diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e2261d5..8e382c40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,18 +1,51 @@ # Change Log All notable changes to this project will be documented in this file. -## Wazuh Docker v3.9.4_6.8.1 +## Wazuh Docker v3.10.2_7.3.2 + +### Added + +- Update to Wazuh version 3.10.2_7.3.2 + +## Wazuh Docker v3.10.0_7.3.2 + +### Added + +- Update to Wazuh version 3.10.0_7.3.2 + +## Wazuh Docker v3.9.5_7.2.1 + +### Added + +- Update to Wazuh version 3.9.5_7.2.1 + +## Wazuh Docker v3.9.4_7.2.0 + +### Added + +- Update to Wazuh version 3.9.4_7.2.0 +- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2) + + +## Wazuh Docker v3.9.3_7.2.0 + +### Fixed +- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213) + +## Wazuh Docker v3.9.2_7.1.1 + +### Added + +- Update to Wazuh version 3.9.2_7.1.1 ## Wazuh Docker v3.9.3_6.8.1 ### Added - Update to Wazuh version 3.9.3_6.8.1 - -### Added - - Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163)) + ## Wazuh Docker v3.9.2_6.8.0 ### Added @@ -20,6 +53,13 @@ All notable changes to this project will be documented in this file. - Update to Wazuh version 3.9.2_6.8.0 +## Wazuh Docker v3.9.1_7.1.0 + +### Added + +- Support for Elastic v7.1.0 +- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88) + ## Wazuh Docker v3.9.1_6.8.0 ### Added 
@@ -31,6 +71,15 @@ All notable changes to this project will be documented in this file. - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181)) + +## Wazuh Docker v3.9.1_7.1.0 + +### Added + +- Support for Elastic v7.1.0 +- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88) + + ## Wazuh Docker v3.9.0_6.7.2 ### Changed diff --git a/README.md b/README.md index 8a673685..4635ac1b 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ In this repository you will find the containers to run: * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) -* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme). * wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** @@ -33,11 +32,6 @@ In addition, a docker-compose file is provided to launch the containers mentione │   │   └── kibana.yml │   └── Dockerfile ├── LICENSE - ├── logstash - │   ├── config - │   │   ├── 01-wazuh.conf - │   │   └── run.sh - │   └── Dockerfile ├── nginx │   ├── config │   │   └── entrypoint.sh 
@@ -63,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione * `stable` branch on correspond to the latest Wazuh-Docker stable version. * `master` branch contains the latest code, be aware of possible bugs on this branch. -* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. +* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. ## Credits and Thank you @@ -76,7 +70,7 @@ We thank you them and everyone else who has contributed to this project. ## License and copyright -Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) ## Web references diff --git a/VERSION b/VERSION index cfeb7686..1f3f87cd 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -WAZUH-DOCKER_VERSION="3.9.4_6.8.1" -REVISION="3942" \ No newline at end of file +WAZUH-DOCKER_VERSION="3.10.2_7.3.2" +REVISION="31020" diff --git a/docker-compose.yml b/docker-compose.yml index fb4171a9..2f59ee73 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '2' services: wazuh: - image: wazuh/wazuh:3.9.3_6.8.1 + image: wazuh/wazuh:3.10.2_7.3.2 hostname: wazuh-manager restart: always ports: 
@@ -13,63 +13,52 @@ services: - "55000:55000" depends_on: - logstash - logstash: - image: wazuh/wazuh-logstash:3.9.3_6.8.1 - hostname: logstash - restart: always - links: - - elasticsearch:elasticsearch - ports: - - "5000:5000" - depends_on: - - elasticsearch - environment: - - LS_HEAP_SIZE=2048m - - SECURITY_ENABLED=yes - - SECURITY_LOGSTASH_USER=service_logstash - - SECURITY_LOGSTASH_PASS=logstash_pass - - LOGSTASH_OUTPUT=https://elasticsearch:9200 - - ELASTICSEARCH_URL=https://elasticsearch:9200 - - SECURITY_CA_PEM=server.TEST-CA-signed.pem + # logstash: + # image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2 + # hostname: logstash + # restart: always + # links: + # - elasticsearch:elasticsearch + # ports: + # - "5000:5000" + # depends_on: + # - elasticsearch + # environment: + # - LS_HEAP_SIZE=2048m + # - SECURITY_ENABLED=no + # - SECURITY_LOGSTASH_USER=service_logstash + # - SECURITY_LOGSTASH_PASS=logstash_pass + # - LOGSTASH_OUTPUT=https://elasticsearch:9200 + # - ELASTICSEARCH_URL=https://elasticsearch:9200 + # - SECURITY_CA_PEM=server.TEST-CA-signed.pem elasticsearch: - image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1 + image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2 hostname: elasticsearch restart: always ports: - "9200:9200" environment: - - node.name=node-1 - - cluster.name=wazuh - - network.host=0.0.0.0 - - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - - ELASTICSEARCH_PROTOCOL=https + - ELASTICSEARCH_PROTOCOL=http - ELASTICSEARCH_IP=elasticsearch - ELASTICSEARCH_PORT=9200 - - SECURITY_ENABLED=yes - - SECURITY_ADMIN_USER=wazuh_admin - - SECURITY_ADMIN_PASS=admin_pass + - SECURITY_ENABLED=no - SECURITY_ELASTIC_PASSWORD=elastic_pass - - SECURITY_KIBANA_USER=service_kibana - - SECURITY_KIBANA_PASS=kibana_pass - - SECURITY_LOGSTASH_USER=service_logstash - - SECURITY_LOGSTASH_PASS=logstash_pass - - SECURITY_CA_PASSPHRASE=ca_pass - - SECURITY_CERTIFICATE_DNS=elasticsearch - - SECURITY_CA_PEM=server.TEST-CA-signed.pem - - SECURITY_CA_KEY=server.TEST-CA.key - 
- SECURITY_CA_TRUST=server.TEST-CA-signed.pem - SECURITY_MAIN_NODE=elasticsearch - - SECURITY_OPENSSL_CONF=TEST_openssl.cnf - - SECURITY_MONITORING_USER=service_monitoring - - SECURITY_MONITORING_PASS=monitoring_pass + - ELASTIC_CLUSTER=true + - CLUSTER_NODE_MASTER=true + - CLUSTER_MASTER_NODE_NAME=elasticsearch + - CLUSTER_NODE_DATA=true + - CLUSTER_NODE_INGEST=true + - CLUSTER_MAX_NODES=3 ulimits: memlock: soft: -1 hard: -1 mem_limit: 2g + kibana: - image: wazuh/wazuh-kibana:3.9.3_6.8.1 + image: wazuh/wazuh-kibana:3.10.2_7.3.2 hostname: kibana restart: always depends_on: @@ -79,7 +68,7 @@ services: - wazuh:wazuh environment: - ELASTICSEARCH_URL=https://elasticsearch:9200 - - SECURITY_ENABLED=yes + - SECURITY_ENABLED=no - SECURITY_KIBANA_USER=service_kibana - SECURITY_KIBANA_PASS=kibana_pass - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private @@ -88,3 +77,18 @@ services: - SECURITY_CA_PEM=server.TEST-CA-signed.pem ports: - "5601:5601" + + nginx: + image: wazuh/wazuh-nginx:3.10.2_7.3.2 + hostname: nginx + restart: always + environment: + - NGINX_PORT=443 + - NGINX_CREDENTIALS + ports: + - "80:80" + - "443:443" + depends_on: + - kibana + links: + - kibana:kibana \ No newline at end of file diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index c2073891..4ab5f86e 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,8 +1,9 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2 +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +ARG ELASTIC_VERSION=7.3.2 +FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION} +ARG TEMPLATE_VERSION=v3.10.2 -ENV ALERTS_SHARDS="1" \ - ALERTS_REPLICAS="0" +ENV ELASTICSEARCH_URL="http://elasticsearch:9200" ENV API_USER="foo" \ API_PASS="bar" 
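Review bot: The `wazuh` service still lists `logstash` under `depends_on` (the context lines at the top of this hunk, as far as the collapsed layout shows) while the `logstash` service itself is now commented out, and Compose rejects a `depends_on` that names an undefined service, so the stack will not come up until the `- logstash` entry is removed or changed to `- elasticsearch`. The same hunk ships `SECURITY_ENABLED=no` and `ELASTICSEARCH_PROTOCOL=http` as the new defaults, yet the kibana hunk (`@@ -79,7`) keeps `ELASTICSEARCH_URL=https://elasticsearch:9200` together with its `SECURITY_KIBANA_*` and `SECURITY_CA_PEM` settings, so Kibana is told to speak TLS to a node that now answers plain HTTP; the two services need to agree on protocol. If an unauthenticated, plaintext stack is the intended out-of-the-box profile for 3.10.2_7.3.2, say so at the top of the file, e.g. `# Security is disabled by default (SECURITY_ENABLED=no); the elasticsearch/config/20-26-security_*.sh hooks are where X-Pack security is wired in.` The commented-out logstash block also names `wazuh/wazuh-elasticsearch:3.10.2_7.3.2` as its image, which looks like a copy-paste slip and will mislead anyone who uncomments it.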
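Review bot: `NGINX_CREDENTIALS` is listed with no value in the new `nginx` service, so Compose forwards whatever the invoking shell exports and leaves it unset or empty otherwise; given the README describes this container as the one adding Basic authentication in front of Kibana, an operator who does not export it on the host gets whatever the nginx entrypoint does with an empty value, which is not visible in this diff. A comment above the line stating the expected format and that it must be exported before `docker-compose up` would make the requirement explicit, e.g. `# NGINX_CREDENTIALS is read from the host environment; export it (see nginx/config/entrypoint.sh for the expected format) before starting the stack.` The file also loses its trailing newline in this hunk (`\ No newline at end of file`).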
@@ -11,8 +12,13 @@ ENV XPACK_ML="true" ENV ENABLE_CONFIGURE_S3="false" -ENV TEMPLATE_VERSION=v3.9.4 +ENV WAZUH_ALERTS_SHARDS="1" \ + WAZUH_ALERTS_REPLICAS="0" +ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config + +RUN yum install epel-release -y && \ + yum install jq -y # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. # command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= --build-arg SECURITY_CA_KEY_LOCATION= @@ -29,19 +35,19 @@ ARG SECURITY_CA_TRUST_LOCATION="" # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration +# CLUSTER_INITIAL_MASTER_NODES set to own node by default. ENV ELASTIC_CLUSTER="false" \ CLUSTER_NAME="wazuh" \ - CLUSTER_NODE_MASTER="true" \ + CLUSTER_NODE_MASTER="false" \ CLUSTER_NODE_DATA="true" \ CLUSTER_NODE_INGEST="true" \ - CLUSTER_NODE_NAME="wazuh-elasticsearch" \ CLUSTER_MEMORY_LOCK="true" \ CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \ CLUSTER_NUMBER_OF_MASTERS="2" \ CLUSTER_MAX_NODES="1" \ - CLUSTER_DELAYED_TIMEOUT="1m" - -ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config + CLUSTER_DELAYED_TIMEOUT="1m" \ + CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \ + CLUSTER_DISCOVERY_SEED="elasticsearch" # CA cert for Transport SSL ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config 
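Review bot: The `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json …` line fetches the index template into the image at build time with no integrity check, and `TEMPLATE_VERSION` is a git tag (`v3.10.2`), i.e. a mutable reference, so a moved tag or a tampered download produces a different image without the build noticing. Pin the artifact by digest — e.g. follow the `ADD` with `RUN echo "<expected-sha256>  /usr/share/elasticsearch/config/wazuh-template.json" | sha256sum -c` (the real digest is not on this page) — or vendor the template into the repository and `COPY` it so the build is reproducible offline. The `yum install epel-release -y && yum install jq -y` layer should end with `&& yum clean all` so the package cache is not baked into the layer.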
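Review bot: The added comment `# CLUSTER_INITIAL_MASTER_NODES set to own node by default.` documents a variable that the rewritten `10-config_cluster.sh` in this same commit never reads — it fills `cluster.initial_master_nodes` from `$ELASTIC_HOSTAME` — and, as far as this diff shows, the surviving `CLUSTER_DISCOVERY_SERVICE` and `CLUSTER_NUMBER_OF_MASTERS` values are no longer consumed either, since the script now uses `CLUSTER_DISCOVERY_SEED` and drops `minimum_master_nodes`; the ENV block therefore advertises knobs with no effect. Either wire `CLUSTER_INITIAL_MASTER_NODES` into the script or remove it and the two dead variables, and reword the comment to list only what the script honours. The new default `CLUSTER_NODE_MASTER="false"` also interacts badly with the script: on the node named by `SECURITY_MAIN_NODE` it writes `cluster.initial_master_nodes: - $ELASTIC_HOSTAME` alongside `node.master: false`, a bootstrap list naming a node that is not master-eligible unless the operator overrides the value (docker-compose.yml does). A comment such as `# CLUSTER_NODE_MASTER must be "true" on the node named by SECURITY_MAIN_NODE or the cluster cannot bootstrap` would prevent a confusing first run.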
@@ -49,31 +55,42 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config -RUN yum install openssl -y - RUN mkdir /entrypoint-scripts COPY config/entrypoint.sh /entrypoint.sh RUN chmod 755 /entrypoint.sh -COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./ - -RUN chmod +x ./load_settings.sh - -RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip - -COPY config/configure_s3.sh ./config/configure_s3.sh -RUN chmod 755 ./config/configure_s3.sh +RUN bin/elasticsearch-plugin install repository-s3 -b COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh -RUN chmod +x /entrypoint-scripts/10-config_cluster.sh - -COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh -RUN chmod +x /entrypoint-scripts/10-config_cluster.sh - -COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh -RUN chmod +x /entrypoint-scripts/30-entrypoint.sh +COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh +COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh +COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh +COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh +COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh +COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh +COPY --chown=elasticsearch:elasticsearch 
./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh +COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./ +COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh +COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./ +COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./ +COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./ +COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./ +RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \ + chmod +x /entrypoint-scripts/15-get_CA_key.sh && \ + chmod +x /entrypoint-scripts/20-security_instances.sh && \ + chmod +x /entrypoint-scripts/22-security_certs.sh && \ + chmod +x /entrypoint-scripts/24-security_configuration.sh && \ + chmod +x /entrypoint-scripts/26-security_keystore.sh && \ + chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \ + chmod +x /entrypoint-scripts/35-entrypoint.sh && \ + chmod +x ./35-entrypoint_load_settings.sh && \ + chmod 755 ./config/35-load_settings_configure_s3.sh && \ + chmod +x ./35-load_settings_users_management.sh && \ + chmod +x ./35-load_settings_policies.sh && \ + chmod +x ./35-load_settings_templates.sh && \ + chmod +x ./35-load_settings_aliases.sh ENTRYPOINT ["/entrypoint.sh"] CMD ["elasticsearch"] diff --git a/elasticsearch/config/10-config_cluster.sh b/elasticsearch/config/10-config_cluster.sh index 51924331..b68d59ae 100644 --- a/elasticsearch/config/10-config_cluster.sh +++ b/elasticsearch/config/10-config_cluster.sh 
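Review bot: `COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh` is the only script in this block copied without `--chown=elasticsearch:elasticsearch`, and the only one given `chmod 755` instead of `chmod +x`; it is invoked via `bash … $el_url $S3_BUCKET_NAME …` from 35-entrypoint_load_settings.sh so it runs either way, but the odd one out reads like an oversight carried over from the old `configure_s3.sh` lines. Unless root ownership is deliberate, use the same `COPY --chown=elasticsearch:elasticsearch` form as its siblings. Several of the scripts copied into /entrypoint-scripts here (`15-get_CA_key.sh`, `20-security_instances.sh`, `22-security_certs.sh`, `24-security_configuration.sh`, `26-security_keystore.sh`, `30-decrypt_credentials.sh`) are placeholders in this commit; a one-line comment above the COPY block, e.g. `# 15-30: security hooks are stubs — the image user supplies the implementation`, would save the next reader from searching for code that is not there.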
@@ -1,36 +1,93 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" - original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml" +ELASTIC_HOSTAME=`hostname` + +echo "CLUSTER: - Prepare Configuration" +echo "CLUSTER: - Hostname" +echo $ELASTIC_HOSTAME +echo "CLUSTER: - Security main node" +echo $SECURITY_MAIN_NODE +echo "CLUSTER: - Discovery seed" +echo $CLUSTER_DISCOVERY_SEED +echo "CLUSTER: - Elastic cluster flag" +echo $ELASTIC_CLUSTER +echo "CLUSTER: - Node Master" +echo $CLUSTER_NODE_MASTER +echo "CLUSTER: - Node Data" +echo $CLUSTER_NODE_DATA +echo "CLUSTER: - Node Ingest" +echo $CLUSTER_NODE_INGEST cp $elastic_config_file $original_file -# If Elasticsearch cluster is enable -if [[ $ELASTIC_CLUSTER == "true" ]] -then - - # Set the cluster.name and discovery.zen.minimun_master_nodes variables - sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file +remove_single_node_conf(){ + if grep -Fq "discovery.type" $1; then + sed -i '/discovery.type\: /d' $1 + fi +} - # Add the cluster configuration - echo " -#cluster node -node: - master: ${CLUSTER_NODE_MASTER} - data: ${CLUSTER_NODE_DATA} - ingest: ${CLUSTER_NODE_INGEST} - name: ${CLUSTER_NODE_NAME} - max_local_storage_nodes: ${CLUSTER_MAX_NODES} +remove_cluster_config(){ + sed -i '/# cluster node/,/# end cluster config/d' $1 +} -bootstrap: - memory_lock: ${CLUSTER_MEMORY_LOCK} +# If Elasticsearch cluster is enable, then set up the elasticsearch.yml +if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then + # Remove the old configuration + remove_single_node_conf $elastic_config_file + remove_cluster_config $elastic_config_file + echo "CLUSTER: - Remove old configuration" -discovery: - zen: - 
ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE} - minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS} - -" >> $elastic_config_file +if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then +# Add the master configuration +# cluster.initial_master_nodes for bootstrap the cluster +echo "CLUSTER: - Add the master configuration" + +cat > $elastic_config_file << EOF +# cluster node +cluster.name: $CLUSTER_NAME +bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK +network.host: 0.0.0.0 +node.name: $ELASTIC_HOSTAME +node.master: $CLUSTER_NODE_MASTER +node.data: $CLUSTER_NODE_DATA +node.ingest: $CLUSTER_NODE_INGEST +node.max_local_storage_nodes: $CLUSTER_MAX_NODES +cluster.initial_master_nodes: + - $ELASTIC_HOSTAME +# end cluster config" +EOF + +elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then +# Remove the old configuration +remove_single_node_conf $elastic_config_file +remove_cluster_config $elastic_config_file +echo "CLUSTER: - Add standard cluster configuration." + +cat > $elastic_config_file << EOF +# cluster node +cluster.name: $CLUSTER_NAME +bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK +network.host: 0.0.0.0 +node.name: $ELASTIC_HOSTAME +node.master: $CLUSTER_NODE_MASTER +node.data: $CLUSTER_NODE_DATA +node.ingest: $CLUSTER_NODE_INGEST +node.max_local_storage_nodes: $CLUSTER_MAX_NODES +discovery.seed_hosts: + - $CLUSTER_DISCOVERY_SEED +# end cluster config" +EOF fi +# If the cluster is disabled, then set a single-node configuration +else + # Remove the old configuration + remove_single_node_conf $elastic_config_file + remove_cluster_config $elastic_config_file + echo "discovery.type: single-node" >> $elastic_config_file + echo "CLUSTER: - Discovery type: single-node" +fi + +echo "CLUSTER: - Configured" \ No newline at end of file diff --git a/elasticsearch/config/15-get_CA_key.sh b/elasticsearch/config/15-get_CA_key.sh new file mode 100644 index 00000000..e555bcf1 --- /dev/null +++ b/elasticsearch/config/15-get_CA_key.sh 
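Review bot: Both `cat > $elastic_config_file << EOF` blocks truncate elasticsearch.yml before writing, so the `remove_single_node_conf`/`remove_cluster_config` calls that precede them in the two cluster branches are no-ops and everything else the stock file carried (the old code expected at least `cluster.name: "docker-cluster"` there) is discarded, whereas the single-node branch appends with `>>` and keeps it. Either append — `cat >> $elastic_config_file << EOF` — so the remove-then-add pattern actually does something, or delete the dead calls and say in a comment that the file is rewritten from scratch. The last line of each heredoc is `# end cluster config"`: the trailing quote is a leftover from the old `echo "…"` form and is now written literally into the file (harmless as a YAML comment, and still matched by the sed range in `remove_cluster_config`, but it should go). `ELASTIC_HOSTAME` is misspelt throughout; it is consistent, so it works, but this rewrite is the moment to fix it.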
@@ -0,0 +1,11 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# If the CA key is encrypted, it must be decrypted for later use. +############################################################################## + +echo "TO DO" + +# TO DO \ No newline at end of file diff --git a/elasticsearch/config/20-config_secure.sh b/elasticsearch/config/20-config_secure.sh deleted file mode 100644 index 30d0f080..00000000 --- a/elasticsearch/config/20-config_secure.sh +++ /dev/null 
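Review bot: This script is a placeholder (`echo "TO DO"`), and together with `20-security_instances.sh`, `22-security_certs.sh`, `24-security_configuration.sh`, `26-security_keystore.sh` and `30-decrypt_credentials.sh` further down it replaces the deleted `20-config_secure.sh`, which actually generated the node certificate, signed it with the CA and wrote the `xpack.security.*` settings; after this commit `SECURITY_ENABLED=yes` produces only log lines on the Elasticsearch side, while `35-entrypoint_load_settings.sh` still builds `auth="-uelastic:${ELASTIC_PASS} -k"` for that case. That is a functional regression for anyone relying on the previous behaviour rather than a refactor, and the CHANGELOG entry ("Update to Wazuh version 3.10.2_7.3.2") does not mention it. Each stub should at least say so at runtime, e.g. `echo "SECURITY - 15-get_CA_key.sh is a stub; CA key handling must be supplied by the image user" >&2`, and the README should state that security setup is now user-provided. The header comment `# Decrypt credentials.` is copied from 30-decrypt_credentials.sh and does not describe this file; `# Obtain the CA key (decrypting it if it is stored encrypted) for the certificate steps that follow.` matches the filename.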
@@ -1,111 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" - -############################################################################## -# Setup bootstrap password to chagne all Elastic Stack passwords. -# Set xpack.security.enabled to true. In Elastic 7 must add ssl options -############################################################################## - -if [[ $SECURITY_ENABLED == "yes" ]]; then - - echo "Creating certificate." - - pushd /usr/share/elasticsearch/config/ - - echo "Setting configuration options." - - # Create instances.yml for elasticsearch .p12 certificate and key - echo " -instances: -- name: \"elasticsearch\" - dns: - - $SECURITY_CERTIFICATE_DNS -" > instances.yml - - # Change permissions and owner of ca - chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM - chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM - - - # Genereate .p12 certificate and key - SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo` - /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE - unzip certs.zip - rm certs.zip - - # Change permissions and owner of certificates - chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch - chmod -R 770 /usr/share/elasticsearch/config/elasticsearch - chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr - - # Prepare directories for openssl - mkdir /root/ca - mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private - chmod 700 /root/ca/private - touch /root/ca/index.txt - echo 1000 > /root/ca/serial - - mkdir /root/ca/intermediate - mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private - chmod 700 /root/ca/intermediate/private - touch /root/ca/intermediate/index.txt - echo 
1000 > /root/ca/intermediate/serial - echo 1000 > /root/ca/intermediate/crlnumber - - if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - - openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem - - else - input=${SECURITY_CREDENTIALS_FILE} - CA_PASSPHRASE_FROM_FILE="" - while IFS= read -r line - do - if [[ $line == *"CA_PASSPHRASE"* ]]; then - arrIN=(${line//:/ }) - CA_PASSPHRASE_FROM_FILE=${arrIN[1]} - fi - done < "$input" - - openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem - - fi - - chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem - - # remove CA key - rm $SECURITY_CA_KEY - - popd - - echo "Setting configuration options." - - # Settings for elasticsearch.yml - echo " -# Required to set the passwords and TLS options -xpack.security.enabled: true -xpack.security.transport.ssl.enabled: true -xpack.security.transport.ssl.verification_mode: certificate -xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key -xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem -xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"] - -# HTTP layer -xpack.security.http.ssl.enabled: true -xpack.security.http.ssl.verification_mode: certificate -xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key -xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem -xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"] -" >> $elastic_config_file - - # Create keystore - /usr/share/elasticsearch/bin/elasticsearch-keystore create - - # Add 
keys to keystore - echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin - echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin - -fi - diff --git a/elasticsearch/config/20-security_instances.sh b/elasticsearch/config/20-security_instances.sh new file mode 100644 index 00000000..3ff7e3e5 --- /dev/null +++ b/elasticsearch/config/20-security_instances.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# instances.yml +# This file is necessary for the creation of the Elasticsaerch certificate. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "SECURITY - Setting Elasticserach security." + + # instance.yml to be added by the user. + # Example: + # echo " + # instances: + # - name: \"elasticsearch\" + # dns: + # - \"elasticsearch\" + # " > /user/share/elasticsearch/instances.yml + +fi \ No newline at end of file diff --git a/elasticsearch/config/22-security_certs.sh b/elasticsearch/config/22-security_certs.sh new file mode 100644 index 00000000..57614912 --- /dev/null +++ b/elasticsearch/config/22-security_certs.sh 
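Review bot: The example in the comment block writes `instances.yml` to `/user/share/elasticsearch/`, a path that appears nowhere else in this diff — every other script, the deleted `20-config_secure.sh` (`pushd /usr/share/elasticsearch/config/`) and the example in 24-security_configuration.sh use `/usr/share/elasticsearch/config/` — so a user who copies it will create the file outside the config directory the certificate step expects. Change the example to `# " > /usr/share/elasticsearch/config/instances.yml` and fix the `Elasticsaerch` spelling in the header comment. The `echo "SECURITY - Setting Elasticserach security."` text is a runtime string, so correct it only if nothing greps for it.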
@@ -0,0 +1,16 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Creation and management of certificates. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "SECURITY - Elasticserach security certificates." + + # Creation of the certificate for Elasticsearch. + # After the execution of this script will have generated + # the Elasticsearch certificate and related keys and passphrase. + # Example: TO DO + +fi diff --git a/elasticsearch/config/24-security_configuration.sh b/elasticsearch/config/24-security_configuration.sh new file mode 100644 index 00000000..58be15c2 --- /dev/null +++ b/elasticsearch/config/24-security_configuration.sh 
@@ -0,0 +1,32 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Adapt elasticsearch.yml configuration file +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "SECURITY - Elasticserach security configuration." + + echo "SECURITY - Setting configuration options." + + # Settings for elasticsearch.yml to be added by the user. + # Example: + # echo " + # # Required to set the passwords and TLS options + # xpack.security.enabled: true + # xpack.security.transport.ssl.enabled: true + # xpack.security.transport.ssl.verification_mode: certificate + # xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key + # xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem + # xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"] + + # # HTTP layer + # xpack.security.http.ssl.enabled: true + # xpack.security.http.ssl.verification_mode: certificate + # xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key + # xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem + # xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"] + # " >> /usr/share/elasticsearch/config/elasticsearch.yml + +fi diff --git a/elasticsearch/config/26-security_keystore.sh b/elasticsearch/config/26-security_keystore.sh new file mode 100644 index 00000000..cc4d73d1 --- /dev/null +++ b/elasticsearch/config/26-security_keystore.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Adapt elasticsearch.yml keystore management +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "SECURITY - Elasticserach keystore management." + + # Create keystore + # /usr/share/elasticsearch/bin/elasticsearch-keystore create + + # Add keys to keystore by the user. + # Example + # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin + # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin + +else + echo "SECURITY - Elasticsearch security not established." +fi \ No newline at end of file diff --git a/elasticsearch/config/30-decrypt_credentials.sh b/elasticsearch/config/30-decrypt_credentials.sh new file mode 100644 index 00000000..1f348e5f --- /dev/null +++ b/elasticsearch/config/30-decrypt_credentials.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# If the credentials of the users to be created are encrypted, +# they must be decrypted for later use. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + echo "TO DO" +fi +# TO DO \ No newline at end of file diff --git a/elasticsearch/config/30-entrypoint.sh b/elasticsearch/config/35-entrypoint.sh similarity index 96% rename from elasticsearch/config/30-entrypoint.sh rename to elasticsearch/config/35-entrypoint.sh index c1e45d1b..318e7f01 100644 --- a/elasticsearch/config/30-entrypoint.sh 
+++ b/elasticsearch/config/35-entrypoint.sh @@ -43,7 +43,7 @@ fi # Run load settings script. -bash /usr/share/elasticsearch/load_settings.sh & +bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh & # Execute elasticsearch diff --git a/elasticsearch/config/35-entrypoint_load_settings.sh b/elasticsearch/config/35-entrypoint_load_settings.sh new file mode 100644 index 00000000..dc6b7756 --- /dev/null +++ b/elasticsearch/config/35-entrypoint_load_settings.sh 
@@ -0,0 +1,265 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +############################################################################## +# Set Elasticsearch API url and Wazuh API url. +############################################################################## + +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi + +if [[ "x${WAZUH_API_URL}" = "x" ]]; then + wazuh_url="https://wazuh" +else + wazuh_url="${WAZUH_API_URL}" +fi + +echo "LOAD SETTINGS - Elasticsearch url: $el_url" + + +############################################################################## +# If Elasticsearch security is enabled get the elastic user password and +# WAZUH API credentials. +############################################################################## + +ELASTIC_PASS="" +WAZH_API_USER="" +WAZH_API_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} + WAZH_API_USER=${API_USER} + WAZH_API_PASS=${API_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + elif [[ $line == *"WAZUH_API_USER"* ]]; then + arrIN=(${line//:/ }) + WAZH_API_USER=${arrIN[1]} + elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + WAZH_API_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +############################################################################## +# Set authentication for curl if Elasticsearch security is enabled. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" + echo "LOAD SETTINGS - authentication for curl established." 
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" + echo "LOAD SETTINGS - authentication for curl not established." +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" + echo "LOAD SETTINGS - authentication for curl established." +fi + + +############################################################################## +# Wait until Elasticsearch is active. +############################################################################## + +until curl ${auth} -XGET $el_url; do + >&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping" + sleep 5 +done + +>&2 echo "LOAD SETTINGS - Elastic is up - executing command" + + +############################################################################## +# Configure S3 repository for Elasticsearch snapshots. +############################################################################## + +if [ $ENABLE_CONFIGURE_S3 ]; then + #Wait for Elasticsearch to be ready to create the repository + sleep 10 + >&2 echo "S3 - Configure S3" + if [ "x$S3_PATH" != "x" ]; then + >&2 echo "S3 - Path: $S3_PATH" + if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then + >&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR" + echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh." + bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR + else + >&2 echo "S3 - Elasticserach major version not given." + echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh." + bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME + fi + + fi + +fi + + +############################################################################## +# Load custom policies. +############################################################################## + +echo "LOAD SETTINGS - Loading custom Elasticsearch policies." 
+bash /usr/share/elasticsearch/35-load_settings_policies.sh + + +############################################################################## +# Modify wazuh-alerts template shards and replicas +############################################################################## + +echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template." +sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json +sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json + + +############################################################################## +# Load default templates +############################################################################## + +echo "LOAD SETTINGS - Loading wazuh-alerts template" +bash /usr/share/elasticsearch/35-load_settings_templates.sh + + +############################################################################## +# Load custom aliases. +############################################################################## + +echo "LOAD SETTINGS - Loading custom Elasticsearch aliases." +bash /usr/share/elasticsearch/35-load_settings_aliases.sh + + +############################################################################## +# Elastic Stack users creation. +# Only security main node can manage users. +############################################################################## + +echo "LOAD SETTINGS - Run users_management.sh." 
+MY_HOSTNAME=`hostname` +echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME" +if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then + bash /usr/share/elasticsearch/35-load_settings_users_management.sh & +fi + + +############################################################################## +# Prepare Wazuh API credentials +############################################################################## + +API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'` +API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'` +API_PASSWORD=`echo -n $API_PASS_Q | base64` + +echo "LOAD SETTINGS - Setting API credentials into Wazuh APP" +CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth}) + +if [ "x$CONFIG_CODE" != "x200" ]; then + curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d' + { + "api_user": "'"$API_USER_Q"'", + "api_password": "'"$API_PASSWORD"'", + "url": "'"$wazuh_url"'", + "api_port": "55000", + "insecure": "true", + "component": "API", + "cluster_info": { + "manager": "wazuh-manager", + "cluster": "Disabled", + "status": "disabled" + }, + "extensions": { + "oscap": true, + "audit": true, + "pci": true, + "aws": true, + "virustotal": true, + "gdpr": true, + "ciscat": true + } + } + ' > /dev/null +else + echo "LOAD SETTINGS - Wazuh APP already configured" + echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x" + wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"` + full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type` + elasticsearch_request=`curl -s $auth "$el_url"` + full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number` + type=`echo "$full_type" | tr -d '"'` + elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'` + elasticsearch_major="${elasticsearch_version:0:1}" + + if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then + echo "LOAD SETTINGS - Elasticsearch major 
= $elasticsearch_major." + echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup." + + curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d' + { + "source": { + "index": ".wazuh" + }, + "dest": { + "index": ".wazuh-backup" + } + } + ' + echo "LOAD SETTINGS - Remove .wazuh index." + curl -s ${auth} -XDELETE "$el_url/.wazuh" + + echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh." + curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d' + { + "source": { + "index": ".wazuh-backup" + }, + "dest": { + "index": ".wazuh" + } + } + ' + curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d' + { + "index" : { + "number_of_replicas" : 0 + } + } + ' + + fi + +fi +sleep 5 + +curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d' +{ + "persistent": { + "xpack.monitoring.collection.enabled": true + } +} +' + +############################################################################## +# Set cluster delayed timeout when node falls +############################################################################## + +curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d' +{ + "settings": { + "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'" + } +} +' +echo "LOAD SETTINGS - cluster delayed timeout changed." + +echo "LOAD SETTINGS - Elasticsearch is ready." \ No newline at end of file diff --git a/elasticsearch/config/35-load_settings_aliases.sh b/elasticsearch/config/35-load_settings_aliases.sh new file mode 100644 index 00000000..cf67d7b1 --- /dev/null +++ b/elasticsearch/config/35-load_settings_aliases.sh 
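Review bot: Under `SECURITY_ENABLED != "no"` the loader builds `auth="-uelastic:${ELASTIC_PASS} -k"` and expands it unquoted into every curl call, which puts the `elastic` password into the process argument list (readable through `ps`/`/proc` by anything else in the container) and disables TLS verification for all requests, while a password containing whitespace or glob characters is split apart. Writing the credentials to a curl config file and trusting the deployment's CA instead is small: `cfg=$(mktemp); printf 'user = "elastic:%s"\n' "$ELASTIC_PASS" > "$cfg"; auth="-K $cfg --cacert <ca.pem>"` (the existing `${auth}` expansions stay as they are; the CA path depends on how the certs are mounted, which this hunk does not show). Separately, the `.wazuh-backup` replica-settings request near the end of the upgrade branch targets a hard-coded `https://elasticsearch:9200` rather than `$el_url`, so it fails whenever Elasticsearch is reached over HTTP or another host; it should use `"$el_url/.wazuh-backup/_settings?pretty"`. Because the `until curl ${auth} -XGET $el_url` wait loop does not pass `--fail`, a 401 from wrong credentials is reported as "Elastic is up" and the later `-s` calls fail without stopping the script despite `set -e`.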
@@ -0,0 +1,86 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + + +############################################################################## +# Set Elasticsearch API url +############################################################################## + +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi + +echo "ALIASES - Elasticsearch url: $el_url" + + +############################################################################## +# If Elasticsearch security is enabled get the elastic user password. +############################################################################## + +ELASTIC_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +############################################################################## +# If Elasticsearch security is enabled get the users credentials. +############################################################################## + +# The user must get the credentials of the users. +# TO DO. + +############################################################################## +# Set authentication for curl if Elasticsearch security is enabled. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" + echo "ALIASES - authentication for curl established." +elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" + echo "ALIASES - authentication for curl not established." 
+else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" + echo "ALIASES - authentication for curl established." +fi + + +############################################################################## +# Wait until Elasticsearch is active. +############################################################################## + +until curl ${auth} -XGET $el_url; do + >&2 echo "ALIASES - Elastic is unavailable - sleeping" + sleep 5 +done + +>&2 echo "ALIASES - Elastic is up - executing command" + + +############################################################################## +# Add custom aliases. +############################################################################## + +# The user must add the credentials of the users. +# TO DO. +# Example +# echo "ALIASES - Add custom_user password and role:" +# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d' +# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}' + diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/35-load_settings_configure_s3.sh similarity index 98% rename from elasticsearch/config/configure_s3.sh rename to elasticsearch/config/35-load_settings_configure_s3.sh index b09df73b..259bf9da 100644 --- a/elasticsearch/config/configure_s3.sh +++ b/elasticsearch/config/35-load_settings_configure_s3.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) set -e diff --git a/elasticsearch/config/35-load_settings_policies.sh b/elasticsearch/config/35-load_settings_policies.sh new file mode 100644 index 00000000..3e89e4c5 --- /dev/null +++ b/elasticsearch/config/35-load_settings_policies.sh 
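Review bot: The "Add custom aliases" section of the aliases script is a placeholder whose commented example is copied from the policies script: it echoes "Add custom_user password and role" and POSTs an ILM policy to `_ilm/policy/my_policy`, not an alias, and it hard-codes `https://localhost:9200` with an extra `-k` instead of using the `$el_url` and `${auth}` the script builds above. An example that matches the file's purpose and its own URL/auth handling would be `curl ${auth} -XPOST -H 'Content-Type: application/json' "$el_url/_aliases" -d '{ "actions": [ { "add": { "index": "wazuh-alerts-*", "alias": "my_alias" } } ] }'`. Also `if [ ${SECURITY_ENABLED} != "no" ]` is unquoted, so with the variable unset `[` reports `unary operator expected` and the script silently falls through to the next branch; `if [[ "${SECURITY_ENABLED}" == "yes" ]]` is safer and matches the keystore script.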
@@ -0,0 +1,86 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + + +############################################################################## +# Set Elasticsearch API url +############################################################################## + +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi + +echo "POLICIES - Elasticsearch url: $el_url" + + +############################################################################## +# If Elasticsearch security is enabled get the elastic user password. +############################################################################## + +ELASTIC_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +############################################################################## +# If Elasticsearch security is enabled get the users credentials. +############################################################################## + +# The user must get the credentials of the users. +# TO DO. + +############################################################################## +# Set authentication for curl if Elasticsearch security is enabled. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" + echo "POLICIES - authentication for curl established." 
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" + echo "POLICIES - authentication for curl not established." +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" + echo "POLICIES - authentication for curl established." +fi + + +############################################################################## +# Wait until Elasticsearch is active. +############################################################################## + +until curl ${auth} -XGET $el_url; do + >&2 echo "POLICIES - Elastic is unavailable - sleeping" + sleep 5 +done + +>&2 echo "POLICIES - Elastic is up - executing command" + + +############################################################################## +# Add custom policies. +############################################################################## + +# The user must add the credentials of the users. +# TO DO. +# Example +# echo "POLICIES - Add custom_user password and role:" +# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d' +# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}' + diff --git a/elasticsearch/config/35-load_settings_templates.sh b/elasticsearch/config/35-load_settings_templates.sh new file mode 100644 index 00000000..dcee8ef8 --- /dev/null +++ b/elasticsearch/config/35-load_settings_templates.sh 
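Review bot: The credentials-file loop in the policies script matches `*"ELASTIC_PASSWORD"*` as a substring and splits the line on `:` and whitespace via `arrIN=(${line//:/ })`, so any password containing a colon, a space or a glob character is silently truncated or pathname-expanded, and a comment line that merely mentions ELASTIC_PASSWORD would overwrite the real value. An exact-key test with a suffix strip keeps the whole value intact: `if [[ $line == ELASTIC_PASSWORD:* ]]; then ELASTIC_PASS=${line#*:}; fi` (trim a leading space if the file uses `KEY: value`). The same loop is repeated verbatim in the aliases, templates, users and load-settings scripts in this diff, so a sourced helper would keep the fix in one place. The commented example below still says "Add custom_user password and role" while creating an ILM policy, which reads as a copy-paste leftover.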
@@ -0,0 +1,81 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + + +############################################################################## +# Set Elasticsearch API url +############################################################################## + +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi + +echo "TEMPLATES - Elasticsearch url: $el_url" + + +############################################################################## +# If Elasticsearch security is enabled get the elastic user password. +############################################################################## + +ELASTIC_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +############################################################################## +# If Elasticsearch security is enabled get the users credentials. +############################################################################## + +# The user must get the credentials of the users. +# TO DO. + +############################################################################## +# Set authentication for curl if Elasticsearch security is enabled. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" + echo "TEMPLATES - authentication for curl established." 
+elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" + echo "TEMPLATES - authentication for curl not established." +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" + echo "TEMPLATES - authentication for curl established." +fi + + +############################################################################## +# Wait until Elasticsearch is active. +############################################################################## + +until curl ${auth} -XGET $el_url; do + >&2 echo "TEMPLATES - Elastic is unavailable - sleeping" + sleep 5 +done + +>&2 echo "TEMPLATES - Elastic is up - executing command" + + +############################################################################## +# Add wazuh-alerts templates. +############################################################################## + +echo "TEMPLATES - Loading default wazuh-alerts template." +cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @- diff --git a/elasticsearch/config/35-load_settings_users_management.sh b/elasticsearch/config/35-load_settings_users_management.sh new file mode 100644 index 00000000..98a5add2 --- /dev/null +++ b/elasticsearch/config/35-load_settings_users_management.sh 
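Review bot: The template upload `cat ... | curl -XPUT "$el_url/_template/wazuh" ${auth} ... -d @-` cannot fail under `set -e`, because curl exits 0 on an HTTP 401/403/400, so a rejected template (wrong credentials once security is on, or the empty `"index.number_of_shards": ""` the caller's sed produces when `WAZUH_ALERTS_SHARDS` is unset) is logged as loaded. Passing `-sSf` makes the HTTP status count and the `cat` pipe is unnecessary: `curl -sSf -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @/usr/share/elasticsearch/config/wazuh-template.json`. The wait loop above has the same gap; `until curl -sf ${auth} -XGET "$el_url"` would stop it from declaring Elasticsearch up on an authentication error.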
@@ -0,0 +1,100 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + + +############################################################################## +# Set Elasticsearch API url +############################################################################## + +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi + +echo "USERS - Elasticsearch url: $el_url" + + +############################################################################## +# If Elasticsearch security is enabled get the elastic user password. +############################################################################## + +ELASTIC_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +############################################################################## +# If Elasticsearch security is enabled get the users credentials. +############################################################################## + +# The user must get the credentials of the users. +# TO DO. + +############################################################################## +# Set authentication for curl if Elasticsearch security is enabled. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" + echo "USERS - authentication for curl established." +elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then + auth="" + echo "USERS - authentication for curl not established." 
+else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" + echo "USERS - authentication for curl established." +fi + + +############################################################################## +# Wait until Elasticsearch is active. +############################################################################## + +until curl ${auth} -XGET $el_url; do + >&2 echo "USERS - Elastic is unavailable - sleeping" + sleep 5 +done + +>&2 echo "USERS - Elastic is up - executing command" + + +############################################################################## +# Setup passwords for Elastic Stack users. +############################################################################## + +# The user must add the credentials of the users. +# TO DO. +# Example +# echo "USERS - Add custom_user password and role:" +# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d ' +# { "indices": [ { "names": [ ".kibana*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"], "privileges": ["all"] }] }' +# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user' -d ' +# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"], "full_name" : "Custom User" }' + + +############################################################################## +# Remove credentials file. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "USERS - Security credentials file not used. Nothing to do." +else + shred -zvu ${SECURITY_CREDENTIALS_FILE} + echo "USERS - Security credentials file removed." +fi + diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh index 333cc951..e64d5b9b 100644 --- a/elasticsearch/config/entrypoint.sh +++ b/elasticsearch/config/entrypoint.sh 
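Review bot: The credentials file is shredded only at the end of the users-management script, which the loader starts only on the node whose hostname equals `SECURITY_MAIN_NODE` and only in the background, so on every other node the plaintext file holding ELASTIC_PASSWORD and WAZUH_API_PASSWORD stays on disk for the life of the container, and on the main node a `shred` failure (for example a read-only secret mount) aborts the backgrounded script through `set -e` with nothing logged. Moving the removal to the end of `35-entrypoint_load_settings.sh` so every node runs it, and guarding it with `shred -zu "${SECURITY_CREDENTIALS_FILE}" || echo "USERS - WARNING: could not remove ${SECURITY_CREDENTIALS_FILE}" >&2`, closes both gaps. Note also that the deleted `load_settings.sh` further down in this diff created the Kibana, Logstash, admin and monitoring users and roles, whereas this replacement ships only a commented example, so with `SECURITY_ENABLED=yes` nothing creates the Kibana service user unless the operator fills in the TODO; if that is intended, the README should say so.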
@@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # It will run every .sh script located in entrypoint-scripts folder in lexicographical order for script in `ls /entrypoint-scripts/*.sh | sort -n`; do diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh deleted file mode 100644 index e5a22bdc..00000000 --- a/elasticsearch/config/load_settings.sh +++ /dev/null 
@@ -1,232 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -set -e - -if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then - el_url="http://elasticsearch:9200" -else - el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" -fi - -if [[ "x${WAZUH_API_URL}" = "x" ]]; then - wazuh_url="https://wazuh" -else - wazuh_url="${WAZUH_API_URL}" -fi - -ELASTIC_PASS="" -KIBANA_USER="" -KIBANA_PASS="" -LOGSTASH_USER="" -LOGSTASH_PASS="" -ADMIN_USER="" -ADMIN_PASS="" -WAZH_API_USER="" -WAZH_API_PASS="" -MONITORING_USER="" -MONITORING_PASS="" - -if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} - KIBANA_USER=${SECURITY_KIBANA_USER} - KIBANA_PASS=${SECURITY_KIBANA_PASS} - LOGSTASH_USER=${SECURITY_LOGSTASH_USER} - LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS} - ADMIN_USER=${SECURITY_ADMIN_USER} - ADMIN_PASS=${SECURITY_ADMIN_PASS} - WAZH_API_USER=${API_USER} - WAZH_API_PASS=${API_PASS} - MONITORING_USER=${SECURITY_MONITORING_USER} - MONITORING_PASS=${SECURITY_MONITORING_PASS} -else - input=${SECURITY_CREDENTIALS_FILE} - while IFS= read -r line - do - if [[ $line == *"ELASTIC_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - ELASTIC_PASS=${arrIN[1]} - elif [[ $line == *"KIBANA_USER"* ]]; then - arrIN=(${line//:/ }) - KIBANA_USER=${arrIN[1]} - elif [[ $line == *"KIBANA_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - KIBANA_PASS=${arrIN[1]} - elif [[ $line == *"LOGSTASH_USER"* ]]; then - arrIN=(${line//:/ }) - LOGSTASH_USER=${arrIN[1]} - elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - LOGSTASH_PASS=${arrIN[1]} - elif [[ $line == *"ADMIN_USER"* ]]; then - arrIN=(${line//:/ }) - ADMIN_USER=${arrIN[1]} - elif [[ $line == *"ADMIN_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - ADMIN_PASS=${arrIN[1]} - elif [[ $line == *"WAZUH_API_USER"* ]]; then - arrIN=(${line//:/ }) - WAZH_API_USER=${arrIN[1]} - elif [[ $line == 
*"WAZUH_API_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - WAZH_API_PASS=${arrIN[1]} - elif [[ $line == *"MONITORING_USER"* ]]; then - arrIN=(${line//:/ }) - MONITORING_USER=${arrIN[1]} - elif [[ $line == *"MONITORING_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - MONITORING_PASS=${arrIN[1]} - fi - done < "$input" - -fi - - -if [ ${SECURITY_ENABLED} != "no" ]; then - auth="-uelastic:${ELASTIC_PASS} -k" -elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then - auth="" -else - auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" -fi - -until curl ${auth} -XGET $el_url; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 5 -done - ->&2 echo "Elastic is up - executing command" - -if [ $ENABLE_CONFIGURE_S3 ]; then - #Wait for Elasticsearch to be ready to create the repository - sleep 10 - >&2 echo "Configure S3" - if [ "x$S3_PATH" != "x" ]; then - >&2 echo "S3_PATH" - >&2 echo $S3_PATH - if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then - >&2 echo "Elasticsearch major version:" - >&2 echo $S3_ELASTIC_MAJOR - bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR - else - >&2 echo "Elasticserach major version not given" - bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME - - fi - - fi - -fi - -############################################################################## -# Setup passwords for Elastic Stack users -############################################################################## - -if [[ $SECURITY_ENABLED == "yes" ]]; then - MY_HOSTNAME=`hostname` - echo "Hostname:" - echo $MY_HOSTNAME - if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then - echo "Setting up passwords for all Elastic Stack users" - - echo "Setting remote monitoring password" - SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` - until curl -u elastic:${ELASTIC_PASS} -k -XPUT 
-H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do - >&2 echo "Unavailable password seeting- sleeping" - sleep 2 - done - echo "Setting Kibana password" - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ], "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ], "privileges": ["read", "view_index_metadata"] } ] }' - sleep 5 - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER" -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"], "full_name" : "Service Internal Kibana User" }' - echo "Setting APM password" - SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` - curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }' - echo "Setting Beats password" - SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` - curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }' - echo "Setting Logstash password" - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }' - sleep 5 - curl -u elastic:${ELASTIC_PASS} -k 
-XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"], "full_name" : "Service Internal Logstash User" }' - echo "Passwords established for all Elastic Stack users" - echo "Creating Admin user" - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"], "full_name" : "Wazuh admin" }' - echo "Admin user created" - echo "Setting monitoring user" - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ], "privileges": ["write","create_index","manage","read", "index"] } ] }' - sleep 5 - curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"], "full_name" : "Service Internal Monitoring User" }' - fi -fi - -#Insert default templates - -sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json - -cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @- -sleep 5 - - -API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'` -API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'` -API_PASSWORD=`echo -n $API_PASS_Q | base64` - -echo "Setting API credentials into Wazuh APP" -CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth}) -if [ "x$CONFIG_CODE" = "x404" ]; then - 
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d' - { - "api_user": "'"$API_USER_Q"'", - "api_password": "'"$API_PASSWORD"'", - "url": "'"$wazuh_url"'", - "api_port": "55000", - "insecure": "true", - "component": "API", - "cluster_info": { - "manager": "wazuh-manager", - "cluster": "Disabled", - "status": "disabled" - }, - "extensions": { - "oscap": true, - "audit": true, - "pci": true, - "aws": true, - "virustotal": true, - "gdpr": true, - "ciscat": true - } - } - ' > /dev/null -else - echo "Wazuh APP already configured" -fi -sleep 5 - -curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d' -{ - "persistent": { - "xpack.monitoring.collection.enabled": true - } -} -' - -# Set cluster delayed timeout when node falls -curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d' -{ - "settings": { - "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'" - } -} -' - -# Remove credentials file. - -if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - echo "Security credentials file not used. Nothing to do." -else - shred -zvu ${SECURITY_CREDENTIALS_FILE} -fi - -echo "Elasticsearch is ready." diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 0f0cccdc..fcf38f7d 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile 
@@ -1,25 +1,14 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/kibana/kibana:6.8.2 -ARG WAZUH_APP_VERSION=3.9.4_6.8.2 +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) +FROM docker.elastic.co/kibana/kibana:7.3.2 +ARG ELASTIC_VERSION=7.3.2 +ARG WAZUH_VERSION=3.10.2 +ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}" + USER root -ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp - -# This CA is created for testing. Please set your own CA pem signed certificate. -# command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= -# ENV variables are necessary: SECURITY_CA_PEM -# Sample: -# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem" -ARG SECURITY_CA_PEM_LOCATION="" - -# CA for secure communication with Elastic -ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config - -RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\ - chown -R kibana:kibana /usr/share/kibana &&\ - rm -rf /tmp/* - -RUN yum install openssl -y +ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp +RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip +RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip COPY config/entrypoint.sh ./entrypoint.sh RUN chmod 755 ./entrypoint.sh 
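Review bot: The plugin archive pulled by `ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp` is installed with `--allow-root` without any integrity check, so the image trusts whatever that URL serves at build time. A checksum pin between the ADD and the install makes the build reproducible and catches a changed or tampered artifact: `RUN echo "<EXPECTED_SHA256>  /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip" | sha256sum -c -` (placeholder hash, to be taken from the release). The separate `RUN rm -rf /tmp/wazuhapp-...zip` does not shrink the image either, because the ADD layer still contains the file; that is cosmetic, but worth a comment if image size is a goal.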
@@ -63,18 +52,22 @@ ARG XPACK_MONITORING="false" ARG XPACK_APM="false" ARG XPACK_MAPS="false" ARG XPACK_UPTIME="false" +ARG XPACK_SIEM="false" ARG CHANGE_WELCOME="true" COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh -RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh - +COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh -RUN chmod +x /entrypoint-scripts/20-entrypoint.sh - -COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ - -RUN chmod +x ./kibana_settings.sh +COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./ +COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./ +COPY --chown=kibana:kibana ./config/20-entrypoint_security_configuration.sh ./ +RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \ + chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \ + chmod +x /entrypoint-scripts/20-entrypoint.sh && \ + chmod +x ./20-entrypoint_kibana_settings.sh && \ + chmod +x ./20-entrypoint_certs_management.sh && \ + chmod +x ./20-entrypoint_security_configuration.sh COPY --chown=kibana:kibana ./config/xpack_config.sh ./ @@ -90,4 +83,13 @@ RUN ./welcome_wazuh.sh RUN /usr/local/bin/kibana-docker --optimize +USER root + +RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \ + chmod 775 /usr/share/kibana/plugins/wazuh && \ + chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \ + chown root:kibana /usr/share/kibana/plugins/wazuh + +USER kibana + ENTRYPOINT ./entrypoint.sh diff --git a/kibana/config/10-wazuh_app_config.sh b/kibana/config/10-wazuh_app_config.sh index 6fffd005..5f238325 100644 --- a/kibana/config/10-wazuh_app_config.sh +++ b/kibana/config/10-wazuh_app_config.sh 
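Review bot: In the last hunk, `chmod 775 /usr/share/kibana/plugins/wazuh` gives the kibana group write access to the plugin directory, so the `root:kibana` ownership of config.yml provides no real protection: a process running as kibana can delete and recreate the file (the directory has no sticky bit), not just edit it through the `660` mode. If the intent is only to let the start-up scripts edit config.yml (10-wazuh_app_config.sh references that path, presumably to edit it), `chmod 750` on the directory is sufficient; if the plugin needs to create files there, that should be stated. A comment above the RUN such as `# config.yml must stay writable by the kibana user: it is edited at container start by the entrypoint scripts` would explain why a config file is group-writable at all.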
@@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml" diff --git a/kibana/config/15-decrypt_credentials.sh b/kibana/config/15-decrypt_credentials.sh new file mode 100644 index 00000000..1f348e5f --- /dev/null +++ b/kibana/config/15-decrypt_credentials.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# If the credentials of the users to be created are encrypted, +# they must be decrypted for later use. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + echo "TO DO" +fi +# TO DO \ No newline at end of file diff --git a/kibana/config/20-entrypoint.sh b/kibana/config/20-entrypoint.sh index 08584d1e..9addf10c 100644 --- a/kibana/config/20-entrypoint.sh +++ b/kibana/config/20-entrypoint.sh @@ -4,7 +4,7 @@ set -e ############################################################################## -# Waiting for elasticsearch +# Set Elasticsearch API url. ############################################################################## if [ "x${ELASTICSEARCH_URL}" = "x" ]; then @@ -13,6 +13,13 @@ else el_url="${ELASTICSEARCH_URL}" fi +echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}" + + +############################################################################## +# If there are credentials for Kibana they are obtained. +############################################################################## + KIBANA_USER="" KIBANA_PASS="" 
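Review bot: 15-decrypt_credentials.sh is only a placeholder: when `SECURITY_CREDENTIALS_FILE` is set it prints `TO DO` and leaves the file untouched, while 20-entrypoint_kibana_settings.sh later reads that file as plaintext `KEY:value` lines and shreds it. Until decryption exists, the header comment should say so, e.g. `# Decryption is not implemented yet: the file is consumed as plaintext by 20-entrypoint_kibana_settings.sh.`, so nobody supplies an encrypted file expecting it to work. The same stub is added in this commit as logstash/config/05-decrypt_credentials.sh and deserves the same note.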
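Review bot: The new log line `echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"` prints the raw variable instead of `el_url`, so when `ELASTICSEARCH_URL` is empty and the fallback computed just above is used, the log shows an empty URL; it also misspells Elasticsearch. The logstash counterpart in this commit logs the resolved value, so `echo "ENTRYPOINT - Elasticsearch url: ${el_url}"` keeps the two entrypoints consistent.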
@@ -34,6 +41,11 @@ else fi +echo "ENTRYPOINT - Kibana credentials obtained." + +############################################################################## +# Establish the way to run the curl command, with or without authentication. +############################################################################## if [ ${SECURITY_ENABLED} != "no" ]; then auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k" @@ -43,18 +55,24 @@ else auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" fi +echo "ENTRYPOINT - Kibana authentication established." + +############################################################################## +# Waiting for elasticsearch. +############################################################################## + until curl -XGET $el_url ${auth}; do - >&2 echo "Elastic is unavailable - sleeping" + >&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping" sleep 5 done sleep 2 ->&2 echo "Elasticsearch is up." +>&2 echo "ENTRYPOINT - Elasticsearch is up." ############################################################################## -# Waiting for wazuh alerts template +# Waiting for wazuh alerts template. ############################################################################## strlen=0 
@@ -63,71 +81,47 @@ while [[ $strlen -eq 0 ]] do template=$(curl $auth $el_url/_cat/templates/wazuh -s) strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." + >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping." sleep 2 done sleep 2 ->&2 echo "Wazuh alerts template is loaded." +>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded." ############################################################################## -# If Secure access to Kibana is enabled, we must set the credentials. -# We must create the ssl certificate. +# Create keystore if security is enabled. ############################################################################## if [[ $SECURITY_ENABLED == "yes" ]]; then - - # Create keystore + echo "ENTRYPOINT - Create Keystore." /usr/share/kibana/bin/kibana-keystore create - - echo "Setting security Kibana configuiration options." - - echo " -# Elasticsearch from/to Kibana -elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"] - -server.ssl.enabled: true -server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -server.ssl.supportedProtocols: - - TLSv1.1 - - TLSv1.2 -" >> /usr/share/kibana/config/kibana.yml - - echo "Create SSL directories." - - mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH - CA_PATH="/usr/share/kibana/config" - - echo "Creating SSL certificates." 
- - pushd $CA_PATH - - chown kibana: $CA_PATH/$SECURITY_CA_PEM - chmod 400 $CA_PATH/$SECURITY_CA_PEM - SECURITY_KEY_PASS=`openssl rand -base64 32` - openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null - chown -R kibana: $CA_PATH/ssl - chmod -R 770 $CA_PATH/ssl - chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem - - popd - echo "SSL certificates created." - # Add keys to keystore echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin - echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin + echo "ENTRYPOINT - Keystore created." fi ############################################################################## -# Run more configuration scripts. +# If security is enabled set Kibana configuration. +# Create the ssl certificate. ############################################################################## -bash /usr/share/kibana/kibana_settings.sh & +if [[ $SECURITY_ENABLED == "yes" ]]; then + + bash /usr/share/kibana/20-entrypoint_certs_management.sh + bash /usr/share/kibana/20-entrypoint_security_configuration.sh + +fi + + +############################################################################## +# Run kibana_settings.sh script. +############################################################################## + +bash /usr/share/kibana/20-entrypoint_kibana_settings.sh & /usr/local/bin/kibana-docker diff --git a/kibana/config/20-entrypoint_certs_management.sh b/kibana/config/20-entrypoint_certs_management.sh new file mode 100644 index 00000000..0be8ff40 --- /dev/null +++ b/kibana/config/20-entrypoint_certs_management.sh 
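Review bot: With `SECURITY_ENABLED=yes` this hunk now only creates the keystore and delegates to `20-entrypoint_certs_management.sh` and `20-entrypoint_security_configuration.sh`, but both scripts added in this commit are placeholders that only echo a message, so the `server.ssl.*` settings, the `elasticsearch.ssl.certificateAuthorities` entry and the certificate generation removed here have no replacement yet. The settings script still probes `https://$kibana_ip:5601/status`, so a secure deployment would appear to wait indefinitely for Kibana to answer over TLS. If this is an intentional intermediate step, say so above the two `bash` calls, e.g. `# NOTE: both scripts are stubs; Kibana TLS and the CA setting are not configured until they are implemented.`, so the regression is not mistaken for finished work.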
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Kibana certs and keystore management
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+
+ echo "CERTS_MANAGEMENT - Create certificates. TO DO."
+ # TO DO
+
+fi
\ No newline at end of file
diff --git a/kibana/config/20-entrypoint_kibana_settings.sh b/kibana/config/20-entrypoint_kibana_settings.sh
new file mode 100644
index 00000000..8abe2947
--- /dev/null
+++ b/kibana/config/20-entrypoint_kibana_settings.sh
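Review bot: The header `# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)` in this new file does not match the `# Wazuh Docker Copyright ...` wording the rest of this commit switches the other scripts to; the same applies to the new 20-entrypoint_security_configuration.sh, 10-entrypoint_configuration.sh and 10-entrypoint_pipeline.sh. All four also end without a trailing newline, which the commit fixes elsewhere for entrypoint.sh. The `if [[ $SECURITY_ENABLED == "yes" ]]` guard repeats the check the caller in 20-entrypoint.sh already makes before invoking the script; harmless, but a comment such as `# Guard kept so the script is safe to run standalone.` would make that intentional.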
@@ -0,0 +1,183 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +WAZUH_MAJOR=3 + +############################################################################## +# Wait for the Kibana API to start. It is necessary to do it in this container +# because the others are running Elastic Stack and we can not interrupt them. +# +# The following actions are performed: +# +# Add the wazuh alerts index as default. +# Set the Discover time interval to 24 hours instead of 15 minutes. +# Do not ask user to help providing usage statistics to Elastic. +############################################################################## + +############################################################################## +# Customize elasticsearch ip +############################################################################## +if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then + sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml + sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml +fi + +echo "SETTINGS - Update Elasticsearch host." + +# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate. +if [ "$KIBANA_INDEX" != "" ]; then + if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then + sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml + fi + echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml +fi + +# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false. 
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then + if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then + sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml + fi + echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml +fi + +############################################################################## +# Get Kibana credentials +############################################################################## + +if [ "$KIBANA_IP" != "" ]; then + kibana_ip="$KIBANA_IP" +else + kibana_ip="kibana" +fi + +KIBANA_USER="" +KIBANA_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + KIBANA_USER=${SECURITY_KIBANA_USER} + KIBANA_PASS=${SECURITY_KIBANA_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"KIBANA_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + KIBANA_PASS=${arrIN[1]} + elif [[ $line == *"KIBANA_USER"* ]]; then + arrIN=(${line//:/ }) + KIBANA_USER=${arrIN[1]} + fi + done < "$input" + +fi + +echo "SETTINGS - Kibana credentials obtained." + + +############################################################################## +# Set url authentication. +############################################################################## + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-k -u $KIBANA_USER:${KIBANA_PASS}" + kibana_secure_ip="https://$kibana_ip" +else + auth="" + kibana_secure_ip="http://$kibana_ip" +fi + +echo "SETTINGS - Kibana authentication established." + + +############################################################################## +# Waiting for Kibana. +############################################################################## + +while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do + echo "SETTINGS - Waiting for Kibana API. 
Sleeping 5 seconds" + sleep 5 +done + +echo "SETTINGS - Kibana API is running" + + +############################################################################## +# Prepare index selection. +############################################################################## + +echo "SETTINGS - Prepare index selection." + +default_index="/tmp/default_index.json" + +if [[ $PATTERN == "" ]]; then + + cat > ${default_index} << EOF +{ + "changes": { + "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*" + } +} +EOF + +else + + cat > ${default_index} << EOF +{ + "changes": { + "defaultIndex": "$PATTERN" + } +} +EOF + +fi + + +sleep 5 + + +############################################################################## +# Add the wazuh alerts index as default. +############################################################################## + +echo "SETTINGS - Add the wazuh alerts index as default." + +curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +rm -f ${default_index} + +sleep 5 + + +############################################################################## +# Configuring Kibana TimePicker. +############################################################################## + +echo "SETTINGS - Configuring Kibana TimePicker." + +curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' + +sleep 5 + + +############################################################################## +# Do not ask user to help providing usage statistics to Elastic. +############################################################################## + +echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic." 
+ +curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' + + +############################################################################## +# Remove credentials file. +############################################################################## + +echo "SETTINGS - Remove credentials file." + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + shred -zvu ${SECURITY_CREDENTIALS_FILE} +fi + +echo "End settings" diff --git a/kibana/config/20-entrypoint_security_configuration.sh b/kibana/config/20-entrypoint_security_configuration.sh new file mode 100644 index 00000000..9f482ff9 --- /dev/null +++ b/kibana/config/20-entrypoint_security_configuration.sh @@ -0,0 +1,28 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +############################################################################## +# Adapt kibana.yml configuration file +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + echo "CONFIGURATION - Setting security Kibana configuiration options." + + # Example: + + # echo " + # # Elasticsearch from/to Kibana + # elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/CA.pem\"] + + # server.ssl.enabled: true + # server.ssl.certificate: /usr/share/kibana/config/ssl/certs/cert.pem + # server.ssl.key: /usr/share/kibana/config/ssl/private/cert.key + # server.ssl.supportedProtocols: + # - TLSv1.1 + # - TLSv1.2 + # " >> /usr/share/kibana/config/kibana.yml + +fi \ No newline at end of file diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh index 333cc951..ca575d93 100644 --- a/kibana/config/entrypoint.sh +++ b/kibana/config/entrypoint.sh 
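Review bot: The credentials-file loop derives the values with `arrIN=(${line//:/ })` and `${arrIN[1]}`, which splits on every `:` and on whitespace and applies glob expansion to the unquoted array, so a password containing a colon, a space or `*` is silently truncated or altered before it is written to the keystore. Taking everything after the first separator preserves the value: `KIBANA_PASS=${line#*:}` and `KIBANA_USER=${line#*:}`. The same credentials are then put on every curl command line through `$auth`, where they are readable by other processes in the container through ps; that predates this commit, but moving the `-u` option into a temporary file passed with `curl -K` would avoid it. The `sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g'` line also leaves the variable unquoted, so a value containing whitespace breaks the sed expression.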
@@ -1,8 +1,8 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
 bash "$script"
-done
\ No newline at end of file
+done
diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh
deleted file mode 100644
index ce21430d..00000000
--- a/kibana/config/kibana_settings.sh
+++ /dev/null
@@ -1,101 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - - -WAZUH_MAJOR=3 - -############################################################################## -# Wait for the Kibana API to start. It is necessary to do it in this container -# because the others are running Elastic Stack and we can not interrupt them. -# -# The following actions are performed: -# -# Add the wazuh alerts index as default. -# Set the Discover time interval to 24 hours instead of 15 minutes. -# Do not ask user to help providing usage statistics to Elastic. -############################################################################## - -############################################################################## -# Customize elasticsearch ip -############################################################################## -if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml -fi - -if [ "$KIBANA_IP" != "" ]; then - kibana_ip="$KIBANA_IP" -else - kibana_ip="kibana" -fi - -KIBANA_USER="" -KIBANA_PASS="" - -if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - KIBANA_USER=${SECURITY_KIBANA_USER} - KIBANA_PASS=${SECURITY_KIBANA_PASS} -else - input=${SECURITY_CREDENTIALS_FILE} - while IFS= read -r line - do - if [[ $line == *"KIBANA_PASSWORD"* ]]; then - arrIN=(${line//:/ }) - KIBANA_PASS=${arrIN[1]} - elif [[ $line == *"KIBANA_USER"* ]]; then - arrIN=(${line//:/ }) - KIBANA_USER=${arrIN[1]} - fi - done < "$input" - -fi - - -if [ ${SECURITY_ENABLED} != "no" ]; then - auth="-u $KIBANA_USER:${KIBANA_PASS}" - kibana_secure_ip="https://$kibana_ip" -else - auth="" - kibana_secure_ip="http://$kibana_ip" -fi - - -while [[ "$(curl $auth -k -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do - echo "Waiting for Kibana API. Sleeping 5 seconds" - sleep 5 -done - -# Prepare index selection. 
-echo "Kibana API is running" - -default_index="/tmp/default_index.json" - -cat > ${default_index} << EOF -{ - "changes": { - "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*" - } -} -EOF - -sleep 5 -# Add the wazuh alerts index as default. -curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} -rm -f ${default_index} - -sleep 5 -# Configuring Kibana TimePicker. -curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ -'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' - -sleep 5 -# Do not ask user to help providing usage statistics to Elastic -curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' - -# Remove credentials file -if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - echo "Security credentials file not used. Nothing to do." -else - shred -zvu ${SECURITY_CREDENTIALS_FILE} -fi - -echo "End settings" diff --git a/kibana/config/welcome_wazuh.sh b/kibana/config/welcome_wazuh.sh index 1bcbc75b..6bf9ad7f 100644 --- a/kibana/config/welcome_wazuh.sh +++ b/kibana/config/welcome_wazuh.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) if [[ $CHANGE_WELCOME == "true" ]] then 
@@ -8,20 +9,21 @@ then kibana_path="/usr/share/kibana" # Set Wazuh app as the default landing page echo "Set Wazuh app as the default landing page" - echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml + echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml # Redirect Kibana welcome screen to Discover echo "Redirect Kibana welcome screen to Discover" - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html - sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js + sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js # Hide management undesired links echo "Hide management undesired links" - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js - sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js + sed -i 
's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js + sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js fi diff --git a/kibana/config/xpack_config.sh b/kibana/config/xpack_config.sh index 454072e8..8817480a 100644 --- a/kibana/config/xpack_config.sh +++ b/kibana/config/xpack_config.sh @@ -1,4 +1,5 @@ #!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) kibana_config_file="/usr/share/kibana/config/kibana.yml" if grep -Fq "#xpack features" "$kibana_config_file"; @@ -14,6 +15,7 @@ then [xpack.monitoring.enabled]=$XPACK_MONITORING [xpack.maps.enabled]=$XPACK_MAPS [xpack.uptime.enabled]=$XPACK_UPTIME + [xpack.siem.enabled]=$XPACK_SIEM [console.enabled]=$XPACK_DEVTOOLS ) for i in "${!CONFIG_MAP[@]}" @@ -35,6 +37,7 @@ xpack.infra.enabled: $XPACK_INFRA xpack.monitoring.enabled: $XPACK_MONITORING xpack.maps.enabled: $XPACK_MAPS xpack.uptime.enabled: $XPACK_UPTIME +xpack.siem.enabled: $XPACK_SIEM console.enabled: $XPACK_DEVTOOLS " >> $kibana_config_file fi diff --git a/logstash/Dockerfile b/logstash/Dockerfile index f713b31e..385b105f 100644 --- a/logstash/Dockerfile +++ b/logstash/Dockerfile @@ -1,5 +1,7 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM docker.elastic.co/logstash/logstash:6.8.2 + +ARG LOGSTASH_VERSION=7.3.2 +FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION} COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh 
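Review bot: The `sed -i 's#visible: true#visible: false#g'` calls rewrite every `visible: true` in each x-pack file rather than only the management-section registration, and none of them checks that the pattern matched, so when a Kibana upgrade moves or renames these files the build either fails on a missing path or silently leaves the link visible. A pre-check keeps the build honest, e.g. `grep -q 'visible: true' "$f" || { echo "pattern not found in $f"; exit 1; }` before each substitution, or a loop over the path list with that check. The new `chrome_service.js` path for the default-route redirect deserves the same check, since it is a different file than the 6.8 one it replaces.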
@@ -30,8 +32,16 @@ RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else RUN mkdir /entrypoint-scripts RUN chmod -R 774 /entrypoint-scripts RUN chown -R logstash:logstash /entrypoint-scripts + +COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh -RUN chmod +x /entrypoint-scripts/10-entrypoint.sh +COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh +COPY --chown=logstash:logstash ./config/10-entrypoint_pipeline.sh ./config/10-entrypoint_pipeline.sh +RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \ + chmod +x /entrypoint-scripts/10-entrypoint.sh && \ + chmod +x ./config/10-entrypoint_configuration.sh && \ + chmod +x ./config/10-entrypoint_pipeline.sh + USER logstash ENTRYPOINT /entrypoint.sh diff --git a/logstash/config/01-wazuh.conf b/logstash/config/01-wazuh.conf index 5b0dc1bc..f51d38ab 100644 --- a/logstash/config/01-wazuh.conf +++ b/logstash/config/01-wazuh.conf @@ -4,12 +4,16 @@ input { beats { port => 5000 - codec => "json_lines" # ssl => true # ssl_certificate => "/etc/logstash/logstash.crt" # ssl_key => "/etc/logstash/logstash.key" } } +filter { + json { + source => "message" + } +} filter { if [data][srcip] { mutate { @@ -33,14 +37,13 @@ filter { target => "@timestamp" } mutate { - remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"] + remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"] } } output { elasticsearch { hosts => ["elasticsearch:9200"] index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" - document_type => "wazuh" #user => service_logstash #password => service_logstash_internal_password #ssl => true 
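Review bot: `COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh` and the pipeline copy use destinations relative to the current WORKDIR, while 10-entrypoint.sh invokes them with the absolute path `/usr/share/logstash/config/...`; this only works if WORKDIR is /usr/share/logstash at that point, which the hunk does not show. Writing the absolute destination `/usr/share/logstash/config/10-entrypoint_configuration.sh` (and likewise for the pipeline script and the two matching `chmod +x` lines) removes the dependency on the base image's WORKDIR. The RUN at line 30 that the hunk header shows is cut at the top of the hunk.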
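Review bot: The new `json { source => "message" }` filter replaces the `json_lines` codec, but when parsing fails the json filter only tags the event with `_jsonparsefailure`, and the `mutate` in the next hunk still removes the `tags` field, so malformed or non-JSON lines from Filebeat are indexed with the raw `message` and no marker that parsing failed. Keeping `tags` out of the `remove_field` list, or routing tagged events elsewhere, keeps parse failures visible to whoever monitors the pipeline. `timestamp` is also no longer removed; if that is deliberate because the Filebeat module now supplies it, a one-line comment on the `date` filter would record that.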
diff --git a/logstash/config/05-decrypt_credentials.sh b/logstash/config/05-decrypt_credentials.sh new file mode 100644 index 00000000..1f348e5f --- /dev/null +++ b/logstash/config/05-decrypt_credentials.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# If the credentials of the users to be created are encrypted, +# they must be decrypted for later use. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + echo "TO DO" +fi +# TO DO \ No newline at end of file diff --git a/logstash/config/10-entrypoint.sh b/logstash/config/10-entrypoint.sh index c441577b..491c9b67 100644 --- a/logstash/config/10-entrypoint.sh +++ b/logstash/config/10-entrypoint.sh @@ -8,7 +8,7 @@ set -e ############################################################################## -# Waiting for elasticsearch +# Set elasticsearch url. ############################################################################## if [ "x${ELASTICSEARCH_URL}" = "x" ]; then @@ -17,6 +17,12 @@ else el_url="${ELASTICSEARCH_URL}" fi +echo "ENTRYPOINT - Elasticsearch url: $el_url" + +############################################################################## +# Get Logstash credentials. +############################################################################## + LOGSTASH_USER="" LOGSTASH_PASS="" 
@@ -38,6 +44,12 @@ else fi +echo "ENTRYPOINT - Logstash credentials obtained." + +############################################################################## +# Set authentication for curl command. +############################################################################## + if [ ${SECURITY_ENABLED} != "no" ]; then auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k" elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then 
@@ -46,67 +58,58 @@ else auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" fi +echo "ENTRYPOINT - curl authentication established" + ############################################################################## -# Customize logstash output ip +# Customize logstash output ip. ############################################################################## if [ "$LOGSTASH_OUTPUT" != "" ]; then - >&2 echo "Customize Logstash ouput ip." + >&2 echo "ENTRYPOINT - Customize Logstash ouput ip." sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml fi + +############################################################################## +# Waiting for elasticsearch. +############################################################################## + until curl $auth -XGET $el_url; do - >&2 echo "Elastic is unavailable - sleeping." + >&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping." sleep 5 done sleep 2 ->&2 echo "Elasticsearch is up." +>&2 echo "ENTRYPOINT - Elasticsearch is up." ############################################################################## -# Set Logstash password -############################################################################## - -############################################################################## -# If Secure access to Kibana is enabled, we must set the credentials. +# Create keystore if security is enabled. ############################################################################## if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "ENTRYPOINT - Create Keystore." 
+ ## Create secure keystore SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo` export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create ## Settings for logstash.yml - echo " -# Required set the passwords -xpack.monitoring.enabled: true -xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER} -xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS} -xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM - -xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\" -xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER} -xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS} -xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM -" >> /usr/share/logstash/config/logstash.yml - + bash /usr/share/logstash/config/10-entrypoint_configuration.sh + ## Settings for 01-wazuh.conf - sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf - sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf - sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf - sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf + + bash /usr/share/logstash/config/10-entrypoint_pipeline.sh ## Add keys to the keystore echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS - - + fi 
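Review bot: In the `SECURITY_ENABLED == "yes"` branch the xpack.monitoring settings written to logstash.yml and the four `sed` edits that enabled `user`, `password`, `ssl => true` and `cacert` in 01-wazuh.conf are replaced by calls to `10-entrypoint_configuration.sh` and `10-entrypoint_pipeline.sh`, both added in this commit as placeholders that only print a message. As a result the `LOGSTASH_KS_USER`/`LOGSTASH_KS_PASS` keys added to the keystore just below are never referenced, and the pipeline output to Elasticsearch runs without credentials or TLS while security is switched on. If this is a staged refactor, say so next to the two `bash` calls (`# TODO: configuration and pipeline scripts are stubs; secure output is not configured yet`) so the regression is not mistaken for finished work. The keystore password derived from `date +%s` is pre-existing context, but since it now protects keys a later commit will rely on, `head -c 32 /dev/urandom | base64` would give it real entropy.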
@@ -120,25 +123,28 @@ while [[ $strlen -eq 0 ]] do template=$(curl $auth $el_url/_cat/templates/wazuh -s) strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." + >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping." sleep 2 done sleep 2 ->&2 echo "Wazuh alerts template is loaded." +>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded." ############################################################################## # Remove credentials file ############################################################################## +>&2 echo "ENTRYPOINT - Removing unnecessary files." + if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then - echo "Security credentials file not used. Nothing to do." + echo "ENTRYPOINT - Security credentials file not used. Nothing to do." else shred -zvu ${SECURITY_CREDENTIALS_FILE} fi +>&2 echo "ENTRYPOINT - Unnecessary files removed." ############################################################################## # Map environment variables to entries in logstash.yml. diff --git a/logstash/config/10-entrypoint_configuration.sh b/logstash/config/10-entrypoint_configuration.sh new file mode 100644 index 00000000..44c016af --- /dev/null +++ b/logstash/config/10-entrypoint_configuration.sh 
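Review bot: The new `>&2 echo "ENTRYPOINT - Unnecessary files removed."` is printed unconditionally, so the log claims removal both when the "Nothing to do" branch ran and when `shred` failed. Move it into the `else` branch after the `shred` call, and make that branch stop on failure: `shred -zvu "${SECURITY_CREDENTIALS_FILE}" || { >&2 echo "ENTRYPOINT - Could not remove credentials file."; exit 1; }`. The branch message `echo "ENTRYPOINT - Security credentials file not used. Nothing to do."` goes to stdout while every surrounding message goes to stderr; prefix it with `>&2` for consistency.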
@@ -0,0 +1,27 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# +# OSSEC container bootstrap. See the README for information of the environment +# variables expected by this script. +# + +set -e + +############################################################################## +# Adapt logstash.yml configuration. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + echo "CONFIGURATION - TO DO" + + # Settings for logstash.yml + # Example: + # echo " + # xpack.monitoring.enabled: true + # xpack.monitoring.elasticsearch.username: LOGSTASH_USER + # xpack.monitoring.elasticsearch.password: LOGSTASH_PASS + # xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem + # " >> /usr/share/logstash/config/logstash.yml + +fi \ No newline at end of file diff --git a/logstash/config/10-entrypoint_pipeline.sh b/logstash/config/10-entrypoint_pipeline.sh new file mode 100644 index 00000000..3c232689 --- /dev/null +++ b/logstash/config/10-entrypoint_pipeline.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# +# OSSEC container bootstrap. See the README for information of the environment +# variables expected by this script. +# + +set -e + +############################################################################## +# Adapt 01-wazuh.conf pipeline. Adapt pipeline if it is necessary. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + echo "PIPELINE - TO DO" + # Settings for 01-wazuh.conf + # TO DO + +fi + \ No newline at end of file diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 9ed0950e..2ca20d6f 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
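Review bot: 10-entrypoint_configuration.sh only prints `CONFIGURATION - TO DO` inside the `SECURITY_ENABLED == "yes"` branch and exits 0, so the caller in logstash/config/entrypoint.sh cannot tell a configured logstash.yml from a stub; 10-entrypoint_pipeline.sh in the next hunk has the same shape. If the scripts must ship before they are implemented, end the branch with `>&2 echo "CONFIGURATION - security settings not implemented."; exit 1` so that enabling security does not silently proceed without credentials or TLS. The commented example would also write the literal words `LOGSTASH_USER` and `LOGSTASH_PASS` into logstash.yml rather than keystore references; the entrypoint adds the keys as `LOGSTASH_KS_USER`/`LOGSTASH_KS_PASS`, so the example should read `xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}` and likewise for the password. The header comment `OSSEC container bootstrap` is copied from another script and does not describe these files; state what each one adapts (logstash.yml, 01-wazuh.conf).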
@@ -1,4 +1,4 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) FROM nginx:latest ENV DEBIAN_FRONTEND noninteractive diff --git a/nginx/config/entrypoint.sh b/nginx/config/entrypoint.sh index 385d7aa8..468c8a92 100644 --- a/nginx/config/entrypoint.sh +++ b/nginx/config/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) set -e diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 470771f2..7b43eae5 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,13 +1,16 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) FROM phusion/baseimage:latest # Arguments -ARG FILEBEAT_VERSION=6.8.2 -ARG WAZUH_VERSION=3.9.4-1 +ARG FILEBEAT_VERSION=7.3.2 +ARG WAZUH_VERSION=3.10.2-1 # Environment variables ENV API_USER="foo" \ - API_PASS="bar" + API_PASS="bar" + +ARG TEMPLATE_VERSION="v3.10.2" +ENV FILEBEAT_DESTINATION="elasticsearch" # Install packages RUN set -x && \ @@ -39,9 +42,9 @@ RUN set -x && \ # Services RUN mkdir /etc/service/wazuh && \ - mkdir /etc/service/wazuh-api && \ - mkdir /etc/service/postfix && \ - mkdir /etc/service/filebeat + mkdir /etc/service/wazuh-api && \ + mkdir /etc/service/postfix && \ + mkdir /etc/service/filebeat COPY config/wazuh.runit.service /etc/service/wazuh/run COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run 
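Review bot: `ARG TEMPLATE_VERSION="v3.10.2"` repeats the release already encoded in `ARG WAZUH_VERSION=3.10.2-1`, and the two are set independently, so a later bump of WAZUH_VERSION can leave the index template fetched with `ADD` in a later hunk at a mismatched version. A comment next to it — `# Keep in step with WAZUH_VERSION; selects the wazuh-template.json that is loaded into Elasticsearch` — or deriving both from one build argument reduces the drift risk. `ENV FILEBEAT_DESTINATION="elasticsearch"` is a reasonable default but is undocumented; a one-line comment naming the values accepted by 02-set_filebeat_destination.sh (`elasticsearch`, `logstash`) would help. The `API_USER="foo"`/`API_PASS="bar"` defaults survive this hunk (only the indentation changed); if they are meant to be overridden at run time, say so in a comment.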
@@ -49,13 +52,13 @@ COPY config/postfix.runit.service /etc/service/postfix/run COPY config/filebeat.runit.service /etc/service/filebeat/run RUN chmod +x /etc/service/wazuh-api/run && \ - chmod +x /etc/service/wazuh/run && \ - chmod +x /etc/service/postfix/run && \ - chmod +x /etc/service/filebeat/run + chmod +x /etc/service/wazuh/run && \ + chmod +x /etc/service/postfix/run && \ + chmod +x /etc/service/filebeat/run # Copy configuration files from repository -COPY config/filebeat.yml /etc/filebeat/ -RUN chmod go-w /etc/filebeat/filebeat.yml +COPY config/filebeat_to_elasticsearch.yml ./ +COPY config/filebeat_to_logstash.yml ./ # Prepare permanent data # Sync calls are due to https://github.com/docker/docker/issues/9547 @@ -90,10 +93,21 @@ VOLUME ["/var/lib/filebeat"] RUN mkdir /entrypoint-scripts COPY config/entrypoint.sh /entrypoint.sh +COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh - +COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh +COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh +COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh +COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh +COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh RUN chmod 755 /entrypoint.sh && \ - chmod 755 /entrypoint-scripts/01-wazuh.sh + chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \ + chmod 755 /entrypoint-scripts/01-wazuh.sh && \ + chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \ + chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \ + chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \ + chmod 755 /entrypoint-scripts/10-backups.sh && \ + chmod 755 /entrypoint-scripts/20-ossec-configuration.sh # Workaround. # Issues: Wazuh-api 
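Review bot: `COPY config/filebeat_to_elasticsearch.yml ./` and `COPY config/filebeat_to_logstash.yml ./` place the two templates in the build-time WORKDIR, and 02-set_filebeat_destination.sh (a later hunk) later copies them with bare relative names, so the selection depends on the runtime working directory matching the build-time one; if either changes, Filebeat starts without a configuration. Copying to an explicit location — `COPY config/filebeat_to_elasticsearch.yml config/filebeat_to_logstash.yml /etc/filebeat/` — and using those absolute paths in the script removes the dependency. The removed `RUN chmod go-w /etc/filebeat/filebeat.yml` now runs at start-up on the selected file only; the two template copies keep the mode COPY gives them, which is probably fine but worth a comment.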
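Review bot: The seven paired `COPY` and `chmod 755` lines for the entrypoint scripts grow by two lines per script and are easy to leave out of step. COPY accepts Go-style globs, so `COPY config/[0-9][0-9]-*.sh /entrypoint-scripts/` followed by `RUN chmod 755 /entrypoint.sh /entrypoint-scripts/*.sh` covers the current set in two lines and picks up future scripts automatically (the pattern does not match config/entrypoint.sh).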
@@ -102,5 +116,9 @@ RUN chmod 755 /entrypoint.sh && \ COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js RUN chmod 770 /var/ossec/api/controllers/agents.js +# Load wazuh alerts template. +ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat +RUN chmod go-w /etc/filebeat/wazuh-template.json + # Run all services ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file diff --git a/wazuh/config/00-decrypt_credentials.sh b/wazuh/config/00-decrypt_credentials.sh new file mode 100644 index 00000000..767b8cae --- /dev/null +++ b/wazuh/config/00-decrypt_credentials.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# If the credentials of the API user to be created are encrypted, +# it must be decrypted for later use. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "CREDENTIALS - Security credentials file not used. Nothing to do." +else + echo "CREDENTIALS - TO DO" +fi +# TO DO \ No newline at end of file diff --git a/wazuh/config/02-set_filebeat_destination.sh b/wazuh/config/02-set_filebeat_destination.sh new file mode 100644 index 00000000..dc7478c2 --- /dev/null +++ b/wazuh/config/02-set_filebeat_destination.sh 
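Review bot: `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat` fetches the index template at build time with no integrity check, and TEMPLATE_VERSION names a tag, which can be moved; the file is later pushed into Elasticsearch as the mapping for every alert index (`setup.template.json.path` in filebeat_to_elasticsearch.yml). Pinning the URL to a commit SHA, or checking the download against a known digest — `RUN echo "<expected-sha256>  /etc/filebeat/wazuh-template.json" | sha256sum -c -` with the placeholder replaced by the released file's checksum — makes the build reproducible and detects a changed or tampered template. The destination has no trailing slash and only lands inside the directory because `/etc/filebeat` already exists; `/etc/filebeat/` states the intent explicitly.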
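Review bot: 00-decrypt_credentials.sh is wired into the entrypoint sequence but only prints `CREDENTIALS - TO DO` when SECURITY_CREDENTIALS_FILE is set, while 05-remove_credentials_file.sh (a later hunk) then shreds that file; an operator who sets the variable gets nothing decrypted and loses the file. Until decryption is implemented, exit non-zero from that branch — `>&2 echo "CREDENTIALS - decryption not implemented."; exit 1` — or leave the script out of the COPY list; the same stub-at-startup pattern applies to 10-backups.sh, which prints `BACKUPS - TO DO` on every start. The script also lacks the `set -e` its siblings use, so once implemented a failing command would not abort it.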
@@ -0,0 +1,24 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Set Filebeat destination. +############################################################################## + +if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then + + echo "FILEBEAT - Set destination to Elasticsearch" + cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml + +elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then + + echo "FILEBEAT - Set destination to Logstash" + cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml + +else + echo "FILEBEAT - Error choosing destination. Set default filebeat.yml " +fi + +echo "FILEBEAT - Set permissions" + +chmod go-w /etc/filebeat/filebeat.yml \ No newline at end of file diff --git a/wazuh/config/03-config_filebeat.sh b/wazuh/config/03-config_filebeat.sh new file mode 100644 index 00000000..9edc4b07 --- /dev/null +++ b/wazuh/config/03-config_filebeat.sh @@ -0,0 +1,23 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then + + WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz + + # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set + if [ "$ELASTICSEARCH_URL" != "" ]; then + >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP." + sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml + fi + + # Install Wazuh Filebeat Module + + >&2 echo "FILEBEAT - Install Wazuh Filebeat Module." + curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module + mkdir -p /usr/share/filebeat/module/wazuh + chmod 755 -R /usr/share/filebeat/module/wazuh + +fi \ No newline at end of file diff --git a/wazuh/config/05-remove_credentials_file.sh b/wazuh/config/05-remove_credentials_file.sh new file mode 100644 index 00000000..5bf941c7 --- /dev/null 
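Review bot: The `else` branch logs `Error choosing destination. Set default filebeat.yml ` but sets nothing, and the script then runs `chmod go-w /etc/filebeat/filebeat.yml` on a file that may not exist now that the build-time `COPY config/filebeat.yml` was removed, so an unrecognised FILEBEAT_DESTINATION yields a chmod error and a Filebeat with no configuration. Treat it as fatal: `>&2 echo "FILEBEAT - Unknown FILEBEAT_DESTINATION '${FILEBEAT_DESTINATION}' (expected elasticsearch or logstash)."; exit 1`. The two `cp filebeat_to_*.yml` calls resolve against the current directory; absolute paths would not depend on where the entrypoint happens to run. Unlike 03-config_filebeat.sh there is no `set -e`.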
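Review bot: The module tarball is fetched on every container start with `curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module` and unpacked as root with no integrity check, and because `-f` is absent an HTTP error body is handed to tar instead of failing the `set -e` script (the pipeline's status is tar's). Downloading and verifying at build time in the Dockerfile, or at least `curl -sSf` plus a digest check — `echo "<expected-sha256>  ${WAZUH_FILEBEAT_MODULE}" | sha256sum -c -` with the placeholder replaced by the published checksum — keeps the image content deterministic and independent of network access at runtime. `mkdir -p /usr/share/filebeat/module/wazuh` after the extraction only matters if the archive lacks that directory; placing it before the `tar` makes the intent clear. In `sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g'` the expansion is unquoted and a `|` in the URL would break the expression; `"${ELASTICSEARCH_URL}"` is safer.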
+++ b/wazuh/config/05-remove_credentials_file.sh @@ -0,0 +1,14 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Decrypt credentials. +# Remove the credentials file for security reasons. +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "CREDENTIALS - Security credentials file not used. Nothing to do." +else + echo "CREDENTIALS - Remove credentiasl file." + shred -zvu ${SECURITY_CREDENTIALS_FILE} +fi \ No newline at end of file diff --git a/wazuh/config/10-backups.sh b/wazuh/config/10-backups.sh new file mode 100644 index 00000000..68f3b555 --- /dev/null +++ b/wazuh/config/10-backups.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Enable Wazuh backups and store them in a repository. +############################################################################## + + +# TO DO +echo "BACKUPS - TO DO" \ No newline at end of file diff --git a/wazuh/config/20-ossec-configuration.sh b/wazuh/config/20-ossec-configuration.sh new file mode 100644 index 00000000..b27a12a6 --- /dev/null +++ b/wazuh/config/20-ossec-configuration.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +############################################################################## +# Change Wazuh manager configuration. +############################################################################## + +# # Example: +# # Change remote protocol from udp to tcp +# PROTOCOL="tcp" +# sed -i -e '//,/<\/remote>/ s|udp|'$PROTOCOL'|g' /var/ossec/etc/ossec.conf +# # It is necessary to restart the service in order to apply the new configuration. +# service wazuh-manager restart \ No newline at end of file 
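Review bot: The header comment `Decrypt credentials.` is copied from 00-decrypt_credentials.sh but this script removes the file; replace it with `# Remove the credentials file once it has been consumed.` and fix `credentiasl` in the log line. `shred -zvu ${SECURITY_CREDENTIALS_FILE}` should quote the expansion. shred only overwrites in place on filesystems that write in place; on overlay layers, copy-on-write or journaled volumes the old blocks may survive (the shred man page lists these cases), so a comment stating that this is best-effort removal, and a recommendation to supply the file via a tmpfs mount or Docker secret, would set expectations.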
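Review bot: In the commented example `sed -i -e '//,/<\/remote>/ s|udp|'$PROTOCOL'|g'` the range's start address is empty (`//`), which in sed reuses the last regex rather than matching the opening tag; whether lost in the source or in rendering, it should read `'/<remote>/,/<\/remote>/ s|udp|'"$PROTOCOL"'|g'`. Since the file is otherwise only comments yet still runs on every start via the entrypoint loop, a line in the header saying it is a template to be edited by the operator would help.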
diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh index ed31fc84..36c776bd 100644 --- a/wazuh/config/entrypoint.sh +++ b/wazuh/config/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # It will run every .sh script located in entrypoint-scripts folder in lexicographical order for script in `ls /entrypoint-scripts/*.sh | sort -n`; do diff --git a/wazuh/config/filebeat.runit.service b/wazuh/config/filebeat.runit.service index 2a46f7b0..9b048caa 100644 --- a/wazuh/config/filebeat.runit.service +++ b/wazuh/config/filebeat.runit.service @@ -1,3 +1,4 @@ #!/bin/sh +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) service filebeat start tail -f /var/log/filebeat/filebeat diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml deleted file mode 100644 index bb02a5d8..00000000 --- a/wazuh/config/filebeat.yml +++ /dev/null @@ -1,18 +0,0 @@ -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -filebeat: - prospectors: - - type: log - paths: - - "/var/ossec/logs/alerts/alerts.json" - document_type: json - json.message_key: log - json.keys_under_root: true - json.overwrite_keys: true - tail_files: true - -output: - logstash: - # The Logstash hosts - hosts: ["logstash:5000"] -# ssl: -# certificate_authorities: ["/etc/filebeat/logstash.crt"] diff --git a/wazuh/config/filebeat_to_elasticsearch.yml b/wazuh/config/filebeat_to_elasticsearch.yml new file mode 100644 index 00000000..3d1b145d --- /dev/null +++ b/wazuh/config/filebeat_to_elasticsearch.yml 
@@ -0,0 +1,55 @@ +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +# Wazuh - Filebeat configuration file +filebeat.inputs: + - type: log + paths: + - '/var/ossec/logs/alerts/alerts.json' + +setup.template.json.enabled: true +setup.template.json.path: "/etc/filebeat/wazuh-template.json" +setup.template.json.name: "wazuh" +setup.template.overwrite: true + +processors: + - decode_json_fields: + fields: ['message'] + process_array: true + max_depth: 200 + target: '' + overwrite_keys: true + - drop_fields: + fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host'] + - rename: + fields: + - from: "data.aws.sourceIPAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.srcip" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + - rename: + fields: + - from: "data.win.eventdata.ipAddress" + to: "@src_ip" + ignore_missing: true + fail_on_error: false + when: + regexp: + data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b + +output.elasticsearch: + hosts: ['http://elasticsearch:9200'] + #pipeline: geoip + indices: + - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}' \ No newline at end of file diff --git a/wazuh/config/filebeat_to_logstash.yml b/wazuh/config/filebeat_to_logstash.yml new file mode 100644 index 00000000..8eec470b --- /dev/null +++ b/wazuh/config/filebeat_to_logstash.yml @@ -0,0 +1,15 @@ +# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +# Wazuh - Filebeat configuration file +filebeat: + inputs: + - type: log + paths: + - "/var/ossec/logs/alerts/alerts.json" + +output: + logstash: + # The Logstash hosts + hosts: ["logstash:5000"] +# ssl: +# certificate_authorities: ["/etc/filebeat/logstash.crt"] 
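Review bot: `output.elasticsearch` carries only `hosts: ['http://elasticsearch:9200']` with no `username`/`password`/`ssl.*` keys, and the runtime customisation in 03-config_filebeat.sh only substitutes that URL string, so alerts are shipped in cleartext and unauthenticated by default with no documented way to enable TLS or credentials; the logstash variant at least keeps commented `ssl:`/`certificate_authorities:` lines. Add the equivalent commented stanza here (`#ssl.certificate_authorities: [...]`, `#username:`, `#password:`) so operators know which keys to set, or document that TLS is expected to terminate at a proxy. `#pipeline: geoip` lacks the space after `#`, and this file uses dotted `filebeat.inputs:` while filebeat_to_logstash.yml uses the nested `filebeat:` / `inputs:` form; pick one style for both.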
diff --git a/wazuh/config/postfix.runit.service b/wazuh/config/postfix.runit.service
index 02856a35..e900b5e5 100644
--- a/wazuh/config/postfix.runit.service
+++ b/wazuh/config/postfix.runit.service
@@ -1,3 +1,4 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log
diff --git a/wazuh/config/wazuh-api.runit.service b/wazuh/config/wazuh-api.runit.service
index a2bce18d..032e3738 100644
--- a/wazuh/config/wazuh-api.runit.service
+++ b/wazuh/config/wazuh-api.runit.service
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-api start
 tail -f /var/ossec/logs/api.log
diff --git a/wazuh/config/wazuh.runit.service b/wazuh/config/wazuh.runit.service
index 03c10850..c1b5b30e 100644
--- a/wazuh/config/wazuh.runit.service
+++ b/wazuh/config/wazuh.runit.service
@@ -1,4 +1,5 @@
 #!/bin/sh
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
 tail -f /var/ossec/logs/ossec.log