Compare commits

...

24 Commits

Author SHA1 Message Date
José Luis Ruiz
7da29fa6a9 Merge pull request #35 from FloThinksPi/master
docker-compose fix SELinux and NGINX
2018-02-07 19:06:07 +01:00
Florian Braun
ca1a1bd883 Added Proxy vars to kibana
Kibana needs to download a file when deployed. So there sould be a proxy variable as recommendation that this is what one need in the case of a proxy usage.
2018-02-07 18:22:14 +01:00
Florian Braun
d8fe59901a Added Persistent Volume for NGINX
Nginx should also have a persistent option, so that the .htaccess file gets saved correctly.
It also enables the file to be easily edited because the nginx container has no vi or nano.
2018-02-07 18:20:32 +01:00
Florian Braun
3cae6fe61d Automatically set SELinux
Fixes SELinux issues. Docker-Compose can do this on the fly https://github.com/docker/compose/issues/643
2018-02-07 18:18:58 +01:00
José Luis Ruiz Ruiz
a26f119c73 Upgrade containters to 3.1.0_6.1.2 2018-01-30 17:08:18 +01:00
José Luis Ruiz Ruiz
3d813cb2fe Upgrade containters to 3.1.0_6.1.1 2018-01-07 18:50:37 +01:00
José Luis Ruiz Ruiz
5c7454270e Upgrade to Wazuh 3.1.0 and Kibabna 6.1.0 2017-12-25 16:40:14 -08:00
Santiago Bassett
b8ef822f85 Added badges 2017-12-11 21:49:47 -08:00
José Luis Ruiz
e341391201 Merge pull request #29 from wazuh/2.1.1_5.6.4-remove-old-repo
Remove old Centos repo
2017-11-28 11:25:23 +01:00
Elías Méndez García
c42898e862 Remove old Centos repo 2017-11-28 11:22:15 +01:00
José Luis Ruiz
2663de28a6 Merge pull request #28 from wazuh/dev
Enhancements and fixes
2017-11-24 16:21:46 +01:00
Miguelangel Freitas
d1adafdcde Enabling ossec-authd by default. 2017-11-24 10:07:34 -05:00
Miguelangel Freitas
a866f41ecf Using phusion/baseimage for Wazuh manager, closes #19 2017-11-21 22:12:27 -05:00
Miguelangel Freitas
97a042cfcd Refactoring to new Elastic Stack versions. 2017-11-19 22:42:36 -05:00
Miguelangel Freitas
845398d7c7 Nginx start script path changed 2017-09-26 21:56:41 -04:00
Miguelangel Freitas
6e6912c380 Using Wazuh v2.1.0 2017-09-25 18:50:15 -04:00
Miguelangel Freitas
a2ba029918 Setting wazuh-nginx image 2017-09-25 18:50:02 -04:00
Miguelangel Freitas
160bf4bbe9 Adding Nginx container
* Setting Nginx with SSL and basic auth, closes #20
* Set Content-Type on Kibana API config.
2017-09-24 14:08:02 -04:00
Miguelangel Freitas
a70c127228 Set defaultIndex and API creeds for Kibana, closes #17 2017-09-12 18:28:41 -05:00
Miguelangel Freitas
c2213165f2 Quiet logging for Kibana 2017-09-12 11:14:28 -05:00
José Luis Ruiz
d0565d913a Elastic to version 5.5.2 2017-08-24 14:37:31 -04:00
José Luis Ruiz
d1cb67a822 Upgrade Wazuh version to 2.1.0 2017-08-17 18:46:27 -04:00
Jose Luis
e69d9d0efc Merge pull request #14 from peteralcock/patch-2
Fix ES hostname resolution for kibana/logstash
2017-08-17 15:03:42 -07:00
Peter Alcock
08824ad4a9 Fix ES hostname resolution for kibana/logstash
Without linking the containers with explicitly declared container name mappings, the "elasticsearch" hostname is not being resolved by the kibana or logstash containers. This fixes that.
2017-08-17 14:55:48 -04:00
13 changed files with 243 additions and 718 deletions

View File

@@ -1,5 +1,10 @@
# Wazuh containers for Docker
[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
In this repository you will find the containers to run:
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
@@ -10,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
## Current release
Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
Containers are currently tested on Wazuh version 3.1.0 and Elastic Stack version 6.1.0. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
## Installation notes

