paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-11-04 05:53:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Elastic 7-x Docker refactor (#257)

Browse Source
This commit is contained in:
AlfonsoRBJ
2019-10-01 13:10:01 +02:00
committed by Jesús Linares
parent 6d9595327d
commit d3220826fc
32 changed files with 793 additions and 501 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
docker-compose.yml
View File

@@ -39,26 +39,12 @@ services:
- "9200:9200"
environment:
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTICSEARCH_PROTOCOL=https
- ELASTICSEARCH_PROTOCOL=http
- ELASTICSEARCH_IP=elasticsearch
- ELASTICSEARCH_PORT=9200
- SECURITY_ENABLED=yes
- SECURITY_ADMIN_USER=wazuh_admin
- SECURITY_ADMIN_PASS=admin_pass
- SECURITY_ENABLED=no
- SECURITY_ELASTIC_PASSWORD=elastic_pass
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- SECURITY_LOGSTASH_USER=service_logstash
- SECURITY_LOGSTASH_PASS=logstash_pass
- SECURITY_CA_PASSPHRASE=ca_pass
- SECURITY_CERTIFICATE_DNS=elasticsearch
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
- SECURITY_CA_KEY=server.TEST-CA.key
- SECURITY_CA_TRUST=server.TEST-CA-signed.pem
- SECURITY_MAIN_NODE=elasticsearch
- SECURITY_OPENSSL_CONF=TEST_openssl.cnf
- SECURITY_MONITORING_USER=service_monitoring
- SECURITY_MONITORING_PASS=monitoring_pass
- ELASTIC_CLUSTER=true
- CLUSTER_NODE_MASTER=true
- CLUSTER_MASTER_NODE_NAME=elasticsearch

42
elasticsearch/Dockerfile
View File

@@ -1,7 +1,7 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG ELASTIC_VERSION=7.2.1
ARG ELASTIC_VERSION=7.3.2
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
ARG TEMPLATE_VERSION=v3.9.5
ARG TEMPLATE_VERSION=v3.10.2
ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
@@ -52,32 +52,36 @@ ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config
RUN yum install openssl -y && \
yum install unzip -y
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
RUN chmod +x ./load_settings.sh
RUN bin/elasticsearch-plugin install repository-s3 -b
COPY config/configure_s3.sh ./config/configure_s3.sh
RUN chmod 755 ./config/configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
RUN chmod +x /entrypoint-scripts/20-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
chmod +x /entrypoint-scripts/20-security_instances.sh && \
chmod +x /entrypoint-scripts/22-security_certs.sh && \
chmod +x /entrypoint-scripts/24-security_configuration.sh && \
chmod +x /entrypoint-scripts/26-security_keystore.sh && \
chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/35-entrypoint.sh && \
chmod +x ./35-entrypoint_load_settings.sh && \
chmod 755 ./config/35-load_settings_configure_s3.sh && \
chmod +x ./35-load_settings_users_management.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

11
elasticsearch/config/15-get_CA_key.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the CA key is encrypted, it must be decrypted for later use.
##############################################################################
echo "TO DO"
# TO DO

118
elasticsearch/config/20-config_secure.sh
View File

@@ -1,118 +0,0 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
##############################################################################
# Setup bootstrap password to chagne all Elastic Stack passwords.
# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Creating certificate."
pushd /usr/share/elasticsearch/config/
echo "Setting configuration options."
ELASTIC_HOSTNAME=`hostname`
POD_DNS="$ELASTIC_HOSTNAME.$NAMESPACE.pod.cluster.local"
SVC_DNS="elasticsearch.$NAMESPACE.svc.cluster.local"
# Create instances.yml for elasticsearch .p12 certificate and key
echo "
instances:
- name: \"elasticsearch\"
dns:
- \"$POD_DNS\"
- \"$SVC_DNS\"
" > instances.yml
cp instances.yml /usr/share/elasticsearch
# Change permissions and owner of ca
chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
# Genereate .p12 certificate and key
SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
/usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
mv /usr/share/elasticsearch/certs.zip /usr/share/elasticsearch/config/certs.zip
unzip certs.zip
rm certs.zip
# Change permissions and owner of certificates
chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
# Prepare directories for openssl
mkdir /root/ca
mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
chmod 700 /root/ca/private
touch /root/ca/index.txt
echo 1000 > /root/ca/serial
mkdir /root/ca/intermediate
mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
chmod 700 /root/ca/intermediate/private
touch /root/ca/intermediate/index.txt
echo 1000 > /root/ca/intermediate/serial
echo 1000 > /root/ca/intermediate/crlnumber
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
else
input=${SECURITY_CREDENTIALS_FILE}
CA_PASSPHRASE_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"CA_PASSPHRASE"* ]]; then
arrIN=(${line//:/ })
CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
fi
done < "$input"
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem
fi
chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
# remove CA key
rm $SECURITY_CA_KEY
popd
echo "Setting configuration options."
# Settings for elasticsearch.yml
echo "
# Required to set the passwords and TLS options
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
" >> $elastic_config_file
# Create keystore
/usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
fi

