fi
echo "ENTRYPOINT - Logstash credentials obtained."
##############################################################################
# Set authentication for curl command.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
@@ -46,67 +58,58 @@ else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - curl authentication established"
##############################################################################
# Customize logstash output ip
# Customize logstash output ip.
##############################################################################
if [ "$LOGSTASH_OUTPUT" != "" ]; then
>&2 echo "Customize Logstash ouput ip."
>&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
fi
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl $auth -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping."
>&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Set Logstash password
##############################################################################
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
## Create secure keystore
SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
/usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
## Settings for logstash.yml
echo "
# Required set the passwords
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
" >> /usr/share/logstash/config/logstash.yml
bash /usr/share/logstash/config/10-entrypoint_configuration.sh
## Settings for 01-wazuh.conf
sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf
bash /usr/share/logstash/config/10-entrypoint_pipeline.sh
## Add keys to the keystore
echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
fi
@@ -120,25 +123,28 @@ while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Remove credentials file
##############################################################################
>&2 echo "ENTRYPOINT - Removing unnecessary files."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
>&2 echo "ENTRYPOINT - Unnecessary files removed."
##############################################################################
# Map environment variables to entries in logstash.yml.

27
logstash/config/10-entrypoint_configuration.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt logstash.yml configuration.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - TO DO"
# Settings for logstash.yml
# Example:
# echo "
# xpack.monitoring.enabled: true
# xpack.monitoring.elasticsearch.username: LOGSTASH_USER
# xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
# xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
# " >> /usr/share/logstash/config/logstash.yml
fi

21
logstash/config/10-entrypoint_pipeline.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt 01-wazuh.conf pipeline. Adapt pipeline if it is necessary.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "PIPELINE - TO DO"
# Settings for 01-wazuh.conf
# TO DO
fi

2
nginx/Dockerfile
View File

@@ -1,4 +1,4 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive

2
nginx/config/entrypoint.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e

46
wazuh/Dockerfile
View File

@@ -1,13 +1,16 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM phusion/baseimage:latest
# Arguments
ARG FILEBEAT_VERSION=6.8.2
ARG WAZUH_VERSION=3.9.4-1
ARG FILEBEAT_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2-1
# Environment variables
ENV API_USER="foo" \
API_PASS="bar"
API_PASS="bar"
ARG TEMPLATE_VERSION="v3.10.2"
ENV FILEBEAT_DESTINATION="elasticsearch"
# Install packages
RUN set -x && \
@@ -39,9 +42,9 @@ RUN set -x && \
# Services
RUN mkdir /etc/service/wazuh && \
mkdir /etc/service/wazuh-api && \
mkdir /etc/service/postfix && \
mkdir /etc/service/filebeat
mkdir /etc/service/wazuh-api && \
mkdir /etc/service/postfix && \
mkdir /etc/service/filebeat
COPY config/wazuh.runit.service /etc/service/wazuh/run
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
@@ -49,13 +52,13 @@ COPY config/postfix.runit.service /etc/service/postfix/run
COPY config/filebeat.runit.service /etc/service/filebeat/run
RUN chmod +x /etc/service/wazuh-api/run && \
chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/postfix/run && \
chmod +x /etc/service/filebeat/run
chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/postfix/run && \
chmod +x /etc/service/filebeat/run
# Copy configuration files from repository
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
COPY config/filebeat_to_elasticsearch.yml ./
COPY config/filebeat_to_logstash.yml ./
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
@@ -90,10 +93,21 @@ VOLUME ["/var/lib/filebeat"]
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
RUN chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh
chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh && \
chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
chmod 755 /entrypoint-scripts/10-backups.sh && \
chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
# Workaround.
# Issues: Wazuh-api
@@ -102,5 +116,9 @@ RUN chmod 755 /entrypoint.sh && \
COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
RUN chmod 770 /var/ossec/api/controllers/agents.js
# Load wazuh alerts template.
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
# Run all services
ENTRYPOINT ["/entrypoint.sh"]

15
wazuh/config/00-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the API user to be created are encrypted,
# it must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - TO DO"
fi
# TO DO

24
wazuh/config/02-set_filebeat_destination.sh Normal file
View File

@@ -0,0 +1,24 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Set Filebeat destination.
##############################################################################
if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
echo "FILEBEAT - Set destination to Elasticsearch"
cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
echo "FILEBEAT - Set destination to Logstash"
cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
else
echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
fi
echo "FILEBEAT - Set permissions"
chmod go-w /etc/filebeat/filebeat.yml

23
wazuh/config/03-config_filebeat.sh Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
if [ "$ELASTICSEARCH_URL" != "" ]; then
>&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
fi
# Install Wazuh Filebeat Module
>&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
mkdir -p /usr/share/filebeat/module/wazuh
chmod 755 -R /usr/share/filebeat/module/wazuh
fi

14
wazuh/config/05-remove_credentials_file.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# Remove the credentials file for security reasons.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - Remove credentiasl file."
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi

10
wazuh/config/10-backups.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Enable Wazuh backups and store them in a repository.
##############################################################################
# TO DO
echo "BACKUPS - TO DO"

13
wazuh/config/20-ossec-configuration.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Change Wazuh manager configuration.
##############################################################################
# # Example:
# # Change remote protocol from udp to tcp
# PROTOCOL="tcp"
# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
# # It is necessary to restart the service in order to apply the new configuration.
# service wazuh-manager restart

2
wazuh/config/entrypoint.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do

1
wazuh/config/filebeat.runit.service
View File

@@ -1,3 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service filebeat start
tail -f /var/log/filebeat/filebeat

18
wazuh/config/filebeat.yml
View File

@@ -1,18 +0,0 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
filebeat:
prospectors:
- type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
tail_files: true
output:
logstash:
# The Logstash hosts
hosts: ["logstash:5000"]
# ssl:
# certificate_authorities: ["/etc/filebeat/logstash.crt"]

55
wazuh/config/filebeat_to_elasticsearch.yml Normal file
View File

@@ -0,0 +1,55 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Filebeat configuration file
filebeat.inputs:
- type: log
paths:
- '/var/ossec/logs/alerts/alerts.json'
setup.template.json.enabled: true
setup.template.json.path: "/etc/filebeat/wazuh-template.json"
setup.template.json.name: "wazuh"
setup.template.overwrite: true
processors:
- decode_json_fields:
fields: ['message']
process_array: true
max_depth: 200
target: ''
overwrite_keys: true
- drop_fields:
fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
- rename:
fields:
- from: "data.aws.sourceIPAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.srcip"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
- rename:
fields:
- from: "data.win.eventdata.ipAddress"
to: "@src_ip"
ignore_missing: true
fail_on_error: false
when:
regexp:
data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
output.elasticsearch:
hosts: ['http://elasticsearch:9200']
#pipeline: geoip
indices:
- index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

15
wazuh/config/filebeat_to_logstash.yml Normal file
View File

@@ -0,0 +1,15 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Filebeat configuration file
filebeat:
inputs:
- type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
output:
logstash:
# The Logstash hosts
hosts: ["logstash:5000"]
# ssl:
# certificate_authorities: ["/etc/filebeat/logstash.crt"]

1
wazuh/config/postfix.runit.service
View File

@@ -1,3 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service postfix start
tail -f /var/log/mail.log

1
wazuh/config/wazuh-api.runit.service
View File

@@ -1,4 +1,5 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service wazuh-api start
tail -f /var/ossec/logs/api.log

1
wazuh/config/wazuh.runit.service
View File

@@ -1,4 +1,5 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
service wazuh-manager start
tail -f /var/ossec/logs/ossec.log