From d5556eb3f16a68daf692485e1a744ec20a06341e Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 13 Apr 2021 10:43:39 -0400 Subject: [PATCH 01/33] initial --- extra/wazuh.yml | 101 ++++++++++++++++++++++++ scripts/services/Mistborn-wazuh.service | 22 ++++++ scripts/subinstallers/extra/wazuh.sh | 9 +++ 3 files changed, 132 insertions(+) create mode 100644 extra/wazuh.yml create mode 100644 scripts/services/Mistborn-wazuh.service create mode 100755 scripts/subinstallers/extra/wazuh.sh diff --git a/extra/wazuh.yml b/extra/wazuh.yml new file mode 100644 index 0000000..4270a16 --- /dev/null +++ b/extra/wazuh.yml 
@@ -0,0 +1,101 @@ +# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2) +version: '3.7' + +services: + wazuh: + image: wazuh/wazuh-odfe:4.1.4 + hostname: wazuh-manager + restart: unless-stopped + ports: + - "${MISTBORN_BIND_IP}:1514:1514" + - "${MISTBORN_BIND_IP}:1515:1515" + - "${MISTBORN_BIND_IP}:514:514/udp" + - "${MISTBORN_BIND_IP}:55000:55000" + environment: + - ELASTICSEARCH_URL=https://wazuhes.mistborn + - FILEBEAT_SSL_VERIFICATION_MODE=none + env_file: + - ../.envs/.production/.wazuh + volumes: + - ossec_api_configuration:/var/ossec/api/configuration + - ossec_etc:/var/ossec/etc + - ossec_logs:/var/ossec/logs + - ossec_queue:/var/ossec/queue + - ossec_var_multigroups:/var/ossec/var/multigroups + - ossec_integrations:/var/ossec/integrations + - ossec_active_response:/var/ossec/active-response/bin + - ossec_agentless:/var/ossec/agentless + - ossec_wodles:/var/ossec/wodles + - filebeat_etc:/etc/filebeat + - filebeat_var:/var/lib/filebeat + + wazuh-elasticsearch: + image: amazon/opendistro-for-elasticsearch:1.12.0 + hostname: wazuh-elasticsearch + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.wazuhes-http.rule=Host(`wazuhes.mistborn`)" + - "traefik.http.routers.wazuhes-http.entrypoints=web" + - "traefik.http.routers.wazuhes-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhes-https.rule=Host(`wazuhes.mistborn`)" + - "traefik.http.routers.wazuhes-https.entrypoints=websecure" + - "traefik.http.routers.wazuhes-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhes-https.tls.certresolver=basic" + - "traefik.http.services.wazuhes-service.loadbalancer.server.port=9200" + #ports: + # - "${MISTBORN_BIND_IP}:9200:9200" + environment: + - discovery.type=single-node + - cluster.name=wazuh-cluster + - network.host=0.0.0.0 + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + + wazuh-kibana: + 
image: wazuh/wazuh-kibana-odfe:4.1.4 + hostname: wazuh-kibana + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.wazuhk-http.rule=Host(`wazuhk.mistborn`)" + - "traefik.http.routers.wazuhk-http.entrypoints=web" + - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.rule=Host(`wazuhk.mistborn`)" + - "traefik.http.routers.wazuhk-https.entrypoints=websecure" + - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" + - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" + #ports: + # - "${MISTBORN_BIND_IP}:5601:5601" + environment: + - SERVER_SSL_ENABLED=false + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert + - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key + env_file: + - ../.envs/.production/.wazuh + depends_on: + - wazuh-elasticsearch + links: + - wazuh-elasticsearch:wazuh-elasticsearch + - wazuh:wazuh + +volumes: + ossec_api_configuration: + ossec_etc: + ossec_logs: + ossec_queue: + ossec_var_multigroups: + ossec_integrations: + ossec_active_response: + ossec_agentless: + ossec_wodles: + filebeat_etc: + filebeat_var: diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service new file mode 100644 index 0000000..aaad8a7 --- /dev/null +++ b/scripts/services/Mistborn-wazuh.service 
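Review bot: `FILEBEAT_SSL_VERIFICATION_MODE=none` in the `wazuh` service environment disables certificate checking for the manager→Elasticsearch connection, so anything that can answer for `wazuhes.mistborn` receives the alert stream together with the `ELASTIC_*` credentials from the env file. If that is an accepted trade-off on the compose network, the reason belongs next to the setting, e.g. `# TODO: mount the ES CA into filebeat and set FILEBEAT_SSL_VERIFICATION_MODE=full`. The `wazuhes-http` router also publishes the raw Elasticsearch API on the plaintext `web` entrypoint; unless Traefik redirects `web` to `websecure` elsewhere (not visible here), the `mistborn_auth@file` basic-auth header crosses the wire in clear. Nothing in this hunk overrides the ODFE image's bundled demo users, so `admin`/`admin` and `kibanaserver` presumably remain valid behind that router until the security config is replaced — worth confirming before this ships.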
@@ -0,0 +1,22 @@ +[Unit] +Description=Mistborn Wazuh Service +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build +# Stop container when unit is stopped +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down + +[Install] +WantedBy=multi-user.target diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh new file mode 100755 index 0000000..952b4ff --- /dev/null +++ b/scripts/subinstallers/extra/wazuh.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# Wazuh +WAZUH_PROD_FILE="$1" +echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE +echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE +echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE +echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE +chmod 600 $WAZUH_PROD_FILE \ No newline at end of file From 4c8b8e4ad74f27e7b1613f13cb759b21af37b130 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 14 Apr 2021 13:49:51 -0400 Subject: [PATCH 02/33] tweaks --- extra/wazuh.yml | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 4270a16..d086559 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -3,7 +3,7 @@ version: '3.7' services: wazuh: - image: wazuh/wazuh-odfe:4.1.4 + image: wazuh/wazuh-odfe:4.1.2 hostname: wazuh-manager restart: unless-stopped ports: 
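Review bot: The env file is created with the caller's default umask by the first `echo ... > $WAZUH_PROD_FILE` and only restricted by the `chmod 600` on the last line, so the `ELASTIC_PASSWORD` value is readable by other local users for that window (typically mode 0644). Create it restricted before writing: `umask 077` at the top of the script, or `install -m 600 /dev/null "$WAZUH_PROD_FILE"` before the first echo. `$WAZUH_PROD_FILE` is also unquoted on every line, so a path containing spaces or glob characters would split. Reusing `MISTBORN_DEFAULT_PASSWORD` for both the Elasticsearch admin and the Kibana server user ties the SIEM to whatever else Mistborn derives from that variable; presumably intentional for a single-user box, but a one-line comment saying so would help.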
@@ -12,7 +12,7 @@ services: - "${MISTBORN_BIND_IP}:514:514/udp" - "${MISTBORN_BIND_IP}:55000:55000" environment: - - ELASTICSEARCH_URL=https://wazuhes.mistborn + - ELASTICSEARCH_URL=https://wazuh-elasticsearch:9200 - FILEBEAT_SSL_VERIFICATION_MODE=none env_file: - ../.envs/.production/.wazuh @@ -33,18 +33,8 @@ services: image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: wazuh-elasticsearch restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.wazuhes-http.rule=Host(`wazuhes.mistborn`)" - - "traefik.http.routers.wazuhes-http.entrypoints=web" - - "traefik.http.routers.wazuhes-http.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhes-https.rule=Host(`wazuhes.mistborn`)" - - "traefik.http.routers.wazuhes-https.entrypoints=websecure" - - "traefik.http.routers.wazuhes-https.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhes-https.tls.certresolver=basic" - - "traefik.http.services.wazuhes-service.loadbalancer.server.port=9200" - #ports: - # - "${MISTBORN_BIND_IP}:9200:9200" + ports: + - "${MISTBORN_BIND_IP}:9200:9200" environment: - discovery.type=single-node - cluster.name=wazuh-cluster @@ -60,7 +50,7 @@ services: hard: 65536 wazuh-kibana: - image: wazuh/wazuh-kibana-odfe:4.1.4 + image: wazuh/wazuh-kibana-odfe:4.1.2 hostname: wazuh-kibana restart: unless-stopped labels: @@ -84,7 +74,7 @@ services: depends_on: - wazuh-elasticsearch links: - - wazuh-elasticsearch:wazuh-elasticsearch + - wazuh-elasticsearch:elasticsearch - wazuh:wazuh volumes: From 51e75ce00fa21dc28d737a6fc3783ac3ba7fb18f Mon Sep 17 00:00:00 2001 
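Review bot: Replacing the Traefik router with `ports: - "${MISTBORN_BIND_IP}:9200:9200"` publishes the Elasticsearch REST API on the bind address with no `mistborn_auth@file` in front of it, leaving the ODFE security plugin's own user database as the only gate. At this point in the series nothing replaces the image's demo `internal_users.yml`, so the bundled `admin`/`admin` account presumably answers on that port. If a direct mapping is only needed for Kibana, leaving Kibana on the compose network (`https://wazuh-elasticsearch:9200`, as this commit already does for the manager's `ELASTICSEARCH_URL`) avoids exposing the port at all; failing that, bind it to `127.0.0.1:9200:9200`. The image tags also move backwards from 4.1.4 to 4.1.2 without a stated reason — a comment on why the older build is required would help whoever next decides whether to upgrade.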
From: Steven Foerster Date: Wed, 14 Apr 2021 21:32:46 -0400 Subject: [PATCH 03/33] internal_users --- extra/wazuh.yml | 8 +++++--- scripts/services/wazuh/files/internal_users.yml | 17 +++++++++++++++++ scripts/services/wazuh/init.sh | 14 ++++++++++++++ scripts/subinstallers/extra/wazuh.sh | 10 ++++++++++ 4 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 scripts/services/wazuh/files/internal_users.yml create mode 100755 scripts/services/wazuh/init.sh diff --git a/extra/wazuh.yml b/extra/wazuh.yml index d086559..34eb064 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -41,6 +41,8 @@ services: - network.host=0.0.0.0 - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true + volumes: + - ../../mistborn_volumes/extra/wazuh/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml ulimits: memlock: soft: -1 @@ -73,9 +75,9 @@ services: - ../.envs/.production/.wazuh depends_on: - wazuh-elasticsearch - links: - - wazuh-elasticsearch:elasticsearch - - wazuh:wazuh + #links: + # - wazuh-elasticsearch:elasticsearch + # - wazuh:wazuh volumes: ossec_api_configuration: diff --git a/scripts/services/wazuh/files/internal_users.yml b/scripts/services/wazuh/files/internal_users.yml new file mode 100644 index 0000000..540eede --- /dev/null +++ b/scripts/services/wazuh/files/internal_users.yml @@ -0,0 +1,17 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +mistborn: + hash: "__MISTBORN_HASH__" + reserved: true + backend_roles: + - "admin" + description: "Mistborn user" + diff --git a/scripts/services/wazuh/init.sh b/scripts/services/wazuh/init.sh new file mode 100755 index 0000000..3055d87 --- /dev/null +++ b/scripts/services/wazuh/init.sh 
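Review bot: The replacement `internal_users.yml` defines only `mistborn` with the `admin` backend role, and the env file gives that same account to Kibana as `ELASTICSEARCH_USERNAME`, so the Kibana server process talks to Elasticsearch with cluster-admin rights instead of a `kibanaserver`-style service user. Consider a second entry carrying the `kibanaserver` role for the Kibana connection and keep `mistborn` for the human login. Bind-mounting the file over `securityconfig/` only takes effect when the plugin initialises the security index from disk (first start, or an explicit `securityadmin.sh` run); on an existing data volume the previous users, demo `admin` included, presumably stay active — a comment in the file stating how and when it is applied would prevent a false sense of safety. `reserved: true` also blocks changing this password from the API/UI later, which may not be intended.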
@@ -0,0 +1,14 @@ +#!/bin/bash + +if [[ -f "/opt/mistborn_volumes/extra/wazuh/init/internal_users.yml" ]]; then + echo "internal_users.yml exists. Proceeding." + exit 0 +fi + +mkdir -p /opt/mistborn_volumes/extra/wazuh/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/wazuh/init/ +cp /opt/mistborn/scripts/services/wazuh/files/internal_users.yml /opt/mistborn_volumes/extra/wazuh/init/ + +WAZUH_MISTBORN_HASHED=$(docker run --rm -ti amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}") + +sed -i "s/__MISTBORN_HASH__/${WAZUH_MISTBORN_HASHED}/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql \ No newline at end of file diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 952b4ff..049afa0 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -4,6 +4,16 @@ WAZUH_PROD_FILE="$1" echo "ELASTIC_USERNAME=mistborn" > $WAZUH_PROD_FILE echo "ELASTIC_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + echo "ELASTICSEARCH_USERNAME=mistborn" >> $WAZUH_PROD_FILE echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + +# kibana odfe +# kibana-odfe/config/wazuh_app_config.sh +#WAZUH_API_URL="https://wazuh" +#API_PORT="55000" + +# kibana-odfe/config/entrypoint.sh: +#ELASTICSEARCH_URL="https://elasticsearch:9200" + chmod 600 $WAZUH_PROD_FILE \ No newline at end of file From 093189b1d7349be88debb457a4ee1560b2f6ca01 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 14 Apr 2021 23:01:50 -0400 Subject: [PATCH 04/33] typo --- scripts/services/wazuh/init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/services/wazuh/init.sh b/scripts/services/wazuh/init.sh index 3055d87..637da4b 100755 --- a/scripts/services/wazuh/init.sh +++ b/scripts/services/wazuh/init.sh 
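Review bot: `hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}"` passes the master password as a command-line argument to `docker run`, so it is visible in `ps`, in `docker inspect`/`docker events` for that container and in any process-accounting or audit log on the host. Pass it through the environment instead, e.g. `docker run --rm -e PW="${MISTBORN_DEFAULT_PASSWORD}" amazon/opendistro-for-elasticsearch:1.12.0 bash .../hash.sh -env PW`, if this ODFE build's hasher accepts `-env` (the 1.x tools appear to, but confirm), otherwise feed it on stdin. `chmod -R +x` on the init directory marks the YAML file executable for no reason and leaves it world-readable; `chmod 700` on the directory and `chmod 600` on the file is the appropriate mode for something holding a credential hash. A `set -e` at the top would also stop the `sed` from running against a half-prepared file when the copy or hash step fails.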
@@ -11,4 +11,4 @@ cp /opt/mistborn/scripts/services/wazuh/files/internal_users.yml /opt/mistborn_v WAZUH_MISTBORN_HASHED=$(docker run --rm -ti amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}") -sed -i "s/__MISTBORN_HASH__/${WAZUH_MISTBORN_HASHED}/" /opt/mistborn_volumes/extra/guacamole/init/initdb.sql \ No newline at end of file +sed -i "s/__MISTBORN_HASH__/${WAZUH_MISTBORN_HASHED}/" /opt/mistborn_volumes/extra/wazuh/init/internal_users.yml From fab092ad6c0394c0de1fdacdba54cb20f8f91029 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 14 Apr 2021 23:19:10 -0400 Subject: [PATCH 05/33] tweaks --- scripts/services/wazuh/init.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/services/wazuh/init.sh b/scripts/services/wazuh/init.sh index 637da4b..a1ad27d 100755 --- a/scripts/services/wazuh/init.sh +++ b/scripts/services/wazuh/init.sh @@ -9,6 +9,6 @@ mkdir -p /opt/mistborn_volumes/extra/wazuh/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/wazuh/init/ cp /opt/mistborn/scripts/services/wazuh/files/internal_users.yml /opt/mistborn_volumes/extra/wazuh/init/ -WAZUH_MISTBORN_HASHED=$(docker run --rm -ti amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}") +WAZUH_MISTBORN_HASHED=$(docker run --rm -ti amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}" | tr -d '\n') -sed -i "s/__MISTBORN_HASH__/${WAZUH_MISTBORN_HASHED}/" /opt/mistborn_volumes/extra/wazuh/init/internal_users.yml +sed -i "s|__MISTBORN_HASH__|${WAZUH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/wazuh/init/internal_users.yml From e0cd4ee6cbcead9bf153e2eaac95b6ebc6a510f2 Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Wed, 14 Apr 2021 23:25:06 -0400 Subject: [PATCH 06/33] tweaks --- scripts/services/wazuh/init.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/services/wazuh/init.sh b/scripts/services/wazuh/init.sh index a1ad27d..1f35f52 100755 --- a/scripts/services/wazuh/init.sh +++ b/scripts/services/wazuh/init.sh @@ -1,5 +1,7 @@ #!/bin/bash +set -e + if [[ -f "/opt/mistborn_volumes/extra/wazuh/init/internal_users.yml" ]]; then echo "internal_users.yml exists. Proceeding." exit 0 @@ -9,6 +11,6 @@ mkdir -p /opt/mistborn_volumes/extra/wazuh/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/wazuh/init/ cp /opt/mistborn/scripts/services/wazuh/files/internal_users.yml /opt/mistborn_volumes/extra/wazuh/init/ -WAZUH_MISTBORN_HASHED=$(docker run --rm -ti amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p "${MISTBORN_DEFAULT_PASSWORD}" | tr -d '\n') +WAZUH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') sed -i "s|__MISTBORN_HASH__|${WAZUH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/wazuh/init/internal_users.yml From 138b8fd3f6a6d23538e6168365b164227a20bd6e Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 14 Apr 2021 23:30:39 -0400 Subject: [PATCH 07/33] MDP --- scripts/subinstallers/extra/wazuh.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 049afa0..dd6c125 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh 
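Review bot: Removing the quotes around `${MISTBORN_DEFAULT_PASSWORD}` on the `docker run` line subjects the password to word splitting and glob expansion, so a value containing spaces, `*` or `?` is mangled before it reaches `hash.sh`; keep `"${MISTBORN_DEFAULT_PASSWORD}"`. The new `set -e` also does not cover the left side of the `| tr -d '\n'` pipeline: if `docker run` fails (image not pulled, daemon down) the pipeline still exits 0, `WAZUH_MISTBORN_HASHED` is empty, and the `sed` produces an `internal_users.yml` whose `mistborn` entry has an empty `hash`. Add `set -o pipefail` and refuse to continue unless the result looks like bcrypt, e.g. `[[ ${WAZUH_MISTBORN_HASHED} == \$2* ]] || { echo 'hash generation failed' >&2; exit 1; }`.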
@@ -16,4 +16,6 @@ echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE # kibana-odfe/config/entrypoint.sh: #ELASTICSEARCH_URL="https://elasticsearch:9200" -chmod 600 $WAZUH_PROD_FILE \ No newline at end of file +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE + +chmod 600 $WAZUH_PROD_FILE From 0e138968d6e6a1d499ff720cb2c3bd16e7b59146 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 14 Apr 2021 23:37:42 -0400 Subject: [PATCH 08/33] links --- extra/wazuh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 34eb064..d715b2a 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -75,9 +75,9 @@ services: - ../.envs/.production/.wazuh depends_on: - wazuh-elasticsearch - #links: - # - wazuh-elasticsearch:elasticsearch - # - wazuh:wazuh + links: + - wazuh-elasticsearch:elasticsearch + - wazuh:wazuh volumes: ossec_api_configuration: From 1120bc307089ac9b4a3f8f04db1caa17e1a70f48 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Apr 2021 07:54:18 -0400 Subject: [PATCH 09/33] links --- extra/wazuh.yml | 6 +++--- scripts/subinstallers/extra/wazuh.sh | 8 +++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index d715b2a..34eb064 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -75,9 +75,9 @@ services: - ../.envs/.production/.wazuh depends_on: - wazuh-elasticsearch - links: - - wazuh-elasticsearch:elasticsearch - - wazuh:wazuh + #links: + # - wazuh-elasticsearch:elasticsearch + # - wazuh:wazuh volumes: ossec_api_configuration: diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index dd6c125..f68cfd4 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh 
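Review bot: Appending `MISTBORN_DEFAULT_PASSWORD=...` to the file that both compose services load via `env_file` puts the master password into the environment of the Wazuh manager and Kibana containers, where it is readable through `docker inspect`, `/proc/1/environ` and any diagnostic dump those applications emit. If the purpose is to supply the variable to the host-side `init.sh` through the `mistborn_docker.sh` wrapper (not shown here), keep host-only variables in a separate file that is not passed as `env_file`, or have the wrapper export it from the installer's environment. If the line must stay, a comment naming the process that consumes it would keep the next reviewer from removing it or, worse, from copying the pattern elsewhere.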
@@ -10,11 +10,13 @@ echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE # kibana odfe # kibana-odfe/config/wazuh_app_config.sh -#WAZUH_API_URL="https://wazuh" -#API_PORT="55000" +# https://wazuh +echo "WAZUH_API_URL=https://home.mistborn" >> $WAZUH_PROD_FILE +echo "API_PORT=55000" >> $WAZUH_PROD_FILE # kibana-odfe/config/entrypoint.sh: -#ELASTICSEARCH_URL="https://elasticsearch:9200" +# https://elasticsearch:9200 +echo "ELASTICSEARCH_URL=https://home.mistborn:9200" >> $WAZUH_PROD_FILE echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE From 21c1388c1d884dc9317c6a8b0fee1609c282c328 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Apr 2021 08:52:19 -0400 Subject: [PATCH 10/33] ip --- scripts/subinstallers/extra/wazuh.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index f68cfd4..ef343d1 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -11,12 +11,12 @@ echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE # kibana odfe # kibana-odfe/config/wazuh_app_config.sh # https://wazuh -echo "WAZUH_API_URL=https://home.mistborn" >> $WAZUH_PROD_FILE +echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE echo "API_PORT=55000" >> $WAZUH_PROD_FILE # kibana-odfe/config/entrypoint.sh: # https://elasticsearch:9200 -echo "ELASTICSEARCH_URL=https://home.mistborn:9200" >> $WAZUH_PROD_FILE +echo "ELASTICSEARCH_URL=https://10.2.3.1:9200" >> $WAZUH_PROD_FILE echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE From d6641f295bf1cf39601af2319e59c0a7b78e133c Mon Sep 17 00:00:00 2001 
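Review bot: `10.2.3.1` is hard-coded in both `WAZUH_API_URL` and `ELASTICSEARCH_URL` while the compose file publishes the same services on `${MISTBORN_BIND_IP}`; if the bind address ever differs, Kibana silently points at another host. Use the variable here as well, e.g. `echo "ELASTICSEARCH_URL=https://${MISTBORN_BIND_IP}:9200" >> "$WAZUH_PROD_FILE"`, or better, keep Kibana on the compose network and use the service names the image defaults to (`https://elasticsearch:9200`, as the comment above records). Routing Kibana through the host-published port also means the Elasticsearch API has to stay exposed on that address for the stack to function, which is exactly the exposure the earlier Traefik setup avoided. I am assuming 10.2.3.1 is the current value of MISTBORN_BIND_IP — confirm.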
From: Steven Foerster Date: Thu, 15 Apr 2021 09:18:37 -0400 Subject: [PATCH 11/33] wazuh agent --- scripts/services/Mistborn-wazuh.service | 2 ++ scripts/services/wazuh/agent.sh | 25 +++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100755 scripts/services/wazuh/agent.sh diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index aaad8a7..856bc57 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service @@ -15,6 +15,8 @@ ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down # Start container when unit is started ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build +# Agent install +ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh # Stop container when unit is stopped ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh new file mode 100755 index 0000000..bc1aead --- /dev/null +++ b/scripts/services/wazuh/agent.sh 
@@ -0,0 +1,25 @@ +#!/bin/bash + +# detect if already installed +if [ $(dpkg -s wazuh-agent &> /dev/null) -eq 0 ]; then + echo "Wazuh agent already installed" + exit 0 +fi + +# prepare repo +echo "Adding Wazuh Repository" +curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - +echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list + +apt-get update + +# wait for service to be listening +while ! nc -z 10.2.3.1 55000; do + WAIT_TIME=10 + echo "Waiting ${WAIT_TIME} seconds for Wazuh API..." + sleep ${WAIT_TIME} +done + +# install +echo "Installing Wazuh agent" +WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent From b1106fb49c27433adfe56d41233356895b8ef5ac Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Apr 2021 09:31:25 -0400 Subject: [PATCH 12/33] domain --- extra/wazuh.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 34eb064..7991665 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -57,10 +57,10 @@ services: restart: unless-stopped labels: - "traefik.enable=true" - - "traefik.http.routers.wazuhk-http.rule=Host(`wazuhk.mistborn`)" + - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" - "traefik.http.routers.wazuhk-http.entrypoints=web" - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhk-https.rule=Host(`wazuhk.mistborn`)" + - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" - "traefik.http.routers.wazuhk-https.entrypoints=websecure" - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" From 12f9d251a8b40f5ccf8d99677a7d8ae4f33d14eb Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Thu, 15 Apr 2021 09:58:51 -0400 Subject: [PATCH 13/33] api creds --- scripts/subinstallers/extra/wazuh.sh | 4 ++++ 1 file changed, 4 insertions(+) 
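Review bot: The already-installed check `[ $(dpkg -s wazuh-agent &> /dev/null) -eq 0 ]` can never succeed: the command substitution captures stdout, which is redirected away, so the test becomes `[ -eq 0 ]` and fails with a syntax error every run, after which `tee -a` appends another copy of the repo line to `wazuh.list` on each unit start. Test the exit status directly (`if dpkg -s wazuh-agent >/dev/null 2>&1; then`), write the list file with `>` rather than `-a`, and scope the key with `signed-by=` instead of the deprecated global `apt-key add`. `apt-get install wazuh-agent` has no `-y`, so under systemd with no stdin it will presumably abort if apt asks for confirmation, and `curl -s` without `-f` pipes an HTML error page into the keyring step without complaint. Enrolling with only `WAZUH_MANAGER` set relies on the manager's authd on 1515 with no registration password; since 1515 is published on the bind IP in the compose file, anything reaching that address can presumably register itself as an agent — set `WAZUH_REGISTRATION_PASSWORD` (and the matching `authd.pass` on the manager) if that address is not fully trusted.
```shell
set -euo pipefail

# detect if already installed (exit status, not captured output)
if dpkg -s wazuh-agent >/dev/null 2>&1; then
  echo "Wazuh agent already installed"
  exit 0
fi

# prepare repo: keyring scoped to this source instead of the global apt-key store
echo "Adding Wazuh Repository"
curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor --yes -o /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
apt-get update

# … unchanged: wait loop for the API on 10.2.3.1:55000 …

# install non-interactively; no stdin under systemd
echo "Installing Wazuh agent"
WAZUH_MANAGER="10.2.3.1" DEBIAN_FRONTEND=noninteractive apt-get install -y wazuh-agent
```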
diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index ef343d1..48269e4 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -13,6 +13,10 @@ echo "ELASTICSEARCH_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $WAZUH_PROD_FILE # https://wazuh echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE echo "API_PORT=55000" >> $WAZUH_PROD_FILE +echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE + +API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE # kibana-odfe/config/entrypoint.sh: # https://elasticsearch:9200 From 35e27d567666b0f185b4123ca05c415182a83015 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 16 Apr 2021 22:23:14 -0400 Subject: [PATCH 14/33] separate es --- extra/wazuh.yml | 5 ----- scripts/services/Mistborn-wazuh.service | 1 - scripts/services/wazuh/files/internal_users.yml | 17 ----------------- scripts/services/wazuh/init.sh | 16 ---------------- 4 files changed, 39 deletions(-) delete mode 100644 scripts/services/wazuh/files/internal_users.yml delete mode 100755 scripts/services/wazuh/init.sh diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 7991665..49f0545 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -73,11 +73,6 @@ services: - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key env_file: - ../.envs/.production/.wazuh - depends_on: - - wazuh-elasticsearch - #links: - # - wazuh-elasticsearch:elasticsearch - # - wazuh:wazuh volumes: ossec_api_configuration: diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index 856bc57..7aaaea7 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service 
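Review bot: Writing `API_USERNAME=wazuh-wui` and a freshly generated `API_PASSWORD` into the env file only tells Kibana which credentials to present; nothing in this hunk changes the password of the `wazuh-wui` account on the manager. Unless the `wazuh-odfe` image's entrypoint reads `API_PASSWORD` and updates that user (not visible here — confirm against the image), Kibana will fail to authenticate and the manager keeps its documented default `wazuh-wui` password on port 55000, which the compose file publishes on the bind IP. Either apply the generated password to the manager in an init step (`PUT /security/users/<id>` via the API, or the image's own mechanism) or document in a comment here which component consumes it. The file is also rewritten with `>` on every install, so a rerun regenerates the password and desynchronises it from whatever the manager was set to.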
@@ -11,7 +11,6 @@ User=root Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped -ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down # Start container when unit is started ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build diff --git a/scripts/services/wazuh/files/internal_users.yml b/scripts/services/wazuh/files/internal_users.yml deleted file mode 100644 index 540eede..0000000 --- a/scripts/services/wazuh/files/internal_users.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -_meta: - type: "internalusers" - config_version: 2 - -# Define your internal users here - -mistborn: - hash: "__MISTBORN_HASH__" - reserved: true - backend_roles: - - "admin" - description: "Mistborn user" - diff --git a/scripts/services/wazuh/init.sh b/scripts/services/wazuh/init.sh deleted file mode 100755 index 1f35f52..0000000 --- a/scripts/services/wazuh/init.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash - -set -e - -if [[ -f "/opt/mistborn_volumes/extra/wazuh/init/internal_users.yml" ]]; then - echo "internal_users.yml exists. Proceeding." - exit 0 -fi - -mkdir -p /opt/mistborn_volumes/extra/wazuh/init/ >/dev/null 2>&1 -chmod -R +x /opt/mistborn_volumes/extra/wazuh/init/ -cp /opt/mistborn/scripts/services/wazuh/files/internal_users.yml /opt/mistborn_volumes/extra/wazuh/init/ - -WAZUH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') - -sed -i "s|__MISTBORN_HASH__|${WAZUH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/wazuh/init/internal_users.yml 
From ee4cd9f2e8b71fdd1246c5480e85478d1eb0d28d Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 16 Apr 2021 23:18:43 -0400 Subject: [PATCH 15/33] removing separated service --- extra/wazuh.yml | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 49f0545..9a08e58 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -12,7 +12,6 @@ services: - "${MISTBORN_BIND_IP}:514:514/udp" - "${MISTBORN_BIND_IP}:55000:55000" environment: - - ELASTICSEARCH_URL=https://wazuh-elasticsearch:9200 - FILEBEAT_SSL_VERIFICATION_MODE=none env_file: - ../.envs/.production/.wazuh @@ -29,28 +28,6 @@ services: - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat - wazuh-elasticsearch: - image: amazon/opendistro-for-elasticsearch:1.12.0 - hostname: wazuh-elasticsearch - restart: unless-stopped - ports: - - "${MISTBORN_BIND_IP}:9200:9200" - environment: - - discovery.type=single-node - - cluster.name=wazuh-cluster - - network.host=0.0.0.0 - - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - - bootstrap.memory_lock=true - volumes: - - ../../mistborn_volumes/extra/wazuh/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - wazuh-kibana: image: wazuh/wazuh-kibana-odfe:4.1.2 hostname: wazuh-kibana From 834c176da55cf56652076cd8e7fa52f0f3d8bb63 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 16 Apr 2021 23:55:28 -0400 Subject: [PATCH 16/33] default network --- extra/wazuh.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 9a08e58..f7df12a 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -63,3 +63,8 @@ volumes: ossec_wodles: filebeat_etc: filebeat_var: + +networks: + default: + external: + name: mistborn_default From 5b35c3aaa787265843ac91f76c93b3d85d17da0c Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Sat, 17 Apr 2021 09:48:36 -0400 Subject: [PATCH 17/33] wazuh pass --- scripts/subinstallers/extra/wazuh.sh | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 48269e4..69bfc2d 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh @@ -15,7 +15,31 @@ echo "WAZUH_API_URL=https://10.2.3.1" >> $WAZUH_PROD_FILE echo "API_PORT=55000" >> $WAZUH_PROD_FILE echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE -API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") +#API_PASSWORD=$(python3 -c "import secrets; import string; print(f''.join([secrets.choice(string.ascii_letters+string.digits) for x in range(32)]))") + +API_PASSWORD_PYTHON=$(cat << EOF + +import secrets +import string + +random_pass = ([secrets.choice("@$!%*?&-_"), + secrets.choice(string.digits), + secrets.choice(string.ascii_lowercase), + secrets.choice(string.ascii_uppercase), + ] + + [secrets.choice(string.ascii_lowercase + + string.ascii_uppercase + + "@$!%*?&-_" + + string.digits) for i in range(12)]) + +secrets.shuffle(random_pass) +random_pass = ''.join(random_pass) +print(random_pass) + +EOF) + +API_PASSWORD=$(python -c "${API_PASSWORD_PYTHON}) + echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE # kibana-odfe/config/entrypoint.sh: From 2bc89e88d6255b271bdc6e457dd0395a120ddf99 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 17 Apr 2021 09:56:47 -0400 Subject: [PATCH 18/33] tweaks --- scripts/subinstallers/extra/wazuh.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh index 69bfc2d..0d5c0ee 100755 --- a/scripts/subinstallers/extra/wazuh.sh +++ b/scripts/subinstallers/extra/wazuh.sh 
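Review bot: The heredoc delimiter is unquoted (`<< EOF`), so bash expands parameters inside the Python text before it reaches the interpreter: in `"@$!%*?&-_"` the `$!` is the PID of the last background job (empty here), so the symbol class actually used is `@%*?&-_` and `!` is silently dropped from every generated password. Quote it — `API_PASSWORD_PYTHON=$(cat << 'EOF'` — so the script is passed verbatim. The generator also shrinks the password from 32 alphanumerics to 16 characters; with a 73-symbol alphabet that is still roughly 95 bits before the class constraints, which is adequate, but the reduction deserves a comment saying it was made to satisfy the Wazuh API's password policy (which is what the mandatory classes look like they are for). `secrets.shuffle` does not exist in the standard library; the CSPRNG-backed equivalent is `secrets.SystemRandom().shuffle(random_pass)`.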
@@ -20,6 +20,7 @@ echo "API_USERNAME=wazuh-wui" >> $WAZUH_PROD_FILE API_PASSWORD_PYTHON=$(cat << EOF import secrets +import random import string random_pass = ([secrets.choice("@$!%*?&-_"), @@ -32,13 +33,14 @@ random_pass = ([secrets.choice("@$!%*?&-_"), + "@$!%*?&-_" + string.digits) for i in range(12)]) -secrets.shuffle(random_pass) +random.shuffle(random_pass) random_pass = ''.join(random_pass) print(random_pass) -EOF) +EOF +) -API_PASSWORD=$(python -c "${API_PASSWORD_PYTHON}) +API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}") echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE From d89aff602d3ebc889e8925361423faf2bb241351 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 19 Apr 2021 21:15:26 -0400 Subject: [PATCH 19/33] start and stop agent --- scripts/services/Mistborn-wazuh.service | 3 +++ scripts/services/wazuh/agent_start.sh | 3 +++ scripts/services/wazuh/agent_stop.sh | 3 +++ 3 files changed, 9 insertions(+) create mode 100755 scripts/services/wazuh/agent_start.sh create mode 100755 scripts/services/wazuh/agent_stop.sh diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index 7aaaea7..f91ae95 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service 
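Review bot: `random.shuffle` draws from Python's Mersenne Twister, which is not a cryptographic generator, so the positions of the four mandatory-class characters are now chosen predictably even though the characters themselves come from `secrets`; use `secrets.SystemRandom().shuffle(random_pass)` and drop `import random`. That keeps the whole password derived from the OS CSPRNG, which is what the original `secrets.shuffle` line was evidently reaching for. The positional leak is small in isolation, but mixing generators inside a password routine is the kind of thing a later copy-paste turns into a real weakness.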
@@ -16,8 +16,11 @@ ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-comp ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml up --build # Agent install ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh +ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh # Stop container when unit is stopped +ExecStopPre=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down + [Install] WantedBy=multi-user.target diff --git a/scripts/services/wazuh/agent_start.sh b/scripts/services/wazuh/agent_start.sh new file mode 100755 index 0000000..e243813 --- /dev/null +++ b/scripts/services/wazuh/agent_start.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +systemctl stop wazuh-agent diff --git a/scripts/services/wazuh/agent_stop.sh b/scripts/services/wazuh/agent_stop.sh new file mode 100755 index 0000000..2c98f40 --- /dev/null +++ b/scripts/services/wazuh/agent_stop.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +systemctl start wazuh-agent From 4814ed67bee3d6651f0c1450622aa989a85289a4 Mon Sep 17 00:00:00 2001 
From: Steven Foerster Date: Mon, 19 Apr 2021 22:05:21 -0400 Subject: [PATCH 20/33] elastic --- extra/elasticsearch.yml | 55 +++++++++++++++++ extra/wazuh.yml | 23 ------- .../services/Mistborn-elasticsearch.service | 22 +++++++ .../elasticsearch/files/internal_users.yml | 17 ++++++ scripts/services/elasticsearch/init.sh | 16 +++++ scripts/subinstallers/extra/elasticsearch.sh | 6 ++ scripts/wrappers/mistborn_docker.sh | 61 ++++++++++--------- 7 files changed, 149 insertions(+), 51 deletions(-) create mode 100644 extra/elasticsearch.yml create mode 100644 scripts/services/Mistborn-elasticsearch.service create mode 100644 scripts/services/elasticsearch/files/internal_users.yml create mode 100755 scripts/services/elasticsearch/init.sh create mode 100755 scripts/subinstallers/extra/elasticsearch.sh diff --git a/extra/elasticsearch.yml b/extra/elasticsearch.yml new file mode 100644 index 0000000..6ad7cb0 --- /dev/null +++ b/extra/elasticsearch.yml 
@@ -0,0 +1,55 @@ +version: '3.7' + +services: + + wazuh-elasticsearch: + image: amazon/opendistro-for-elasticsearch:1.12.0 + hostname: elasticsearch + restart: unless-stopped + ports: + - "${MISTBORN_BIND_IP}:9200:9200" + environment: + - discovery.type=single-node + - cluster.name=wazuh-cluster + - network.host=0.0.0.0 + - "ES_JAVA_OPTS=-Xms512m -Xmx512m" + - bootstrap.memory_lock=true + volumes: + - ../../mistborn_volumes/extra/elasticsearch/init/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + + wazuh-kibana: + image: wazuh/wazuh-kibana-odfe:4.1.2 + hostname: wazuh-kibana + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-http.entrypoints=web" + - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-https.entrypoints=websecure" + - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" + - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" + #ports: + # - "${MISTBORN_BIND_IP}:5601:5601" + depends_on: + - wazuh-elasticsearch + environment: + - SERVER_SSL_ENABLED=false + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert + - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key + env_file: + - ../.envs/.production/.wazuh + +networks: + default: + external: + name: mistborn_default diff --git a/extra/wazuh.yml b/extra/wazuh.yml index f7df12a..b1bd859 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml 
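Review bot: The `ports` entry on `wazuh-elasticsearch` publishes 9200 on `${MISTBORN_BIND_IP}`, whereas the original wazuh.yml kept that mapping commented out and only exposed Elasticsearch through the Traefik router carrying the `mistborn_auth@file` middleware; the REST API is now directly reachable from anything that can route to the bind address, with only the security plugin's own authentication in front of it. If the other containers are the only intended clients, the shared `mistborn_default` network declared at the bottom of the file already gives them access and the mapping can stay commented out, as it is for the Kibana service below; if host access is deliberate, a comment above `ports:` saying so would help. The `SERVER_SSL_CERTIFICATE`/`SERVER_SSL_KEY` entries are inert while `SERVER_SSL_ENABLED=false`, which is worth a comment too.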
@@ -28,29 +28,6 @@ services: - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat - wazuh-kibana: - image: wazuh/wazuh-kibana-odfe:4.1.2 - hostname: wazuh-kibana - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" - - "traefik.http.routers.wazuhk-http.entrypoints=web" - - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" - - "traefik.http.routers.wazuhk-https.entrypoints=websecure" - - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" - - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" - #ports: - # - "${MISTBORN_BIND_IP}:5601:5601" - environment: - - SERVER_SSL_ENABLED=false - - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert - - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key - env_file: - - ../.envs/.production/.wazuh - volumes: ossec_api_configuration: ossec_etc: diff --git a/scripts/services/Mistborn-elasticsearch.service b/scripts/services/Mistborn-elasticsearch.service new file mode 100644 index 0000000..7e23145 --- /dev/null +++ b/scripts/services/Mistborn-elasticsearch.service 
@@ -0,0 +1,22 @@ +[Unit] +Description=Mistborn Elasticsearch Service +Requires=Mistborn-base.service +After=Mistborn-base.service +PartOf=Mistborn-base.service + +[Service] +Restart=always +RestartSec=15 +User=root +Group=docker +PermissionsStartOnly=true +# Shutdown container (if running) when unit is stopped +ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml down +# Start container when unit is started +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build +# Stop container when unit is stopped +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml down + +[Install] +WantedBy=multi-user.target diff --git a/scripts/services/elasticsearch/files/internal_users.yml b/scripts/services/elasticsearch/files/internal_users.yml new file mode 100644 index 0000000..540eede --- /dev/null +++ b/scripts/services/elasticsearch/files/internal_users.yml @@ -0,0 +1,17 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +mistborn: + hash: "__MISTBORN_HASH__" + reserved: true + backend_roles: + - "admin" + description: "Mistborn user" + diff --git a/scripts/services/elasticsearch/init.sh b/scripts/services/elasticsearch/init.sh new file mode 100755 index 0000000..c5ae89b --- /dev/null +++ b/scripts/services/elasticsearch/init.sh 
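Review bot: The comment `# Shutdown container (if running) when unit is stopped` sits above `ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144`, which it does not describe, and nothing documents why the sysctl is there; suggest `# Elasticsearch's bootstrap checks require vm.max_map_count >= 262144` on the sysctl line and moving the existing comment down to the `docker-compose ... down` line. The setting is host-wide and is not reverted by `ExecStop`, which the comment should also say.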
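Review bot: The new internal_users.yml is mounted over the plugin's `securityconfig/internal_users.yml` and defines only `mistborn`, with no comment on which account the Kibana and Wazuh manager containers authenticate with; if either still uses one of the users shipped in the image's default database, that account no longer exists once this file is in place. A header comment naming the accounts the other compose services rely on (or entries for them here) would make the dependency explicit. `reserved: true` also deserves a one-line comment; as far as I recall it marks the user as not editable through the security REST API, which is presumably the intent for the bootstrap account — confirm against the plugin docs.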
@@ -0,0 +1,16 @@ +#!/bin/bash + +set -e + +if [[ -f "/opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml" ]]; then + echo "internal_users.yml exists. Proceeding." + exit 0 +fi + +mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1 +chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/ +cp /opt/mistborn-internal/security_center/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/ + +ELASTICSEARCH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') + +sed -i "s|__MISTBORN_HASH__|${ELASTICSEARCH_MISTBORN_HASHED}|" /opt/mistborn_volumes/extra/elasticsearch/init/internal_users.yml diff --git a/scripts/subinstallers/extra/elasticsearch.sh b/scripts/subinstallers/extra/elasticsearch.sh new file mode 100755 index 0000000..e7547ae --- /dev/null +++ b/scripts/subinstallers/extra/elasticsearch.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +# Elasticsearch +ELASTICSEARCH_PROD_FILE="$1" +echo "MISTBORN_DEFAULT_PASSWORD=$MISTBORN_DEFAULT_PASSWORD" >> $ELASTICSEARCH_PROD_FILE +chmod 600 $ELASTICSEARCH_PROD_FILE diff --git a/scripts/wrappers/mistborn_docker.sh b/scripts/wrappers/mistborn_docker.sh index bb33894..a5fa403 100755 --- a/scripts/wrappers/mistborn_docker.sh +++ b/scripts/wrappers/mistborn_docker.sh 
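Review bot: `${MISTBORN_DEFAULT_PASSWORD}` is passed unquoted to `hash.sh -p`, so a value containing whitespace or glob characters is word-split and a different string gets hashed; quote it, `-p "${MISTBORN_DEFAULT_PASSWORD}"`. Passing it as a command-line argument also leaves the clear-text password visible in the process list for the duration of the `docker run` call; check whether the 1.12.0 image's hash tool can take the value from an environment variable or stdin instead. `chmod -R +x` on the init directory marks the YAML file executable, which nothing needs — `mkdir -p` already creates a traversable directory, so the line can go. The `sed` replacement relies on bcrypt output never containing `|` or `&` (true for its `./A-Za-z0-9$` alphabet); a comment stating that assumption would help.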
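Review bot: In elasticsearch.sh the password line is appended to `$ELASTICSEARCH_PROD_FILE` before `chmod 600` runs, so if the append creates the file it is born with the default umask (typically world-readable) and holds the password until the next statement; set the mode first, e.g. `umask 077` at the top of the script or `touch "$ELASTICSEARCH_PROD_FILE" && chmod 600 "$ELASTICSEARCH_PROD_FILE"` before the `echo`. Both uses of `$ELASTICSEARCH_PROD_FILE` are also unquoted, which breaks on paths containing whitespace.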
@@ -2,38 +2,43 @@ set -e -SERVICE="$1" +MISTBORN_HOME="/opt/mistborn" + +SERVICES="$1" shift -export MISTBORN_HOME="/opt/mistborn" -export MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} -export MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh - -# check and create file if needed -${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} - -# read in variables -set -a -source ${MISTBORN_HOME}/.env - -if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then - echo "Loading service variables" - source ${MISTBORN_SERVICE_FILE} -else - echo "No service variables to load. Proceeding." -fi -set +a - -# init script -if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then - echo "Running init script" - ${MISTBORN_SERVICE_INIT} -else - echo "No init script. Proceeding." -fi +IFS=',' +read -ra SERVICES_ARRAY <<< "${SERVICES}" +for SERVICE in "${SERVICES_ARRAY[@]}"; do + MISTBORN_SERVICE_FILE=${MISTBORN_HOME}/.envs/.production/.${SERVICE} + MISTBORN_SERVICE_INIT=${MISTBORN_HOME}/scripts/services/${SERVICE}/init.sh + + # check and create file if needed + ${MISTBORN_HOME}/scripts/env/check_env_file.sh ${SERVICE} + + # read in variables + set -a + source ${MISTBORN_HOME}/.env + + if [[ -f "${MISTBORN_SERVICE_FILE}" ]]; then + echo "Loading service variables" + source ${MISTBORN_SERVICE_FILE} + else + echo "No service variables to load. Proceeding." + fi + set +a + + # init script + if [[ -f "${MISTBORN_SERVICE_INIT}" ]]; then + echo "Running init script" + ${MISTBORN_SERVICE_INIT} + else + echo "No init script. Proceeding." + fi +done # ensure base is up and listening -echo "Waiting for Mistborn-base to finish starting up..." +echo "Checking that Mistborn-base has finished starting up..." while ! nc -z 10.2.3.1 5000; do WAIT_TIME=$((5 + $RANDOM % 15)) From 652538267fc1d6d4fd8d601ab16feb113cf525c1 Mon Sep 17 00:00:00 2001 
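Review bot: `IFS=','` is set as a standalone assignment and never restored, so after the loop every unquoted expansion in the rest of the script splits on commas instead of whitespace; anything after the hunk that relies on default splitting (an unquoted hand-off of the remaining arguments to the wrapped command, for instance) will behave differently. Scope it to the one command that needs it, `IFS=',' read -ra SERVICES_ARRAY <<< "${SERVICES}"`, and drop the separate assignment. `source ${MISTBORN_HOME}/.env` now runs once per service inside the loop; it is harmless but could move above the `for`. The script continues past the hunk.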
From: Steven Foerster Date: Mon, 19 Apr 2021 22:08:47 -0400 Subject: [PATCH 21/33] path --- scripts/services/elasticsearch/init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/services/elasticsearch/init.sh b/scripts/services/elasticsearch/init.sh index c5ae89b..1b3d21b 100755 --- a/scripts/services/elasticsearch/init.sh +++ b/scripts/services/elasticsearch/init.sh @@ -9,7 +9,7 @@ fi mkdir -p /opt/mistborn_volumes/extra/elasticsearch/init/ >/dev/null 2>&1 chmod -R +x /opt/mistborn_volumes/extra/elasticsearch/init/ -cp /opt/mistborn-internal/security_center/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/ +cp /opt/mistborn/scripts/services/elasticsearch/files/internal_users.yml /opt/mistborn_volumes/extra/elasticsearch/init/ ELASTICSEARCH_MISTBORN_HASHED=$(docker run --rm amazon/opendistro-for-elasticsearch:1.12.0 bash /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p ${MISTBORN_DEFAULT_PASSWORD} | tr -d '\n') From 30f1023fa007f0a1a05c6d4e6ee5946fb90ce52a Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 19 Apr 2021 22:27:22 -0400 Subject: [PATCH 22/33] typo --- scripts/services/Mistborn-wazuh.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service index f91ae95..67ccfcd 100644 --- a/scripts/services/Mistborn-wazuh.service +++ b/scripts/services/Mistborn-wazuh.service 
@@ -18,7 +18,7 @@ ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose
 ExecStartPost=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent.sh
 ExecStartPost=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_start.sh
 # Stop container when unit is stopped
-ExecStopPre=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
+ExecStop=-/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh /opt/mistborn/scripts/services/wazuh/agent_stop.sh
 ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh wazuh docker-compose -f /opt/mistborn/extra/wazuh.yml down
From ab0153578eb1495b295a69d0bce8a49c4577c3a9 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Mon, 19 Apr 2021 22:35:11 -0400
Subject: [PATCH 23/33] agent name
---
 scripts/services/wazuh/agent.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh
index bc1aead..f1c6647 100755
--- a/scripts/services/wazuh/agent.sh
+++ b/scripts/services/wazuh/agent.sh
@@ -22,4 +22,4 @@ done
 # install
 echo "Installing Wazuh agent"
-WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent
+WAZUH_MANAGER="10.2.3.1" WAZUH_AGENT_NAME="mistborn" apt-get install wazuh-agent
From e5f75dd8808836b7e621ba5ce99cf38ba3efe80c Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Mon, 19 Apr 2021 22:39:45 -0400
Subject: [PATCH 24/33] undo
---
 scripts/services/wazuh/agent.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh
index f1c6647..bc1aead 100755
--- a/scripts/services/wazuh/agent.sh
+++ b/scripts/services/wazuh/agent.sh
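Review bot: The rewritten `apt-get install wazuh-agent` line in agent.sh still has no `-y`, and agent.sh is launched from the unit's `ExecStartPost` (patch 19) where stdin is not a terminal, so if apt asks for confirmation it reads EOF and aborts the install; `WAZUH_MANAGER="10.2.3.1" apt-get install -y wazuh-agent` makes the step unattended. This predates the series, but the line is rewritten here and reverted again in patch 24, so either is the place to fix it. The rest of agent.sh is outside the hunk.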
@@ -22,4 +22,4 @@ done # install echo "Installing Wazuh agent" -WAZUH_MANAGER="10.2.3.1" WAZUH_AGENT_NAME="mistborn" apt-get install wazuh-agent +WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent From 0a5de6d968963b4c3a8339f003b3bd7bda917dd6 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Mon, 19 Apr 2021 22:43:11 -0400 Subject: [PATCH 25/33] start and enable wazuh-agent --- scripts/services/wazuh/agent.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh index bc1aead..b930ec8 100755 --- a/scripts/services/wazuh/agent.sh +++ b/scripts/services/wazuh/agent.sh @@ -23,3 +23,6 @@ done # install echo "Installing Wazuh agent" WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent + +systemctl enable wazuh-agent +systemctl start wazuh-agent From 04c715c5011a66773252769eba8df4501aedaffc Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 20 Apr 2021 10:49:35 -0400 Subject: [PATCH 26/33] refactor --- extra/elasticsearch.yml | 25 ------------------- extra/wazuh.yml | 25 +++++++++++++++++++ .../services/Mistborn-elasticsearch.service | 6 ++--- scripts/services/wazuh/agent.sh | 2 -- scripts/services/wazuh/agent_start.sh | 3 ++- scripts/services/wazuh/agent_stop.sh | 3 ++- 6 files changed, 32 insertions(+), 32 deletions(-) diff --git a/extra/elasticsearch.yml b/extra/elasticsearch.yml index 6ad7cb0..a4eaf5c 100644 --- a/extra/elasticsearch.yml +++ b/extra/elasticsearch.yml 
@@ -23,31 +23,6 @@ services: nofile: soft: 65536 hard: 65536 - - wazuh-kibana: - image: wazuh/wazuh-kibana-odfe:4.1.2 - hostname: wazuh-kibana - restart: unless-stopped - labels: - - "traefik.enable=true" - - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" - - "traefik.http.routers.wazuhk-http.entrypoints=web" - - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" - - "traefik.http.routers.wazuhk-https.entrypoints=websecure" - - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" - - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" - - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" - #ports: - # - "${MISTBORN_BIND_IP}:5601:5601" - depends_on: - - wazuh-elasticsearch - environment: - - SERVER_SSL_ENABLED=false - - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert - - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key - env_file: - - ../.envs/.production/.wazuh networks: default: diff --git a/extra/wazuh.yml b/extra/wazuh.yml index b1bd859..778ab2e 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml 
@@ -28,6 +28,31 @@ services: - filebeat_etc:/etc/filebeat - filebeat_var:/var/lib/filebeat + wazuh-kibana: + image: wazuh/wazuh-kibana-odfe:4.1.2 + hostname: wazuh-kibana + restart: unless-stopped + labels: + - "traefik.enable=true" + - "traefik.http.routers.wazuhk-http.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-http.entrypoints=web" + - "traefik.http.routers.wazuhk-http.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.rule=Host(`wazuh.mistborn`)" + - "traefik.http.routers.wazuhk-https.entrypoints=websecure" + - "traefik.http.routers.wazuhk-https.middlewares=mistborn_auth@file" + - "traefik.http.routers.wazuhk-https.tls.certresolver=basic" + - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" + #ports: + # - "${MISTBORN_BIND_IP}:5601:5601" + depends_on: + - wazuh-elasticsearch + environment: + - SERVER_SSL_ENABLED=false + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert + - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key + env_file: + - ../.envs/.production/.wazuh + volumes: ossec_api_configuration: ossec_etc: diff --git a/scripts/services/Mistborn-elasticsearch.service b/scripts/services/Mistborn-elasticsearch.service index 7e23145..63933c7 100644 --- a/scripts/services/Mistborn-elasticsearch.service +++ b/scripts/services/Mistborn-elasticsearch.service 
@@ -12,11 +12,11 @@ Group=docker PermissionsStartOnly=true # Shutdown container (if running) when unit is stopped ExecStartPre=/usr/sbin/sysctl -w vm.max_map_count=262144 -ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml down +ExecStartPre=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down # Start container when unit is started -ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build +ExecStart=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml up --build # Stop container when unit is stopped -ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch,wazuh docker-compose -f /opt/mistborn/extra/elasticsearch.yml down +ExecStop=/opt/mistborn/scripts/wrappers/mistborn_docker.sh elasticsearch docker-compose -f /opt/mistborn/extra/elasticsearch.yml down [Install] WantedBy=multi-user.target diff --git a/scripts/services/wazuh/agent.sh b/scripts/services/wazuh/agent.sh index b930ec8..b478fa4 100755 --- a/scripts/services/wazuh/agent.sh +++ b/scripts/services/wazuh/agent.sh @@ -24,5 +24,3 @@ done echo "Installing Wazuh agent" WAZUH_MANAGER="10.2.3.1" apt-get install wazuh-agent -systemctl enable wazuh-agent -systemctl start wazuh-agent diff --git a/scripts/services/wazuh/agent_start.sh b/scripts/services/wazuh/agent_start.sh index e243813..5996970 100755 --- a/scripts/services/wazuh/agent_start.sh +++ b/scripts/services/wazuh/agent_start.sh @@ -1,3 +1,4 @@ #!/bin/bash -systemctl stop wazuh-agent +systemctl start wazuh-agent +systemctl enable wazuh-agent diff --git a/scripts/services/wazuh/agent_stop.sh b/scripts/services/wazuh/agent_stop.sh index 2c98f40..19cf173 100755 --- a/scripts/services/wazuh/agent_stop.sh 
+++ b/scripts/services/wazuh/agent_stop.sh @@ -1,3 +1,4 @@ #!/bin/bash -systemctl start wazuh-agent +systemctl stop wazuh-agent +systemctl disable wazuh-agent From aeab39ce1aa1b1a9bf075efd19c6d72fb81c054c Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 20 Apr 2021 11:03:34 -0400 Subject: [PATCH 27/33] dependency --- extra/wazuh.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/extra/wazuh.yml b/extra/wazuh.yml index 778ab2e..f7df12a 100644 --- a/extra/wazuh.yml +++ b/extra/wazuh.yml @@ -44,8 +44,6 @@ services: - "traefik.http.services.wazuhk-service.loadbalancer.server.port=5601" #ports: # - "${MISTBORN_BIND_IP}:5601:5601" - depends_on: - - wazuh-elasticsearch environment: - SERVER_SSL_ENABLED=false - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert From de302479b1f2a8c35b0cf181b563a7681edec6b0 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 20 Apr 2021 19:33:09 -0400 Subject: [PATCH 28/33] renaming --- extra/elasticsearch.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/extra/elasticsearch.yml b/extra/elasticsearch.yml index a4eaf5c..c1a3a70 100644 --- a/extra/elasticsearch.yml +++ b/extra/elasticsearch.yml @@ -2,7 +2,7 @@ version: '3.7' services: - wazuh-elasticsearch: + elasticsearch: image: amazon/opendistro-for-elasticsearch:1.12.0 hostname: elasticsearch restart: unless-stopped @@ -10,7 +10,7 @@ services: - "${MISTBORN_BIND_IP}:9200:9200" environment: - discovery.type=single-node - - cluster.name=wazuh-cluster + - cluster.name=mistborn-cluster - network.host=0.0.0.0 - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - bootstrap.memory_lock=true From 907bb961f313c430bfd69bf46de73a42f44642a3 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 21 Apr 2021 17:00:35 -0400 Subject: [PATCH 29/33] dependency --- scripts/services/Mistborn-wazuh.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/scripts/services/Mistborn-wazuh.service b/scripts/services/Mistborn-wazuh.service
index 67ccfcd..b4cac82 100644
--- a/scripts/services/Mistborn-wazuh.service
+++ b/scripts/services/Mistborn-wazuh.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Mistborn Wazuh Service
-Requires=Mistborn-base.service
-After=Mistborn-base.service
+Requires=Mistborn-elasticsearch.service
+After=Mistborn-elasticsearch.service
 PartOf=Mistborn-base.service
 [Service]
From 8d69516ab308c33b82a37b6618d9498af948d70d Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 21 Apr 2021 19:43:54 -0400
Subject: [PATCH 30/33] api password
---
 scripts/subinstallers/extra/wazuh.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh
index 0d5c0ee..b8e0227 100755
--- a/scripts/subinstallers/extra/wazuh.sh
+++ b/scripts/subinstallers/extra/wazuh.sh
@@ -42,7 +42,7 @@ EOF
 API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
-echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
+echo "API_PASSWORD=\"${API_PASSWORD}\"" >> $WAZUH_PROD_FILE
 # kibana-odfe/config/entrypoint.sh:
 # https://elasticsearch:9200
From 26cf62f461834756a78afafa66af66464bb077da Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 21 Apr 2021 20:34:46 -0400
Subject: [PATCH 31/33] removing escape
---
 scripts/subinstallers/extra/wazuh.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/subinstallers/extra/wazuh.sh b/scripts/subinstallers/extra/wazuh.sh
index b8e0227..0d5c0ee 100755
--- a/scripts/subinstallers/extra/wazuh.sh
+++ b/scripts/subinstallers/extra/wazuh.sh
@@ -42,7 +42,7 @@ EOF
 API_PASSWORD=$(python3 -c "${API_PASSWORD_PYTHON}")
-echo "API_PASSWORD=\"${API_PASSWORD}\"" >> $WAZUH_PROD_FILE
+echo "API_PASSWORD=${API_PASSWORD}" >> $WAZUH_PROD_FILE
 # kibana-odfe/config/entrypoint.sh:
 # https://elasticsearch:9200
From 409d814a113fbfb0e3912b0ef036c48aa9a3503b Mon Sep 17 00:00:00 2001
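Review bot: Removing the quotes in patch 31 leaves `API_PASSWORD=<value>` bare in a file that mistborn_docker.sh `source`s under `set -a` (patch 20; `$WAZUH_PROD_FILE` is presumably the same `.envs/.production/.wazuh` that compose reads as `env_file`), while the generator's symbol set `@$!%*?&-_` includes `$` and `&`: `$` starts an expansion that silently alters the stored value, and `&` terminates the assignment and runs the remainder as a command. If the quotes were dropped because compose keeps them literally — which is presumably why patch 30 was reverted — the safer fix is in the generator: limit the symbol set to characters that are inert in both readers (e.g. `@%-_`) and document that constraint there. Either way a comment on this line explaining why the value is unquoted would stop the next contributor re-adding them.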
From: Steven Foerster Date: Wed, 21 Apr 2021 21:13:11 -0400 Subject: [PATCH 32/33] README --- README.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7ca1b26..3d24142 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ These tools are not vital to Mistborn itself but are integrated to enhance secur - [Pi-hole](https://pi-hole.net): A DNS server for network-wide ad blocking, etc - [DNScrypt](https://www.dnscrypt.org): prevents DNS spoofing via cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered - [Traefik](https://docs.traefik.io): A modern, efficient reverse-proxy +- [Wazuh](https://wazuh.com/): Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance. Within Mistborn is a panel to enable and manage these free extra services (off by default), locally hosted in Docker containers: - [Home Assistant](https://www.home-assistant.io): Open source home automation that puts local control and privacy first 
@@ -109,6 +110,16 @@ Mistborn protects your data in a variety of ways: See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/Mistborn-Network-Security) wiki page to see more network diagrams and the network scan results for Mistborn. +# Security Information & Event Management (SIEM) + +The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself. + +![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png) + +The Wazuh Kibana plugin leverages the power of Elasticsearch: + +![Mistborn Security Center: Wazuh Dashboard](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_se_dashboard.png) + # Coppercloud Pihole provides a way to block outgoing DNS requests for given lists of blocked domains. Coppercloud provides a way to block outgoing network calls of all types to given lists of IP addresses (IPv4 only for now). This is especially useful for blocking outgoing telemetry (data and state sharing) to owners of software running on all of your devices. @@ -290,6 +301,7 @@ Mistborn uses the following domains (that can be reached by all Wireguard client | Jitsi | jitsi.mistborn | Off | | Guacamole | guac.mistborn | Off | | RaspAP | raspap.mistborn | Off | +| Wazuh | wazuh.mistborn | Off | # Default Credentials These are the default credentials to use in the services you choose to use: 
@@ -298,6 +310,7 @@ These are the default credentials to use in the services you choose to use: | ------- | -------- | -------- | | Pihole | | {{default mistborn password}} | | Cockpit | cockpit | {{default mistborn password}} | +| Wazuh | mistborn | {{default mistborn password}} | | Nextcloud | mistborn | {{default mistborn password}} | | Guacamole | mistborn | {{default mistborn password }} | | RaspAP | mistborn | {{default mistborn password}} | @@ -464,6 +477,8 @@ sudo journalctl -xfu Mistborn-guacamole sudo journalctl -xfu Mistborn-rocketchat sudo journalctl -xfu Mistborn-onlyoffice sudo journalctl -xfu Mistborn-tor +sudo journalctl -xfu Mistborn-raspap +sudo journalctl -xfu Mistborn-wazuh ``` ## Troubleshooting Docker @@ -529,8 +544,6 @@ Many features and refinements are in the works at various stages including: - Plugins for Extra Services (enabling third-party development) - Plugin repository - IPv6 support -- Integration with RaspAP to enable managing an Access Point for local network connections -- Internal network scan tool and feedback - Anomaly detection in network traffic # Featured In From 29bf68e10d33253dc880c566525f9482e0ed88ff Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Wed, 21 Apr 2021 22:08:36 -0400 Subject: [PATCH 33/33] README --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3d24142..1ad2195 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,7 @@ Recommended System Specifications: | Default | Bare bones + Cockpit | 2 GB+ | 15 GB | | Low-resource services | Default + Bitwarden, Tor, Syncthing | 4 GB | 20 GB | | High-resource services | Default + Jitsi, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, OnlyOffice | 6 GB+ | 25 GB+ | +| SIEM | Default + Wazuh + Extras | 16 GB+ | 100 GB+ | Starting from base installation ``` 
@@ -112,6 +113,8 @@ See the [Mistborn Network Security](https://gitlab.com/cyber5k/mistborn/-/wikis/ # Security Information & Event Management (SIEM) +![Mistborn Security Center](https://gitlab.com/cyber5k/public/-/raw/master/graphics/home.mistborn_soc.png) + The Mistborn Security Operations Center provides SIEM services with Wazuh. The Wazuh Manager requires an Open Distro for Elasticsearch backend. When the Mistborn host has >8 GB RAM the provided Elasticsearch backend can be used. Just click "Start Wazuh" on the `Security Center` page and enjoy your Enterprise-grade SIEM. Wazuh agents can be installed on just about any OS and all Wazuh agent traffic is communicated over the Wireguard connections. Instructions for adding endpoint agents can be found within Wazuh itself. ![Mistborn Security Center: Wazuh Modules](https://gitlab.com/cyber5k/public/-/raw/master/graphics/wazuh_modules.png)