diff --git a/CHANGELOG.md b/CHANGELOG.md index 527523a4..24374c7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ All notable changes to this project will be documented in this file. ### Added - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181)) +- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186)) ### Fixed diff --git a/docker-compose.yml b/docker-compose.yml index c74348d1..4a27bb84 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -25,6 +25,12 @@ services: - elasticsearch environment: - LS_HEAP_SIZE=2048m + - SECURITY_ENABLED=yes + - SECURITY_LOGSTASH_USER=service_logstash + - SECURITY_LOGSTASH_PASS=logstash_pass + - LOGSTASH_OUTPUT=https://elasticsearch:9200 + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - SECURITY_CA_PEM=server.TEST-CA-signed.pem elasticsearch: image: wazuh/wazuh-elasticsearch:3.9.2_6.8.0 hostname: elasticsearch @@ -37,6 +43,26 @@ services: - network.host=0.0.0.0 - bootstrap.memory_lock=true - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - ELASTICSEARCH_PROTOCOL=https + - ELASTICSEARCH_IP=elasticsearch + - ELASTICSEARCH_PORT=9200 + - SECURITY_ENABLED=yes + - SECURITY_ADMIN_USER=wazuh_admin + - SECURITY_ADMIN_PASS=admin_pass + - SECURITY_ELASTIC_PASSWORD=elastic_pass + - SECURITY_KIBANA_USER=service_kibana + - SECURITY_KIBANA_PASS=kibana_pass + - SECURITY_LOGSTASH_USER=service_logstash + - SECURITY_LOGSTASH_PASS=logstash_pass + - SECURITY_CA_PASSPHRASE=ca_pass + - SECURITY_CERTIFICATE_DNS=elasticsearch + - SECURITY_CA_PEM=server.TEST-CA-signed.pem + - SECURITY_CA_KEY=server.TEST-CA.key + - SECURITY_CA_TRUST=server.TEST-CA-signed.pem + - SECURITY_MAIN_NODE=elasticsearch + - SECURITY_OPENSSL_CONF=TEST_openssl.cnf + - SECURITY_MONITORING_USER=service_monitoring + - SECURITY_MONITORING_PASS=monitoring_pass ulimits: memlock: soft: -1 @@ -51,17 +77,14 @@ services: links: - elasticsearch:elasticsearch - wazuh:wazuh - nginx: - image: wazuh/wazuh-nginx:3.9.2_6.8.0 - hostname: nginx - restart: always environment: - - NGINX_PORT=443 - - NGINX_CREDENTIALS + - ELASTICSEARCH_URL=https://elasticsearch:9200 + - SECURITY_ENABLED=yes + - SECURITY_KIBANA_USER=service_kibana + - SECURITY_KIBANA_PASS=kibana_pass + - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private + - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs + - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200 + - SECURITY_CA_PEM=server.TEST-CA-signed.pem ports: - - "80:80" - - "443:443" - depends_on: - - kibana - links: - - kibana:kibana + - "5601:5601" diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile index 5832d8f3..9e697131 100644 --- a/elasticsearch/Dockerfile +++ b/elasticsearch/Dockerfile @@ -1,8 +1,6 @@ # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.0 -ENV ELASTICSEARCH_URL="http://elasticsearch:9200" - ENV ALERTS_SHARDS="1" \ ALERTS_REPLICAS="0" @@ -15,6 +13,20 @@ ENV ENABLE_CONFIGURE_S3="false" ENV TEMPLATE_VERSION=v3.9.2 + +# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. +# command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= --build-arg SECURITY_CA_KEY_LOCATION= +# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF +# Example: +# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem" +# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key" +# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf" +# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem" +ARG SECURITY_CA_PEM_LOCATION="" +ARG SECURITY_CA_KEY_LOCATION="" +ARG SECURITY_OPENSSL_CONF_LOCATION="" +ARG SECURITY_CA_TRUST_LOCATION="" + # Elasticearch cluster configuration environment variables # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration ENV ELASTIC_CLUSTER="false" \ @@ -31,6 +43,16 @@ ENV ELASTIC_CLUSTER="false" \ ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config +# CA cert for Transport SSL +ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config +ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config +ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config +ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config + +RUN yum install openssl -y + +RUN mkdir /entrypoint-scripts + COPY config/entrypoint.sh /entrypoint.sh RUN chmod 755 /entrypoint.sh @@ -44,8 +66,14 @@ RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downlo COPY config/configure_s3.sh ./config/configure_s3.sh RUN chmod 755 ./config/configure_s3.sh -COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./ -RUN chmod +x ./config_cluster.sh +COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh +RUN chmod +x /entrypoint-scripts/10-config_cluster.sh + +COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh +RUN chmod +x /entrypoint-scripts/10-config_cluster.sh + +COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh +RUN chmod +x /entrypoint-scripts/30-entrypoint.sh ENTRYPOINT ["/entrypoint.sh"] CMD ["elasticsearch"] diff --git a/elasticsearch/config/config_cluster.sh b/elasticsearch/config/10-config_cluster.sh similarity index 100% rename from elasticsearch/config/config_cluster.sh rename to elasticsearch/config/10-config_cluster.sh diff --git a/elasticsearch/config/20-config_secure.sh b/elasticsearch/config/20-config_secure.sh new file mode 100644 index 00000000..30d0f080 --- /dev/null +++ b/elasticsearch/config/20-config_secure.sh @@ -0,0 +1,111 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" + +############################################################################## +# Setup bootstrap password to chagne all Elastic Stack passwords. +# Set xpack.security.enabled to true. In Elastic 7 must add ssl options +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + echo "Creating certificate." + + pushd /usr/share/elasticsearch/config/ + + echo "Setting configuration options." + + # Create instances.yml for elasticsearch .p12 certificate and key + echo " +instances: +- name: \"elasticsearch\" + dns: + - $SECURITY_CERTIFICATE_DNS +" > instances.yml + + # Change permissions and owner of ca + chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM + chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM + + + # Genereate .p12 certificate and key + SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo` + /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE + unzip certs.zip + rm certs.zip + + # Change permissions and owner of certificates + chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch + chmod -R 770 /usr/share/elasticsearch/config/elasticsearch + chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr + + # Prepare directories for openssl + mkdir /root/ca + mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private + chmod 700 /root/ca/private + touch /root/ca/index.txt + echo 1000 > /root/ca/serial + + mkdir /root/ca/intermediate + mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private + chmod 700 /root/ca/intermediate/private + touch /root/ca/intermediate/index.txt + echo 1000 > /root/ca/intermediate/serial + echo 1000 > /root/ca/intermediate/crlnumber + + if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + + openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem + + else + input=${SECURITY_CREDENTIALS_FILE} + CA_PASSPHRASE_FROM_FILE="" + while IFS= read -r line + do + if [[ $line == *"CA_PASSPHRASE"* ]]; then + arrIN=(${line//:/ }) + CA_PASSPHRASE_FROM_FILE=${arrIN[1]} + fi + done < "$input" + + openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem + + fi + + chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem + + # remove CA key + rm $SECURITY_CA_KEY + + popd + + echo "Setting configuration options." + + # Settings for elasticsearch.yml + echo " +# Required to set the passwords and TLS options +xpack.security.enabled: true +xpack.security.transport.ssl.enabled: true +xpack.security.transport.ssl.verification_mode: certificate +xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key +xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem +xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"] + +# HTTP layer +xpack.security.http.ssl.enabled: true +xpack.security.http.ssl.verification_mode: certificate +xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key +xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem +xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"] +" >> $elastic_config_file + + # Create keystore + /usr/share/elasticsearch/bin/elasticsearch-keystore create + + # Add keys to keystore + echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin + echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin + +fi + diff --git a/elasticsearch/config/30-entrypoint.sh b/elasticsearch/config/30-entrypoint.sh new file mode 100644 index 00000000..74317a5a --- /dev/null +++ b/elasticsearch/config/30-entrypoint.sh @@ -0,0 +1,70 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh + +set -e + +# Files created by Elasticsearch should always be group writable too +umask 0002 + +run_as_other_user_if_needed() { + if [[ "$(id -u)" == "0" ]]; then + # If running as root, drop to specified UID and run command + exec chroot --userspec=1000 / "${@}" + else + # Either we are running in Openshift with random uid and are a member of the root group + # or with a custom --user + exec "${@}" + fi +} + + +#Disabling xpack features + +elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" +if grep -Fq "#xpack features" "$elasticsearch_config_file" ; +then + declare -A CONFIG_MAP=( + [xpack.ml.enabled]=$XPACK_ML + ) + for i in "${!CONFIG_MAP[@]}" + do + if [ "${CONFIG_MAP[$i]}" != "" ]; then + sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file + fi + done +else + echo " +#xpack features +xpack.ml.enabled: $XPACK_ML + " >> $elasticsearch_config_file +fi + +# Run load settings script. + +bash /usr/share/elasticsearch/load_settings.sh & + +# Execute elasticsearch + + +if [[ $SECURITY_ENABLED == "yes" ]]; then + echo "Change Elastic password" + if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password' + else + input=${SECURITY_CREDENTIALS_FILE} + ELASTIC_PASSWORD_FROM_FILE="" + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]} + fi + done < "$input" + run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password' + fi + echo "Elastic password changed" +fi + +run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch \ No newline at end of file diff --git a/elasticsearch/config/TEST_openssl.cnf b/elasticsearch/config/TEST_openssl.cnf new file mode 100644 index 00000000..f6d58fc7 --- /dev/null +++ b/elasticsearch/config/TEST_openssl.cnf @@ -0,0 +1,132 @@ +# OpenSSL intermediate CA configuration