
piping

135-scirius
Steven Foerster 5 years ago
parent
commit
3968000c89
  1. 38
      extra/scirius.yml
  2. 10
      scripts/services/Mistborn-scirius.service
  3. 61
      scripts/services/scirius/files/filebeat.docker.yml
  4. 4
      scripts/services/scirius/init.sh
  5. 5
      scripts/subinstallers/extra/scirius.sh

38
extra/scirius.yml

@ -27,7 +27,45 @@ services: @@ -27,7 +27,45 @@ services:
- "traefik.http.services.scirius-service.loadbalancer.server.port=8000"
restart: unless-stopped
filebeat:
image: docker.elastic.co/beats/filebeat:${ELASTIC_VERSION:-7.9.1}
# https://github.com/docker/swarmkit/issues/1951
hostname: "{{.Node.Hostname}}-filebeat"
# Need to override user so we can access the log files, and docker.sock
user: root
configs:
- source: fb_config
target: /usr/share/filebeat/filebeat.yml
volumes:
- filebeat:/usr/share/filebeat/data
- /var/run/docker.sock:/var/run/docker.sock
# This is needed for filebeat to load container log path as specified in filebeat.yml
- /var/lib/docker/containers/:/var/lib/docker/containers/:ro
# # This is needed for filebeat to load jenkins build log path as specified in filebeat.yml
# - /var/lib/docker/volumes/jenkins_home/_data/jobs/:/var/lib/docker/volumes/jenkins_home/_data/jobs/:ro
# This is needed for filebeat to load logs for system and auth modules
- /var/log/:/var/log/:ro
# This is needed for filebeat to load logs for auditd module. you might have to install audit system
# on ubuntu first (sudo apt-get install -y auditd audispd-plugins)
- /var/log/audit/:/var/log/audit/:ro
environment:
- ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
- KIBANA_HOST=${KIBANA_HOST}
- ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
- ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}
# disable strict permission checks
command: ["--strict.perms=false"]
volumes:
filebeat:
networks:
default:
external:
name: mistborn_default
configs:
fb_config:
file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml
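Review bot: The config source at the end of the hunk points at `/opt/mistborn_volumes/scirius/init/filebeat.docker.yml`, but scripts/services/scirius/init.sh in this same commit copies the file to `/opt/mistborn_volumes/extra/scirius/init/`, so one of the two paths is wrong and Filebeat will either start without this config or fail to start. Also, the unit file brings this stack up with plain `docker-compose`, and as far as I recall docker-compose 1.x ignores the top-level `configs:` key outside swarm mode (with only a warning) and leaves the `{{.Node.Hostname}}` template unexpanded; a bind mount such as `- /opt/mistborn_volumes/extra/scirius/init/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro` under the service's `volumes:` works in both modes, and a plain `hostname:` value avoids the template — worth confirming which deployment mode is intended. Separately, `user: root` combined with the `/var/run/docker.sock` mount makes this container host-root-equivalent; since Filebeat only needs container metadata here, fronting the socket with a read-only API proxy would narrow that, and note that a `:ro` flag on the socket mount does not restrict API calls made over it.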

10
scripts/services/Mistborn-scirius.service

@ -11,17 +11,17 @@ User=root @@ -11,17 +11,17 @@ User=root
Group=docker
PermissionsStartOnly=true
# Shutdown container (if running) when unit is stopped
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
# Start container when unit is started
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml up --build
# Suricata
ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_start.sh
# Stop container when unit is stopped
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius docker-compose -f /opt/mistborn/extra/scirius.yml down
# Post stop
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
ExecStopPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh,scirius /opt/mistborn/scripts/services/scirius/suricata_stop.sh
[Install]
WantedBy=Mistborn-base.service
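Review bot: All five Exec lines now pass `wazuh,scirius` as the wrapper's first argument, including `ExecStop` and `ExecStopPost`; if that list is what the wrapper waits on before running its command (inferred from the same list appearing on the down/stop lines), stopping this unit could stall whenever wazuh is already down, which is also the normal state during host shutdown. If the intent is only that scirius starts after wazuh, expressing that as `After=`/`Wants=` on the wazuh unit in the `[Unit]` section and keeping plain `scirius` on the stop lines would be clearer; the `[Unit]` section lies outside the hunk. Either way a comment above the first `ExecStartPre`, e.g. `# first wrapper arg: comma-separated services that must be up before the command runs`, would document what the list means for the next maintainer.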

61
scripts/services/scirius/files/filebeat.docker.yml

@ -1,17 +1,62 @@ @@ -1,17 +1,62 @@
filebeat.config:
modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
filebeat.modules:
- module: suricata
eve:
enabled: true
var.paths: ["/var/log/suricata/eve.json"]
# - module: system
# syslog:
# enabled: true
# auth:
# enabled: true
# - module: auditd
# log:
# # - Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
# # - CentOS does not need us to install the audit system, it ships as standard. If you are using Ubuntu, though,
# # this is probably something you would want to install. (sudo apt-get install -y auditd audispd-plugins)
# enabled: true
#filebeat.inputs:
#- type: container
# enabled: true
# paths:
# -/var/lib/docker/containers/*/*.log
# stream: all # can be all, stdout or stderr
#========================== Filebeat autodiscover ==============================
# See this URL on how to run Apache2 Filebeat module: # https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html
filebeat.autodiscover:
providers:
- type: docker
# https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html
# This URL alos contains instructions on multi-line logs
hints.enabled: true
#================================ Processors ===================================
processors:
- add_cloud_metadata: ~
#- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_locale:
format: offset
- add_host_metadata:
netinfo.enabled: true
#========================== Elasticsearch output ===============================
output.elasticsearch:
hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:}'
password: '${ELASTICSEARCH_PASSWORD:}'
hosts: ["${ELASTICSEARCH_HOST}:9200"]
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
#============================== Dashboards =====================================
setup.dashboards:
enabled: true
#============================== Kibana =========================================
setup.kibana:
host: "${KIBANA_HOST}:80"
username: ${ELASTICSEARCH_USERNAME}
password: ${ELASTICSEARCH_PASSWORD}
#============================== Xpack Monitoring ===============================
xpack.monitoring:
enabled: true
elasticsearch:
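Review bot: The new output at `hosts: ["${ELASTICSEARCH_HOST}:9200"]` has no scheme and no `protocol: https`, and `setup.kibana` addresses Kibana on port 80, so the `${ELASTICSEARCH_USERNAME}`/`${ELASTICSEARCH_PASSWORD}` credentials under both sections travel over cleartext HTTP unless the hop between the two hosts is already an encrypted link; state which it is in a comment, e.g. `# ES/Kibana are reached over the internal tunnel only; this hop is not TLS`, or add `protocol: "https"` plus the `ssl.*` settings if the Wazuh stack serves TLS. The new `${...}` references also drop the `:default` fallbacks the old `hosts`/`username`/`password` lines carried, so I believe an unset variable now makes Filebeat fail config load instead of silently using an empty value — acceptable, but worth a one-line comment so nobody "fixes" it back. The bare `elasticsearch:` under `xpack.monitoring` at the end of the hunk parses as null; if it is meant to fall back to the output settings, say so in a comment, otherwise write `elasticsearch: {}` or drop the key. On the `add_cloud_metadata` toggle, if the uncommented form is the new side, note that the processor probes cloud metadata endpoints at startup and adds a timeout on non-cloud hosts.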

4
scripts/services/scirius/init.sh

@ -58,3 +58,7 @@ fi @@ -58,3 +58,7 @@ fi
IFACE=$(ip -o -4 route show to default | awk 'NR==1{print $5}')
sudo sed -i "s/eth0/${IFACE}/g" /etc/suricata/suricata.yml
sudo sed -i "s/eth0/${IFACE}/g" /etc/default/suricata
mkdir -p /opt/mistborn_volumes/extra/scirius/init/ >/dev/null 2>&1
chmod -R +x /opt/mistborn_volumes/extra/scirius/init/
cp /opt/mistborn/scripts/services/scirius/files/filebeat.docker.yml /opt/mistborn_volumes/extra/scirius/init/
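Review bot: `chmod -R +x` runs before the `cp`, so the freshly copied filebeat.docker.yml is not affected by it, and a YAML config has no reason to be executable anyway; dropping that line, or replacing it with `chmod 644` on the file after the copy, is cleaner. The destination `/opt/mistborn_volumes/extra/scirius/init/` also disagrees with the `file: /opt/mistborn_volumes/scirius/init/filebeat.docker.yml` path that extra/scirius.yml in this commit reads, so one of the two must change before Filebeat can pick the config up. `mkdir -p ... >/dev/null 2>&1` hides a real failure (permissions, full disk) and lets the later `cp` fail with a less obvious message; let mkdir report, e.g. `mkdir -p /opt/mistborn_volumes/extra/scirius/init/ || exit 1`. The script begins outside the hunk.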

5
scripts/subinstallers/extra/scirius.sh

@ -7,3 +7,8 @@ echo "SECRET_KEY=$SCIRIUS_SECRET_KEY" > $SCIRIUS_PROD_FILE @@ -7,3 +7,8 @@ echo "SECRET_KEY=$SCIRIUS_SECRET_KEY" > $SCIRIUS_PROD_FILE
echo "ALLOWED_HOSTS=scirius.mistborn" >> $SCIRIUS_PROD_FILE
echo "DJANGO_SUPERUSER_USERNAME=mistborn" >> $SCIRIUS_PROD_FILE
echo "DJANGO_SUPERUSER_EMAIL=mistborn@email.mistborn" >> $SCIRIUS_PROD_FILE
echo "ELASTICSEARCH_HOST=10.2.3.1" >> $SCIRIUS_PROD_FILE
echo "KIBANA_HOST=wazuh.mistborn" >> $SCIRIUS_PROD_FILE
chmod 600 $SCIRIUS_PROD_FILE
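Review bot: `chmod 600` is applied only after the file has been written, including the `SECRET_KEY` line in the hunk header context, so with a permissive umask the secret is briefly world-readable. Creating the file with a restrictive mode first closes that window, e.g. `umask 077` near the top of the script or `install -m 600 /dev/null "$SCIRIUS_PROD_FILE"` before the first `echo ... >`; `$SCIRIUS_PROD_FILE` should also be double-quoted on every line. `ELASTICSEARCH_HOST=10.2.3.1` is a hard-coded address that the filebeat service in extra/scirius.yml will send credentials to; if it is the host's internal tunnel address, a comment saying so (and that it is not expected to change) would help, otherwise it belongs in the same configurable place as the other hosts. The script begins outside the hunk.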