Security for Elastic Stack (#196)

CHANGELOG.md

@@ -19,6 +19,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 
 ### Fixed
 

docker-compose.yml

@@ -25,6 +25,12 @@ services:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
+      - SECURITY_ENABLED=yes
+      - SECURITY_LOGSTASH_USER=service_logstash
+      - SECURITY_LOGSTASH_PASS=logstash_pass
+      - LOGSTASH_OUTPUT=https://elasticsearch:9200
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
   elasticsearch:
     image: wazuh/wazuh-elasticsearch:3.9.2_6.8.0
     hostname: elasticsearch
@@ -37,6 +43,26 @@ services:
       - network.host=0.0.0.0
       - bootstrap.memory_lock=true
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+      - ELASTICSEARCH_PROTOCOL=https
+      - ELASTICSEARCH_IP=elasticsearch
+      - ELASTICSEARCH_PORT=9200
+      - SECURITY_ENABLED=yes
+      - SECURITY_ADMIN_USER=wazuh_admin
+      - SECURITY_ADMIN_PASS=admin_pass
+      - SECURITY_ELASTIC_PASSWORD=elastic_pass
+      - SECURITY_KIBANA_USER=service_kibana
+      - SECURITY_KIBANA_PASS=kibana_pass
+      - SECURITY_LOGSTASH_USER=service_logstash 
+      - SECURITY_LOGSTASH_PASS=logstash_pass
+      - SECURITY_CA_PASSPHRASE=ca_pass
+      - SECURITY_CERTIFICATE_DNS=elasticsearch
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+      - SECURITY_CA_KEY=server.TEST-CA.key
+      - SECURITY_CA_TRUST=server.TEST-CA-signed.pem
+      - SECURITY_MAIN_NODE=elasticsearch
+      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
+      - SECURITY_MONITORING_USER=service_monitoring
+      - SECURITY_MONITORING_PASS=monitoring_pass
     ulimits:
       memlock:
         soft: -1
@@ -51,17 +77,14 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-  nginx:
-    image: wazuh/wazuh-nginx:3.9.2_6.8.0
-    hostname: nginx
-    restart: always
     environment:
-      - NGINX_PORT=443
-      - NGINX_CREDENTIALS
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - SECURITY_ENABLED=yes
+      - SECURITY_KIBANA_USER=service_kibana
+      - SECURITY_KIBANA_PASS=kibana_pass
+      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
+      - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
+      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
     ports:
-      - "80:80"
-      - "443:443"
-    depends_on:
-      - kibana
-    links:
-      - kibana:kibana
+      - "5601:5601"

elasticsearch/Dockerfile

@@ -1,8 +1,6 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.0
 
-ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
-
 ENV ALERTS_SHARDS="1" \
     ALERTS_REPLICAS="0"
 
@@ -15,6 +13,20 @@ ENV ENABLE_CONFIGURE_S3="false"
 
 ENV TEMPLATE_VERSION=v3.9.2
 
+
+# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
+# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
+# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
+# Example:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
+# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
+# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+ARG SECURITY_CA_KEY_LOCATION=""
+ARG SECURITY_OPENSSL_CONF_LOCATION=""
+ARG SECURITY_CA_TRUST_LOCATION=""
+
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
 ENV ELASTIC_CLUSTER="false" \
@@ -31,6 +43,16 @@ ENV ELASTIC_CLUSTER="false" \
 
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
 
+# CA cert for Transport SSL
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
+ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
+ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
+ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
+
+RUN yum install openssl -y
+
+RUN mkdir /entrypoint-scripts
+
 COPY config/entrypoint.sh /entrypoint.sh
 
 RUN chmod 755 /entrypoint.sh
@@ -44,8 +66,14 @@ RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downlo
 COPY config/configure_s3.sh ./config/configure_s3.sh
 RUN chmod 755 ./config/configure_s3.sh
 
-COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
-RUN chmod +x ./config_cluster.sh
+COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
+RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
+RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/20-config_secure.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+##############################################################################
+# Setup bootstrap password to chagne all Elastic Stack passwords.
+# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+  echo "Creating certificate."
+
+  pushd /usr/share/elasticsearch/config/
+
+  echo "Setting configuration options."
+
+  # Create instances.yml for elasticsearch .p12 certificate and key
+  echo "
+instances:
+- name: \"elasticsearch\"
+  dns: 
+    - $SECURITY_CERTIFICATE_DNS
+" > instances.yml
+
+  # Change permissions and owner of ca
+  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
+  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
+ 
+
+  # Genereate .p12 certificate and key
+  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
+  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
+  unzip certs.zip
+  rm certs.zip 
+
+  # Change permissions and owner of certificates
+  chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
+  chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
+  chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
+
+  # Prepare directories for openssl
+  mkdir /root/ca
+  mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
+  chmod 700 /root/ca/private
+  touch /root/ca/index.txt
+  echo 1000 > /root/ca/serial
+
+  mkdir /root/ca/intermediate
+  mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
+  chmod 700 /root/ca/intermediate/private
+  touch /root/ca/intermediate/index.txt
+  echo 1000 > /root/ca/intermediate/serial
+  echo 1000 > /root/ca/intermediate/crlnumber
+
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+
+    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
+  
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    CA_PASSPHRASE_FROM_FILE=""
+    while IFS= read -r line
+    do
+      if [[ $line == *"CA_PASSPHRASE"* ]]; then
+        arrIN=(${line//:/ })
+        CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
+      fi
+    done < "$input"
+    
+    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem 
+  
+  fi
+  
+  chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
+
+  # remove CA key
+  rm $SECURITY_CA_KEY
+
+  popd
+
+  echo "Setting configuration options."
+  
+  # Settings for elasticsearch.yml
+  echo "
+# Required to set the passwords and TLS options
+xpack.security.enabled: true
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: certificate
+xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
+
+# HTTP layer
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: certificate
+xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
+" >> $elastic_config_file
+
+  # Create keystore
+  /usr/share/elasticsearch/bin/elasticsearch-keystore create
+
+  # Add keys to keystore
+  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
+  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
+
+fi
+

elasticsearch/config/30-entrypoint.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
+then 
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+bash /usr/share/elasticsearch/load_settings.sh &
+
+# Execute elasticsearch
+
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+  echo "Change Elastic password"
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    ELASTIC_PASSWORD_FROM_FILE=""
+    while IFS= read -r line
+    do
+      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+        arrIN=(${line//:/ })
+        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
+      fi
+    done < "$input"
+    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
+  fi
+  echo "Elastic password changed"
+fi
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/TEST_openssl.cnf

@@ -0,0 +1,132 @@
+# OpenSSL intermediate CA configuration file.
+# Copy to `/root/ca/intermediate/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/intermediate.key.pem
+certificate       = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = GB
+stateOrProvinceName_default     = England
+localityName_default            =
+0.organizationName_default      = Alice Ltd
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

elasticsearch/config/configure_s3.sh

@@ -2,6 +2,36 @@
 
 set -e
 
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials for 
+# monitoring
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u elastic:${ELASTIC_PASS} -k"
+else
+  auth=""
+fi
+
 # Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
 # param 1: number of arguments passed to configure_s3.sh
 
@@ -35,7 +65,7 @@ function CreateRepo()
     if [ $1 == 5 ];then
         version="$6"
     else
-        version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
     fi
 
     if ! [[ "$version" =~ ^[0-9]+$ ]];then
@@ -46,7 +76,7 @@ function CreateRepo()
     repository="$repository_name-$version"
     s3_path="$path/$version"
 
-    curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+    curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
         {
             "type": "s3",
             "settings": {

elasticsearch/config/entrypoint.sh

@@ -1,52 +1,8 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 
-set -e
-
-# Files created by Elasticsearch should always be group writable too
-umask 0002
-
-run_as_other_user_if_needed() {
-  if [[ "$(id -u)" == "0" ]]; then
-    # If running as root, drop to specified UID and run command
-    exec chroot --userspec=1000 / "${@}"
-  else
-    # Either we are running in Openshift with random uid and are a member of the root group
-    # or with a custom --user
-    exec "${@}"
-  fi
-}
-
-
-#Disabling xpack features
-
-elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-if grep -Fq  "#xpack features" "$elasticsearch_config_file";
-then 
-  declare -A CONFIG_MAP=(
-  [xpack.ml.enabled]=$XPACK_ML
-  )
-  for i in "${!CONFIG_MAP[@]}"
-  do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
-    fi
 done
-else
-  echo "
-#xpack features
-xpack.ml.enabled: $XPACK_ML
- " >> $elasticsearch_config_file
-fi
-
-# Run load settings script.
-
-./config_cluster.sh
-
-./load_settings.sh &
-
-# Execute elasticsearch
-
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/load_settings.sh