file. +# Copy to `/root/ca/intermediate/openssl.cnf`. + +[ ca ] +# `man ca` +default_ca = CA_default + +[ CA_default ] +# Directory and file locations. +dir = /root/ca/intermediate +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand + +# The root key and root certificate. +private_key = $dir/private/intermediate.key.pem +certificate = $dir/certs/intermediate.cert.pem + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/intermediate.crl.pem +crl_extensions = crl_ext +default_crl_days = 30 + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +name_opt = ca_default +cert_opt = ca_default +default_days = 375 +preserve = no +policy = policy_loose + +[ policy_strict ] +# The root CA should only sign intermediate certificates that match. +# See the POLICY FORMAT section of `man ca`. +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_loose ] +# Allow the intermediate CA to sign a more diverse range of certificates. +# See the POLICY FORMAT section of the `ca` man page. +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +# Options for the `req` tool (`man req`). +default_bits = 2048 +distinguished_name = req_distinguished_name +string_mask = utf8only + +# SHA-1 is deprecated, so use SHA-2 instead. +default_md = sha256 + +# Extension to add when the -x509 option is used. +x509_extensions = v3_ca + +[ req_distinguished_name ] +# See . +countryName = Country Name (2 letter code) +stateOrProvinceName = State or Province Name +localityName = Locality Name +0.organizationName = Organization Name +organizationalUnitName = Organizational Unit Name +commonName = Common Name +emailAddress = Email Address + +# Optionally, specify some defaults. +countryName_default = GB +stateOrProvinceName_default = England +localityName_default = +0.organizationName_default = Alice Ltd +organizationalUnitName_default = +emailAddress_default = + +[ v3_ca ] +# Extensions for a typical CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, cRLSign, keyCertSign + +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = client, email +nsComment = "OpenSSL Generated Client Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, emailProtection + +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). +basicConstraints = CA:FALSE +nsCertType = server +nsComment = "OpenSSL Generated Server Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth + +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). +authorityKeyIdentifier=keyid:always + +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/elasticsearch/config/configure_s3.sh b/elasticsearch/config/configure_s3.sh index 49c88a25..1a160f8e 100644 --- a/elasticsearch/config/configure_s3.sh +++ b/elasticsearch/config/configure_s3.sh @@ -2,6 +2,36 @@ set -e + +############################################################################## +# If Secure access to Kibana is enabled, we must set the credentials for +# monitoring +############################################################################## + +ELASTIC_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} + +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-u elastic:${ELASTIC_PASS} -k" +else + auth="" +fi + # Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error. # param 1: number of arguments passed to configure_s3.sh @@ -35,7 +65,7 @@ function CreateRepo() if [ $1 == 5 ];then version="$6" else - version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1` + version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1` fi if ! [[ "$version" =~ ^[0-9]+$ ]];then @@ -46,7 +76,7 @@ function CreateRepo() repository="$repository_name-$version" s3_path="$path/$version" - curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' + curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' { "type": "s3", "settings": { diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh index 9c799812..333cc951 100644 --- a/elasticsearch/config/entrypoint.sh +++ b/elasticsearch/config/entrypoint.sh @@ -1,52 +1,8 @@ #!/bin/bash # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh +# It will run every .sh script located in entrypoint-scripts folder in lexicographical order +for script in `ls /entrypoint-scripts/*.sh | sort -n`; do + bash "$script" -set -e - -# Files created by Elasticsearch should always be group writable too -umask 0002 - -run_as_other_user_if_needed() { - if [[ "$(id -u)" == "0" ]]; then - # If running as root, drop to specified UID and run command - exec chroot --userspec=1000 / "${@}" - else - # Either we are running in Openshift with random uid and are a member of the root group - # or with a custom --user - exec "${@}" - fi -} - - -#Disabling xpack features - -elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml" -if grep -Fq "#xpack features" "$elasticsearch_config_file"; -then - declare -A CONFIG_MAP=( - [xpack.ml.enabled]=$XPACK_ML - ) - for i in "${!CONFIG_MAP[@]}" - do - if [ "${CONFIG_MAP[$i]}" != "" ]; then - sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file - fi - done -else - echo " -#xpack features -xpack.ml.enabled: $XPACK_ML - " >> $elasticsearch_config_file -fi - -# Run load settings script. - -./config_cluster.sh - -./load_settings.sh & - -# Execute elasticsearch - -run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch +done \ No newline