From 5c7454270e8cd3d41c0cc9503c661b0fe489315f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Luis=20Ruiz=20Ruiz?=
Date: Mon, 25 Dec 2017 16:40:14 -0800
Subject: [PATCH] Upgrade to Wazuh 3.1.0 and Kibabna 6.1.0

---
 README.md | 2 +-
 docker-compose.yml | 4 +-
 kibana/Dockerfile | 2 +-
 kibana/config/wait-for-it.sh | 55 +-
 logstash/Dockerfile | 3 +-
 logstash/config/logstash.conf | 35 +-
 logstash/config/wazuh-elastic5-template.json | 620 -------------------
 wazuh/Dockerfile | 5 +-
 8 files changed, 59 insertions(+), 667 deletions(-)
 delete mode 100644 logstash/config/wazuh-elastic5-template.json

diff --git a/README.md b/README.md
index 546f9bc9..60f8e167 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 ## Current release
-Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.1.0 and Elastic Stack version 6.1.0. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 ## Installation notes
diff --git a/docker-compose.yml b/docker-compose.yml
index faea2709..57b26e17 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -37,7 +37,7 @@ services:
 - LS_HEAP_SIZE=2048m
 - XPACK_MONITORING_ENABLED=false
 elasticsearch:
- image: docker.elastic.co/elasticsearch/elasticsearch:5.6.4
+ image: docker.elastic.co/elasticsearch/elasticsearch:6.1.0
 hostname: elasticsearch
 restart: always
 ports:
@@ -78,7 +78,7 @@ services:
 - wazuh
 entrypoint: /wait-for-it.sh elasticsearch
 # environment:
-# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
+# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-3.1.0-6.1.0.zip"
 nginx:
 image: wazuh/wazuh-nginx
 hostname: nginx
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index 90b81d58..40032b80 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.elastic.co/kibana/kibana:5.6.4
+FROM docker.elastic.co/kibana/kibana:6.1.0
 USER root
diff --git a/kibana/config/wait-for-it.sh b/kibana/config/wait-for-it.sh
index 7fd776fc..83f64897 100644
--- a/kibana/config/wait-for-it.sh
+++ b/kibana/config/wait-for-it.sh
@@ -5,7 +5,7 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.1_5.6.4.zip}
+WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-3.1.0_6.1.0.zip}
 until curl -XGET $host:9200; do
 >&2 echo "Elastic is unavailable - sleeping"
@@ -14,6 +14,18 @@ done
 >&2 echo "Elastic is up - executing command"
+#Insert default templates
+curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
+sleep 5
+
+curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
+
+#Insert sample alert:
+sleep 5
+curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://elasticsearch:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
+sleep 5
+
+
 if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
 echo "Wazuh APP already installed"
 else
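Review bot: The three added template/sample pipelines fail open: the script runs under `set -e` but without `pipefail`, and the fetching `curl` has no `-f`, so an unreachable or 404 GitHub URL still exits 0 and the second `curl` PUTs the error body (or nothing) into `_template/wazuh`, leaving Elasticsearch with a wrong or missing mapping while startup continues. Add `set -o pipefail` next to the existing `set -e` at the top of the script (outside this hunk) and fetch with `curl -fsSL <url> | curl -fsS -XPUT ... -d @-` so a failed download or a rejected PUT aborts instead of being masked. The templates are also pulled from the mutable `3.0` branch on every container start while the rest of the commit targets 3.1.0; pinning the URLs to a release tag or commit would make the mappings reproducible and match `WAZUH_KIBANA_PLUGIN_URL`, which is already versioned and overridable. The backtick substitution in the sample-alert URL would read more consistently as `"$(date +%Y.%m.%d)"`.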
@@ -22,31 +34,30 @@ fi
 sleep 30
-echo "Configuring defaultIndex to wazuh-alerts-*"
-
-curl -s -XPUT http://$host:9200/.kibana/config/5.6.4 -H 'Content-Type: application/json' -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
-
 echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
- curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
- {
- "api_user": "foo",
- "api_password": "YmFy",
- "url": "https://wazuh",
- "api_port": "55000",
- "insecure": "true",
- "component": "API",
- "active": "true",
- "manager": "wazuh-manager",
- "extensions": {
- "oscap": true,
- "audit": true,
- "pci": true
+ curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+ {
+ "api_user": "foo",
+ "api_password": "YmFy",
+ "url": "https://wazuh",
+ "api_port": "55000",
+ "insecure": "true",
+ "component": "API",
+ "cluster_info": {
+ "manager": "wazuh-manager",
+ "cluster": "Disabled",
+ "status": "disabled"
+ },
+ "extensions": {
+ "oscap": true,
+ "audit": true,
+ "pci": true
+ }
 }
- }
- ' > /dev/null
+ ' > /dev/null
 else
 echo "Wazuh APP already configured"
 fi
diff --git a/logstash/Dockerfile b/logstash/Dockerfile
index 6510c2ae..14cfea2d 100644
--- a/logstash/Dockerfile
+++ b/logstash/Dockerfile
@@ -1,4 +1,3 @@
-FROM docker.elastic.co/logstash/logstash:5.6.4
+FROM docker.elastic.co/logstash/logstash:6.1.0
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
-COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
diff --git a/logstash/config/logstash.conf b/logstash/config/logstash.conf
index cbbbf920..ed998448 100644
--- a/logstash/config/logstash.conf
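Review bot: `1513629884013` is now the document id in both the `CONFIG_CODE` existence check and the `POST`, with nothing explaining what it is; a comment such as `# Fixed id the Wazuh app expects for its API configuration document` (the value looks like an epoch-millis timestamp, so confirm the intent before writing that) plus a single `CONFIG_ID=1513629884013` used in both URLs would stop the two from drifting apart. The re-added body still registers the API with the hard-coded `foo`/`YmFy` credentials and `"insecure": "true"`, which presumably disables certificate verification toward the manager, so every deployment built from this image starts with a known default login; reading these from the environment with the same `${VAR:-default}` pattern already used for `WAZUH_KIBANA_PLUGIN_URL` would let operators change them without rebuilding the image. The rewrite also dropped the old body's `"active": "true"` field; whether the 3.x app still reads it cannot be told from this hunk and is worth confirming.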
+++ b/logstash/config/logstash.conf
@@ -4,22 +4,26 @@ input {
 beats {
 port => 5000
 codec => "json_lines"
-# ssl => true
-# ssl_certificate => "/etc/logstash/logstash.crt"
-# ssl_key => "/etc/logstash/logstash.key"
+# ssl => true
+# ssl_certificate => "/etc/logstash/logstash.crt"
+# ssl_key => "/etc/logstash/logstash.key"
+ }
+}
+filter {
+ if [data][srcip] {
+ mutate {
+ add_field => [ "@src_ip", "%{[data][srcip]}" ]
+ }
+ }
+ if [data][aws][sourceIPAddress] {
+ mutate {
+ add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
+ }
 }
 }
-## Local Wazuh Manager - JSON file input
-#input {
-# file {
-# type => "wazuh-alerts"
-# path => "/var/ossec/logs/alerts/alerts.json"
-# codec => "json"
-# }
-#}
 filter {
 geoip {
- source => "srcip"
+ source => "@src_ip"
 target => "GeoLocation"
 fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
 }
@@ -28,16 +32,13 @@ filter {
 target => "@timestamp"
 }
 mutate {
- remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
+ remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
 }
 }
 output {
 elasticsearch {
 hosts => ["elasticsearch:9200"]
- index => "wazuh-alerts-%{+YYYY.MM.dd}"
+ index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
 document_type => "wazuh"
- template => "/etc/logstash/wazuh-elastic5-template.json"
- template_name => "wazuh"
- template_overwrite => true
 }
 }
diff --git a/logstash/config/wazuh-elastic5-template.json b/logstash/config/wazuh-elastic5-template.json
deleted file mode 100644
index 2ec715f2..00000000
--- a/logstash/config/wazuh-elastic5-template.json
+++ /dev/null
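Review bot: The two `if` blocks in the new `filter` are independent, so an event carrying both `[data][srcip]` and `[data][aws][sourceIPAddress]` gets two `add_field` calls and `@src_ip` becomes an array, which the following `geoip` `source => "@src_ip"` is unlikely to resolve as intended; chaining the second test as `} else if [data][aws][sourceIPAddress] {` yields a single value with an explicit precedence. The `add_field => [ "@src_ip", "..." ]` array form is the legacy spelling; the hash form `add_field => { "@src_ip" => "%{[data][srcip]}" }` is the documented one and makes the key/value pairing obvious. Having two separate `filter { }` blocks back to back also reads oddly when the second already exists directly below; folding the new conditionals into the existing `filter` would keep the pipeline in one place.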
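Review bot: Dropping `template`, `template_name` and `template_overwrite` from the `elasticsearch` output leaves Logstash writing `wazuh-alerts-3.x-%{+YYYY.MM.dd}` with no mapping of its own; the template is now PUT to `_template/wazuh` by the Kibana container's `wait-for-it.sh`, which does so only after waiting for Elasticsearch and several `sleep`s, so Logstash can plausibly create the first daily index with dynamic mappings before the template exists, and an already-created index will not pick it up retroactively. If that ordering is not guaranteed elsewhere in the compose setup, either keep a template on the Logstash side or gate Logstash startup on the template being present. The new `remove_field` list also no longer strips `fields`; if that is intentional (e.g. Filebeat 6 no longer adds it), a short comment on the `mutate` such as `# "fields" no longer emitted by Filebeat 6 — TODO confirm` would make it explicit rather than look like an accidental drop.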
@@ -1,620 +0,0 @@ -{ - "order": 0, - "template": "wazuh*", - "settings": { - "index.refresh_interval": "5s" - }, - "mappings": { - "wazuh": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword", - "doc_values": "true" - } - } - } - ], - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "dstuser": { - "type": "keyword", - "doc_values": "true" - }, - "AlertsFile": { - "type": "keyword", - "doc_values": "true" - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword", - "doc_values": "true" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword", - "doc_values": "true" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword", - "doc_values": "true" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword", - "doc_values": "true" - }, - "region_name": { - "type": "keyword", - "doc_values": "true" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword", - "doc_values": "true" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword", - "doc_values": "true" - }, - "sha1_before": { - "type": "keyword", - 
"doc_values": "true" - }, - "sha1_after": { - "type": "keyword", - "doc_values": "true" - }, - "uid_before": { - "type": "keyword", - "doc_values": "true" - }, - "uid_after": { - "type": "keyword", - "doc_values": "true" - }, - "gid_before": { - "type": "keyword", - "doc_values": "true" - }, - "gid_after": { - "type": "keyword", - "doc_values": "true" - }, - "perm_before": { - "type": "keyword", - "doc_values": "true" - }, - "perm_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_after": { - "type": "keyword", - "doc_values": "true" - }, - "md5_before": { - "type": "keyword", - "doc_values": "true" - }, - "gname_after": { - "type": "keyword", - "doc_values": "true" - }, - "gname_before": { - "type": "keyword", - "doc_values": "true" - }, - "inode_after": { - "type": "keyword", - "doc_values": "true" - }, - "inode_before": { - "type": "keyword", - "doc_values": "true" - }, - "mtime_after": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "mtime_before": { - "type": "date", - "format": "dateOptionalTime", - "doc_values": "true" - }, - "uname_after": { - "type": "keyword", - "doc_values": "true" - }, - "uname_before": { - "type": "keyword", - "doc_values": "true" - }, - "size_before": { - "type": "long", - "doc_values": "true" - }, - "size_after": { - "type": "long", - "doc_values": "true" - }, - "diff": { - "type": "keyword", - "doc_values": "true" - }, - "event": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "location": { - "type": "keyword", - "doc_values": "true" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword", - "doc_values": "true" - }, - "groups": { - "type": "keyword", - "doc_values": "true" - }, - "level": { - "type": "long", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "cve": { - "type": "keyword", - "doc_values": "true" - }, - "info": { - "type": 
"keyword", - "doc_values": "true" - }, - "frequency": { - "type": "long", - "doc_values": "true" - }, - "firedtimes": { - "type": "long", - "doc_values": "true" - }, - "cis": { - "type": "keyword", - "doc_values": "true" - }, - "pci_dss": { - "type": "keyword", - "doc_values": "true" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword", - "doc_values": "true" - }, - "name": { - "type": "keyword", - "doc_values": "true" - }, - "ftscomment": { - "type": "keyword", - "doc_values": "true" - }, - "fts": { - "type": "long", - "doc_values": "true" - }, - "accumulate": { - "type": "long", - "doc_values": "true" - } - } - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "protocol": { - "type": "keyword", - "doc_values": "true" - }, - "action": { - "type": "keyword", - "doc_values": "true" - }, - "dstip": { - "type": "keyword", - "doc_values": "true" - }, - "dstport": { - "type": "keyword", - "doc_values": "true" - }, - "srcuser": { - "type": "keyword", - "doc_values": "true" - }, - "program_name": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "status": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "url": { - "type": "keyword", - "doc_values": "true" - }, - "data": { - "type": "keyword", - "doc_values": "true" - }, - "system_name": { - "type": "keyword", - "doc_values": "true" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword", - "doc_values": "true" - }, - "oscap": { - "properties": { - "check.title": { - "type": "keyword", - "doc_values": "true" - }, - "check.id": { - "type": "keyword", - "doc_values": "true" - }, - "check.result": { - "type": "keyword", - "doc_values": "true" - }, - "check.severity": { - "type": "keyword", - "doc_values": "true" - }, - "check.description": { - "type": "text" - }, - "check.rationale": { - "type": "text" - }, - "check.references": { - 
"type": "text" - }, - "check.identifiers": { - "type": "text" - }, - "check.oval.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.content": { - "type": "keyword", - "doc_values": "true" - }, - "scan.benchmark.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.title": { - "type": "keyword", - "doc_values": "true" - }, - "scan.profile.id": { - "type": "keyword", - "doc_values": "true" - }, - "scan.score": { - "type": "double", - "doc_values": "true" - }, - "scan.return_code": { - "type": "long", - "doc_values": "true" - } - } - }, - "audit": { - "properties": { - "type": { - "type": "keyword", - "doc_values": "true" - }, - "id": { - "type": "keyword", - "doc_values": "true" - }, - "syscall": { - "type": "keyword", - "doc_values": "true" - }, - "exit": { - "type": "keyword", - "doc_values": "true" - }, - "ppid": { - "type": "keyword", - "doc_values": "true" - }, - "pid": { - "type": "keyword", - "doc_values": "true" - }, - "auid": { - "type": "keyword", - "doc_values": "true" - }, - "uid": { - "type": "keyword", - "doc_values": "true" - }, - "gid": { - "type": "keyword", - "doc_values": "true" - }, - "euid": { - "type": "keyword", - "doc_values": "true" - }, - "suid": { - "type": "keyword", - "doc_values": "true" - }, - "fsuid": { - "type": "keyword", - "doc_values": "true" - }, - "egid": { - "type": "keyword", - "doc_values": "true" - }, - "sgid": { - "type": "keyword", - "doc_values": "true" - }, - "fsgid": { - "type": "keyword", - "doc_values": "true" - }, - "tty": { - "type": "keyword", - "doc_values": "true" - }, - "session": { - "type": "keyword", - "doc_values": "true" - }, - "command": { - "type": "keyword", - "doc_values": "true" - }, - "exe": { - "type": "keyword", - "doc_values": "true" - }, - "key": { - "type": "keyword", - "doc_values": "true" - }, - "cwd": { - "type": "keyword", - "doc_values": "true" - }, - "directory.name": { - "type": "keyword", - 
"doc_values": "true" - }, - "directory.inode": { - "type": "keyword", - "doc_values": "true" - }, - "directory.mode": { - "type": "keyword", - "doc_values": "true" - }, - "file.name": { - "type": "keyword", - "doc_values": "true" - }, - "file.inode": { - "type": "keyword", - "doc_values": "true" - }, - "file.mode": { - "type": "keyword", - "doc_values": "true" - }, - "acct": { - "type": "keyword", - "doc_values": "true" - }, - "dev": { - "type": "keyword", - "doc_values": "true" - }, - "enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "list": { - "type": "keyword", - "doc_values": "true" - }, - "old-auid": { - "type": "keyword", - "doc_values": "true" - }, - "old-ses": { - "type": "keyword", - "doc_values": "true" - }, - "old_enforcing": { - "type": "keyword", - "doc_values": "true" - }, - "old_prom": { - "type": "keyword", - "doc_values": "true" - }, - "op": { - "type": "keyword", - "doc_values": "true" - }, - "prom": { - "type": "keyword", - "doc_values": "true" - }, - "res": { - "type": "keyword", - "doc_values": "true" - }, - "srcip": { - "type": "keyword", - "doc_values": "true" - }, - "subj": { - "type": "keyword", - "doc_values": "true" - }, - "success": { - "type": "keyword", - "doc_values": "true" - } - } - } - } - }, - "agent": { - "properties": { - "@timestamp": { - "type": "date", - "format": "dateOptionalTime" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - } - } -} diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index b6de3168..39610a62 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -1,5 +1,5 @@ FROM phusion/baseimage:latest -ARG FILEBEAT_VERSION=5.6.4 +ARG FILEBEAT_VERSION=6.1.0 RUN apt-get update; apt-get -y dist-upgrade RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release 
@@ -8,11 +8,12 @@ RUN useradd -u 1000 -g 1000 ossec
 RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
 apt-get install -y nodejs
 RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-RUN echo "deb https://packages.wazuh.com/apt $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/wazuh.list
+RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
 RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
+
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
 sync && /init.bash &&\