From 3968000c89e9d7706111f8f9ae1e817362c1b318 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 3 May 2021 21:11:19 -0400 Subject: [PATCH] piping
--- extra/scirius.yml | 38 ++++++++++++ scripts/services/Mistborn-scirius.service | 10 +-- .../scirius/files/filebeat.docker.yml | 61 ++++++++++++++++--- scripts/services/scirius/init.sh | 4 ++ scripts/subinstallers/extra/scirius.sh | 7 ++- 5 files changed, 106 insertions(+), 14 deletions(-)
diff --git a/extra/scirius.yml b/extra/scirius.yml
index a4200db..442bd82 100644
--- a/extra/scirius.yml
+++ b/extra/scirius.yml
@@ -27,7 +27,45 @@ services:
 - "traefik.http.services.scirius-service.loadbalancer.server.port=8000"
 restart: unless-stopped
+ filebeat:
+ image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION:-7.9.1}
+ # https://github.com/docker/swarmkit/issues/1951
+ hostname: "{{.Node.Hostname}}-filebeat"
+ # Need to override user so we can access the log files, and docker.sock
+ user: root
+ configs:
+ - source: fb_config
+ target: /usr/share/filebeat/filebeat.yml
+ volumes:
+ - filebeat:/usr/share/filebeat/data
+ - /var/run/docker.sock:/var/run/docker.sock
+ # This is needed for filebeat to load container log path as specified in filebeat.yml
+ - /var/lib/docker/containers/:/var/lib/docker/containers/:ro
+
+ # # This is needed for filebeat to load jenkins build log path as specified in filebeat.yml
+ # - /var/lib/docker/volumes/jenkins_home/_data/jobs/:/var/lib/docker/volumes/jenkins_home/_data/jobs/:ro
+
+ # This is needed for filebeat to load logs for system and auth modules
+ - /var/log/:/var/log/:ro
+ # This is needed for filebeat to load logs for auditd module. you might have to install audit system
+ # on ubuntu first (sudo apt-get install -y auditd audispd-plugins)
+ - /var/log/audit/:/var/log/audit/:ro
+ environment:
+ - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
+ - KIBANA_HOST=${KIBANA_HOST}
+ - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
+ - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}
+ # disable strict permission checks
+ command: ["--strict.perms=false"]
+
+volumes:
+ filebeat:
+
 networks:
 default:
 external:
 name: mistborn_default
+
+configs:
+ fb_config:
+ file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml
\ No newline at end of file
diff --git a/scripts/services/Mistborn-scirius.service b/scripts/services/Mistborn-scirius.service
index 7c9a274..f80d80b 100644
--- a/scripts/services/Mistborn-scirius.service
+++ b/scripts/services/Mistborn-scirius.service
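Review bot: The config source `file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml` does not match the path init.sh copies the file to in this same commit (`/opt/mistborn_volumes/extra/scirius/init/`), so `fb_config` will point at a file that is never created; pick one path and use it in both places. Separately, `user: root` combined with a read-write bind of `/var/run/docker.sock` gives this container root-equivalent control of the host, and adding `:ro` would not help because a read-only mount does not stop connect() on a socket — if the docker autodiscover provider only needs container metadata, put a socket proxy that exposes only the containers/events endpoints in front of it, or at least document the accepted risk next to the mount. `--strict.perms=false` turns off filebeat's refusal to run with a config writable by others; since the file is supplied from a root-owned host path, that check should pass on its own, so consider removing the flag rather than silencing the check. Note also that `configs:` and the `{{.Node.Hostname}}` template are swarm-mode features while the unit file drives this stack with `docker-compose ... up`, which (as far as I recall) warns and ignores `configs` outside swarm; verify, and if so mount the file with a plain `volumes:` entry such as `- /opt/mistborn_volumes/extra/scirius/init/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro`.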
@@ -11,17 +11,17 @@ User=root
 Group=docker
 PermissionsStartOnly=true
 # Shutdown container (if running) when unit is stopped
-ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
+ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
 # Start container when unit is started
-ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
+ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
 # Suricata
-ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
+ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
 # Stop container when unit is stopped
-ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
+ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
 # Post stop
-ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
+ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
 [Install]
 WantedBy=Mistborn-base.service
diff --git a/scripts/services/scirius/files/filebeat.docker.yml b/scripts/services/scirius/files/filebeat.docker.yml
index b7b6dc6..3108711 100644
--- a/scripts/services/scirius/files/filebeat.docker.yml
+++ b/scripts/services/scirius/files/filebeat.docker.yml
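Review bot: Every Exec line now passes `wazuh,scirius` to the wrapper, which presumably makes this unit load the wazuh environment (the ELASTICSEARCH_* variables the new compose file needs), but nothing in the hunk records that the scirius stack now depends on the wazuh stack — the `[Unit]` section is outside this hunk, so please check it declares `After=Mistborn-wazuh.service` (and `Wants=`/`Requires=` as appropriate) so filebeat is not started before Elasticsearch and Kibana exist. If wazuh is an optional extra, also confirm how the wrapper behaves when its env file is absent, since a failure in `ExecStartPre` now blocks scirius entirely rather than just the side-car. A one-line comment above the Exec lines such as `# wazuh env is needed for the filebeat side-car (ELASTICSEARCH_*/KIBANA_HOST)` would make the coupling visible to the next reader.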
@@ -1,17 +1,62 @@
-filebeat.config:
- modules:
- path: ${path.config}/modules.d/*.yml
- reload.enabled: false
+filebeat.modules:
+- module: suricata
+ eve:
+ enabled: true
+ var.paths: ["/var/log/suricata/eve.json"]
+# - module: system
+# syslog:
+# enabled: true
+# auth:
+# enabled: true
+# - module: auditd
+# log:
+# # - Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
+# # - CentOS does not need us to install the audit system, it ships as standard. If you are using Ubuntu, though,
+# # this is probably something you would want to install. (sudo apt-get install -y auditd audispd-plugins)
+# enabled: true
+#filebeat.inputs:
+#- type: container
+# enabled: true
+# paths:
+# -/var/lib/docker/containers/*/*.log
+# stream: all # can be all, stdout or stderr
+
+#========================== Filebeat autodiscover ==============================
+# See this URL on how to run Apache2 Filebeat module: # https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
 filebeat.autodiscover:
 providers:
 - type: docker
+ # https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html
+ # This URL alos contains instructions on multi-line logs
 hints.enabled: true
+#================================ Processors ===================================
 processors:
-- add_cloud_metadata: ~
+#- add_cloud_metadata: ~
+- add_docker_metadata: ~
+- add_locale:
+ format: offset
+- add_host_metadata:
+ netinfo.enabled: true
+#========================== Elasticsearch output ===============================
 output.elasticsearch:
- hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
- username: '${ELASTICSEARCH_USERNAME:}'
- password: '${ELASTICSEARCH_PASSWORD:}'
+ hosts: ["${ELASTICSEARCH_HOST}:9200"]
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
+
+#============================== Dashboards =====================================
+setup.dashboards:
+ enabled: true
+
+#============================== Kibana =========================================
+setup.kibana:
+ host: "${KIBANA_HOST}:80"
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
+
+#============================== Xpack Monitoring ===============================
+xpack.monitoring:
+ enabled: true
+ elasticsearch:
\ No newline at end of file
diff --git a/scripts/services/scirius/init.sh b/scripts/services/scirius/init.sh
index 7fae11f..45de3d4 100755
--- a/scripts/services/scirius/init.sh
+++ b/scripts/services/scirius/init.sh
@@ -58,3 +58,7 @@ fi
 IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
 sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
 sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
+
+mkdir -p /opt/mistborn_volumes/extra/scirius/init/ >/dev/null 2>&1
+chmod -R +x /opt/mistborn_volumes/extra/scirius/init/
+cp /opt/mistborn/scripts/services/scirius/files/filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/
\ No newline at end of file
diff --git a/scripts/subinstallers/extra/scirius.sh b/scripts/subinstallers/extra/scirius.sh
index 6c51d91..420f2e0 100644
--- a/scripts/subinstallers/extra/scirius.sh
+++ b/scripts/subinstallers/extra/scirius.sh
@@ -6,4 +6,9 @@ SCIRIUS_SECRET_KEY=$(python3 -c "import secrets; import string; print(f''.join([
 echo "SECRET_KEY=$SCIRIUS_SECRET_KEY" > $SCIRIUS_PROD_FILE
 echo "ALLOWED_HOSTS=scirius.mistborn" >> $SCIRIUS_PROD_FILE
 echo "DJANGO_SUPERUSER_USERNAME=mistborn" >> $SCIRIUS_PROD_FILE
-echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
\ No newline at end of file
+echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
+
+echo "ELASTICSEARCH_HOST=10.2.3.1" >> $SCIRIUS_PROD_FILE
+echo "KIBANA_HOST=wazuh.mistborn" >> $SCIRIUS_PROD_FILE
+
+chmod 600 $SCIRIUS_PROD_FILE
\ No newline at end of file
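Review bot: `setup.kibana.host: "${KIBANA_HOST}:80"` and `output.elasticsearch.hosts: ["${ELASTICSEARCH_HOST}:9200"]` carry `${ELASTICSEARCH_USERNAME}`/`${ELASTICSEARCH_PASSWORD}` with no `protocol: https`, so the shared credentials and every Suricata event go over cleartext HTTP — or the connection fails outright if the wazuh stack's Elasticsearch only accepts TLS, which I believe is its default; add `protocol: "https"` plus `ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]` (or an explicitly justified `ssl.verification_mode`) to both sections. The rewritten output block also drops the `${VAR:}` defaults the removed lines had, which is a sensible fail-closed change, but the subinstaller hunk in this commit only writes ELASTICSEARCH_HOST and KIBANA_HOST, so say in a comment where the username and password are expected to come from. `setup.dashboards.enabled: true` makes every filebeat start depend on Kibana being reachable and re-imports the dashboards each time; running `filebeat setup --dashboards` once from init.sh is the usual pattern. Finally `xpack.monitoring.elasticsearch:` is a bare key (parses as null) under a setting family that 7.x has deprecated in favour of `monitoring.*`; either fill it in or delete the stanza.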
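Review bot: The copy target `/opt/mistborn_volumes/extra/scirius/init/` does not match the `configs.fb_config.file` path in extra/scirius.yml (`/opt/mistborn_volumes/scirius/init/filebeat.docker.yml`), so the file this block stages is not the one the compose file reads; align the two. `chmod -R +x` on a directory holding a YAML config makes a data file executable for no benefit and only widens permissions — what the filebeat side-car needs is a root-owned file that others cannot write, e.g. `sudo install -d -m 755 /opt/mistborn_volumes/extra/scirius/init/` followed by `sudo install -m 644 .../filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/`. The `>/dev/null 2>&1` on `mkdir -p` hides a permission failure (the surrounding lines use `sudo`, which suggests this script is not running as root), after which the `cp` fails with a confusing error; drop the redirection. The enclosing script continues before this hunk.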
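Review bot: The added `chmod 600 $SCIRIUS_PROD_FILE` runs after the file has already been created by `echo "SECRET_KEY=..." > $SCIRIUS_PROD_FILE` under the default umask, so the Django secret is readable by other local users between that first write and the chmod; set `umask 077` at the top of the script or create the file with `install -m 600 /dev/null "$SCIRIUS_PROD_FILE"` before the first echo, and quote `"$SCIRIUS_PROD_FILE"` in every redirection. `ELASTICSEARCH_HOST=10.2.3.1` is a bare hard-coded address with nothing saying which network it belongs to, and there is no corresponding ELASTICSEARCH_USERNAME/ELASTICSEARCH_PASSWORD line even though the compose and filebeat files in this commit require both; a comment such as `# Elasticsearch lives on the wazuh stack; credentials come from the wazuh env loaded by mistborn_docker.sh wazuh,scirius` (if that is indeed the source) would stop the next reader from assuming they were forgotten. The variable definitions this hunk appends to begin before the hunk.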