@@ -3,15 +3,88 @@
 
 set -e
 
-el_url=${ELASTICSEARCH_URL}
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
 
-if [ "x${WAZUH_API_URL}" = "x" ]; then
+if [[ "x${WAZUH_API_URL}" = "x" ]]; then
   wazuh_url="https://wazuh"
 else
   wazuh_url="${WAZUH_API_URL}"
 fi
 
-if [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+ELASTIC_PASS=""
+KIBANA_USER=""
+KIBANA_PASS=""
+LOGSTASH_USER=""
+LOGSTASH_PASS=""
+ADMIN_USER=""
+ADMIN_PASS=""
+WAZH_API_USER=""
+WAZH_API_PASS=""
+MONITORING_USER=""
+MONITORING_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
+  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
+  ADMIN_USER=${SECURITY_ADMIN_USER}
+  ADMIN_PASS=${SECURITY_ADMIN_PASS}
+  WAZH_API_USER=${API_USER}
+  WAZH_API_PASS=${API_PASS}
+  MONITORING_USER=${SECURITY_MONITORING_USER}
+  MONITORING_PASS=${SECURITY_MONITORING_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_USER"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_USER=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_PASS=${arrIN[1]}
+    elif [[ $line == *"ADMIN_USER"* ]]; then
+      arrIN=(${line//:/ })
+      ADMIN_USER=${arrIN[1]}
+    elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ADMIN_PASS=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_USER"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_USER=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_PASS=${arrIN[1]}
+    elif [[ $line == *"MONITORING_USER"* ]]; then
+      arrIN=(${line//:/ })
+      MONITORING_USER=${arrIN[1]}
+    elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      MONITORING_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
   auth=""
 else
   auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
@@ -27,15 +100,14 @@ done
 if [ $ENABLE_CONFIGURE_S3 ]; then
   #Wait for Elasticsearch to be ready to create the repository
   sleep 10
-  IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
 
   if [ "x$S3_PATH" != "x" ]; then
 
     if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
-      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR 
+      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
 
     else
-      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME 
+      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
 
     fi
 
@@ -43,6 +115,48 @@ if [ $ENABLE_CONFIGURE_S3 ]; then
 
 fi
 
+##############################################################################
+# Setup passwords for Elastic Stack users
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+  MY_HOSTNAME=`hostname`
+  echo "Hostname:"
+  echo $MY_HOSTNAME
+  if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
+    echo "Setting up passwords for all Elastic Stack users"
+
+    echo "Setting remote monitoring password"
+    SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
+      >&2 echo "Unavailable password seeting- sleeping"
+      sleep 2
+    done
+    echo "Setting Kibana password"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ],  "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ],  "privileges": ["read", "view_index_metadata"] }  ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER"  -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"],  "full_name" : "Service Internal Kibana User" }'
+    echo "Setting APM password"
+    SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
+    echo "Setting Beats password"
+    SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
+    echo "Setting Logstash password"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ],  "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer"],  "full_name" : "Service Internal Logstash User" }'
+    echo "Passwords established for all Elastic Stack users"
+    echo "Creating Admin user"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"],  "full_name" : "Wazuh admin" }'
+    echo "Admin user created"
+    echo "Setting monitoring user"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ],  "privileges": ["write","create_index","manage","read", "index"] } ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"],  "full_name" : "Service Internal Monitoring User" }'
+  fi
+fi
+
 #Insert default templates
 
 sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
@@ -51,8 +165,8 @@ cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_t
 sleep 5
 
 
-API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$API_USER" | tr -d '"'`
+API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
 API_PASSWORD=`echo -n $API_PASS_Q | base64`
 
 echo "Setting API credentials into Wazuh APP"
@@ -96,7 +210,7 @@ curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/jso
 '
 
 # Set cluster delayed timeout when node falls
-curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
+curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
 {
   "settings": {
     "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
@@ -104,5 +218,12 @@ curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
 }
 '
 
+# Remove credentials file.
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
 
 echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -5,12 +5,25 @@ USER root
 
 ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
+# This CA is created for testing. Please set your own CA pem signed certificate. 
+# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
+# ENV variables are necessary: SECURITY_CA_PEM 
+# Sample:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+
+# CA for secure communication with Elastic
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
+
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
     chown -R kibana:kibana /usr/share/kibana &&\
     rm -rf /tmp/*
 
+RUN yum install openssl -y
+
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
+RUN mkdir /entrypoint-scripts
 
 USER kibana
 
@@ -53,9 +66,11 @@ ARG XPACK_UPTIME="false"
 
 ARG CHANGE_WELCOME="true"
 
-COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
+RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
 
-RUN chmod +x ./wazuh_app_config.sh
+COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
 
 COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
 

kibana/config/20-entrypoint.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+KIBANA_USER=""
+KIBANA_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials.
+# We must create the ssl certificate.
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+
+  # Create keystore
+  /usr/share/kibana/bin/kibana-keystore create
+  
+  echo "Setting security Kibana configuiration options."
+
+  echo "
+# Elasticsearch from/to Kibana
+elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
+
+server.ssl.enabled: true
+server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
+server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
+" >> /usr/share/kibana/config/kibana.yml
+
+  echo "Create SSL directories."
+
+  mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
+  CA_PATH="/usr/share/kibana/config"
+
+  echo "Creating SSL certificates."
+  
+  pushd $CA_PATH
+
+  chown kibana: $CA_PATH/$SECURITY_CA_PEM
+  chmod 400 $CA_PATH/$SECURITY_CA_PEM
+  SECURITY_KEY_PASS=`openssl rand -base64 32`
+  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
+  chown -R kibana: $CA_PATH/ssl
+  chmod -R 770 $CA_PATH/ssl
+  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
+
+  popd
+  echo "SSL certificates created."
+
+  # Add keys to keystore
+  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
+  echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
+  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
+
+fi
+
+##############################################################################
+# Run more configuration scripts.
+##############################################################################
+
+bash /usr/share/kibana/kibana_settings.sh &
+
+/usr/local/bin/kibana-docker

kibana/config/entrypoint.sh

@@ -1,57 +1,8 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-set -e
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-if [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
 done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-./wazuh_app_config.sh
-
-sleep 5
-
-./kibana_settings.sh &
-
-/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -20,7 +20,6 @@ WAZUH_MAJOR=3
 ##############################################################################
 if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
   sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
-
 fi
 
 if [ "$KIBANA_IP" != "" ]; then
@@ -29,7 +28,38 @@ else
   kibana_ip="kibana"
 fi
 
-while [[ "$(curl -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
+KIBANA_USER=""
+KIBANA_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u $KIBANA_USER:${KIBANA_PASS}"
+  kibana_secure_ip="https://$kibana_ip"
+else
+  auth=""
+  kibana_secure_ip="http://$kibana_ip"
+fi
+
+
+while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
   echo "Waiting for Kibana API. Sleeping 5 seconds"
   sleep 5
 done
@@ -49,16 +79,23 @@ EOF
 
 sleep 5
 # Add the wazuh alerts index as default.
-curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 
 sleep 5
 # Configuring Kibana TimePicker.
-curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
 '{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
 
 sleep 5
 # Do not ask user to help providing usage statistics to Elastic
-curl -POST "http://$kibana_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+# Remove credentials file
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
 
 echo "End settings"

logstash/Dockerfile

@@ -9,4 +9,29 @@ RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 
 COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
 
+# This CA is created for testing. Please set your own CA pem signed certificate. 
+# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
+# ENV variables are necessary: SECURITY_CA_PEM 
+# Sample:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+ARG SECURITY_CA_PEM_ARG=""
+
+# CA for secure communication with Elastic
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
+
+# Set permissions for CA
+USER root
+RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
+RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
+
+# Add entrypoint scripts
+RUN mkdir /entrypoint-scripts
+RUN chmod -R 774 /entrypoint-scripts
+RUN chown -R logstash:logstash /entrypoint-scripts
+COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
+USER logstash
+
 ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -41,5 +41,9 @@ output {
         hosts => ["elasticsearch:9200"]
         index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
         document_type => "wazuh"
+        #user => service_logstash
+        #password => service_logstash_internal_password
+        #ssl => true
+        #cacert => "/path/to/cert.pem"
     }
 }

logstash/config/10-entrypoint.sh

@@ -0,0 +1,154 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+LOGSTASH_USER=""
+LOGSTASH_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
+  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_PASS=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_USER"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+
+##############################################################################
+# Customize logstash output ip
+##############################################################################
+
+if [ "$LOGSTASH_OUTPUT" != "" ]; then
+  >&2 echo "Customize Logstash ouput ip."
+  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
+fi
+
+until curl $auth -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping."
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Set Logstash password
+##############################################################################
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials.
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+  ## Create secure keystore
+  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
+  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
+  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
+
+  ## Settings for logstash.yml
+  echo "
+# Required set the passwords
+xpack.monitoring.enabled: true
+xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
+xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
+xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
+xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
+" >> /usr/share/logstash/config/logstash.yml
+
+  ## Settings for 01-wazuh.conf
+  sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf 
+
+  ## Add keys to the keystore
+  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
+  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
+  
+  
+fi
+  
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+##############################################################################
+# Remove credentials file
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
+
+
+##############################################################################
+# Map environment variables to entries in logstash.yml.
+# Note that this will mutate logstash.yml in place if any such settings are found.
+# This may be undesirable, especially if logstash.yml is bind-mounted from the
+# host system.
+##############################################################################
+
+env2yaml /usr/share/logstash/config/logstash.yml
+
+export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
+
+if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
+  exec logstash "$@"
+else
+  exec "$@"
+fi

logstash/config/entrypoint.sh

@@ -1,72 +1,8 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
 
-set -e
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-##############################################################################
-# Customize logstash output ip
-##############################################################################
-
-if [ "$LOGSTASH_OUTPUT" != "" ]; then
-  >&2 echo "Customize Logstash ouput ip."
-  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml 
-fi
-
-until curl -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping."
-  sleep 5
 done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-##############################################################################
-# Map environment variables to entries in logstash.yml.
-# Note that this will mutate logstash.yml in place if any such settings are found.
-# This may be undesirable, especially if logstash.yml is bind-mounted from the
-# host system.
-##############################################################################
-
-env2yaml /usr/share/logstash/config/logstash.yml
-
-export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
-
-if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
-  exec logstash "$@"
-else
-  exec "$@"
-fi

wazuh/Dockerfile

@@ -87,10 +87,10 @@ VOLUME ["/var/lib/filebeat"]
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
-COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh
+COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 
 RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/00-wazuh.sh
+    chmod 755 /entrypoint-scripts/01-wazuh.sh
 
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/01-wazuh.sh

@@ -164,16 +164,37 @@ docker_custom_args() {
 
 change_api_user_credentials() {
   pushd /var/ossec/api/configuration/auth/
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    WAZUH_API_USER=${API_USER}
+    WAZUH_API_PASS=${API_PASS}
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    while IFS= read -r line
+    do
+      if [[ $line == *"WAZUH_API_USER"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_USER=${arrIN[1]}
+      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_PASS=${arrIN[1]}
+      fi
+    done < "$input"
+  fi
+
   echo "Change Wazuh API user credentials"
-  change_user="node htpasswd -b -c user $API_USER $API_PASS"
+  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
   eval $change_user
   popd
 }
 
+
+
+
 ##############################################################################
 # Customize filebeat output ip
 ##############################################################################
 
+
 custom_filebeat_output_ip() {
   if [ "$FILEBEAT_OUTPUT" != "" ]; then
     sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml