From cb2e49eb5401a31aaab765f03ecb1d86b3a503e5 Mon Sep 17 00:00:00 2001
From: AlfonsoRBJ
Date: Fri, 1 Feb 2019 18:43:51 +0100
Subject: [PATCH] Add Wazuh-Elasticsearch (#106)
---
 docker-compose.yml | 2 +-
 elasticsearch/Dockerfile | 23 +++++++++
 elasticsearch/config/entrypoint.sh | 28 +++++++++++
 elasticsearch/config/load_settings.sh | 71 +++++++++++++++++++++++++++
 kibana/Dockerfile | 2 -
 kibana/config/entrypoint.sh | 35 -------------
 wazuh/Dockerfile | 2 +
 wazuh/config/entrypoint.sh | 15 ++++++
 8 files changed, 140 insertions(+), 38 deletions(-)
 create mode 100644 elasticsearch/Dockerfile
 create mode 100644 elasticsearch/config/entrypoint.sh
 create mode 100644 elasticsearch/config/load_settings.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index a98090ad..5df0c9b1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,7 +39,7 @@ services:
 environment:
 - LS_HEAP_SIZE=2048m
 elasticsearch:
- image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
+ image: wazuh/wazuh-elasticsearch:3.8.2_6.5.4
 hostname: elasticsearch
 restart: always
 ports:
diff --git a/elasticsearch/Dockerfile b/elasticsearch/Dockerfile
new file mode 100644
index 00000000..08f772f3
--- /dev/null
+++ b/elasticsearch/Dockerfile
@@ -0,0 +1,23 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/elasticsearch/elasticsearch:6.5.4
+
+ENV ALERTS_SHARDS="1" \
+ ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+ API_PASS="bar"
+
+ENV TEMPLATE_VERSION=v3.8.2
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/elasticsearch/config
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]
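Review bot: The `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/...` line pulls the alerts template into the image at build time with no integrity check, so the image contains whatever that tag served when the build ran and a moved tag or tampered upstream file is undetectable afterwards; fetch it in a `RUN` step and compare against a pinned sha256, or use `ADD --checksum=sha256:<TEMPLATE_SHA256_PLACEHOLDER>` where the build frontend supports it. Since `TEMPLATE_VERSION` is used only by that `ADD`, an `ARG` would avoid carrying a build-time value into the runtime environment. `ENV API_USER="foo" \ API_PASS="bar"` bakes placeholder credentials into the image metadata (visible through `docker inspect` and inherited by every container), and these are the values load_settings.sh later writes into the Wazuh app configuration, so a comment such as `# Placeholder API credentials: override API_USER/API_PASS at deploy time; load_settings.sh writes them into the Wazuh app config` would make the contract explicit. The same two defaults are declared again in wazuh/Dockerfile in this commit and must be kept in sync with them.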
diff --git a/elasticsearch/config/entrypoint.sh b/elasticsearch/config/entrypoint.sh
new file mode 100644
index 00000000..525549cd
--- /dev/null
+++ b/elasticsearch/config/entrypoint.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.5.4/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+ if [[ "$(id -u)" == "0" ]]; then
+ # If running as root, drop to specified UID and run command
+ exec chroot --userspec=1000 / "${@}"
+ else
+ # Either we are running in Openshift with random uid and are a member of the root group
+ # or with a custom --user
+ exec "${@}"
+ fi
+}
+
+# Run load settings script.
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch
diff --git a/elasticsearch/config/load_settings.sh b/elasticsearch/config/load_settings.sh
new file mode 100644
index 00000000..282d8b0d
--- /dev/null
+++ b/elasticsearch/config/load_settings.sh
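Review bot: `./load_settings.sh &` is started before `run_as_other_user_if_needed` drops privileges, so when the container is started as root the settings loader (which rewrites the template file with `sed -i` and posts the API credentials) runs as root while Elasticsearch itself is confined to uid 1000; it also depends on whatever working directory the base image leaves in place. Launching it through the same uid drop keeps both processes at one privilege level, e.g. `if [[ "$(id -u)" == "0" ]]; then chroot --userspec=1000 / /usr/share/elasticsearch/load_settings.sh & else ./load_settings.sh & fi` (absolute path because chroot resets the working directory). Because the script then `exec`s into Elasticsearch, the loader's exit status is never observed and a failed template or configuration load is silent; a comment above the line stating that the loader is fire-and-forget and that its stdout/stderr is the only diagnostic would help operators reading the container log.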
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+ el_url="http://elasticsearch:9200"
+else
+ el_url="${ELASTICSEARCH_URL}"
+fi
+
+until curl -XGET $el_url; do
+ >&2 echo "Elastic is unavailable - sleeping"
+ sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+#Insert default templates
+
+sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json
+
+cat /usr/share/elasticsearch/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
+sleep 5
+
+
+API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+ curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+ {
+ "api_user": "'"$API_USER_Q"'",
+ "api_password": "'"$API_PASSWORD"'",
+ "url": "https://wazuh",
+ "api_port": "55000",
+ "insecure": "true",
+ "component": "API",
+ "cluster_info": {
+ "manager": "wazuh-manager",
+ "cluster": "Disabled",
+ "status": "disabled"
+ },
+ "extensions": {
+ "oscap": true,
+ "audit": true,
+ "pci": true,
+ "aws": true,
+ "virustotal": true,
+ "gdpr": true,
+ "ciscat": true
+ }
+ }
+ ' > /dev/null
+else
+ echo "Wazuh APP already configured"
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" -H 'Content-Type: application/json' -d'
+{
+ "persistent": {
+ "xpack.monitoring.collection.enabled": true
+ }
+}
+'
+
+echo "Elasticsearch is ready."
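Review bot: Neither the template `curl -XPUT "$el_url/_template/wazuh"` nor the `curl -s -XPOST $el_url/.wazuh/wazuh-configuration/...` call passes `--fail`, so an HTTP 4xx/5xx from Elasticsearch still exits 0, `set -e` never fires, and the script ends with "Elasticsearch is ready." even when nothing was loaded; add `-f` to both and to the `_cluster/settings` PUT (not to the `CONFIG_CODE` GET, whose 404 is the expected branch). This matters because the preceding `sed -i` splices `${ALERTS_SHARDS}`/`${ALERTS_REPLICAS}` into the JSON unquoted, so an empty or non-numeric value produces an invalid template body that is currently rejected without any visible error. The credential document stores `API_PASSWORD` as the base64 of the password, which is an encoding rather than a protection and is readable by anyone who can query the `.wazuh` index; a comment at that line such as `# api_password is base64-encoded (apparently the form the Wazuh app reads), not encrypted` keeps future readers from assuming otherwise. The unquoted `$el_url` in `until curl -XGET $el_url` and in the `CONFIG_CODE`/`-XPOST` lines should be `"$el_url"`, consistent with the quoted uses below.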
diff --git a/kibana/Dockerfile b/kibana/Dockerfile
index 910992b2..e80bc53b 100644
--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -5,8 +5,6 @@ USER root
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
-
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
 chown -R kibana:kibana /usr/share/kibana &&\
 rm -rf /tmp/*
diff --git a/kibana/config/entrypoint.sh b/kibana/config/entrypoint.sh
index 6d622876..5db721f4 100644
--- a/kibana/config/entrypoint.sh
+++ b/kibana/config/entrypoint.sh
@@ -16,41 +16,6 @@ done
 >&2 echo "Elastic is up - executing command"
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
-sleep 5
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
- curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
- {
- "api_user": "foo",
- "api_password": "YmFy",
- "url": "https://wazuh",
- "api_port": "55000",
- "insecure": "true",
- "component": "API",
- "cluster_info": {
- "manager": "wazuh-manager",
- "cluster": "Disabled",
- "status": "disabled"
- },
- "extensions": {
- "oscap": true,
- "audit": true,
- "pci": true,
- "aws": true,
- "virustotal": true,
- "gdpr": true,
- "ciscat": true
- }
- }
- ' > /dev/null
-else
- echo "Wazuh APP already configured"
-fi
-sleep 5
 ./wazuh_app_config.sh
diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile
index 16f87ec3..65d30fac 100644
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -3,6 +3,8 @@ FROM phusion/baseimage:latest
 ARG FILEBEAT_VERSION=6.5.4
 ARG WAZUH_VERSION=3.8.2-1
+ENV API_USER="foo" \
+ API_PASS="bar"
 # Updating image
 RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh
index 9ee42aec..0163320f 100644
--- a/wazuh/config/entrypoint.sh
+++ b/wazuh/config/entrypoint.sh
@@ -129,4 +129,19 @@ do
 exec_cmd_stdout "${CUSTOM_COMMAND}"
 done
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+
+pushd /var/ossec/api/configuration/auth/
+
+echo "Change Wazuh API user credentials"
+change_user="node htpasswd -b -c user $API_USER $API_PASS"
+eval $change_user
+
+popd
+
+
 /sbin/my_init
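Review bot: `ENV API_USER="foo" \ API_PASS="bar"` stores a working credential pair in the image configuration: the entrypoint change in this same commit passes these values to htpasswd to create the Wazuh API user, so every container run without an override accepts the same well-known login, and the values are readable via `docker inspect`. A comment on the line would make the contract explicit, e.g. `# Placeholder credentials for the Wazuh API user created at startup; override at deploy time and keep identical to the values given to the wazuh-elasticsearch image`. The same two defaults are declared in elasticsearch/Dockerfile in this commit; overriding one image but not the other leaves the app configured with credentials the API no longer accepts.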
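Review bot: `eval $change_user` re-parses a command string assembled from `$API_USER` and `$API_PASS`, so a value containing whitespace, quotes or other shell metacharacters is word-split or interpreted by the shell instead of reaching htpasswd as a single argument; drop the indirection and call it with quoted arguments, `node htpasswd -b -c user "$API_USER" "$API_PASS"`. With `-b` the password is also part of the argument list, where other processes in the container can read it while the command runs, and `-c` recreates the `user` file on every start, discarding any accounts added by hand; the header comment should say both, e.g. `# Recreates the API user file on each start from API_USER/API_PASS (password is passed on the command line via -b).` The `pushd`/`popd` pair has no handling for a missing auth directory; whether `set -e` covers that depends on the start of the script, which is outside this hunk.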