21
elasticsearch/config/20-security_instances.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# instances.yml
# This file is necessary for the creation of the Elasticsaerch certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Setting Elasticserach security."
# instance.yml to be added by the user.
# Example:
# echo "
# instances:
# - name: \"elasticsearch\"
# dns:
# - \"elasticsearch\"
# " > /user/share/elasticsearch/instances.yml
fi

16
elasticsearch/config/22-security_certs.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Creation and management of certificates.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security certificates."
# Creation of the certificate for Elasticsearch.
# After the execution of this script will have generated
# the Elasticsearch certificate and related keys and passphrase.
# Example: TO DO
fi

32
elasticsearch/config/24-security_configuration.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security configuration."
echo "SECURITY - Setting configuration options."
# Settings for elasticsearch.yml to be added by the user.
# Example:
# echo "
# # Required to set the passwords and TLS options
# xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# # HTTP layer
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.verification_mode: certificate
# xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# " >> /usr/share/elasticsearch/config/elasticsearch.yml
fi

21
elasticsearch/config/26-security_keystore.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach keystore management."
# Create keystore
# /usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore by the user.
# Example
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
else
echo "SECURITY - Elasticsearch security not established."
fi

15
elasticsearch/config/30-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

2
elasticsearch/config/30-entrypoint.sh → elasticsearch/config/35-entrypoint.sh
View File

@@ -43,7 +43,7 @@ fi
# Run load settings script.
bash /usr/share/elasticsearch/load_settings.sh &
bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
# Execute elasticsearch

201
elasticsearch/config/35-entrypoint_load_settings.sh Normal file
View File

@@ -0,0 +1,201 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url and Wazuh API url.
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
echo "LOAD SETTINGS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password and
# WAZUH API credentials.
##############################################################################
ELASTIC_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "LOAD SETTINGS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "LOAD SETTINGS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "LOAD SETTINGS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "LOAD SETTINGS - Elastic is up - executing command"
##############################################################################
# Configure S3 repository for Elasticsearch snapshots.
##############################################################################
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "S3 - Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3 - Path: $S3_PATH"
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "S3 - Elasticserach major version not given."
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Elastic Stack users creation.
# Only security main node can manage users.
##############################################################################
echo "LOAD SETTINGS - Run users_management.sh."
MY_HOSTNAME=`hostname`
echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
fi
##############################################################################
# Modify wazuh-alerts template shards and replicas
##############################################################################
echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
##############################################################################
# Load default templates
##############################################################################
echo "LOAD SETTINGS - Loading wazuh-alerts template."
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
sleep 5
##############################################################################
# Prepare Wazuh API credentials
##############################################################################
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
if [ "x$CONFIG_CODE" != "x200" ]; then
curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "LOAD SETTINGS - Wazuh APP already configured"
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
##############################################################################
# Set cluster delayed timeout when node falls
##############################################################################
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
echo "LOAD SETTINGS - cluster delayed timeout changed."
echo "LOAD SETTINGS - Elasticsearch is ready."

0
elasticsearch/config/configure_s3.sh → elasticsearch/config/35-load_settings_configure_s3.sh
View File

100
elasticsearch/config/35-load_settings_users_management.sh Normal file
View File

@@ -0,0 +1,100 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "USERS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "USERS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "USERS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "USERS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "USERS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "USERS - Elastic is up - executing command"
##############################################################################
# Setup passwords for Elastic Stack users.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "USERS - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
# { "indices": [ { "names": [ ".kibana*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"], "privileges": ["all"] }] }'
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user' -d '
# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"], "full_name" : "Custom User" }'
##############################################################################
# Remove credentials file.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "USERS - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
echo "USERS - Security credentials file removed."
fi