at end of file diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh index 23fabd6c..9b39390d 100644 --- a/elasticsearch/config/load_settings.sh +++ b/elasticsearch/config/load_settings.sh @@ -3,15 +3,88 @@ set -e -el_url=${ELASTICSEARCH_URL} +if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" +fi -if [ "x${WAZUH_API_URL}" = "x" ]; then +if [[ "x${WAZUH_API_URL}" = "x" ]]; then wazuh_url="https://wazuh" else wazuh_url="${WAZUH_API_URL}" fi -if [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then +ELASTIC_PASS="" +KIBANA_USER="" +KIBANA_PASS="" +LOGSTASH_USER="" +LOGSTASH_PASS="" +ADMIN_USER="" +ADMIN_PASS="" +WAZH_API_USER="" +WAZH_API_PASS="" +MONITORING_USER="" +MONITORING_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD} + KIBANA_USER=${SECURITY_KIBANA_USER} + KIBANA_PASS=${SECURITY_KIBANA_PASS} + LOGSTASH_USER=${SECURITY_LOGSTASH_USER} + LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS} + ADMIN_USER=${SECURITY_ADMIN_USER} + ADMIN_PASS=${SECURITY_ADMIN_PASS} + WAZH_API_USER=${API_USER} + WAZH_API_PASS=${API_PASS} + MONITORING_USER=${SECURITY_MONITORING_USER} + MONITORING_PASS=${SECURITY_MONITORING_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"ELASTIC_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ELASTIC_PASS=${arrIN[1]} + elif [[ $line == *"KIBANA_USER"* ]]; then + arrIN=(${line//:/ }) + KIBANA_USER=${arrIN[1]} + elif [[ $line == *"KIBANA_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + KIBANA_PASS=${arrIN[1]} + elif [[ $line == *"LOGSTASH_USER"* ]]; then + arrIN=(${line//:/ }) + LOGSTASH_USER=${arrIN[1]} + elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + LOGSTASH_PASS=${arrIN[1]} + elif [[ $line == *"ADMIN_USER"* ]]; then + arrIN=(${line//:/ }) + ADMIN_USER=${arrIN[1]} + elif [[ $line == *"ADMIN_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + ADMIN_PASS=${arrIN[1]} + elif [[ $line == *"WAZUH_API_USER"* ]]; then + arrIN=(${line//:/ }) + WAZH_API_USER=${arrIN[1]} + elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + WAZH_API_PASS=${arrIN[1]} + elif [[ $line == *"MONITORING_USER"* ]]; then + arrIN=(${line//:/ }) + MONITORING_USER=${arrIN[1]} + elif [[ $line == *"MONITORING_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + MONITORING_PASS=${arrIN[1]} + fi + done < "$input" + +fi + + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-uelastic:${ELASTIC_PASS} -k" +elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then auth="" else auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" @@ -27,15 +100,14 @@ done if [ $ENABLE_CONFIGURE_S3 ]; then #Wait for Elasticsearch to be ready to create the repository sleep 10 - IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}" - if [ "x$S3_PATH" != "x" ]; then + if [ "x$S3_PATH" != "x" ]; then - if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then - ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR + if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then + bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR else - ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME + bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME fi @@ -43,6 +115,48 @@ if [ $ENABLE_CONFIGURE_S3 ]; then fi +############################################################################## +# Setup passwords for Elastic Stack users +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + MY_HOSTNAME=`hostname` + echo "Hostname:" + echo $MY_HOSTNAME + if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then + echo "Setting up passwords for all Elastic Stack users" + + echo "Setting remote monitoring password" + SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` + until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do + >&2 echo "Unavailable password seeting- sleeping" + sleep 2 + done + echo "Setting Kibana password" + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ], "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ], "privileges": ["read", "view_index_metadata"] } ] }' + sleep 5 + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER" -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"], "full_name" : "Service Internal Kibana User" }' + echo "Setting APM password" + SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` + curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }' + echo "Setting Beats password" + SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo` + curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }' + echo "Setting Logstash password" + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }' + sleep 5 + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer"], "full_name" : "Service Internal Logstash User" }' + echo "Passwords established for all Elastic Stack users" + echo "Creating Admin user" + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"], "full_name" : "Wazuh admin" }' + echo "Admin user created" + echo "Setting monitoring user" + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ], "privileges": ["write","create_index","manage","read", "index"] } ] }' + sleep 5 + curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"], "full_name" : "Service Internal Monitoring User" }' + fi +fi + #Insert default templates sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json @@ -51,8 +165,8 @@ cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_t sleep 5 -API_PASS_Q=`echo "$API_PASS" | tr -d '"'` -API_USER_Q=`echo "$API_USER" | tr -d '"'` +API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'` +API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'` API_PASSWORD=`echo -n $API_PASS_Q | base64` echo "Setting API credentials into Wazuh APP" @@ -96,7 +210,7 @@ curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/jso ' # Set cluster delayed timeout when node falls -curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d' +curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d' { "settings": { "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'" @@ -104,5 +218,12 @@ curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d' } ' +# Remove credentials file. + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + shred -zvu ${SECURITY_CREDENTIALS_FILE} +fi echo "Elasticsearch is ready." diff --git a/kibana/Dockerfile b/kibana/Dockerfile index 39d820e7..005371da 100644 --- a/kibana/Dockerfile +++ b/kibana/Dockerfile @@ -5,12 +5,25 @@ USER root ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp +# This CA is created for testing. Please set your own CA pem signed certificate. +# command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= +# ENV variables are necessary: SECURITY_CA_PEM +# Sample: +# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem" +ARG SECURITY_CA_PEM_LOCATION="" + +# CA for secure communication with Elastic +ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config + RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\ chown -R kibana:kibana /usr/share/kibana &&\ rm -rf /tmp/* +RUN yum install openssl -y + COPY config/entrypoint.sh ./entrypoint.sh RUN chmod 755 ./entrypoint.sh +RUN mkdir /entrypoint-scripts USER kibana @@ -53,9 +66,11 @@ ARG XPACK_UPTIME="false" ARG CHANGE_WELCOME="true" -COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./ +COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh +RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh -RUN chmod +x ./wazuh_app_config.sh +COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh +RUN chmod +x /entrypoint-scripts/20-entrypoint.sh COPY --chown=kibana:kibana ./config/kibana_settings.sh ./ diff --git a/kibana/config/wazuh_app_config.sh b/kibana/config/10-wazuh_app_config.sh similarity index 100% rename from kibana/config/wazuh_app_config.sh rename to kibana/config/10-wazuh_app_config.sh diff --git a/kibana/config/20-entrypoint.sh b/kibana/config/20-entrypoint.sh new file mode 100644 index 00000000..771fc673 --- /dev/null +++ b/kibana/config/20-entrypoint.sh @@ -0,0 +1,130 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +############################################################################## +# Waiting for elasticsearch +############################################################################## + +if [ "x${ELASTICSEARCH_URL}" = "x" ]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_URL}" +fi + +KIBANA_USER="" +KIBANA_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + KIBANA_USER=${SECURITY_KIBANA_USER} + KIBANA_PASS=${SECURITY_KIBANA_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"KIBANA_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + KIBANA_PASS=${arrIN[1]} + elif [[ $line == *"KIBANA_USER"* ]]; then + arrIN=(${line//:/ }) + KIBANA_USER=${arrIN[1]} + fi + done < "$input" + +fi + + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k" +elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then + auth="" +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" +fi + +until curl -XGET $el_url ${auth}; do + >&2 echo "Elastic is unavailable - sleeping" + sleep 5 +done + +sleep 2 + +>&2 echo "Elasticsearch is up." + + +############################################################################## +# Waiting for wazuh alerts template +############################################################################## + +strlen=0 + +while [[ $strlen -eq 0 ]] +do + template=$(curl $auth $el_url/_cat/templates/wazuh -s) + strlen=${#template} + >&2 echo "Wazuh alerts template not loaded - sleeping." + sleep 2 +done + +sleep 2 + +>&2 echo "Wazuh alerts template is loaded." + + +############################################################################## +# If Secure access to Kibana is enabled, we must set the credentials. +# We must create the ssl certificate. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + + # Create keystore + /usr/share/kibana/bin/kibana-keystore create + + echo "Setting security Kibana configuiration options." + + echo " +# Elasticsearch from/to Kibana +elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"] + +server.ssl.enabled: true +server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem +server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key +" >> /usr/share/kibana/config/kibana.yml + + echo "Create SSL directories." + + mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH + CA_PATH="/usr/share/kibana/config" + + echo "Creating SSL certificates." + + pushd $CA_PATH + + chown kibana: $CA_PATH/$SECURITY_CA_PEM + chmod 400 $CA_PATH/$SECURITY_CA_PEM + SECURITY_KEY_PASS=`openssl rand -base64 32` + openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null + chown -R kibana: $CA_PATH/ssl + chmod -R 770 $CA_PATH/ssl + chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem + + popd + echo "SSL certificates created." + + # Add keys to keystore + echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin + echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin + echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin + +fi + +############################################################################## +# Run more configuration scripts. +############################################################################## + +bash /usr/share/kibana/kibana_settings.sh & + +/usr/local/bin/kibana-docker diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh index f171374f..333cc951 100644 --- a/kibana/config/entrypoint.sh +++ b/kibana/config/entrypoint.sh @@ -1,57 +1,8 @@ #!/bin/bash # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -set -e +# It will run every .sh script located in entrypoint-scripts folder in lexicographical order +for script in `ls /entrypoint-scripts/*.sh | sort -n`; do + bash "$script" -############################################################################## -# Waiting for elasticsearch -############################################################################## - -if [ "x${ELASTICSEARCH_URL}" = "x" ]; then - el_url="http://elasticsearch:9200" -else - el_url="${ELASTICSEARCH_URL}" -fi - -if [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then - auth="" -else - auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" -fi - -until curl -XGET $el_url ${auth}; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 5 -done - -sleep 2 - ->&2 echo "Elasticsearch is up." - - -############################################################################## -# Waiting for wazuh alerts template -############################################################################## - -strlen=0 - -while [[ $strlen -eq 0 ]] -do - template=$(curl $el_url/_cat/templates/wazuh -s) - strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." - sleep 2 -done - -sleep 2 - ->&2 echo "Wazuh alerts template is loaded." - - -./wazuh_app_config.sh - -sleep 5 - -./kibana_settings.sh & - -/usr/local/bin/kibana-docker +done \ No newline at end of file diff --git a/kibana/config/kibana_settings.sh b/kibana/config/kibana_settings.sh index 96e5f35b..ce21430d 100644 --- a/kibana/config/kibana_settings.sh +++ b/kibana/config/kibana_settings.sh @@ -6,8 +6,8 @@ WAZUH_MAJOR=3 ############################################################################## # Wait for the Kibana API to start. It is necessary to do it in this container -# because the others are running Elastic Stack and we can not interrupt them. -# +# because the others are running Elastic Stack and we can not interrupt them. +# # The following actions are performed: # # Add the wazuh alerts index as default. @@ -20,7 +20,6 @@ WAZUH_MAJOR=3 ############################################################################## if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml - fi if [ "$KIBANA_IP" != "" ]; then @@ -29,12 +28,43 @@ else kibana_ip="kibana" fi -while [[ "$(curl -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do +KIBANA_USER="" +KIBANA_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + KIBANA_USER=${SECURITY_KIBANA_USER} + KIBANA_PASS=${SECURITY_KIBANA_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"KIBANA_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + KIBANA_PASS=${arrIN[1]} + elif [[ $line == *"KIBANA_USER"* ]]; then + arrIN=(${line//:/ }) + KIBANA_USER=${arrIN[1]} + fi + done < "$input" + +fi + + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-u $KIBANA_USER:${KIBANA_PASS}" + kibana_secure_ip="https://$kibana_ip" +else + auth="" + kibana_secure_ip="http://$kibana_ip" +fi + + +while [[ "$(curl $auth -k -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do echo "Waiting for Kibana API. Sleeping 5 seconds" sleep 5 done -# Prepare index selection. +# Prepare index selection. echo "Kibana API is running" default_index="/tmp/default_index.json" @@ -49,16 +79,23 @@ EOF sleep 5 # Add the wazuh alerts index as default. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} +curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index} rm -f ${default_index} sleep 5 # Configuring Kibana TimePicker. -curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ +curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \ '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' sleep 5 # Do not ask user to help providing usage statistics to Elastic -curl -POST "http://$kibana_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' +curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}' + +# Remove credentials file +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + shred -zvu ${SECURITY_CREDENTIALS_FILE} +fi echo "End settings" diff --git a/logstash/Dockerfile b/logstash/Dockerfile index 404b7b9d..70ab4799 100644 --- a/logstash/Dockerfile +++ b/logstash/Dockerfile @@ -9,4 +9,29 @@ RUN rm -f /usr/share/logstash/pipeline/logstash.conf COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf +# This CA is created for testing. Please set your own CA pem signed certificate. +# command: $ docker build --build-arg