View File

@@ -13,8 +13,8 @@ services:
networks:
- docker_elk
# volumes:
# - my-path:/var/ossec/data
# - my-path:/etc/postfix
# - my-path:/var/ossec/data:Z
# - my-path:/etc/postfix:Z
depends_on:
- elasticsearch
logstash:
@@ -23,10 +23,10 @@ services:
restart: always
command: -f /etc/logstash/conf.d/
# volumes:
# - my-path:/etc/logstash/conf.d
# - my-path:/etc/logstash/conf.d:Z
links:
- kibana
- elasticsearch
- elasticsearch:elasticsearch
ports:
- "5000:5000"
networks:
@@ -35,33 +35,70 @@ services:
- elasticsearch
environment:
- LS_HEAP_SIZE=2048m
- XPACK_MONITORING_ENABLED=false
elasticsearch:
image: elasticsearch:5.5.1
image: docker.elastic.co/elasticsearch/elasticsearch:6.1.2
hostname: elasticsearch
restart: always
command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
ports:
- "9200:9200"
- "9300:9300"
# - "9300:9300"
environment:
ES_JAVA_OPTS: "-Xms2g -Xmx2g"
- node.name=node-1
- cluster.name=wazuh
- network.host=0.0.0.0
- bootstrap.memory_lock=true
- xpack.security.enabled=false
- xpack.monitoring.enabled=false
- xpack.ml.enabled=false
- xpack.watcher.enabled=false
- xpack.graph.enabled=false
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
# volumes:
# - my-path:/usr/share/elasticsearch/data
# - my-path:/usr/share/elasticsearch/data:Z
networks:
- docker_elk
kibana:
image: wazuh/wazuh-kibana
hostname: kibana
restart: always
ports:
- "5601:5601"
# ports:
# - "5601:5601"
networks:
- docker_elk
depends_on:
- elasticsearch
entrypoint: sh wait-for-it.sh elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh
entrypoint: /wait-for-it.sh elasticsearch
# environment:
# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.4.2.zip"
# - http_proxy=yourproxy
# - https_proxy=yourproxy
# - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-3.1.0-6.1.2.zip"
nginx:
image: wazuh/wazuh-nginx
hostname: nginx
restart: always
entrypoint: /run.sh
environment:
- NGINX_PORT=443
ports:
- "80:80"
- "443:443"
# volumes:
# - my-path:/etc/nginx/conf.d:Z
networks:
- docker_elk
depends_on:
- kibana
links:
- kibana
networks:
docker_elk:

View File

@@ -1,7 +1,9 @@
FROM kibana:5.5.1
FROM docker.elastic.co/kibana/kibana:6.1.2
RUN apt-get update && apt-get install -y curl
USER root
COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
COPY config/wait-for-it.sh /
COPY config/wait-for-it.sh /wait-for-it.sh
RUN chmod 755 /wait-for-it.sh

View File

@@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200"
# logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
# logging.quiet: false
logging.quiet: true
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
@@ -90,3 +90,10 @@ elasticsearch.url: "http://elasticsearch:9200"
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 10000.
# ops.interval: 10000
xpack.security.enabled: false
xpack.grokdebugger.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.monitoring.enabled: false
xpack.reporting.enabled: false

View File

@@ -5,21 +5,63 @@ set -e
host="$1"
shift
cmd="kibana"
WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0.1_5.5.1.zip}
WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-3.1.0_6.1.2.zip}
until curl -XGET $host:9200; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 1
sleep 5
done
sleep 30
>&2 echo "Elastic is up - executing command"
sleep 5
#Insert default templates
curl https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
sleep 5
#Insert default templates
curl https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
#Insert sample alert:
sleep 5
curl https://raw.githubusercontent.com/wazuh/wazuh/3.1/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://elasticsearch:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
echo "Wazuh APP already installed"
else
/usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
fi
sleep 30
echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
{
"api_user": "foo",
"api_password": "YmFy",
"url": "https://wazuh",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5
exec $cmd

View File

@@ -1,12 +1,3 @@
FROM logstash:5.5.1
RUN apt-get update
FROM docker.elastic.co/logstash/logstash:6.1.2
COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
ADD config/run.sh /tmp/run.sh
RUN chmod 755 /tmp/run.sh
ENTRYPOINT ["/tmp/run.sh"]

