Setup certificates in Wazuh Indexer and Logstash containers #166

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
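--- a/integrations/.gitignore
+++ b/integrations/.gitignore
@@ -2,4 +2,5 @@ elastic
 opensearch
 splunk
 common
-config
+config
+docker/certs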
@@ -1,9 +1,10 @@
input {
opensearch {
hosts => ["opensearch-node:9200"]
hosts => ["wazuh.indexer:9200"]
user => "${INDEXER_USERNAME}"
password => "${INDEXER_PASSWORD}"
ssl => false
ssl => true
ca_file => "/usr/share/logstash/root-ca.pem"
index => "wazuh-alerts-4.x-*"
query => '{
"query": {
Expand All @@ -20,15 +21,10 @@ input {
}

output {

stdout { codec => rubydebug }

pipe
{
id => "securityLake"
message_format => "%{_source}"
ttl => "10"
command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d"
}

pipe {
id => "securityLake"
message_format => "%{_source}"
ttl => "10"
command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d"
}
}
69 changes: 45 additions & 24 deletions integrations/docker/amazon-security-lake.yml
@@ -1,4 +1,4 @@
version: '3'
version: "3.8"
name: "amazon-security-lake"
services:
events-generator:
Expand All @@ -7,22 +7,35 @@ services:
context: ../tools/events-generator
container_name: events-generator
depends_on:
- wazuh.indexer
networks:
- net
# TODO add healthcheck to indexer's service to avoid sending requests before API is ready.
command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a wazuh.indexer"
wazuh.indexer:
condition: service_healthy
command: bash -c "python run.py -a wazuh.indexer"

wazuh.indexer:
image: opensearchproject/opensearch:latest
image: opensearchproject/opensearch:2.11.1
container_name: wazuh.indexer
depends_on:
wazuh-certs-generator:
condition: service_completed_successfully
hostname: wazuh.indexer
ports:
- 9200:9200
environment:
# - cluster.name=opensearch-cluster
- node.name=wazuh.indexer
- discovery.type=single-node
# - cluster.initial_cluster_manager_nodes=opensearch-node
- bootstrap.memory_lock=true
- "DISABLE_INSTALL_DEMO_CONFIG=true"
- plugins.security.ssl.http.enabled=true
- plugins.security.allow_default_init_securityindex=true
- plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
- plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
- plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
- plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
Expand All @@ -31,29 +44,36 @@ services:
nofile:
soft: 65536
hard: 65536
healthcheck:
test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
start_period: 10s
start_interval: 3s
volumes:
- data:/usr/share/opensearch/data
networks:
- net
- ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
- ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
- ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem

wazuh.dashboard:
image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
image: opensearchproject/opensearch-dashboards:2.11.1
container_name: wazuh.dashboard
depends_on:
- wazuh.indexer
hostname: wazuh.dashboard
ports:
- 5601:5601 # Map host port 5601 to container port 5601
expose:
- "5601" # Expose port 5601 for web access to OpenSearch Dashboards
environment:
OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
networks:
- net


wazuh.integration.security.lake:
image: wazuh/indexer-security-lake-integration
build:
context: ../amazon-security-lake
container_name: wazuh.integration.security.lake
depends_on:
- wazuh.indexer
hostname: wazuh.integration.security.lake
environment:
LOG_LEVEL: trace
Expand All @@ -68,12 +88,9 @@ services:
- "9600:9600"
volumes:
- ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline
depends_on:
- wazuh.indexer
networks:
- net
command: tail -f /dev/null
# command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash
- ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
# command: tail -f /dev/null
command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic

s3.ninja:
image: scireum/s3-ninja:latest
Expand All @@ -83,12 +100,16 @@ services:
- "9444:9000"
volumes:
- s3-data:/home/sirius/data
networks:
- net

wazuh-certs-generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
container_name: wazuh-certs-generator
entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
volumes:
- ./certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

volumes:
data:
s3-data:

networks:
net:
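Review bot: The new healthcheck `test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster` hardcodes the default admin:admin credentials and passes `-k` to skip certificate verification, even though this same change mounts root-ca.pem into the indexer container and the Logstash pipeline already takes `${INDEXER_USERNAME}`/`${INDEXER_PASSWORD}` from the environment. Consider `test: curl -s --cacert /usr/share/opensearch/config/root-ca.pem -u "$INDEXER_USERNAME:$INDEXER_PASSWORD" https://localhost:9200/_cat/health | grep -q docker-cluster`, with those two variables added to the wazuh.indexer service's environment (which user the security index is initialised with when DISABLE_INSTALL_DEMO_CONFIG=true is set is not visible here and should be confirmed). Separately, `plugins.security.authcz.admin_dn` is set to the node certificate's own DN (CN=wazuh.indexer), so the node cert doubles as a superuser admin certificate; a dedicated admin certificate with a distinct DN is the usual practice, and the literal double quotes inside that list item become part of the environment value, which is worth checking against how OpenSearch parses it. Finally, wazuh.dashboard now targets https://wazuh.indexer:9200 but, unlike the indexer and Logstash services, receives no root-ca.pem mount and no verification-mode setting, so it will presumably either fail TLS verification or depend on a permissive image default; a comment or an explicit setting on that service would make the intended trust model clear.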
16 changes: 16 additions & 0 deletions integrations/docker/config/certs.yml
@@ -0,0 +1,16 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh.indexer
ip: wazuh.indexer

# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.manager
ip: wazuh.manager

# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard
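Review bot: The `server:` entry declares a wazuh.manager node, but the compose file in this PR defines no such service, so the generator will mint a private key for a host that never exists in this stack, and the dashboard key pair is generated while the wazuh.dashboard service mounts nothing from ./certs. Unused private keys on disk are avoidable: if the generator permits it, drop the `server:` block or replace it with `# server: omitted, no Wazuh manager in this stack`, and either mount the dashboard certificate into that service or remove the `dashboard:` entry as well. The `ip:` fields hold Docker DNS names rather than addresses; presumably the generator places them in the certificate SANs, which is what the `hosts => ["wazuh.indexer:9200"]` client needs, but a short comment confirming that would help the next reader.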