SECURITY_CA_PEM_LOCATION= --build-arg SECURITY_CA_PEM_ARG= +# ENV variables are necessary: SECURITY_CA_PEM +# Sample: +# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem" +# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem" +ARG SECURITY_CA_PEM_LOCATION="" +ARG SECURITY_CA_PEM_ARG="" + +# CA for secure communication with Elastic +ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config + +# Set permissions for CA +USER root +RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi +RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi + +# Add entrypoint scripts +RUN mkdir /entrypoint-scripts +RUN chmod -R 774 /entrypoint-scripts +RUN chown -R logstash:logstash /entrypoint-scripts +COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh +RUN chmod +x /entrypoint-scripts/10-entrypoint.sh +USER logstash + ENTRYPOINT /entrypoint.sh diff --git a/logstash/config/01-wazuh.conf b/logstash/config/01-wazuh.conf index 791cfd3f..5b0dc1bc 100644 --- a/logstash/config/01-wazuh.conf +++ b/logstash/config/01-wazuh.conf @@ -41,5 +41,9 @@ output { hosts => ["elasticsearch:9200"] index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" document_type => "wazuh" + #user => service_logstash + #password => service_logstash_internal_password + #ssl => true + #cacert => "/path/to/cert.pem" } } diff --git a/logstash/config/10-entrypoint.sh b/logstash/config/10-entrypoint.sh new file mode 100644 index 00000000..8aa90b7b --- /dev/null +++ b/logstash/config/10-entrypoint.sh @@ -0,0 +1,154 @@ +#!/bin/bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) +# +# OSSEC container bootstrap. See the README for information of the environment +# variables expected by this script. +# + +set -e + +############################################################################## +# Waiting for elasticsearch +############################################################################## + +if [ "x${ELASTICSEARCH_URL}" = "x" ]; then + el_url="http://elasticsearch:9200" +else + el_url="${ELASTICSEARCH_URL}" +fi + +LOGSTASH_USER="" +LOGSTASH_PASS="" + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + LOGSTASH_USER=${SECURITY_LOGSTASH_USER} + LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS} +else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then + arrIN=(${line//:/ }) + LOGSTASH_PASS=${arrIN[1]} + elif [[ $line == *"LOGSTASH_USER"* ]]; then + arrIN=(${line//:/ }) + LOGSTASH_USER=${arrIN[1]} + fi + done < "$input" + +fi + +if [ ${SECURITY_ENABLED} != "no" ]; then + auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k" +elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then + auth="" +else + auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}" +fi + + +############################################################################## +# Customize logstash output ip +############################################################################## + +if [ "$LOGSTASH_OUTPUT" != "" ]; then + >&2 echo "Customize Logstash ouput ip." + sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf + sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml +fi + +until curl $auth -XGET $el_url; do + >&2 echo "Elastic is unavailable - sleeping." + sleep 5 +done + +sleep 2 + +>&2 echo "Elasticsearch is up." + + +############################################################################## +# Set Logstash password +############################################################################## + +############################################################################## +# If Secure access to Kibana is enabled, we must set the credentials. +############################################################################## + +if [[ $SECURITY_ENABLED == "yes" ]]; then + + ## Create secure keystore + SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo` + export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS + /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create + + ## Settings for logstash.yml + echo " +# Required set the passwords +xpack.monitoring.enabled: true +xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER} +xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS} +xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER} +xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS} +" >> /usr/share/logstash/config/logstash.yml + + ## Settings for 01-wazuh.conf + sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf + sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf + sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf + sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf + + ## Add keys to the keystore + echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER + echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS + + +fi + + +############################################################################## +# Waiting for wazuh alerts template +############################################################################## + +strlen=0 + +while [[ $strlen -eq 0 ]] +do + template=$(curl $auth $el_url/_cat/templates/wazuh -s) + strlen=${#template} + >&2 echo "Wazuh alerts template not loaded - sleeping." + sleep 2 +done + +sleep 2 + +>&2 echo "Wazuh alerts template is loaded." + + +############################################################################## +# Remove