View File

@@ -9,17 +9,21 @@ input {
# ssl_key => "/etc/logstash/logstash.key"
}
}
## Local Wazuh Manager - JSON file input
#input {
# file {
# type => "wazuh-alerts"
# path => "/var/ossec/logs/alerts/alerts.json"
# codec => "json"
# }
#}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "srcip"
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
}
@@ -28,16 +32,13 @@ filter {
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-%{+YYYY.MM.dd}"
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
template => "/etc/logstash/wazuh-elastic5-template.json"
template_name => "wazuh"
template_overwrite => true
}
}

View File

@@ -1,620 +0,0 @@
{
"order": 0,
"template": "wazuh*",
"settings": {
"index.refresh_interval": "5s"
},
"mappings": {
"wazuh": {
"dynamic_templates": [
{
"string_as_keyword": {
"match_mapping_type": "string",
"mapping": {
"type": "keyword",
"doc_values": "true"
}
}
}
],
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"@version": {
"type": "text"
},
"agent": {
"properties": {
"ip": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"manager": {
"properties": {
"name": {
"type": "keyword",
"doc_values": "true"
}
}
},
"dstuser": {
"type": "keyword",
"doc_values": "true"
},
"AlertsFile": {
"type": "keyword",
"doc_values": "true"
},
"full_log": {
"type": "text"
},
"previous_log": {
"type": "text"
},
"GeoLocation": {
"properties": {
"area_code": {
"type": "long"
},
"city_name": {
"type": "keyword",
"doc_values": "true"
},
"continent_code": {
"type": "text"
},
"coordinates": {
"type": "double"
},
"country_code2": {
"type": "text"
},
"country_code3": {
"type": "text"
},
"country_name": {
"type": "keyword",
"doc_values": "true"
},
"dma_code": {
"type": "long"
},
"ip": {
"type": "keyword",
"doc_values": "true"
},
"latitude": {
"type": "double"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "double"
},
"postal_code": {
"type": "keyword"
},
"real_region_name": {
"type": "keyword",
"doc_values": "true"
},
"region_name": {
"type": "keyword",
"doc_values": "true"
},
"timezone": {
"type": "text"
}
}
},
"host": {
"type": "keyword",
"doc_values": "true"
},
"syscheck": {
"properties": {
"path": {
"type": "keyword",
"doc_values": "true"
},
"sha1_before": {
"type": "keyword",
"doc_values": "true"
},
"sha1_after": {
"type": "keyword",
"doc_values": "true"
},
"uid_before": {
"type": "keyword",
"doc_values": "true"
},
"uid_after": {
"type": "keyword",
"doc_values": "true"
},
"gid_before": {
"type": "keyword",
"doc_values": "true"
},
"gid_after": {
"type": "keyword",
"doc_values": "true"
},
"perm_before": {
"type": "keyword",
"doc_values": "true"
},
"perm_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_after": {
"type": "keyword",
"doc_values": "true"
},
"md5_before": {
"type": "keyword",
"doc_values": "true"
},
"gname_after": {
"type": "keyword",
"doc_values": "true"
},
"gname_before": {
"type": "keyword",
"doc_values": "true"
},
"inode_after": {
"type": "keyword",
"doc_values": "true"
},
"inode_before": {
"type": "keyword",
"doc_values": "true"
},
"mtime_after": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"mtime_before": {
"type": "date",
"format": "dateOptionalTime",
"doc_values": "true"
},
"uname_after": {
"type": "keyword",
"doc_values": "true"
},
"uname_before": {
"type": "keyword",
"doc_values": "true"
},
"size_before": {
"type": "long",
"doc_values": "true"
},
"size_after": {
"type": "long",
"doc_values": "true"
},
"diff": {
"type": "keyword",
"doc_values": "true"
},
"event": {
"type": "keyword",
"doc_values": "true"
}
}
},
"location": {
"type": "keyword",
"doc_values": "true"
},
"message": {
"type": "text"
},
"offset": {
"type": "keyword"
},
"rule": {
"properties": {
"description": {
"type": "keyword",
"doc_values": "true"
},
"groups": {
"type": "keyword",
"doc_values": "true"
},
"level": {
"type": "long",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"cve": {
"type": "keyword",
"doc_values": "true"
},
"info": {
"type": "keyword",
"doc_values": "true"
},
"frequency": {
"type": "long",
"doc_values": "true"
},
"firedtimes": {
"type": "long",
"doc_values": "true"
},
"cis": {
"type": "keyword",
"doc_values": "true"
},
"pci_dss": {
"type": "keyword",
"doc_values": "true"
}
}
},
"decoder": {
"properties": {
"parent": {
"type": "keyword",
"doc_values": "true"
},
"name": {
