crappyrules
/
mistborn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

piping

135-scirius
Steven Foerster 5 years ago
parent
0c65407388
commit
3968000c89
5 changed files with 106 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 38
      extra/scirius.yml
  2. 10
      scripts/services/Mistborn-scirius.service
  3. 61
      scripts/services/scirius/files/filebeat.docker.yml
  4. 4
      scripts/services/scirius/init.sh
  5. 5
      scripts/subinstallers/extra/scirius.sh

38
extra/scirius.yml
Unescape View File

@ -27,7 +27,45 @@ services:
- "traefik.http.services.scirius-service.loadbalancer.server.port=8000" - "traefik.http.services.scirius-service.loadbalancer.server.port=8000"
restart: unless-stopped restart: unless-stopped
filebeat:
image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION:-7.9.1}
# https://github.com/docker/swarmkit/issues/1951
hostname: "{{.Node.Hostname}}-filebeat"
# Need to override user so we can access the log files, and docker.sock
user: root
configs:
- source: fb_config
target: /usr/share/filebeat/filebeat.yml
volumes:
- filebeat:/usr/share/filebeat/data
- /var/run/docker.sock:/var/run/docker.sock
# This is needed for filebeat to load container log path as specified in filebeat.yml
- /var/lib/docker/containers/:/var/lib/docker/containers/:ro
# # This is needed for filebeat to load jenkins build log path as specified in filebeat.yml
# - /var/lib/docker/volumes/jenkins_home/_data/jobs/:/var/lib/docker/volumes/jenkins_home/_data/jobs/:ro
# This is needed for filebeat to load logs for system and auth modules
- /var/log/:/var/log/:ro
# This is needed for filebeat to load logs for auditd module. you might have to install audit system
# on ubuntu first (sudo apt-get install -y auditd audispd-plugins)
- /var/log/audit/:/var/log/audit/:ro
environment:
- ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
- KIBANA_HOST=${KIBANA_HOST}
- ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}
# disable strict permission checks
command: ["--strict.perms=false"]
volumes:
filebeat:
networks: networks:
default: default:
external: external:
name: mistborn_default name: mistborn_default
configs:
fb_config:
file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml

10
scripts/services/Mistborn-scirius.service
Unescape View File

@ -11,17 +11,17 @@ User=root
Group=docker Group=docker
PermissionsStartOnly=true PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped # Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
# Start container when unit is started # Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
# Suricata # Suricata
ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
# Stop container when unit is stopped # Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
# Post stop # Post stop
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
[Install] [Install]
WantedBy=Mistborn-base.service WantedBy=Mistborn-base.service

61
scripts/services/scirius/files/filebeat.docker.yml
Unescape View File

@ -1,17 +1,62 @@
filebeat.config: filebeat.modules:
modules: - module: suricata
path: ${path.config}/modules.d/*.yml eve:
reload.enabled: false enabled: true
var.paths: ["/var/log/suricata/eve.json"]
# - module: system
# syslog:
# enabled: true
# auth:
# enabled: true
# - module: auditd
# log:
# # - Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
# # - CentOS does not need us to install the audit system, it ships as standard. If you are using Ubuntu, though,
# # this is probably something you would want to install. (sudo apt-get install -y auditd audispd-plugins)
# enabled: true
#filebeat.inputs:
#- type: container
# enabled: true
# paths:
# -/var/lib/docker/containers/*/*.log
# stream: all # can be all, stdout or stderr
#========================== Filebeat autodiscover ==============================
# See this URL on how to run Apache2 Filebeat module: # https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
filebeat.autodiscover: filebeat.autodiscover:
providers: providers:
- type: docker - type: docker
# https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html
# This URL alos contains instructions on multi-line logs
hints.enabled: true hints.enabled: true
#================================ Processors ===================================
processors: processors:
- add_cloud_metadata: ~ #- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_locale:
format: offset
- add_host_metadata:
netinfo.enabled: true
#========================== Elasticsearch output ===============================
output.elasticsearch: output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}' hosts: ["${ELASTICSEARCH_HOST}:9200"]
username: '${ELASTICSEARCH_USERNAME:}' username: ${ELASTICSEARCH_USERNAME}
password: '${ELASTICSEARCH_PASSWORD:}' password: ${ELASTICSEARCH_PASSWORD}
#============================== Dashboards =====================================
setup.dashboards:
enabled: true
#============================== Kibana =========================================
setup.kibana:
host: "${KIBANA_HOST}:80"
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
#============================== Xpack Monitoring ===============================
xpack.monitoring:
enabled: true
elasticsearch:

4
scripts/services/scirius/init.sh
Unescape View File

@ -58,3 +58,7 @@ fi
IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}') IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
mkdir -p /opt/mistborn_volumes/extra/scirius/init/ >/dev/null 2>&1
chmod -R +x /opt/mistborn_volumes/extra/scirius/init/
cp /opt/mistborn/scripts/services/scirius/files/filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/

5
scripts/subinstallers/extra/scirius.sh
Unescape View File

@ -7,3 +7,8 @@ echo "SECRET_KEY=$SCIRIUS_SECRET_KEY" > $SCIRIUS_PROD_FILE
echo "ALLOWED_HOSTS=scirius.mistborn" >> $SCIRIUS_PROD_FILE echo "ALLOWED_HOSTS=scirius.mistborn" >> $SCIRIUS_PROD_FILE
echo "DJANGO_SUPERUSER_USERNAME=mistborn" >> $SCIRIUS_PROD_FILE echo "DJANGO_SUPERUSER_USERNAME=mistborn" >> $SCIRIUS_PROD_FILE
echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
echo "ELASTICSEARCH_HOST=10.2.3.1" >> $SCIRIUS_PROD_FILE
echo "KIBANA_HOST=wazuh.mistborn" >> $SCIRIUS_PROD_FILE
chmod 600 $SCIRIUS_PROD_FILE
Write Preview
Loading…
Cancel
Save