diff --git a/docker-compose.yml b/docker-compose.yml
index 3bac019c..e537c5f5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -23,21 +23,24 @@ services:
 - ossec_wodles:/var/ossec/wodles
 - filebeat_etc:/etc/filebeat
 - filebeat_var:/var/lib/filebeat
+
 elasticsearch:
- build: elasticsearch
+ image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1
 hostname: elasticsearch
 restart: always
 ports:
 - "9200:9200"
 environment:
 - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- - ELASTIC_CLUSTER=true
- - CLUSTER_NODE_MASTER=true
- - CLUSTER_MASTER_NODE_NAME=es01
+ - bootstrap.memory_lock=true
+ - discovery.type=single-node
 ulimits:
 memlock:
 soft: -1
 hard: -1
+ volumes:
+ - ./elastic_conf/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+
 kibana:
 build: kibana
 hostname: kibana
@@ -47,6 +50,7 @@ services:
 links:
 - elasticsearch:elasticsearch
 - wazuh:wazuh
+
 nginx:
 image: nginx:stable
 hostname: nginx
diff --git a/elastic_conf/elasticsearch.yml b/elastic_conf/elasticsearch.yml
new file mode 100644
index 00000000..a7b1d6a5
--- /dev/null
+++ b/elastic_conf/elasticsearch.yml
@@ -0,0 +1,3 @@
+cluster.name: wazuh-elastic
+network.host: 0.0.0.0
+
diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile
deleted file mode 100644
index 13656b2d..00000000
--- a/elasticsearch/Dockerfile
+++ /dev/null
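Review bot: After the swap from `build: elasticsearch` to the stock `docker.elastic.co/elasticsearch/elasticsearch:7.7.1` image, the service still publishes `- "9200:9200"` on every host interface while nothing in the new `environment` entries or in the mounted `elastic_conf/elasticsearch.yml` (`cluster.name`, `network.host: 0.0.0.0`) enables `xpack.security`, so the host exposes an unauthenticated Elasticsearch; the deleted `load_settings.sh` at least honoured `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` when `ENABLED_XPACK` was set, and nothing in the new compose file references them. Kibana and `wazuh` reach Elasticsearch over the compose network, so the `ports` entry can be removed, or restricted to loopback with `- "127.0.0.1:9200:9200"` when administrative access from the host is wanted. It is also worth recording in the commit description that dropping the custom image drops the `xpack.monitoring.collection.enabled` and `index.unassigned.node_left.delayed_timeout` settings that `load_settings.sh` used to apply, since nothing visible in this diff reapplies them.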
@@ -1,54 +0,0 @@
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-ARG ELASTIC_VERSION=7.6.2
-FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
-ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip"
-
-ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
-
-ENV ALERTS_SHARDS="1" \
- ALERTS_REPLICAS="0"
-
-ENV API_USER="foo" \
- API_PASS="bar"
-
-ENV XPACK_ML="true"
-
-ENV ENABLE_CONFIGURE_S3="false"
-
-ARG TEMPLATE_VERSION=v3.12.2
-
-# Elasticearch cluster configuration environment variables
-# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
-# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
-ENV ELASTIC_CLUSTER="false" \
- CLUSTER_NAME="wazuh" \
- CLUSTER_NODE_MASTER="false" \
- CLUSTER_NODE_DATA="true" \
- CLUSTER_NODE_INGEST="true" \
- CLUSTER_NODE_NAME="wazuh-elasticsearch" \
- CLUSTER_MASTER_NODE_NAME="master-node" \
- CLUSTER_MEMORY_LOCK="true" \
- CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
- CLUSTER_NUMBER_OF_MASTERS="2" \
- CLUSTER_MAX_NODES="1" \
- CLUSTER_DELAYED_TIMEOUT="1m" \
- CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
-
-COPY config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
-
-RUN chmod +x ./load_settings.sh
-
-RUN ${bin/elasticsearch-plugin install --batch S3_PLUGIN_URL}
-
-COPY config/configure_s3.sh ./config/configure_s3.sh
-RUN chmod 755 ./config/configure_s3.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
-RUN chmod +x ./config_cluster.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["elasticsearch"]
diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/config_cluster.sh
deleted file mode 100644
index e58b423c..00000000
--- a/elasticsearch/config/config_cluster.sh
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-remove_single_node_conf(){
- if grep -Fq "discovery.type" $1; then
- sed -i '/discovery.type\: /d' $1
- fi
-}
-
-remove_cluster_config(){
- sed -i '/# cluster node/,/# end cluster config/d' $1
-}
-
-# If Elasticsearch cluster is enabled, then set up the elasticsearch.yml
-if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
- # Remove the old configuration
- remove_single_node_conf $elastic_config_file
- remove_cluster_config $elastic_config_file
-
-if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
-# Add the master configuration
-# cluster.initial_master_nodes for bootstrap the cluster
-cat > $elastic_config_file << EOF
-# cluster node
-network.host: 0.0.0.0
-node.name: $CLUSTER_MASTER_NODE_NAME
-node.master: $CLUSTER_NODE_MASTER
-cluster.initial_master_nodes:
- - $CLUSTER_MASTER_NODE_NAME
-# end cluster config"
-EOF
-
-elif [[ $CLUSTER_NODE_NAME != "" ]];then
-# Remove the old configuration
-remove_single_node_conf $elastic_config_file
-remove_cluster_config $elastic_config_file
-
-cat > $elastic_config_file << EOF
-# cluster node
-network.host: 0.0.0.0
-node.name: $CLUSTER_NODE_NAME
-node.master: false
-discovery.seed_hosts:
- - $CLUSTER_MASTER_NODE_NAME
- - $CLUSTER_NODE_NAME
-# end cluster config"
-EOF
-fi
-# If the cluster is disabled, then set a single-node configuration
-else
- # Remove the old configuration
- remove_single_node_conf $elastic_config_file
- remove_cluster_config $elastic_config_file
- echo "discovery.type: single-node" >> $elastic_config_file
-fi
diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh
deleted file mode 100644
index 010236ce..00000000
--- a/elasticsearch/config/configure_s3.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-set -e
-
-# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
-# param 1: number of arguments passed to configure_s3.sh
-
-function CheckArgs()
-{
- if [ $1 != 4 ] && [ $1 != 5 ];then
- echo "Use: configure_s3.sh (By default is added to the path and the repository name)"
- echo "or use: configure_s3.sh "
- exit 1
-
- fi
-}
-
-# Create S3 repository from base_path / (if there is no argument, current version is added)
-# Repository name would be - (if there is no argument, current version is added)
-# param 1:
-# param 2:
-# param 3:
-# param 4:
-# param 5: Optional
-# output: It will show "acknowledged" if the repository has been successfully created
-
-function CreateRepo()
-{
-
- elastic_ip_port="$2"
- bucket_name="$3"
- path="$4"
- repository_name="$5"
-
- if [ $1 == 5 ];then
- version="$6"
- else
- version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
- fi
-
- if ! [[ "$version" =~ ^[0-9]+$ ]];then
- echo "Elasticsearch major version must be an integer"
- exit 1
- fi
-
- repository="$repository_name-$version"
- s3_path="$path/$version"
-
- curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
- {
- "type": "s3",
- "settings": {
- "bucket": "'$bucket_name'",
- "base_path": "'$s3_path'"
- }
- }
- '
-
-}
-
-# Run functions CheckArgs and CreateRepo
-# param 1: number of arguments passed to configure_s3.sh
-# param 2:
-# param 3:
-# param 4:
-# param 5:
-# param 6: Optional
-
-function Main()
-{
- CheckArgs $1
-
- CreateRepo $1 $2 $3 $4 $5 $6
-}
-
-Main $# $1 $2 $3 $4 $5
diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh
deleted file mode 100644
index cfeb7705..00000000
--- a/elasticsearch/config/entrypoint.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
-
-set -e
-
-# Files created by Elasticsearch should always be group writable too
-umask 0002
-
-run_as_other_user_if_needed() {
- if [[ "$(id -u)" == "0" ]]; then
- # If running as root, drop to specified UID and run command
- exec chroot --userspec=1000 / "${@}"
- else
- # Either we are running in Openshift with random uid and are a member of the root group
- # or with a custom --user
- exec "${@}"
- fi
-}
-
-
-#Disabling xpack features
-
-elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-if grep -Fq "#xpack features" "$elasticsearch_config_file";
-then
- declare -A CONFIG_MAP=(
- [xpack.ml.enabled]=$XPACK_ML
- )
- for i in "${!CONFIG_MAP[@]}"
- do
- if [ "${CONFIG_MAP[$i]}" != "" ]; then
- sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
- fi
- done
-else
- echo "
-#xpack features
-xpack.ml.enabled: $XPACK_ML
- " >> $elasticsearch_config_file
-fi
-
-# Run load settings script.
-
-./config_cluster.sh
-
-./load_settings.sh &
-
-# Execute elasticsearch
-
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch
diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh
deleted file mode 100644
index 2754b84f..00000000
--- a/elasticsearch/config/load_settings.sh
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-set -e
-
-el_url=${ELASTICSEARCH_URL}
-
-if [ "x${WAZUH_API_URL}" = "x" ]; then
- wazuh_url="https://wazuh"
-else
- wazuh_url="${WAZUH_API_URL}"
-fi
-
-if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
- auth=""
-else
- auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl ${auth} -XGET $el_url; do
- >&2 echo "Elastic is unavailable - sleeping"
- sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-if [ $ENABLE_CONFIGURE_S3 ]; then
- #Wait for Elasticsearch to be ready to create the repository
- sleep 10
- IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-
- if [ "x$S3_PATH" != "x" ]; then
-
- if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
- ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
-
- else
- ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
-
- fi
-
- fi
-
-fi
-
-#Insert default templates
-
-API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
-
-if [ "x$CONFIG_CODE" != "x200" ]; then
- curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
- {
- "api_user": "'"$API_USER_Q"'",
- "api_password": "'"$API_PASSWORD"'",
- "url": "'"$wazuh_url"'",
- "api_port": "55000",
- "insecure": "true",
- "component": "API",
- "cluster_info": {
- "manager": "wazuh-manager",
- "cluster": "Disabled",
- "status": "disabled"
- },
- "extensions": {
- "oscap": true,
- "audit": true,
- "pci": true,
- "aws": true,
- "virustotal": true,
- "gdpr": true,
- "ciscat": true
- }
- }
- ' > /dev/null
-else
- echo "Wazuh APP already configured"
-fi
-sleep 5
-
-curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
-{
- "persistent": {
- "xpack.monitoring.collection.enabled": true
- }
-}
-'
-
-# Set cluster delayed timeout when node falls
-curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
-{
- "settings": {
- "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
- }
-}
-'
-
-
-echo "Elasticsearch is ready."
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index 5e7c2f58..38bfdded 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,8 +1,8 @@
 # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:7.6.2
+FROM docker.elastic.co/kibana/kibana:7.7.1
 USER kibana
-ARG ELASTIC_VERSION=7.6.2
-ARG WAZUH_VERSION=3.12.2
+ARG ELASTIC_VERSION=7.7.1
+ARG WAZUH_VERSION=3.12.3
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 WORKDIR /usr/share/kibana
diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh
index adb968e0..2e53037d 100644
--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -44,7 +44,12 @@ else
 kibana_ip="kibana"
 fi
-while [[ "$(curl -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+ curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
+
+while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
 echo "Waiting for Kibana API. Sleeping 5 seconds"
 sleep 5
 done
diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/wazuh_app_config.sh
index ea09b23d..cae2dcef 100644
--- a/kibana/config/wazuh_app_config.sh
+++ b/kibana/config/wazuh_app_config.sh
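Review bot: `curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"` combined with the unquoted `$curl_auth` in the `while` condition relies on word splitting, so a password containing whitespace or glob characters is split or expanded into extra curl arguments, and the `-u user:pass` pair sits on curl's argv where it is readable through `ps` or `/proc/*/cmdline` by any other process in the container for as long as the probe runs. A bash array keeps the splitting well-defined: `curl_auth=()` before the `if`, `curl_auth=(-u "$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD")` inside it, and `curl "${curl_auth[@]}" -XGET …` in the loop. To keep the secret off the command line altogether, curl can take it from a config read on stdin (`curl -K - <<<"user = \"$ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD\""`) or from a `--netrc-file`. The rest of the script, including where `ELASTICSEARCH_USERNAME` is expected to come from, lies outside the hunk.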
@@ -6,7 +6,9 @@ wazuh_port="${API_PORT:-55000}"
 api_user="${API_USER:-foo}"
 api_password="${API_PASS:-bar}"
-kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml"
+kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
+mkdir -p /usr/share/kibana/optimize/wazuh/config/
+touch $kibana_config_file
 declare -A CONFIG_MAP=(
 [pattern]=$PATTERN
@@ -53,7 +55,8 @@ grep -q 1513629884013 $kibana_config_file
 _config_exists=$?
 if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
-cat << EOF >> $kibana_config_file
+cat << EOF > $kibana_config_file
+hosts:
 - 1513629884013:
 url: $wazuh_url
 port: $wazuh_port
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile
index c1d7fa89..d21c43c4 100644
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -1,9 +1,9 @@
 # Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 FROM centos:7
-ARG FILEBEAT_VERSION=7.6.2
-ARG WAZUH_VERSION=3.12.2-1
-ARG TEMPLATE_VERSION="v3.12.2"
+ARG FILEBEAT_VERSION=7.7.1
+ARG WAZUH_VERSION=3.12.3-1
+ARG TEMPLATE_VERSION="v3.12.3"
 ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
 ENV API_USER="foo" \
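Review bot: `touch $kibana_config_file` creates `/usr/share/kibana/optimize/wazuh/config/wazuh.yml` with whatever the process umask allows (commonly world-readable), and this file is where the script writes the Wazuh API host entry, presumably including the `api_user`/`api_password` values read in the context lines just above (the heredoc in the second hunk continues past the `port:` line, outside the hunk), so any account in the container could read the API credential. Create the file with a restrictive mode instead, e.g. `install -m 600 /dev/null "$kibana_config_file"` in place of the `touch`, and derive the directory from the same variable, `mkdir -p "$(dirname "$kibana_config_file")"`, so the two hard-coded copies of the path cannot drift apart.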
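Review bot: Changing `cat << EOF >> $kibana_config_file` to `cat << EOF > $kibana_config_file` truncates wazuh.yml at the point the `hosts:` entry is written, so if the `CONFIG_MAP` loop declared above (its body is outside the hunk) has already put keys such as `pattern` into the file, they are discarded, and the `grep -q 1513629884013` guard in the context only protects an existing host entry, not those other keys. If `hosts:` has to be the first key in the new format, write this block before the other settings and let them append after it, or keep `>>` and emit the key only when it is missing: `grep -q '^hosts:' "$kibana_config_file" || echo 'hosts:' >> "$kibana_config_file"`. The heredoc body continues past the hunk, so whether later lines rely on the file having been emptied cannot be checked here.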