Skip to content

Commit

Permalink
Add Wazuh-Elasticsearch (#106)
Browse files Browse the repository at this point in the history
  • Loading branch information
AlfonsoRBJ authored and jesuslinares committed Feb 1, 2019
1 parent 046b2f0 commit cb2e49e
Show file tree
Hide file tree
Showing 8 changed files with 140 additions and 38 deletions.
2 changes: 1 addition & 1 deletion docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ services:
environment:
- LS_HEAP_SIZE=2048m
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
image: wazuh/wazuh-elasticsearch:3.8.2_6.5.4
hostname: elasticsearch
restart: always
ports:
Expand Down
23 changes: 23 additions & 0 deletions elasticsearch/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/elasticsearch/elasticsearch:6.5.4

ENV ALERTS_SHARDS="1" \
ALERTS_REPLICAS="0"

ENV API_USER="foo" \
API_PASS="bar"

ENV TEMPLATE_VERSION=v3.8.2

ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/elasticsearch/config

COPY config/entrypoint.sh /entrypoint.sh

RUN chmod 755 /entrypoint.sh

COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./

RUN chmod +x ./load_settings.sh

ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]
28 changes: 28 additions & 0 deletions elasticsearch/config/entrypoint.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)

# For more information https://github.com/elastic/elasticsearch-docker/blob/6.5.4/build/elasticsearch/bin/docker-entrypoint.sh

set -e

# Files created by Elasticsearch should always be group writable too
umask 0002

run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}

# Run load settings script.

./load_settings.sh &

# Execute elasticsearch

run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch
71 changes: 71 additions & 0 deletions elasticsearch/config/load_settings.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)

set -e

if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi

until curl -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done

>&2 echo "Elastic is up - executing command"

#Insert default templates

sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json

cat /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
sleep 5


API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
API_USER_Q=`echo "$API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`

echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "https://wazuh",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5

curl -XPUT "$el_url/_cluster/settings" -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'

echo "Elasticsearch is ready."
2 changes: 0 additions & 2 deletions kibana/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,6 @@ USER root

ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp

ADD https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config

RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
chown -R kibana:kibana /usr/share/kibana &&\
rm -rf /tmp/*
Expand Down
35 changes: 0 additions & 35 deletions kibana/config/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -16,41 +16,6 @@ done

>&2 echo "Elastic is up - executing command"

#Insert default templates
cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
sleep 5

echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
{
"api_user": "foo",
"api_password": "YmFy",
"url": "https://wazuh",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5

./wazuh_app_config.sh

Expand Down
2 changes: 2 additions & 0 deletions wazuh/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ FROM phusion/baseimage:latest
ARG FILEBEAT_VERSION=6.5.4
ARG WAZUH_VERSION=3.8.2-1

ENV API_USER="foo" \
API_PASS="bar"

# Updating image
RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
Expand Down
15 changes: 15 additions & 0 deletions wazuh/config/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -129,4 +129,19 @@ do
exec_cmd_stdout "${CUSTOM_COMMAND}"
done


##############################################################################
# Change Wazuh API user credentials.
##############################################################################


pushd /var/ossec/api/configuration/auth/

echo "Change Wazuh API user credentials"
change_user="node htpasswd -b -c user $API_USER $API_PASS"
eval $change_user

popd


/sbin/my_init

0 comments on commit cb2e49e

Please sign in to comment.