234
elasticsearch/config/load_settings.sh
View File

@@ -1,234 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
ELASTIC_PASS=""
KIBANA_USER=""
KIBANA_PASS=""
LOGSTASH_USER=""
LOGSTASH_PASS=""
ADMIN_USER=""
ADMIN_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
MONITORING_USER=""
MONITORING_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
ADMIN_USER=${SECURITY_ADMIN_USER}
ADMIN_PASS=${SECURITY_ADMIN_PASS}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
MONITORING_USER=${SECURITY_MONITORING_USER}
MONITORING_PASS=${SECURITY_MONITORING_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"ADMIN_USER"* ]]; then
arrIN=(${line//:/ })
ADMIN_USER=${arrIN[1]}
elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ADMIN_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
elif [[ $line == *"MONITORING_USER"* ]]; then
arrIN=(${line//:/ })
MONITORING_USER=${arrIN[1]}
elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
arrIN=(${line//:/ })
MONITORING_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl ${auth} -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "Elastic is up - executing command"
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3_PATH"
>&2 echo $S3_PATH
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "Elasticsearch major version:"
>&2 echo $S3_ELASTIC_MAJOR
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "Elasticserach major version not given"
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Setup passwords for Elastic Stack users
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
MY_HOSTNAME=`hostname`
echo "Hostname:"
echo $MY_HOSTNAME
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
echo "Setting up passwords for all Elastic Stack users"
echo "Setting remote monitoring password"
SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
>&2 echo "Unavailable password seeting- sleeping"
sleep 2
done
echo "Setting Kibana password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ], "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ], "privileges": ["read", "view_index_metadata"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER" -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"], "full_name" : "Service Internal Kibana User" }'
echo "Setting APM password"
SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
echo "Setting Beats password"
SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
echo "Setting Logstash password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"], "full_name" : "Service Internal Logstash User" }'
echo "Passwords established for all Elastic Stack users"
echo "Creating Admin user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"], "full_name" : "Wazuh admin" }'
echo "Admin user created"
echo "Setting monitoring user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ], "privileges": ["write","create_index","manage","read", "index"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"], "full_name" : "Service Internal Monitoring User" }'
fi
fi
# Modify wazuh-alerts template shards and replicas
sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
# Insert default templates
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
sleep 5
# Prepare Wazuh API credentials
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
if [ "x$CONFIG_CODE" != "x200" ]; then
curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
# Set cluster delayed timeout when node falls
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
# Remove credentials file.
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "Elasticsearch is ready."

26
kibana/Dockerfile
View File

@@ -1,7 +1,7 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:7.2.1
ARG ELASTIC_VERSION=7.2.1
ARG WAZUH_VERSION=3.9.5
FROM docker.elastic.co/kibana/kibana:7.3.2
ARG ELASTIC_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
USER root
@@ -21,8 +21,6 @@ ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
RUN yum install openssl -y
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
RUN mkdir /entrypoint-scripts
@@ -65,18 +63,22 @@ ARG XPACK_MONITORING="false"
ARG XPACK_APM="false"
ARG XPACK_MAPS="false"
ARG XPACK_UPTIME="false"
ARG XPACK_SIEM="false"
ARG CHANGE_WELCOME="true"
COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
RUN chmod +x ./kibana_settings.sh
COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_security_configuration.sh ./
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/20-entrypoint.sh && \
chmod +x ./20-entrypoint_kibana_settings.sh && \
chmod +x ./20-entrypoint_certs_management.sh && \
chmod +x ./20-entrypoint_security_configuration.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./

15
kibana/config/15-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

90
kibana/config/20-entrypoint.sh
View File

@@ -4,7 +4,7 @@
set -e
##############################################################################
# Waiting for elasticsearch
# Set Elasticsearch API url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -13,6 +13,13 @@ else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
##############################################################################
# If there are credentials for Kibana they are obtained.
##############################################################################
KIBANA_USER=""
KIBANA_PASS=""
@@ -34,6 +41,11 @@ else
fi
echo "ENTRYPOINT - Kibana credentials obtained."
##############################################################################
# Establish the way to run the curl command, with or without authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
@@ -43,18 +55,24 @@ else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - Kibana authentication established."
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl -XGET $el_url ${auth}; do
>&2 echo "Elastic is unavailable - sleeping"
>&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template
# Waiting for wazuh alerts template.
##############################################################################
strlen=0
@@ -63,71 +81,47 @@ while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
# We must create the ssl certificate.
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
# Create keystore
echo "ENTRYPOINT - Create Keystore."
/usr/share/kibana/bin/kibana-keystore create
echo "Setting security Kibana configuiration options."
echo "
# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
server.ssl.enabled: true
server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
server.ssl.supportedProtocols:
- TLSv1.1
- TLSv1.2
" >> /usr/share/kibana/config/kibana.yml
echo "Create SSL directories."
mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
CA_PATH="/usr/share/kibana/config"
echo "Creating SSL certificates."
pushd $CA_PATH
# chown kibana: $CA_PATH/$SECURITY_CA_PEM
# chmod 400 $CA_PATH/$SECURITY_CA_PEM
SECURITY_KEY_PASS=`openssl rand -base64 32`
openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
# chown -R kibana: $CA_PATH/ssl
chmod -R 770 $CA_PATH/ssl
chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
popd
echo "SSL certificates created."
# Add keys to keystore
echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
echo "ENTRYPOINT - Keystore created."
fi
##############################################################################
# Run more configuration scripts.
# If security is enabled set Kibana configuration.
# Create the ssl certificate.
##############################################################################
bash /usr/share/kibana/kibana_settings.sh &
if [[ $SECURITY_ENABLED == "yes" ]]; then
bash /usr/share/kibana/20-entrypoint_certs_management.sh
bash /usr/share/kibana/20-entrypoint_security_configuration.sh
fi
##############################################################################
# Run kibana_settings.sh script.
##############################################################################
bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
/usr/local/bin/kibana-docker

14
kibana/config/20-entrypoint_certs_management.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Kibana certs and keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CERTS_MANAGEMENT - Create certificates. TO DO."
# TO DO
fi

57
kibana/config/kibana_settings.sh → kibana/config/20-entrypoint_kibana_settings.sh
View File

@@ -22,6 +22,8 @@ if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
echo "SETTINGS - Update Elasticsearch host."
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [ "$KIBANA_INDEX" != "" ]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
@@ -39,7 +41,7 @@ if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
fi
##############################################################################
# Set url and credentials
# Get Kibana credentials
##############################################################################
if [ "$KIBANA_IP" != "" ]; then
@@ -69,6 +71,12 @@ else
fi
echo "SETTINGS - Kibana credentials obtained."
##############################################################################
# Set url authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
@@ -78,14 +86,26 @@ else
kibana_secure_ip="http://$kibana_ip"
fi
echo "SETTINGS - Kibana authentication established."
##############################################################################
# Waiting for Kibana.
##############################################################################
while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
echo "SETTINGS - Kibana API is running"
##############################################################################
# Prepare index selection.
echo "Kibana API is running"
##############################################################################
echo "SETTINGS - Prepare index selection."
default_index="/tmp/default_index.json"
@@ -98,20 +118,47 @@ cat > ${default_index} << EOF
EOF
sleep 5
##############################################################################
# Add the wazuh alerts index as default.
##############################################################################
echo "SETTINGS - Add the wazuh alerts index as default."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
##############################################################################
# Configuring Kibana TimePicker.
##############################################################################
echo "SETTINGS - Configuring Kibana TimePicker."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
# Do not ask user to help providing usage statistics to Elastic
##############################################################################
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
# Remove credentials file
##############################################################################
# Remove credentials file.
##############################################################################
echo "SETTINGS - Remove credentials file."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else

28
kibana/config/20-entrypoint_security_configuration.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Adapt kibana.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - Setting security Kibana configuiration options."
# Example:
# echo "
# # Elasticsearch from/to Kibana
# elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/CA.pem\"]
# server.ssl.enabled: true
# server.ssl.certificate: /usr/share/kibana/config/ssl/certs/cert.pem
# server.ssl.key: /usr/share/kibana/config/ssl/private/cert.key
# server.ssl.supportedProtocols:
# - TLSv1.1
# - TLSv1.2
# " >> /usr/share/kibana/config/kibana.yml
fi

16
kibana/config/welcome_wazuh.sh
View File

@@ -13,15 +13,17 @@ then
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/legacy/ui/public/chrome/directives/header_global_nav/header_global_nav.js
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
# Hide management undesired links
echo "Hide management undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
fi

2
kibana/config/xpack_config.sh
View File

@@ -14,6 +14,7 @@ then
[xpack.monitoring.enabled]=$XPACK_MONITORING
[xpack.maps.enabled]=$XPACK_MAPS
[xpack.uptime.enabled]=$XPACK_UPTIME
[xpack.siem.enabled]=$XPACK_SIEM
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
@@ -34,6 +35,7 @@ xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
xpack.maps.enabled: $XPACK_MAPS
xpack.uptime.enabled: $XPACK_UPTIME
xpack.siem.enabled: $XPACK_SIEM
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

12
logstash/Dockerfile
View File

@@ -1,6 +1,6 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG LOGSTASH_VERSION=7.2.1
ARG LOGSTASH_VERSION=7.3.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
@@ -32,8 +32,16 @@ RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else
RUN mkdir /entrypoint-scripts
RUN chmod -R 774 /entrypoint-scripts
RUN chown -R logstash:logstash /entrypoint-scripts
COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_pipeline.sh ./config/10-entrypoint_pipeline.sh
RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/10-entrypoint.sh && \
chmod +x ./config/10-entrypoint_configuration.sh && \
chmod +x ./config/10-entrypoint_pipeline.sh
USER logstash
ENTRYPOINT /entrypoint.sh

15
logstash/config/05-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

67
logstash/config/10-entrypoint.sh
View File

@@ -8,7 +8,7 @@
set -e
##############################################################################
# Waiting for elasticsearch
# Set elasticsearch url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
@@ -17,6 +17,12 @@ else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Elasticsearch url: $el_url"
##############################################################################
# Get Logstash credentials.
##############################################################################
LOGSTASH_USER=""
LOGSTASH_PASS=""
@@ -38,6 +44,12 @@ else
fi
echo "ENTRYPOINT - Logstash credentials obtained."
##############################################################################
# Set authentication for curl command.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
@@ -46,67 +58,58 @@ else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - curl authentication established"
##############################################################################
# Customize logstash output ip
# Customize logstash output ip.
##############################################################################
if [ "$LOGSTASH_OUTPUT" != "" ]; then
>&2 echo "Customize Logstash ouput ip."
>&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
fi
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl $auth -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping."
>&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Set Logstash password
##############################################################################
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
## Create secure keystore
SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
/usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
## Settings for logstash.yml
echo "
# Required set the passwords
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
" >> /usr/share/logstash/config/logstash.yml
bash /usr/share/logstash/config/10-entrypoint_configuration.sh
## Settings for 01-wazuh.conf
sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf
bash /usr/share/logstash/config/10-entrypoint_pipeline.sh
## Add keys to the keystore
echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
fi
@@ -120,28 +123,28 @@ while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Remove credentials file
##############################################################################
>&2 echo "Removing unnecessary files."
>&2 echo "ENTRYPOINT - Removing unnecessary files."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
>&2 echo "Unnecessary files removed."
>&2 echo "ENTRYPOINT - Unnecessary files removed."
##############################################################################
# Map environment variables to entries in logstash.yml.

27
logstash/config/10-entrypoint_configuration.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt logstash.yml configuration.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - TO DO"
# Settings for logstash.yml
# Example:
# echo "
# xpack.monitoring.enabled: true
# xpack.monitoring.elasticsearch.username: LOGSTASH_USER
# xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
# xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
# " >> /usr/share/logstash/config/logstash.yml
fi

21
logstash/config/10-entrypoint_pipeline.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt 01-wazuh.conf pipeline. Adapt pipeline if it is necessary.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "PIPELINE - TO DO"
# Settings for 01-wazuh.conf
# TO DO
fi

17
wazuh/Dockerfile
View File

@@ -2,14 +2,14 @@
FROM phusion/baseimage:latest
# Arguments
ARG FILEBEAT_VERSION=7.2.1
ARG WAZUH_VERSION=3.9.5-1
ARG FILEBEAT_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2-1
# Environment variables
ENV API_USER="foo" \
API_PASS="bar"
ARG TEMPLATE_VERSION="v3.9.5"
ARG TEMPLATE_VERSION="v3.10.2"
# Install packages
RUN set -x && \
@@ -92,10 +92,17 @@ VOLUME ["/var/lib/filebeat"]
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
RUN chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh
chmod 755 /entrypoint-scripts/01-wazuh.sh && \
chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
chmod 755 /entrypoint-scripts/10-backups.sh && \
chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
# Workaround.
# Issues: Wazuh-api

15
wazuh/config/00-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the API user to be created are encrypted,
# it must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - TO DO"
fi
# TO DO

14
wazuh/config/05-remove_credentials_file.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# Remove the credentials file for security reasons.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "CREDENTIALS - Security credentials file not used. Nothing to do."
else
echo "CREDENTIALS - Remove credentiasl file."
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi

10
wazuh/config/10-backups.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Enable Wazuh backups and store them in a repository.
##############################################################################
# TO DO
echo "BACKUPS - TO DO"

13
wazuh/config/20-ossec-configuration.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Change Wazuh manager configuration.
##############################################################################
# # Example:
# # Change remote protocol from udp to tcp
# PROTOCOL="tcp"
# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
# # It is necessary to restart the service in order to apply the new configuration.
# service wazuh-manager restart