credentials file +############################################################################## + +if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + echo "Security credentials file not used. Nothing to do." +else + shred -zvu ${SECURITY_CREDENTIALS_FILE} +fi + + +############################################################################## +# Map environment variables to entries in logstash.yml. +# Note that this will mutate logstash.yml in place if any such settings are found. +# This may be undesirable, especially if logstash.yml is bind-mounted from the +# host system. +############################################################################## + +env2yaml /usr/share/logstash/config/logstash.yml + +export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS" + +if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then + exec logstash "$@" +else + exec "$@" +fi diff --git a/logstash/config/entrypoint.sh b/logstash/config/entrypoint.sh index 4aaff056..333cc951 100644 --- a/logstash/config/entrypoint.sh +++ b/logstash/config/entrypoint.sh @@ -1,72 +1,8 @@ #!/bin/bash # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) -# -# OSSEC container bootstrap. See the README for information of the environment -# variables expected by this script. -# -set -e +# It will run every .sh script located in entrypoint-scripts folder in lexicographical order +for script in `ls /entrypoint-scripts/*.sh | sort -n`; do + bash "$script" -############################################################################## -# Waiting for elasticsearch -############################################################################## - -if [ "x${ELASTICSEARCH_URL}" = "x" ]; then - el_url="http://elasticsearch:9200" -else - el_url="${ELASTICSEARCH_URL}" -fi - -############################################################################## -# Customize logstash output ip -############################################################################## - -if [ "$LOGSTASH_OUTPUT" != "" ]; then - >&2 echo "Customize Logstash ouput ip." - sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf - sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml -fi - -until curl -XGET $el_url; do - >&2 echo "Elastic is unavailable - sleeping." - sleep 5 -done - -sleep 2 - ->&2 echo "Elasticsearch is up." - -############################################################################## -# Waiting for wazuh alerts template -############################################################################## - -strlen=0 - -while [[ $strlen -eq 0 ]] -do - template=$(curl $el_url/_cat/templates/wazuh -s) - strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." - sleep 2 -done - -sleep 2 - ->&2 echo "Wazuh alerts template is loaded." - -############################################################################## -# Map environment variables to entries in logstash.yml. -# Note that this will mutate logstash.yml in place if any such settings are found. -# This may be undesirable, especially if logstash.yml is bind-mounted from the -# host system. -############################################################################## - -env2yaml /usr/share/logstash/config/logstash.yml - -export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS" - -if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then - exec logstash "$@" -else - exec "$@" -fi +done \ No newline at end of file diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index 9abc14bf..1bac9008 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile @@ -87,10 +87,10 @@ VOLUME ["/var/lib/filebeat"] RUN mkdir /entrypoint-scripts COPY config/entrypoint.sh /entrypoint.sh -COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh +COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh RUN chmod 755 /entrypoint.sh && \ - chmod 755 /entrypoint-scripts/00-wazuh.sh + chmod 755 /entrypoint-scripts/01-wazuh.sh # Run all services ENTRYPOINT ["/entrypoint.sh"] diff --git a/wazuh/config/00-wazuh.sh b/wazuh/config/01-wazuh.sh similarity index 93% rename from wazuh/config/00-wazuh.sh rename to wazuh/config/01-wazuh.sh index a0cfbc00..beb8d1e6 100644 --- a/wazuh/config/00-wazuh.sh +++ b/wazuh/config/01-wazuh.sh @@ -164,16 +164,37 @@ docker_custom_args() { change_api_user_credentials() { pushd /var/ossec/api/configuration/auth/ + if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then + WAZUH_API_USER=${API_USER} + WAZUH_API_PASS=${API_PASS} + else + input=${SECURITY_CREDENTIALS_FILE} + while IFS= read -r line + do + if [[ $line == *"WAZUH_API_USER"* ]]; then + arrIN=(${line//:/ }) + WAZUH_API_USER=${arrIN[1]} + elif [[ $line == *"WAZUH_API_PASS"* ]]; then + arrIN=(${line//:/ }) + WAZUH_API_PASS=${arrIN[1]} + fi + done < "$input" + fi + echo "Change Wazuh API user credentials" - change_user="node htpasswd -b -c user $API_USER $API_PASS" + change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS" eval $change_user popd } + + + ############################################################################## # Customize filebeat output ip ############################################################################## + custom_filebeat_output_ip() { if [ "$FILEBEAT_OUTPUT" != "" ]; then sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml