diff --git a/docker-compose.yml b/docker-compose.yml index 73d82ce4..58513581 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh-odfe:4.2.5 + image: wazuh/wazuh-odfe:4.3.0 hostname: wazuh-manager restart: always ports: @@ -30,7 +30,7 @@ services: - filebeat_var:/var/lib/filebeat wazuh-indexer: - image: wazuh-indexer + image: test-indexer hostname: node1 restart: always ports: @@ -39,7 +39,8 @@ services: - discovery.type=single-node - cluster.name=wazuh-cluster - network.host=0.0.0.0 - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - plugins.security.allow_default_init_securityindex=true + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true ulimits: memlock: diff --git a/generate-indexer-certs.yml b/generate-indexer-certs.yml index acc05e81..01503c55 100644 --- a/generate-indexer-certs.yml +++ b/generate-indexer-certs.yml @@ -3,8 +3,8 @@ version: '3' services: generator: - image: certs_creator #wazuh/opendistro-certs-generator:0.1 + image: wazuh/opendistro-certs-generator:0.1 hostname: opendistro-certs-generator volumes: - - ./production_cluster/wazuh_indexer_ssl_certs/certs.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml + - ./production_cluster/wazuh_indexer_ssl_certs/certs.yml:/usr/src/config/myconf.yml - ./production_cluster/wazuh_indexer_ssl_certs/:/usr/src/certs/out/ \ No newline at end of file diff --git a/production-cluster.yml b/production-cluster.yml index e5248381..ae431ba2 100644 --- a/production-cluster.yml +++ b/production-cluster.yml @@ -73,8 +73,9 @@ services: ports: - "9700:9700" environment: - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "NODE_TYPE=master" + - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 
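Review bot: The wazuh-indexer service now reads `image: test-indexer`, an untagged name with no registry or version, in the repository's main docker-compose.yml; on a fresh host `docker-compose up` will either fail to pull it or pick up whichever local image happens to carry that name. If the intent is to run the Dockerfile_new build from this same commit, a `build:` stanza or a pinned tag (`image: wazuh/wazuh-indexer:<version>`, placeholder) would make the source explicit and reproducible. The same name is used for all three indexer services in the new test-cluster.yml.yml.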
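Review bot: The added `- plugins.security.allow_default_init_securityindex=true` instructs the security plugin to seed the security index from the on-disk securityconfig at first start, so whatever internal_users.yml the image ships (the demo admin credentials, going by the `ELASTIC_PASSWORD=admin` entries elsewhere in this commit) becomes live without anyone running securityadmin. That is reasonable for a test stack but should be labelled as such; a comment on the line like `# dev/test only: bootstraps the security index from the shipped demo securityconfig` would keep it from being copied into production_cluster unchanged — the same setting is added in opensearch-node1/2/3.yml in this commit. Whether the custom wazuh-indexer entrypoint maps dotted environment variables into opensearch.yml the way the upstream OpenSearch image does is not visible here; if it does not, this line is a silent no-op.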
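Review bot: The generator's output volume `./production_cluster/wazuh_indexer_ssl_certs/` is a bind mount inside the repository tree, and this same commit is deleting committed private keys from `production_cluster/kibana_ssl/` and `production_cluster/nginx/ssl/`; unless that output directory is git-ignored, the freshly generated indexer keys will end up committed the same way. The new mount target `/usr/src/config/myconf.yml` reads like a scratch name — a comment stating that this is the config path the `wazuh/opendistro-certs-generator:0.1` image reads would help the next maintainer, and that image is pinned only by tag, not digest.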
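Review bot: `- "bootstrap.memory_lock=true"` is added to the service's `environment:` list, but it is an opensearch.yml setting rather than a documented environment variable; it only takes effect if the wazuh-indexer image's entrypoint translates dotted env vars into the config file as the upstream OpenSearch image does, and that entrypoint is not part of this diff. If it does not, the line is a silent no-op and `bootstrap.memory_lock: true` belongs in opensearch-node1.yml next to the memlock ulimits already configured here. The same addition is made for wazuh-indexer-2 and wazuh-indexer-3 in the following two hunks of this file.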
@@ -97,8 +98,9 @@ services: hostname: wazuh-indexer-2 restart: always environment: - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "NODE_TYPE=worker" + - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 @@ -113,14 +115,15 @@ services: - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-2.pem:/etc/wazuh-indexer/certs/wazuh-indexer-2.pem - ./production_cluster/wazuh-indexer/opensearch-node2.yml:/etc/wazuh-indexer/opensearch.yml - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml - + wazuh-indexer-3: image: wazuh-indexer hostname: wazuh-indexer-3 restart: always environment: - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" - "NODE_TYPE=worker" + - "bootstrap.memory_lock=true" ulimits: memlock: soft: -1 @@ -135,7 +138,7 @@ services: - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-3.pem:/etc/wazuh-indexer/certs/wazuh-indexer-3.pem - ./production_cluster/wazuh-indexer/opensearch-node3.yml:/etc/wazuh-indexer/opensearch.yml - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml - + kibana: image: wazuh/wazuh-dashboard:4.3.0 hostname: kibana diff --git a/production_cluster/kibana_ssl/cert.pem b/production_cluster/kibana_ssl/cert.pem deleted file mode 100644 index 92da3280..00000000 --- a/production_cluster/kibana_ssl/cert.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDazCCAlOgAwIBAgIUaIlPP3pCoqvkHYK4/3ATalS/l4MwDQYJKoZIhvcNAQEL -BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM -GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjAxMjgxODE1MDRaFw0yMzAx -MjgxODE1MDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw -HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDtxUl6m3HlUPeTIXQu+BVCOiscwtVXTlSaIlOhz/cu -Py5ptLRMHdO1vTIawPag9Y1bLaLpkPuGSVUIXFhhfvc20OlQ0HaHMVu+zA6B+pV0 -uZTg4HAX7NJhGMh9qv1APtoeTx7wbG48f6+udV2bbay4a/+jQ8wkYeeTcRNSs7cz -zN30ToPUul/41ekROqvCwl7ss7BF0V/9V2ZgMnwdix7ogEZckYEvDkDccud+cF+f -CRBABKlueFL5C2+d5AkhQef8BqzjnwsRSlWSRulfcU4G0pkmVG+v59PnGaOuKVs/ -g6zOfvCmb3nKSMmJJs5sJfEN0JD1Xir6nJlEQMukRBKZAgMBAAGjUzBRMB0GA1Ud -DgQWBBRH3Gak7M/uyi4SvAv8sd3oX3uHADAfBgNVHSMEGDAWgBRH3Gak7M/uyi4S -vAv8sd3oX3uHADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBv -1wBbjz5JSBU9UfJh5IPxTudOTtHQgU1N55M8Qz0cNBpc6dtyL/+xc85UoTKo9BEH -ZluycPDyFeIjEyvCTLTdJLkRY4gqKGgnI9JtR4nOGLjX2le1o78uL6aayYTHaQVF -Q/5K7q+JOwDXu4haBupKl43fZSFQhMQOpsKt9+PHymBXSxP35FrLNVG+UQcQNiwT -2u9Vm0K36TEmTc+eeVPo6L2bTqhWbURSJpsnMXEGssIUVuzHu2iPjsJpf6rW93DD -ZI41gjPBBuDrOPxuNQ5M9wz5j9Ckv3CHBXwg868qUAklv6tj+7bovbngof67HL4W -GzUBqvUWcjo4dV/ZkA1Z ------END CERTIFICATE----- diff --git a/production_cluster/kibana_ssl/key.pem b/production_cluster/kibana_ssl/key.pem deleted file mode 100644 index 9fd51c8a..00000000 --- a/production_cluster/kibana_ssl/key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDtxUl6m3HlUPeT -IXQu+BVCOiscwtVXTlSaIlOhz/cuPy5ptLRMHdO1vTIawPag9Y1bLaLpkPuGSVUI -XFhhfvc20OlQ0HaHMVu+zA6B+pV0uZTg4HAX7NJhGMh9qv1APtoeTx7wbG48f6+u -dV2bbay4a/+jQ8wkYeeTcRNSs7czzN30ToPUul/41ekROqvCwl7ss7BF0V/9V2Zg -Mnwdix7ogEZckYEvDkDccud+cF+fCRBABKlueFL5C2+d5AkhQef8BqzjnwsRSlWS -RulfcU4G0pkmVG+v59PnGaOuKVs/g6zOfvCmb3nKSMmJJs5sJfEN0JD1Xir6nJlE -QMukRBKZAgMBAAECggEANp+sUc6ES/pd5h85YdD8kUprvR/Fg1krdn2MWRA96RH6 -x64L/bCcgpQEfsD15+SBpQDG/IGiRydxsYoFg+B3StCTyU0a7dQZD6wxaQr4auh3 -m3H0TorJiiT3amdt5uSJl4z1vqYqbRuocJvl9V8s3vFwuUFKFNGpMeY4WjePTwbA -SoVvXHsatA6QPNfIYJXIdWD5DdPMIABWuFThm/hDfq1n57DsKQa3/pvyj4tMqKw9 -K0cgVJWqCFqAlza7WErn9NDvGOZxJqzmgAbjnj9l18VRHp1uzKn0oZBM50zuvykU -HpEoe+GCktNy8PhDx3w60gxftKgFilgRyHvVNYwAAQKBgQD/IghMwhWTrNlzxj20 -oQ2NwUnPNJjsu0ZklAAp4axekipu3kI5bNyoBBBTg1uJwHnfLOJxmCPuCBzvqcA+ -kr8jUH7DuKAHEdDyt6rGAyAnLHKI9+WRztXJqBwhk/CmHoxM/cT5sdEog3Z8WAes -sm7IPnI1J/0BevrcmDDwrot2AQKBgQDulCY3lZgpWj9PSKzkwxBYMGwVDKYwin38 -NY4a/jf+PzIXVrZSeLDmSgkNqgvsHCnjrzfI6dC+wG3wjblgM4ocAM3C6eG8Obnp -Bv+llfDGsndO9VO0oLeycyPkukrVBnG90KL+FEdJleLMb8Zcw8f8xF09lks5gmSX -ZEfv4mKMmQKBgQC9Csp7lZPHSFwXnNw76tnQH1hBYAev4VPXUpKMddryd/tZCvam -9jLJi7lNKBe7ihLDes6OvNxik0BdlLoNo05dLFfBThvFIT5hmhW/grFgVV7IfmZs -E4X1VcsCVkwJyrjKk35QRaFlE4PHvrJxFAVh+mNFX8voPOeEbIBW1f4gAQKBgBK1 -NUX4igT8GajK5xvNG/P+YAtKgaGeyoBDZtBBDPz30aK43vUal6yHM6yJoAO0tagv -7izoAMFkb3qEcnvTrsnBWmElW9kZobVfIh7G4imChw5++EBatezdUHw4C3Qm3DZp -LM7Fok1n3m/vd9uAUqdEcpdIuL9atS6V43oxA09JAoGBALO0H5n/jQxfzS1FzAR8 -ywA093adt4v84C8BsVj/nsMk56mqTquWtAuEgur7sWk2sBosb9qKsN0VmWG8h4nk -aV/nJopx77c8GAWzyiJ5W34mhS0LiTfax8L0FBx79eis+/lXr2bujgNJkGE7JHOu -zNDYtcVvKModj/du4hXIKExr ------END PRIVATE KEY----- diff --git a/production_cluster/nginx/ssl/cert.pem b/production_cluster/nginx/ssl/cert.pem deleted file mode 100644 index 25dfcf89..00000000 --- a/production_cluster/nginx/ssl/cert.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDazCCAlOgAwIBAgIUKLi6nm5vryQ/9xCQOJsSZpsxT5MwDQYJKoZIhvcNAQEL -BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM -GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMjAxMjcxOTQ3MDhaFw0yMzAx -MjcxOTQ3MDhaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw -HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCbp1+YDLidHAF/7qfVN8kLixNgclux6FNcupmSo7om -gtS42zAfimDvlukhRTL/keV4yis2WwhLq/CP/FGvPVoSLnqXUx9oyW4X7zCHastq -dHj62wI+SgcbqTZidTqFdPt4WnJ17UauUuBGLqeDZALwUD2l45aYPPj6N+LjjdBW -Ag2Q6g3iWJM2uAY3Qu5IHf8yngkGWuFsKYleyGSdRWzSr6OUKsDj0ZljD3fKhWB1 -5+KFL/n9uRoHGrT/1O1FJFxUzX7PCO+6c16NN9tO1BP4dwiP+u8kORiiVoJ7xWlU -BJd88rfIV1Rds94nBGAl1H9eJMEe0dbdFCQEzhPf0KB3AgMBAAGjUzBRMB0GA1Ud -DgQWBBTRbzcDxJ1bHGdtqtvYUAGAV1xFGzAfBgNVHSMEGDAWgBTRbzcDxJ1bHGdt -qtvYUAGAV1xFGzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBr -uuCdm/zj5BfGD6Dg3V0nPOHeHv4b4UN4husPFRSb0YanZWTHpENfrbhRFknM9Ut1 -k6ces6c0m9UvDJQtIGkXQM57EXe2PYbDhPeP3GWvc1ymQoPoHwPmKtnrd2vTV0ni -MxAkr2BwX9Az0NrEef0ccAgyYXm+JBnQK4ZxTln4bBkK6+aZ34w9lGUSql33pdk4 -v9wySOffEOkaCFqXH6xZ1P4pJqcydaM75JXMuMg8DteSixARjuI5Ce6cyiki1Yte -nK8GqZC8lsM/s8ag3dHq0FT9gP0VGonKATqdknGa5bxCo/NolUhcyPgYPiTpz4s9 -w8668jDUM62W84lvKa6P ------END CERTIFICATE----- diff --git a/production_cluster/nginx/ssl/key.pem b/production_cluster/nginx/ssl/key.pem deleted file mode 100644 index 8f62f328..00000000 --- a/production_cluster/nginx/ssl/key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbp1+YDLidHAF/ -7qfVN8kLixNgclux6FNcupmSo7omgtS42zAfimDvlukhRTL/keV4yis2WwhLq/CP -/FGvPVoSLnqXUx9oyW4X7zCHastqdHj62wI+SgcbqTZidTqFdPt4WnJ17UauUuBG -LqeDZALwUD2l45aYPPj6N+LjjdBWAg2Q6g3iWJM2uAY3Qu5IHf8yngkGWuFsKYle -yGSdRWzSr6OUKsDj0ZljD3fKhWB15+KFL/n9uRoHGrT/1O1FJFxUzX7PCO+6c16N -N9tO1BP4dwiP+u8kORiiVoJ7xWlUBJd88rfIV1Rds94nBGAl1H9eJMEe0dbdFCQE -zhPf0KB3AgMBAAECggEAFJRvnjHoYtVmGV0bkaRbj4wm1rSoDQCzrOn7DhlZrmfT -6lEIrtLj+CmSz1RP5tyKY4sPZZNpqF+mYdMxlaLd+tNsX/+cgoVHaiC04OKs3Hlj -2X8Fb+jnwa+AwknPn/+UlBgZVCA4HSpV/tGCUmvxu4ZQcFOEAMLnBGZJOF7ysbxE -9Q08spPjQQgYfScS9pRhKRj8PG+qepifpMAg4GtiT9u70r2DC+IbxmE15MUtA/qM -vqHhGLaH3LiuEI0sBEvU95mgQAGaScDiJR1uQ7VrRHQJlxYnxoNywe+8cvpi+qjK -E3NvQpI0NP1/BroDMP2je2FYedWipolR9vNpRK5FyQKBgQDLnI1jqMyl86xMzePi -G7gp/9IAi+5xwCs4o8THmozi3ktn0ma5hlg2RjP19tdslr39I47L9RMPnis+SYIE -Qzdol+wV0VhQmBt7yot+EnPgPqz1zxhGmeji+wImGgV+1acBV++YaDYimI8Ux1uG -Z4faczDrhpAG8TaECr5PCcieFQKBgQDDs/MzI0hVs+xzgLlcTrA7jgZnCVxtAVBa -NAEN0tJ1AC2lL5nYlcfd0x2ebRmluRCGmS8HfZ/3lTTARTE+HED/Vf2C0svStSwx -aDEu9zFYgxCI5ZYzwxcubvlpoEUaLS9jJPAiW/rSuImAinA3hDDq92VJwcr4qFu0 -WrB7iMlzWwKBgQCwkEZvmI42jnLoe1ZU2dK+4O87uByCmbEhQaq/qH7psPjUxDh+ -Q0i1b/VZIr+2k5WXMUGADjqEPZWkQtwzVBJ1aeC5Hrulz/FtTLvgDKJdYBxeYELd -3lN8mUxIvCHt1donqRjFIgFnyMGytBnjGF5PibpvU1YMHxo2MJbNNV+57QKBgQCo -nly2O/kwNqVNY6TSHs6Dkbx8fLlRBmfIQLSDx5kjzDKH+DqTPYKG40bK4O/PNWRC -xKubxabV+I4J99QU0t1B40JZvOx3MTjRnRd7gurWe578hOxkzvwjOuTVGI1Rn4sL -3qC0yhGUDAIVabKEcvZ/DQgNg9cxZkYVYGpdFh+UrwKBgGGb0yr7dBuvzVaJ5fLj -ITwJr6kqD41JVd0MKpGzIDGubMaGTtdc6N6GjIyNzgJAQ9VDv0l45BUYfjKtNp90 -al8RIfH0xUdPGHT/7JBgyEWZqBF88dC9Kn4JVfKzoaQK89a2RM554MxKuQOKw2Yr -q6EnyW8xKHg3z06lzZeFF51C ------END PRIVATE KEY----- diff --git a/production_cluster/wazuh-indexer/opensearch-node1.yml b/production_cluster/wazuh-indexer/opensearch-node1.yml index 3ef82d19..aba06f5c 100644 --- a/production_cluster/wazuh-indexer/opensearch-node1.yml 
+++ b/production_cluster/wazuh-indexer/opensearch-node1.yml @@ -1,8 +1,14 @@ network.host: wazuh-indexer node.name: wazuh-indexer -cluster.initial_master_nodes: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +cluster.initial_master_nodes: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 cluster.name: "wazuh-cluster" -discovery.seed_hosts: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +discovery.seed_hosts: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 http.port: 9700-9799 transport.tcp.port: 9800-9899 node.max_local_storage_nodes: "3" @@ -36,5 +42,7 @@ plugins.security.nodes_dn: plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false +opendistro_security.audit.config.disabled_rest_categories: NONE +opendistro_security.audit.config.disabled_transport_categories: NONE diff --git a/production_cluster/wazuh-indexer/opensearch-node2 copy.yml b/production_cluster/wazuh-indexer/opensearch-node2 copy.yml deleted file mode 100644 index 3a57f906..00000000 --- a/production_cluster/wazuh-indexer/opensearch-node2 copy.yml +++ /dev/null 
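Review bot: The second hunk drops `plugins.security.system_indices.enabled: true` together with its list of protected indices and replaces it with `plugins.security.allow_default_init_securityindex: true`, so system-index protection for the security, alerting and anomaly-detection indices is switched off in a file that lives under production_cluster; if the old list no longer matched the plugin version, trimming it is preferable to removing the protection. `cluster.routing.allocation.disk.threshold_enabled: false` disables the disk watermarks cluster-wide, which on a production node trades a transient read-only index for a full disk and deserves a comment explaining why it is wanted. The two audit keys use the legacy `opendistro_security.` prefix while every other key in the file uses `plugins.security.`; confirm the image's plugin version still honours the legacy prefix, or use `plugins.security.audit.config.disabled_rest_categories` / `plugins.security.audit.config.disabled_transport_categories` for consistency. The same three changes are made to opensearch-node2.yml and opensearch-node3.yml.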
@@ -1,40 +0,0 @@ -network.host: wazuh-indexer-2 -node.name: wazuh-indexer-2 -cluster.initial_master_nodes: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 -cluster.name: "wazuh-cluster" -discovery.seed_hosts: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 -http.port: 9700-9799 -transport.tcp.port: 9800-9899 -node.max_local_storage_nodes: "3" -path.data: /var/lib/wazuh-indexer -path.logs: /var/log/wazuh-indexer -############################################################################### -# # -# WARNING: Insecure demo certificates set up in this file. # -# Please change on production cluster! # -# # -############################################################################### -plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-2.pem -plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-2.key -plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem -plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-2.pem -plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-2.key -plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem -plugins.security.ssl.http.enabled: true -plugins.security.ssl.transport.enforce_hostname_verification: false -plugins.security.ssl.transport.resolve_hostname: false -plugins.security.audit.type: internal_opensearch -plugins.security.authcz.admin_dn: -- 'CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com' -plugins.security.check_snapshot_restore_write_privileges: true -plugins.security.enable_snapshot_restore_privilege: true -plugins.security.nodes_dn: -- 'CN=wazuh-indexer,OU=Ops,O=Example\, Inc.,DC=example,DC=com' -- 'CN=wazuh-indexer-2,OU=Ops,O=Example\, Inc.,DC=example,DC=com' -- 'CN=wazuh-indexer-3,OU=Ops,O=Example\, Inc.,DC=example,DC=com' -- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com' -plugins.security.restapi.roles_enabled: -- 
"all_access" -- "security_rest_api_access" -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] diff --git a/production_cluster/wazuh-indexer/opensearch-node2.yml b/production_cluster/wazuh-indexer/opensearch-node2.yml index a20cbf57..7e4e1db7 100644 --- a/production_cluster/wazuh-indexer/opensearch-node2.yml +++ b/production_cluster/wazuh-indexer/opensearch-node2.yml @@ -1,8 +1,14 @@ network.host: wazuh-indexer-2 node.name: wazuh-indexer-2 -cluster.initial_master_nodes: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +cluster.initial_master_nodes: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 cluster.name: "wazuh-cluster" -discovery.seed_hosts: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +discovery.seed_hosts: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 http.port: 9700-9799 transport.tcp.port: 9800-9899 node.max_local_storage_nodes: "3" 
@@ -36,5 +42,7 @@ plugins.security.nodes_dn: plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false +opendistro_security.audit.config.disabled_rest_categories: NONE +opendistro_security.audit.config.disabled_transport_categories: NONE \ No newline at end of file diff --git a/production_cluster/wazuh-indexer/opensearch-node3.yml b/production_cluster/wazuh-indexer/opensearch-node3.yml index 49257c7f..96d840e9 100644 --- a/production_cluster/wazuh-indexer/opensearch-node3.yml +++ b/production_cluster/wazuh-indexer/opensearch-node3.yml @@ -1,8 +1,14 @@ network.host: wazuh-indexer-3 node.name: wazuh-indexer-3 -cluster.initial_master_nodes: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +cluster.initial_master_nodes: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 cluster.name: "wazuh-cluster" -discovery.seed_hosts: wazuh-indexer,wazuh-indexer-2,wazuh-indexer-3 +discovery.seed_hosts: + - wazuh-indexer + - wazuh-indexer-2 + - wazuh-indexer-3 http.port: 9700-9799 transport.tcp.port: 9800-9899 node.max_local_storage_nodes: "3" 
@@ -36,5 +42,7 @@ plugins.security.nodes_dn: plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false +opendistro_security.audit.config.disabled_rest_categories: NONE +opendistro_security.audit.config.disabled_transport_categories: NONE \ No newline at end of file diff --git a/test-cluster.yml.yml b/test-cluster.yml.yml new file mode 100644 index 00000000..7069fae0 --- /dev/null +++ b/test-cluster.yml.yml 
@@ -0,0 +1,209 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.7' + +services: + wazuh-master: + image: wazuh/wazuh-odfe:4.3.0 + hostname: wazuh-master + restart: always + ports: + - "1515:1515" + - "514:514/udp" + - "55000:55000" + environment: + - ELASTICSEARCH_URL=https://wazuh-indexer:9700 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem + - SSL_CERTIFICATE=/etc/ssl/filebeat.pem + - SSL_KEY=/etc/ssl/filebeat.key + - API_USERNAME=acme-user + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - ossec-api-configuration:/var/ossec/api/configuration + - ossec-etc:/var/ossec/etc + - ossec-logs:/var/ossec/logs + - ossec-queue:/var/ossec/queue + - ossec-var-multigroups:/var/ossec/var/multigroups + - ossec-integrations:/var/ossec/integrations + - ossec-active-response:/var/ossec/active-response/bin + - ossec-agentless:/var/ossec/agentless + - ossec-wodles:/var/ossec/wodles + - filebeat-etc:/etc/filebeat + - filebeat-var:/var/lib/filebeat + - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem + - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem + - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.key:/etc/ssl/filebeat.key + - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf + + wazuh-worker: + image: wazuh/wazuh-odfe:4.3.0 + hostname: wazuh-worker + restart: always + environment: + - ELASTICSEARCH_URL=https://wazuh-indexer:9700 + - ELASTIC_USERNAME=admin + - ELASTIC_PASSWORD=admin + - FILEBEAT_SSL_VERIFICATION_MODE=full + - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem + - SSL_CERTIFICATE=/etc/ssl/filebeat.pem + - SSL_KEY=/etc/ssl/filebeat.key + volumes: + - worker-ossec-api-configuration:/var/ossec/api/configuration + - worker-ossec-etc:/var/ossec/etc + - worker-ossec-logs:/var/ossec/logs + - worker-ossec-queue:/var/ossec/queue + - 
worker-ossec-var-multigroups:/var/ossec/var/multigroups + - worker-ossec-integrations:/var/ossec/integrations + - worker-ossec-active-response:/var/ossec/active-response/bin + - worker-ossec-agentless:/var/ossec/agentless + - worker-ossec-wodles:/var/ossec/wodles + - worker-filebeat-etc:/etc/filebeat + - worker-filebeat-var:/var/lib/filebeat + - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem + - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem + - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.key:/etc/ssl/filebeat.key + - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf + + wazuh-indexer: + image: test-indexer + hostname: wazuh-indexer + restart: always + ports: + - "9700:9700" + environment: + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" + - "bootstrap.memory_lock=true" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - wazuh-indexer-data-1:/var/lib/wazuh-indexer + - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer.key:/etc/wazuh-indexer/certs/wazuh-indexer.key + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer.pem:/etc/wazuh-indexer/certs/wazuh-indexer.pem + - ./production_cluster/wazuh_indexer_ssl_certs/admin.pem:/etc/wazuh-indexer/certs/admin.pem + - ./production_cluster/wazuh_indexer_ssl_certs/admin.key:/etc/wazuh-indexer/certs/admin-key.pem + - ./production_cluster/wazuh-indexer/opensearch-node1.yml:/etc/wazuh-indexer/opensearch.yml + - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml + + wazuh-indexer-2: + image: test-indexer + hostname: wazuh-indexer-2 + restart: always + environment: + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" + - "bootstrap.memory_lock=true" + ulimits: + memlock: + soft: -1 + hard: -1 + 
nofile: + soft: 65536 + hard: 65536 + volumes: + - wazuh-indexer-data-2:/var/lib/wazuh-indexer + - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-2.key:/etc/wazuh-indexer/certs/wazuh-indexer-2.key + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-2.pem:/etc/wazuh-indexer/certs/wazuh-indexer-2.pem + - ./production_cluster/wazuh-indexer/opensearch-node2.yml:/etc/wazuh-indexer/opensearch.yml + - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + wazuh-indexer-3: + image: test-indexer + hostname: wazuh-indexer-3 + restart: always + environment: + - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g" + - "bootstrap.memory_lock=true" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + volumes: + - wazuh-indexer-data-3:/var/lib/wazuh-indexer + - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-3.key:/etc/wazuh-indexer/certs/wazuh-indexer-3.key + - ./production_cluster/wazuh_indexer_ssl_certs/wazuh-indexer-3.pem:/etc/wazuh-indexer/certs/wazuh-indexer-3.pem + - ./production_cluster/wazuh-indexer/opensearch-node3.yml:/etc/wazuh-indexer/opensearch.yml + - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + + kibana: + image: wazuh/wazuh-dashboard:4.3.0 + hostname: kibana + restart: always + ports: + - 5601:5601 + environment: + - ELASTICSEARCH_USERNAME=admin + - ELASTICSEARCH_PASSWORD=admin + - SERVER_SSL_ENABLED=true + - SERVER_SSL_CERTIFICATE=/etc/wazuh-dashboard/certs/cert.pem + - SERVER_SSL_KEY=/etc/wazuh-dashboard/certs/key.pem + - WAZUH_API_URL="https://wazuh-master" + - API_USERNAME=acme-user + - API_PASSWORD=MyS3cr37P450r.*- + volumes: + - 
./production_cluster/wazuh_dashboard_ssl/cert.pem:/etc/wazuh-dashboard/certs/cert.pem + - ./production_cluster/wazuh_dashboard_ssl/key.pem:/etc/wazuh-dashboard/certs/key.pem + + depends_on: + - wazuh-indexer + links: + - wazuh-indexer:wazuh-indexer + - wazuh-master:wazuh-master + + nginx: + image: nginx:stable + hostname: nginx + restart: always + ports: + - "80:80" + - "443:443" + - "1514:1514" + depends_on: + - wazuh-master + - wazuh-worker + - kibana + links: + - wazuh-master:wazuh-master + - wazuh-worker:wazuh-worker + - kibana:kibana + volumes: + - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro + +volumes: + ossec-api-configuration: + ossec-etc: + ossec-logs: + ossec-queue: + ossec-var-multigroups: + ossec-integrations: + ossec-active-response: + ossec-agentless: + ossec-wodles: + filebeat-etc: + filebeat-var: + worker-ossec-api-configuration: + worker-ossec-etc: + worker-ossec-logs: + worker-ossec-queue: + worker-ossec-var-multigroups: + worker-ossec-integrations: + worker-ossec-active-response: + worker-ossec-agentless: + worker-ossec-wodles: + worker-filebeat-etc: + worker-filebeat-var: + wazuh-indexer-data-1: + wazuh-indexer-data-2: + wazuh-indexer-data-3: diff --git a/wazuh-dashboard/config/entrypoint.sh b/wazuh-dashboard/config/entrypoint.sh index 0169fb29..c0d98a53 100644 --- a/wazuh-dashboard/config/entrypoint.sh +++ b/wazuh-dashboard/config/entrypoint.sh @@ -5,7 +5,7 @@ # Start Wazuh dashboard ############################################################################## -sed -i 's/:9700/wazuh-indexer:9700/' /etc/wazuh-dashboard/dashboard.yml +sed -i 's/localhost:9700/wazuh-indexer:9700/' /etc/wazuh-dashboard/dashboard.yml sed -i 's//0.0.0.0/' /etc/wazuh-dashboard/dashboard.yml sed -i '/logging.dest:/d' /etc/wazuh-dashboard/dashboard.yml 
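Review bot: In the kibana service, `- WAZUH_API_URL="https://wazuh-master"` is written in list form, so the double quotes are part of the YAML scalar and the container receives the literal value including the quotes; it should be `- WAZUH_API_URL=https://wazuh-master`. The three indexer services mount internal_users.yml to different paths — node 1 under `/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/`, nodes 2 and 3 under `/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/` — and with `allow_default_init_securityindex` enabled on all three in this commit, whichever node seeds the security index first decides which file is used, so the paths should agree and match what the image actually reads. The nginx service mounts `./production_cluster/nginx/ssl:/etc/nginx/ssl:ro`, yet this commit deletes cert.pem and key.pem from that directory, so nginx will start without its TLS material unless something regenerates it. The file also carries `ELASTIC_PASSWORD=admin`, `ELASTICSEARCH_PASSWORD=admin` and `API_PASSWORD=MyS3cr37P450r.*-` as plain literals; for a test stack that is expected, but a header comment saying so and pointing at an env file for anything beyond a test run would help, as would fixing the doubled extension in the filename `test-cluster.yml.yml`.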
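Review bot: The new `sed -i 's/localhost:9700/wazuh-indexer:9700/' /etc/wazuh-dashboard/dashboard.yml` hard-codes both the service name and the port, so a compose file that renames the indexer or changes the port silently leaves the dashboard pointed at localhost (the kibana service in test-cluster.yml.yml happens to match today); taking the target from an environment variable with this value as the default would keep the two in step. The following context line `sed -i 's//0.0.0.0/'` has an empty pattern, which in GNU sed reuses the previous regex of the same invocation and here has none, so if that line is shown verbatim it fails with "no previous regular expression" — worth checking while this file is being edited. Both substitutions also succeed silently when the expected text is absent; a `grep -q` guard before each would surface a dashboard.yml whose defaults have changed.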
diff --git a/wazuh-dashboard/config/entrypoint_prueba.sh b/wazuh-dashboard/config/entrypoint_prueba.sh deleted file mode 100644 index 91e44dc1..00000000 --- a/wazuh-dashboard/config/entrypoint_prueba.sh +++ /dev/null @@ -1,59 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2) - -set -e - -############################################################################## -# Waiting for indexer -############################################################################## - -if [ "x${ELASTICSEARCH_URL}" == "x" ]; then - if [[ ${ENABLED_SECURITY} == "false" ]]; then - export el_url="http://elasticsearch:9200" - else - export el_url="https://elasticsearch:9200" - fi -else - export el_url="${ELASTICSEARCH_URL}" -fi - -if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then - auth="" - # remove security plugin from kibana if elasticsearch is not using it either - /usr/share/kibana/bin/kibana-plugin remove opendistro_security -else - export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k" -fi - -until curl -XGET $el_url ${auth}; do - >&2 echo "Elastic is unavailable - sleeping" - sleep 5 -done - -sleep 2 - ->&2 echo "Elasticsearch is up." - - -############################################################################## -# Waiting for wazuh alerts template -############################################################################## - -strlen=0 - -while [[ $strlen -eq 0 ]] -do - template=$(curl ${auth} $el_url/_cat/templates/wazuh -s) - strlen=${#template} - >&2 echo "Wazuh alerts template not loaded - sleeping." - sleep 2 -done - -chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/* - -sleep 5 - -./wazuh_app_config.sh - - -while true; do sleep 1000; done diff --git a/wazuh-dashboard/config/wazuh-dashboard.yml b/wazuh-dashboard/config/wazuh-dashboard.yml deleted file mode 100644 index 8786ea4c..00000000 
--- a/wazuh-dashboard/config/wazuh-dashboard.yml +++ /dev/null @@ -1,14 +0,0 @@ -server.host: 0.0.0.0 -server.port: 443 -opensearch.hosts: https://localhost:9700 -opensearch.ssl.verificationMode: certificate -opensearch.username: kibanaserver -opensearch.password: kibanaserver -opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] -opensearch_security.multitenancy.enabled: false -opensearch_security.readonly_mode.roles: ["kibana_read_only"] -server.ssl.enabled: true -server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem" -server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem" -opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"] -logging.dest: "/var/log/wazuh-dashboard/wazuh-dashboard.log" \ No newline at end of file diff --git a/wazuh-indexer/Dockerfile_new b/wazuh-indexer/Dockerfile_new index 63276d9b..cbfe2087 100644 --- a/wazuh-indexer/Dockerfile_new +++ b/wazuh-indexer/Dockerfile_new @@ -1,8 +1,8 @@ -FROM centos:7 AS builder +FROM ubuntu:focal AS builder ENV tini_bin="tini-amd64" -RUN yum install initscripts curl -y +RUN apt-get update -y && apt-get install curl -y RUN curl --retry 8 -S -L -O https://github.com/krallin/tini/releases/download/v0.19.0/${tini_bin} RUN curl --retry 8 -S -L -O https://github.com/krallin/tini/releases/download/v0.19.0/${tini_bin}.sha256sum @@ -19,8 +19,10 @@ RUN sha256sum -c ${tini_bin}.sha256sum && \ #RUN chmod 0775 config config/jvm.options.d data logs #COPY config/opensearch.yml config/log4j2.properties config/ #RUN chmod 0660 config/opensearch.yml config/log4j2.properties -COPY config/config.sh . -RUN bash config.sh +COPY config/unattended_installer.tar.gz / +COPY config/config2.sh . +RUN tar -xzvf /unattended_installer.tar.gz +RUN bash config2.sh ################################################################################ # Build stage 1 (the actual OpenSearch image): 
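Review bot: `COPY config/unattended_installer.tar.gz /` followed by `RUN tar -xzvf /unattended_installer.tar.gz` unpacks an archive of unstated origin into the image root with no integrity check, while the tini download a few lines above in the same file is verified with `sha256sum -c`; the same standard should apply here (a checked-in checksum next to the tarball and `sha256sum -c` before extracting), and the archive itself is left behind in the builder layer. A one-line comment naming where unattended_installer.tar.gz comes from and what `config2.sh` does differently from the `config.sh` it replaces would help, since config.sh is still being edited further down in this commit. In the first hunk, `apt-get update -y && apt-get install curl -y` would normally take `--no-install-recommends` and clean `/var/lib/apt/lists/*`; it matters little in a builder stage, but the `ubuntu:focal` base is unpinned in both stages.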
@@ -28,15 +30,48 @@ RUN bash config.sh # Copy opensearch from stage 0 # Add entrypoint ################################################################################ -FROM alpine +FROM ubuntu:focal + ENV USER="wazuh-indexer" \ GROUP="wazuh-indexer" \ NAME="wazuh-indexer" \ INSTALL_DIR="/usr/share/wazuh-indexer" -RUN addgroup --system --gid 1000 $GROUP && \ - adduser -u 1000 -G $GROUP -D -h $INSTALL_DIR $USER && \ - chmod 0775 $INSTALL_DIR - #chown -R 1000:0 $INSTALL_DIR + +RUN getent group $GROUP || groupadd -r -g 1000 $GROUP + +RUN useradd --system \ + --uid 1000 \ + --no-create-home \ + --home-dir $INSTALL_DIR \ + --gid $GROUP \ + --shell /sbin/nologin \ + --comment "$USER user" \ + $USER + WORKDIR $INSTALL_DIR -COPY --from=builder --chown=1000:0 /usr/share/wazuh-indexer /usr/share/wazuh-indexer -COPY --from=builder --chown=0:0 /tini /tini \ No newline at end of file + +COPY config/entrypoint_OS.sh / + +RUN chmod 700 /entrypoint_OS.sh + +COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer +COPY --from=builder --chown=0:0 /tini /tini +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/etc/init.d/wazuh-indexer /etc/init.d/wazuh-indexer +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d +COPY --from=builder --chown=1000:10000 /debian/wazuh-indexer/etc/wazuh-indexer /etc/wazuh-indexer + +RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \ + mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \ + mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \ + mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer + +# Services ports +EXPOSE 9700 + +#ENTRYPOINT [ "/entrypoint.sh" ] + +ENTRYPOINT 
["/tini", "--", "/entrypoint_OS.sh"] +# Dummy overridable parameter parsed by entrypoint +CMD ["opensearchwrapper"] \ No newline at end of file diff --git a/wazuh-indexer/config/config.sh b/wazuh-indexer/config/config.sh index 93bb459a..d803a536 100644 --- a/wazuh-indexer/config/config.sh +++ b/wazuh-indexer/config/config.sh 
@@ -26,44 +26,46 @@ if ! id $USER &> /dev/null; then fi # Create directories -mkdir -p ${RPM_BUILD_ROOT}${INSTALL_DIR} -mkdir -p ${RPM_BUILD_ROOT}/etc -mkdir -p ${RPM_BUILD_ROOT}${LOG_DIR} -mkdir -p ${RPM_BUILD_ROOT}${LIB_DIR} -mkdir -p ${RPM_BUILD_ROOT}${SYS_DIR} +mkdir -p ${INSTALL_DIR} +mkdir -p /etc +mkdir -p ${LOG_DIR} +mkdir -p ${LIB_DIR} +mkdir -p ${SYS_DIR} # Download required sources curl -kOL https://s3.amazonaws.com/warehouse.wazuh.com/stack/indexer/wazuh-indexer-base-linux-x64.tar.gz tar -xzf wazuh-indexer-*.tar.gz && rm -f wazuh-indexer-*.tar.gz chown -R ${USER}:${GROUP} wazuh-indexer-*/* -# Copy base files into RPM_BUILD_ROOT directory -mv wazuh-indexer-*/etc/ ${RPM_BUILD_ROOT}/etc/ -cp -r wazuh-indexer-*${SYS_DIR}/* ${RPM_BUILD_ROOT}${SYS_DIR}/ -rm -rf wazuh-indexer-*/etc -rm -rf wazuh-indexer-*/usr -cp -pr wazuh-indexer-*/* ${RPM_BUILD_ROOT}${INSTALL_DIR}/ +# Copy base files into directories +cp -rf wazuh-indexer-*/etc/wazuh.indexer /etc/ +cp -rf wazuh-indexer-*/etc/init.d/* /etc/init.d/ +cp -rf wazuh-indexer-*/etc/sysconfig/* /etc/sysconfig/ +cp -rf wazuh-indexer-*${SYS_DIR}/* ${SYS_DIR}/ +#rm -rf wazuh-indexer-*/etc +#rm -rf wazuh-indexer-*/usr +cp -pr wazuh-indexer-*/* ${INSTALL_DIR}/ # Download demo certificates curl -kOL https://s3.amazonaws.com/warehouse.wazuh.com/stack/demo-certs.tar.gz tar xzf demo-certs.tar.gz && rm -f demo-certs.tar.gz chown -R ${USER}:${GROUP} certs -mkdir -p ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ -cp certs/admin.pem ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ -cp certs/admin-key.pem ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ -cp certs/demo-indexer.pem ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ -cp certs/demo-indexer-key.pem ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ -cp certs/root-ca.pem ${RPM_BUILD_ROOT}${CONFIG_DIR}/certs/ +mkdir -p ${CONFIG_DIR}/certs/ +cp certs/admin.pem ${CONFIG_DIR}/certs/ +cp certs/admin-key.pem ${CONFIG_DIR}/certs/ +cp certs/demo-indexer.pem ${CONFIG_DIR}/certs/ +cp certs/demo-indexer-key.pem ${CONFIG_DIR}/certs/ +cp 
certs/root-ca.pem ${CONFIG_DIR}/certs/ -#cp ${REPO_DIR}/install_functions/wazuh-cert-tool.sh ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/tools/ -#cp ${REPO_DIR}/install_functions/wazuh-passwords-tool.sh ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/tools/ -#cp ${REPO_DIR}/config/opensearch/certificate/config_aio.yml ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/tools/config.yml +#cp ${REPO_DIR}/install_functions/wazuh-cert-tool.sh ${INSTALL_DIR}/plugins/opensearch-security/tools/ +#cp ${REPO_DIR}/install_functions/wazuh-passwords-tool.sh ${INSTALL_DIR}/plugins/opensearch-security/tools/ +#cp ${REPO_DIR}/config/opensearch/certificate/config_aio.yml ${INSTALL_DIR}/plugins/opensearch-security/tools/config.yml -#cp ${REPO_DIR}/config/opensearch/roles/internal_users.yml ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ -#cp ${REPO_DIR}/config/opensearch/roles/roles.yml ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ -#cp ${REPO_DIR}/config/opensearch/roles/roles_mapping.yml ${RPM_BUILD_ROOT}${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ +#cp ${REPO_DIR}/config/opensearch/roles/internal_users.yml ${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ +#cp ${REPO_DIR}/config/opensearch/roles/roles.yml ${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ +#cp ${REPO_DIR}/config/opensearch/roles/roles_mapping.yml ${INSTALL_DIR}/plugins/opensearch-security/securityconfig/ -#chmod 0660 "/etc/sysconfig/${NAME}" && chown root:${GROUP} "/etc/sysconfig/${NAME}" +chmod 0660 "/etc/sysconfig/${NAME}" && chown root:${GROUP} "/etc/sysconfig/${NAME}" chmod 400 ${CONFIG_DIR}/certs/admin.pem && chown ${USER}:${GROUP} ${CONFIG_DIR}/certs/admin.pem chmod 400 ${CONFIG_DIR}/certs/admin-key.pem && chown ${USER}:${GROUP} ${CONFIG_DIR}/certs/admin-key.pem chmod 400 ${CONFIG_DIR}/certs/demo-indexer.pem && chown ${USER}:${GROUP} ${CONFIG_DIR}/certs/demo-indexer.pem 
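Review bot: `cp -rf wazuh-indexer-*/etc/wazuh.indexer /etc/` uses a dot where every other path in this commit spells the directory `wazuh-indexer` (config2.sh moves `${BASE_DIR}/etc/wazuh-indexer/*`, the Dockerfile copies `/debian/wazuh-indexer/etc/wazuh-indexer`), so the copy most likely fails and the configuration directory is left unpopulated; the intended line appears to be `cp -rf wazuh-indexer-*/etc/wazuh-indexer /etc/`. The copy into `/etc/sysconfig/` and the now-enabled `chmod 0660 "/etc/sysconfig/${NAME}"` have no matching `mkdir -p /etc/sysconfig` (only `/etc` is created above), and commenting out the two `rm -rf` lines means the later `cp -pr wazuh-indexer-*/* ${INSTALL_DIR}/` now also drops the `etc/` and `usr/` trees under the install directory. Unless the top of the script (outside this hunk) enables `set -e`, none of these failures stop the image build, so adding `set -euo pipefail` at the top would surface them. Separately, the context-line `curl -kOL` downloads of the indexer tarball and the demo certificates disable TLS verification and are not checksum-verified; this commit does not touch them, but they are the supply-chain control worth revisiting next.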
diff --git a/wazuh-indexer/config/config2.sh b/wazuh-indexer/config/config2.sh
new file mode 100644
index 00000000..93aa41ee
--- /dev/null
+++ b/wazuh-indexer/config/config2.sh
@@ -0,0 +1,53 @@
+# This has to be exported to make some magic below work.
+export DH_OPTIONS
+
+export NAME=wazuh-indexer
+export TARGET_DIR=${CURDIR}/debian/${NAME}
+
+# Package build options
+export USER=${NAME}
+export GROUP=${NAME}
+export CONFIG_DIR=/etc/${NAME}
+export LOG_DIR=/var/log/${NAME}
+export LIB_DIR=/var/lib/${NAME}
+export PID_DIR=/run/${NAME}
+export INSTALLATION_DIR=/usr/share/${NAME}
+export BASE_DIR=${NAME}-*
+export INDEXER_FILE=wazuh-indexer-base-linux-x64.tar.gz
+export REPO_DIR=/unattended_installer
+
+
+rm -rf ${INSTALLATION_DIR}/
+
+curl -o ${INDEXER_FILE} https://s3.amazonaws.com/warehouse.wazuh.com/indexer/${INDEXER_FILE}
+tar -zvxf ${INDEXER_FILE}
+
+# copy to target
+mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
+mkdir -p ${TARGET_DIR}${CONFIG_DIR}
+mkdir -p ${TARGET_DIR}${LIB_DIR}
+mkdir -p ${TARGET_DIR}${LOG_DIR}
+mkdir -p ${TARGET_DIR}/etc/init.d
+mkdir -p ${TARGET_DIR}/etc/default
+mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
+mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
+mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
+# Move configuration files for wazuh-indexer
+mv -f ${BASE_DIR}/etc/init.d/${NAME} ${TARGET_DIR}/etc/init.d/${NAME}
+mv -f ${BASE_DIR}/etc/wazuh-indexer/* ${TARGET_DIR}${CONFIG_DIR}
+mv -f ${BASE_DIR}/etc/sysconfig/${NAME} ${TARGET_DIR}/etc/default/
+mv -f ${BASE_DIR}/usr/lib/tmpfiles.d/* ${TARGET_DIR}/usr/lib/tmpfiles.d/
+mv -f ${BASE_DIR}/usr/lib/sysctl.d/* ${TARGET_DIR}/usr/lib/sysctl.d/
+mv -f ${BASE_DIR}/usr/lib/systemd/system/* ${TARGET_DIR}/usr/lib/systemd/system/
+rm -rf ${BASE_DIR}/etc
+rm -rf ${BASE_DIR}/usr
+# Copy installation files to final location
+cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INSTALLATION_DIR}
+# Copy the security tools
+cp ${REPO_DIR}/install_functions/wazuh-cert-tool.sh ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+cp ${REPO_DIR}/install_functions/wazuh-passwords-tool.sh ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
+cp 
${REPO_DIR}/config/opensearch/certificate/config_aio.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/config.yml +# Copy Wazuh's config files for the security plugin +cp -pr ${REPO_DIR}/config/opensearch/roles/roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/ +cp -pr ${REPO_DIR}/config/opensearch/roles/roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/ +cp -pr ${REPO_DIR}/config/opensearch/roles/internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/ diff --git a/wazuh-indexer/config/entrypoint.sh b/wazuh-indexer/config/entrypoint.sh index 9b0ec833..30bccb0b 100644 --- a/wazuh-indexer/config/entrypoint.sh +++ b/wazuh-indexer/config/entrypoint.sh @@ -6,16 +6,18 @@ ############################################################################## export USER=wazuh-indexer -export OPENSEARCH_PATH_CONF=/etc/wazuh-indexer export INSTALLATION_DIR=/usr/share/wazuh-indexer +export OPENSEARCH_PATH_CONF=/etc/wazuh-indexer export JAVA_HOME=${INSTALLATION_DIR}/jdk export FILE=${INSTALLATION_DIR}/start +sed -i '/path.logs:/d' /etc/wazuh-indexer/opensearch.yml + if [ -f $FILE ] then echo "second or more start" else - if [ $NODE_TYPE == "worker" ] + if [ "$NODE_TYPE" == "worker" ] then echo "node_type start" echo $NODE_TYPE 
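Review bot: `curl -o ${INDEXER_FILE} https://s3.amazonaws.com/warehouse.wazuh.com/indexer/${INDEXER_FILE}` runs without `--fail` and without any integrity check on the artifact, so an HTTP error body is saved as the tarball and a truncated or tampered download is unpacked and packaged as the product; use `curl -fsSL -o ${INDEXER_FILE} ...` and verify against a pinned digest (`echo "<EXPECTED_SHA256>  ${INDEXER_FILE}" | sha256sum -c -`) before the `tar` line. The file has no shebang and no `set -e`, so a failed `mv -f` or `cp` still lets the build continue with a partial tree. `TARGET_DIR=${CURDIR}/debian/${NAME}` only resolves to `/debian/wazuh-indexer` — the path the Dockerfile's `COPY --from=builder /debian/wazuh-indexer/...` lines expect — while `CURDIR` is unset, which deserves a comment such as `# CURDIR is expected to be unset in the builder stage so TARGET_DIR resolves to /debian/wazuh-indexer (see the Dockerfile COPY lines)` or an explicit assignment. `rm -rf ${INSTALLATION_DIR}/` deletes `/usr/share/wazuh-indexer` on the builder rather than anything under `TARGET_DIR`, which looks like a leftover from an in-place install and is worth confirming.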
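Review bot: The added `sed -i '/path.logs:/d' /etc/wazuh-indexer/opensearch.yml` now rewrites the shipped configuration on every start with no comment saying why; a line such as `# Strip path.logs so OpenSearch falls back to its default logs directory (presumably ${INSTALLATION_DIR}/logs, which the worker branch tails) — confirm` would keep the next maintainer from restoring the setting. Quoting `"$NODE_TYPE"` fixes the unset-variable case, but `==` inside `[ ]` is a bash extension; if this file is ever run under `sh`, `[ "$NODE_TYPE" = "worker" ]` is the portable form, and the `echo $NODE_TYPE` on the hunk's last line should be quoted the same way. The `if [ -f $FILE ]` block continues past the end of this hunk.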
@@ -31,24 +33,21 @@ if [ -f $FILE ] echo "node_type start" echo $NODE_TYPE echo "node_type end" - service wazuh-indexer start - sleep 5 - service wazuh-indexer status - sleep 55 - /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig -icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig -nhnv -cacert /etc/wazuh-indexer/certs/root-ca.pem -cert /etc/wazuh-indexer/certs/admin.pem -key /etc/wazuh-indexer/certs/admin-key.pem -h $HOSTNAME + runuser wazuh-indexer --shell="/bin/bash" --command="/usr/share/wazuh-indexer/bin/opensearch -p /run/wazuh-indexer/wazuh-indexer.pid -d" + sleep 60 + bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig -icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig -nhnv -cacert /etc/wazuh-indexer/certs/root-ca.pem -cert /etc/wazuh-indexer/certs/admin.pem -key /etc/wazuh-indexer/certs/admin-key.pem -h $HOSTNAME + tail -100f /usr/share/wazuh-indexer/logs/wazuh-cluster.log touch $FILE fi fi -sed -i '/path.logs:/d' /etc/wazuh-indexer/opensearch.yml +#sed -i '/path.logs:/d' /etc/wazuh-indexer/opensearch.yml -service wazuh-indexer stop -service wazuh-indexer start #CLK_TK=`getconf CLK_TCK` runuser ${USER} --shell="/bin/bash" --command="${INSTALLATION_DIR}/bin/opensearch" -if [ -f /var/log/wazuh-indexer/wazuh-cluster.log ] +if [ -f /var/log/wazuh-indexer/wazuh-cluster.log ] then tail -f /var/log/wazuh-indexer/wazuh-cluster.log else diff --git a/wazuh-indexer/config/entrypoint_OS.sh b/wazuh-indexer/config/entrypoint_OS.sh new file mode 100644 index 00000000..69736c1e --- /dev/null +++ b/wazuh-indexer/config/entrypoint_OS.sh 
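Review bot: In the worker branch the new `tail -100f /usr/share/wazuh-indexer/logs/wazuh-cluster.log` never returns, so the context line `touch $FILE` after it is unreachable and the first-start marker is never written; every restart re-enters this branch and re-runs securityadmin.sh, re-initialising the security index and with it any users or roles changed at runtime. The minimal fix is to swap the two lines — `touch $FILE` then `tail -100f /usr/share/wazuh-indexer/logs/wazuh-cluster.log` — but better is to keep opensearch in the foreground and run the securityadmin step from a background subshell, because with `-d` plus `tail` as the long-lived process a crashed OpenSearch leaves the container running and apparently healthy. `sleep 60` is a fixed guess at readiness; polling until the pid file named by `-p /run/wazuh-indexer/wazuh-indexer.pid` exists and the port answers is more robust. This branch tails `/usr/share/wazuh-indexer/logs/wazuh-cluster.log` while the code after the closing `fi` still tails `/var/log/wazuh-indexer/wazuh-cluster.log`; the two should agree with whatever the `path.logs` removal in the previous hunk implies. The enclosing `if [ -f $FILE ]` and `if [ "$NODE_TYPE" == "worker" ]` blocks start before this hunk.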
@@ -0,0 +1,89 @@ +#!/usr/bin/env bash +set -e + +# Files created by Elasticsearch should always be group writable too +umask 0002 + +export USER=wazuh-indexer +export INSTALLATION_DIR=/usr/share/wazuh-indexer +export OPENSEARCH_PATH_CONF=/etc/wazuh-indexer +export JAVA_HOME=${INSTALLATION_DIR}/jdk +export FILE=${INSTALLATION_DIR}/start + +run_as_other_user_if_needed() { + if [[ "$(id -u)" == "0" ]]; then + # If running as root, drop to specified UID and run command + exec chroot --userspec=1000:0 / "${@}" + else + # Either we are running in Openshift with random uid and are a member of the root group + # or with a custom --user + exec "${@}" + fi +} + +# Allow user specify custom CMD, maybe bin/opensearch itself +# for example to directly specify `-E` style parameters for opensearch on k8s +# or simply to run /bin/bash to check the image +if [[ "$1" != "opensearchwrapper" ]]; then + if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then + # centos:7 chroot doesn't have the `--skip-chdir` option and + # changes our CWD. + # Rewrite CMD args to replace $1 with `opensearch` explicitly, + # so that we are backwards compatible with the docs + # from the previous Elasticsearch versions<6 + # and configuration option D: + # https://www.elastic.co/guide/en/elasticsearch/reference/5.6/docker.html#_d_override_the_image_8217_s_default_ulink_url_https_docs_docker_com_engine_reference_run_cmd_default_command_or_options_cmd_ulink + # Without this, user could specify `opensearch -E x.y=z` but + # `bin/opensearch -E x.y=z` would not work. + set -- "opensearch" "${@:2}" + # Use chroot to switch to UID 1000 / GID 0 + exec chroot --userspec=1000:0 / "$@" + else + # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?) + exec "$@" + fi +fi + +# Allow environment variables to be set by creating a file with the +# contents, and setting an environment variable with the suffix _FILE to +# point to it. 
This can be used to provide secrets to a container, without +# the values being specified explicitly when running the container. +# +# This is also sourced in opensearch-env, and is only needed here +# as well because we use ELASTIC_PASSWORD below. Sourcing this script +# is idempotent. +source /usr/share/wazuh-indexer/bin/opensearch-env-from-file + +if [[ -f bin/opensearch-users ]]; then + # Check for the ELASTIC_PASSWORD environment variable to set the + # bootstrap password for Security. + # + # This is only required for the first node in a cluster with Security + # enabled, but we have no way of knowing which node we are yet. We'll just + # honor the variable if it's present. + if [[ -n "$ELASTIC_PASSWORD" ]]; then + [[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create) + if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then + # keystore is unencrypted + if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then + (run_as_other_user_if_needed echo "$ELASTIC_PASSWORD" | opensearch-keystore add -x 'bootstrap.password') + fi + else + # keystore requires password + if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \ + | opensearch-keystore list | grep -q '^bootstrap.password$') ; then + COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$ELASTIC_PASSWORD")" + (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password') + fi + fi + fi +fi + +if [[ "$(id -u)" == "0" ]]; then + # If requested and running as root, mutate the ownership of bind-mounts + if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then + chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs} + fi +fi + +run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD" \ No newline at end of file 
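Review bot: The bootstrap-password block tests `[[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]]`, but this script exports `OPENSEARCH_PATH_CONF=/etc/wazuh-indexer` near the top, so the existence check looks in the wrong directory and `opensearch-keystore create` is attempted even when a keystore already exists under the configured path; use `[[ -f "$OPENSEARCH_PATH_CONF/opensearch.keystore" ]]`. The whole block is gated on `[[ -f bin/opensearch-users ]]`, a tool I do not believe ships with OpenSearch (the `opensearch-users` name was carried over from the Elasticsearch `elasticsearch-users` script), so it is probably dead code and simpler to remove than to repair; if kept, the `echo "$ELASTIC_PASSWORD" | opensearch-keystore add` pipelines run the keystore write outside `run_as_other_user_if_needed`, i.e. as root when the container starts as root, leaving a root-owned keystore the uid-1000 process may not read. The removed entrypoint_odfe.sh translated `cluster.name=...`-style environment variables into `-E` options before launching the daemon; this replacement has no such loop, so settings passed that way are now silently ignored. The comments still describe Elasticsearch and `ELASTIC_PASSWORD`; a short header noting the file is adapted from the upstream Elasticsearch docker entrypoint, with the variable names it actually honours, would make the divergence easier to track.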
diff --git a/wazuh-indexer/config/entrypoint_odfe.sh b/wazuh-indexer/config/entrypoint_odfe.sh
deleted file mode 100644
index 0519f90c..00000000
--- a/wazuh-indexer/config/entrypoint_odfe.sh
+++ /dev/null
@@ -1,103 +0,0 @@ -#!/bin/bash -set -e - -# Files created by OpenDistroForElasticsearch should always be group writable too -umask 0002 - -run_as_other_user_if_needed() { - if [[ "$(id -u)" == "0" ]]; then - # If running as root, drop to specified UID and run command - exec chroot --userspec=1000 / "${@}" - else - # Either we are running in Openshift with random uid and are a member of the root group - # or with a custom --user - exec "${@}" - fi -} - -# Allow user specify custom CMD, maybe bin/elasticsearch itself -# for example to directly specify `-E` style parameters for elasticsearch on k8s -# or simply to run /bin/bash to check the image -if [[ "$1" != "eswrapper" ]]; then - if [[ "$(id -u)" == "0" && $(basename "$1") == "elasticsearch" ]]; then - # centos:7 chroot doesn't have the `--skip-chdir` option and - # changes our CWD. - # Rewrite CMD args to replace $1 with `elasticsearch` explicitly, - # so that we are backwards compatible with the docs - # from the previous Elasticsearch versions<6 - # and configuration option D: - # https://www.elastic.co/guide/en/elasticsearch/reference/5.6/docker.html#_d_override_the_image_8217_s_default_ulink_url_https_docs_docker_com_engine_reference_run_cmd_default_command_or_options_cmd_ulink - # Without this, user could specify `elasticsearch -E x.y=z` but - # `bin/elasticsearch -E x.y=z` would not work. - set -- "elasticsearch" "${@:2}" - # Use chroot to switch to UID 1000 - exec chroot --userspec=1000 / "$@" - else - # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?) - exec "$@" - fi -fi - -# Parse Docker env vars to customize Elasticsearch -# -# e.g. 
Setting the env var cluster.name=testcluster -# -# will cause Elasticsearch to be invoked with -Ecluster.name=testcluster -# -# see https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html#_setting_default_settings - -declare -a es_opts - -while IFS='=' read -r envvar_key envvar_value -do - # Elasticsearch settings need to have at least two dot separated lowercase - # words, e.g. `cluster.name`, except for `processors` which we handle - # specially - if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then - if [[ ! -z $envvar_value ]]; then - es_opt="-E${envvar_key}=${envvar_value}" - es_opts+=("${es_opt}") - fi - fi -done < <(env) - -# The virtual file /proc/self/cgroup should list the current cgroup -# membership. For each hierarchy, you can follow the cgroup path from -# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and -# introspect the statistics for the cgroup for the given -# hierarchy. Alas, Docker breaks this by mounting the container -# statistics at the root while leaving the cgroup paths as the actual -# paths. Therefore, Elasticsearch provides a mechanism to override -# reading the cgroup path from /proc/self/cgroup and instead uses the -# cgroup path defined the JVM system property -# es.cgroups.hierarchy.override. Therefore, we set this value here so -# that cgroup statistics are available for the container this process -# will run in. -export ES_JAVA_OPTS="-Des.cgroups.hierarchy.override=/ $ES_JAVA_OPTS" - -if [[ "$(id -u)" == "0" ]]; then - # If requested and running as root, mutate the ownership of bind-mounts - if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then - chown -R 1000:0 /usr/share/elasticsearch/{data,logs} - fi -fi - -if [[ -d "/usr/share/elasticsearch/plugins/opendistro_security" && "$DISABLE_INSTALL_DEMO_CONFIG" != "true" ]]; then - # Install Demo certifactes for Security Plugin and update the elasticsearch.yml - # file to use those certificates. 
- /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh -y -i -s -fi - -if [[ -d "/usr/share/elasticsearch/plugins/opendistro-performance-analyzer" ]]; then - CLK_TCK=`/usr/bin/getconf CLK_TCK` - ES_JAVA_OPTS="-Dclk.tck=$CLK_TCK -Djdk.attach.allowAttachSelf=true $ES_JAVA_OPTS" - if [[ -d "/usr/share/elasticsearch/performance-analyzer-rca" ]]; then - ES_JAVA_OPTS="-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy $ES_JAVA_OPTS" - /usr/bin/supervisord -c /usr/share/elasticsearch/performance-analyzer-rca/pa_config/supervisord.conf - else - ES_JAVA_OPTS="-Djava.security.policy=file:///usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/es_security.policy $ES_JAVA_OPTS" - /usr/bin/supervisord -c /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/supervisord.conf - fi -fi - -run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch "${es_opts[@]}" \ No newline at end of file diff --git a/wazuh-indexer/config/tarball.sh b/wazuh-indexer/config/tarball.sh deleted file mode 100644 index 2cb1dd64..00000000 --- a/wazuh-indexer/config/tarball.sh +++ /dev/null 
@@ -1,33 +0,0 @@
-export NAME=wazuh-indexer
-export VERSION=4.3.0
-export RELEASE=1
-export USER=$NAME
-export GROUP=$NAME
-export CONFIG_DIR=/etc/$NAME
-export LOG_DIR=/var/log/$NAME
-export LIB_DIR=/var/lib/$NAME
-export SYS_DIR=/usr/lib
-export INSTALL_DIR=/usr/share/$NAME
-export REPO_DIR=/root/unattended_installer
-
-mkdir -p ${INSTALL_DIR}
-mkdir -p /etc
-mkdir -p ${LOG_DIR}
-mkdir -p ${LIB_DIR}
-mkdir -p ${SYS_DIR}
-
-curl -kOL https://artifacts.opensearch.org/releases/bundle/opensearch/1.2.4/opensearch-${1}-linux-x64.tar.gz
-tar zxf opensearch-${1}-linux-x64.tar.gz && rm -f opensearch-${1}.tar.gz
-chown -R ${USER}:${GROUP} opensearch-${1}/*
-mkdir -p /etc/wazuh-indexer && chown -R ${USER}:${GROUP} /etc/wazuh-indexer && cp opensearch-${1}/config/* /etc/wazuh-indexer/
-#etc/init.d directory not found
-#etc/sysconfig directory not found
-#usr directory not found
-cp -pr opensearch-*/LICENSE.txt ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/NOTICE.txt ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/jdk ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/plugins ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/performance-analyzer-rca ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/modules ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/lib ${RPM_BUILD_ROOT}${INSTALL_DIR}/
-cp -pr opensearch-*/bin ${RPM_BUILD_ROOT}${INSTALL_DIR}/
diff --git a/wazuh-indexer/config/unattended_installer.tar.gz b/wazuh-indexer/config/unattended_installer.tar.gz
new file mode 100644
index 00000000..e3b05292
Binary files /dev/null and b/wazuh-indexer/config/unattended_installer.tar.gz differ