"type": "keyword",
"doc_values": "true"
},
"ftscomment": {
"type": "keyword",
"doc_values": "true"
},
"fts": {
"type": "long",
"doc_values": "true"
},
"accumulate": {
"type": "long",
"doc_values": "true"
}
}
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"protocol": {
"type": "keyword",
"doc_values": "true"
},
"action": {
"type": "keyword",
"doc_values": "true"
},
"dstip": {
"type": "keyword",
"doc_values": "true"
},
"dstport": {
"type": "keyword",
"doc_values": "true"
},
"srcuser": {
"type": "keyword",
"doc_values": "true"
},
"program_name": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"status": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"url": {
"type": "keyword",
"doc_values": "true"
},
"data": {
"type": "keyword",
"doc_values": "true"
},
"system_name": {
"type": "keyword",
"doc_values": "true"
},
"type": {
"type": "text"
},
"title": {
"type": "keyword",
"doc_values": "true"
},
"oscap": {
"properties": {
"check.title": {
"type": "keyword",
"doc_values": "true"
},
"check.id": {
"type": "keyword",
"doc_values": "true"
},
"check.result": {
"type": "keyword",
"doc_values": "true"
},
"check.severity": {
"type": "keyword",
"doc_values": "true"
},
"check.description": {
"type": "text"
},
"check.rationale": {
"type": "text"
},
"check.references": {
"type": "text"
},
"check.identifiers": {
"type": "text"
},
"check.oval.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.content": {
"type": "keyword",
"doc_values": "true"
},
"scan.benchmark.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.title": {
"type": "keyword",
"doc_values": "true"
},
"scan.profile.id": {
"type": "keyword",
"doc_values": "true"
},
"scan.score": {
"type": "double",
"doc_values": "true"
},
"scan.return_code": {
"type": "long",
"doc_values": "true"
}
}
},
"audit": {
"properties": {
"type": {
"type": "keyword",
"doc_values": "true"
},
"id": {
"type": "keyword",
"doc_values": "true"
},
"syscall": {
"type": "keyword",
"doc_values": "true"
},
"exit": {
"type": "keyword",
"doc_values": "true"
},
"ppid": {
"type": "keyword",
"doc_values": "true"
},
"pid": {
"type": "keyword",
"doc_values": "true"
},
"auid": {
"type": "keyword",
"doc_values": "true"
},
"uid": {
"type": "keyword",
"doc_values": "true"
},
"gid": {
"type": "keyword",
"doc_values": "true"
},
"euid": {
"type": "keyword",
"doc_values": "true"
},
"suid": {
"type": "keyword",
"doc_values": "true"
},
"fsuid": {
"type": "keyword",
"doc_values": "true"
},
"egid": {
"type": "keyword",
"doc_values": "true"
},
"sgid": {
"type": "keyword",
"doc_values": "true"
},
"fsgid": {
"type": "keyword",
"doc_values": "true"
},
"tty": {
"type": "keyword",
"doc_values": "true"
},
"session": {
"type": "keyword",
"doc_values": "true"
},
"command": {
"type": "keyword",
"doc_values": "true"
},
"exe": {
"type": "keyword",
"doc_values": "true"
},
"key": {
"type": "keyword",
"doc_values": "true"
},
"cwd": {
"type": "keyword",
"doc_values": "true"
},
"directory.name": {
"type": "keyword",
"doc_values": "true"
},
"directory.inode": {
"type": "keyword",
"doc_values": "true"
},
"directory.mode": {
"type": "keyword",
"doc_values": "true"
},
"file.name": {
"type": "keyword",
"doc_values": "true"
},
"file.inode": {
"type": "keyword",
"doc_values": "true"
},
"file.mode": {
"type": "keyword",
"doc_values": "true"
},
"acct": {
"type": "keyword",
"doc_values": "true"
},
"dev": {
"type": "keyword",
"doc_values": "true"
},
"enforcing": {
"type": "keyword",
"doc_values": "true"
},
"list": {
"type": "keyword",
"doc_values": "true"
},
"old-auid": {
"type": "keyword",
"doc_values": "true"
},
"old-ses": {
"type": "keyword",
"doc_values": "true"
},
"old_enforcing": {
"type": "keyword",
"doc_values": "true"
},
"old_prom": {
"type": "keyword",
"doc_values": "true"
},
"op": {
"type": "keyword",
"doc_values": "true"
},
"prom": {
"type": "keyword",
"doc_values": "true"
},
"res": {
"type": "keyword",
"doc_values": "true"
},
"srcip": {
"type": "keyword",
"doc_values": "true"
},
"subj": {
"type": "keyword",
"doc_values": "true"
},
"success": {
"type": "keyword",
"doc_values": "true"
}
}
}
}
},
"agent": {
"properties": {
"@timestamp": {
"type": "date",
"format": "dateOptionalTime"
},
"status": {
"type": "keyword"
},
"ip": {
"type": "keyword"
},
"host": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
}

7
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,7 @@
FROM nginx:latest
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY ./config/run.sh /run.sh
RUN chmod 755 /run.sh

43
nginx/config/run.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
set -e
if [ ! -d /etc/pki/tls/certs ]; then
echo "Generating SSL certificates"
mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting Nginx credentials"
echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
else
echo "Kibana credentials already configured"
fi
echo "Configuring NGINX"
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host:$NGINX_PORT\$request_uri;
}
server {
listen $NGINX_PORT default_server;
listen [::]:$NGINX_PORT;
ssl on;
ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://kibana:5601/;
}
}
EOF
echo "Starting Nginx"
nginx -g 'daemon off; error_log /dev/stdout info;'

View File

@@ -1,25 +1,26 @@
FROM centos:latest
ARG FILEBEAT_VERSION=5.5.1
COPY config/*.repo /etc/yum.repos.d/
FROM phusion/baseimage:latest
ARG FILEBEAT_VERSION=6.1.2
RUN yum -y update; yum clean all;
RUN yum -y install epel-release openssl useradd; yum clean all
RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
RUN apt-get update; apt-get -y dist-upgrade
RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
RUN groupadd -g 1000 ossec
RUN useradd -u 1000 -g 1000 ossec
RUN yum install -y wazuh-manager wazuh-api
RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
apt-get install -y nodejs
RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
ADD config/data_dirs.env /data_dirs.env
ADD config/init.bash /init.bash
# Sync calls are due to https://github.com/docker/docker/issues/9547
RUN chmod 755 /init.bash &&\
sync && /init.bash &&\
sync && rm /init.bash
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
COPY config/filebeat.yml /etc/filebeat/

View File

@@ -15,12 +15,31 @@ source /data_dirs.env
FIRST_TIME_INSTALLATION=false
DATA_PATH=/var/ossec/data
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
edit_configuration() { # $1 -> setting, $2 -> value
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
}
for ossecdir in "${DATA_DIRS[@]}"; do
if [ ! -e "${DATA_PATH}/${ossecdir}" ]
then
echo "Installing ${ossecdir}"
mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
print "Installing ${ossecdir}"
exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
FIRST_TIME_INSTALLATION=true
fi
done
@@ -30,29 +49,37 @@ chgrp ossec ${DATA_PATH}/process_list
chmod g+rw ${DATA_PATH}/process_list
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
if [ $FIRST_TIME_INSTALLATION == true ]
then
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
then
echo "Creating ossec-authd key and cert"
openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
-out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
-subj /CN=${HOSTNAME}/
print "Creating ossec-authd key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
if [ $API_GENERATE_CERTS == true ]
then
if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
then
print "Enabling Wazuh API HTTPS"
edit_configuration "https" "yes"
print "Create Wazuh API key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
fi
#Enabling ossec-authd.
exec_cmd "/var/ossec/bin/ossec-control enable auth"
function ossec_shutdown(){
/var/ossec/bin/ossec-control stop;
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
kill $AUTHD_PID
fi
${DATA_PATH}/bin/ossec-control stop;
}
# Trap exit signals and do a proper shutdown
@@ -60,20 +87,9 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
chmod -R g+rw ${DATA_PATH}
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
echo "Starting ossec-authd..."
/var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
AUTHD_PID=$!
fi
sleep 15 # give ossec a reasonable amount of time to start before checking status
LAST_OK_DATE=`date +%s`
## Start services
/usr/sbin/postfix start
/bin/node /var/ossec/api/app.js &
/usr/bin/filebeat.sh &
/var/ossec/bin/ossec-control restart
service postfix start
service wazuh-api start
service wazuh-manager start
service filebeat start
tail -f /var/ossec/logs/ossec.log

View File

@@ -1,7 +0,0 @@
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CENTOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1