Setup certificates in Wazuh Indexer and Logstash containers (#166)

f-galland · AlexRuiz7 · web-flow · commit 90cb9abe7525 · 2024-02-29T17:10:58.000+01:00
* Add certificate generator service

* Add certificate config to docker compose file

* Use secrets for certificates

* Disable permission handling inside cert's generator entrypoint.sh

* Back to using a bind mount for certs

* Have entrypoint.sh generate certs with 1000:1000 ownership

* Correct certificate permissions and bind mounting

* Add security initialization variable to compose file

* Fix permissions on certs generator entrypoint

* Add cert generator config file

* Remove old cert generator dir

* Set indexer hostname right in pipeline file

* Roll back commented code

---------

Signed-off-by: Álex Ruiz &lt;alejandro.ruiz.becerra@wazuh.com&gt;
Co-authored-by: Álex Ruiz &lt;alejandro.ruiz.becerra@wazuh.com&gt;
diff --git a/integrations/.gitignore b/integrations/.gitignore
@@ -2,4 +2,5 @@ elastic
 opensearch
 splunk
 common
-config
+config
+docker/certs
diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-integrator.conf
@@ -1,9 +1,10 @@
 input {
    opensearch {
-      hosts =>  ["opensearch-node:9200"]
+      hosts =>  ["wazuh.indexer:9200"]
       user  =>  "${INDEXER_USERNAME}"
       password  =>  "${INDEXER_PASSWORD}"
-      ssl => false
+      ssl => true
+      ca_file => "/usr/share/logstash/root-ca.pem"
       index =>  "wazuh-alerts-4.x-*"
       query =>  '{
             "query": {
@@ -20,15 +21,10 @@ input {
 }
 
 output {
-
-	stdout { codec => rubydebug }
-
-	pipe
-	{
-		id => "securityLake"
-		message_format => "%{_source}"
-		ttl => "10"
-		command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d"
-	}
-
+    pipe {
+        id => "securityLake"
+        message_format => "%{_source}"
+        ttl => "10"
+        command => "/usr/bin/env python3 /usr/local/bin/stdin_to_securitylake.py -d"
+    }
 }
diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml
@@ -1,4 +1,4 @@
-version: '3'
+version: "3.8"
 name: "amazon-security-lake"
 services:
   events-generator:
@@ -7,22 +7,35 @@ services:
       context: ../tools/events-generator
     container_name: events-generator
     depends_on:
-      - wazuh.indexer
-    networks:
-      - net
-    # TODO add healthcheck to indexer's service to avoid sending requests before API is ready.
-    command: bash -c "sleep 10 && echo 'Ey, wake up!' && python run.py -a wazuh.indexer"
+      wazuh.indexer:
+        condition: service_healthy
+    command: bash -c "python run.py -a wazuh.indexer"
 
   wazuh.indexer:
-    image: opensearchproject/opensearch:latest
+    image: opensearchproject/opensearch:2.11.1
     container_name: wazuh.indexer
+    depends_on:
+      wazuh-certs-generator:
+        condition: service_completed_successfully
     hostname: wazuh.indexer
+    ports:
+      - 9200:9200
     environment:
       # - cluster.name=opensearch-cluster
       - node.name=wazuh.indexer
       - discovery.type=single-node
       # - cluster.initial_cluster_manager_nodes=opensearch-node
       - bootstrap.memory_lock=true
+      - "DISABLE_INSTALL_DEMO_CONFIG=true"
+      - plugins.security.ssl.http.enabled=true
+      - plugins.security.allow_default_init_securityindex=true
+      - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem
+      - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem
+      - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US"
       - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
     ulimits:
       memlock:
@@ -31,29 +44,36 @@ services:
       nofile:
         soft: 65536
         hard: 65536
+    healthcheck:
+      test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster
+      start_period: 10s
+      start_interval: 3s
     volumes:
       - data:/usr/share/opensearch/data
-    networks:
-      - net
+      - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem
+      - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem
+      - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem
 
   wazuh.dashboard:
-    image: opensearchproject/opensearch-dashboards:latest # Make sure the version of opensearch-dashboards matches the version of opensearch installed on other nodes
+    image: opensearchproject/opensearch-dashboards:2.11.1
     container_name: wazuh.dashboard
+    depends_on:
+      - wazuh.indexer
     hostname: wazuh.dashboard
     ports:
       - 5601:5601 # Map host port 5601 to container port 5601
     expose:
       - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
     environment:
       OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
-    networks:
-      - net
-  
+
   wazuh.integration.security.lake:
     image: wazuh/indexer-security-lake-integration
     build:
       context: ../amazon-security-lake
     container_name: wazuh.integration.security.lake
+    depends_on:
+      - wazuh.indexer
     hostname: wazuh.integration.security.lake
     environment:
       LOG_LEVEL: trace
@@ -68,12 +88,9 @@ services:
       - "9600:9600"
     volumes:
       - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline
-    depends_on:
-      - wazuh.indexer
-    networks:
-      - net
-    command: tail -f /dev/null
-    # command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash
+      - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem
+    # command: tail -f /dev/null
+    command: /usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-integrator.conf --path.settings /etc/logstash --config.reload.automatic
 
   s3.ninja:
     image: scireum/s3-ninja:latest
@@ -83,12 +100,16 @@ services:
       - "9444:9000"
     volumes:
       - s3-data:/home/sirius/data
-    networks:
-      - net
+
+  wazuh-certs-generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    container_name: wazuh-certs-generator
+    entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"
+    volumes:
+      - ./certs/:/certificates/
+      - ./config/certs.yml:/config/certs.yml
 
 volumes:
   data:
   s3-data:
-
-networks:
-  net:
diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml
@@ -0,0 +1,16 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    - name: wazuh.indexer
+      ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    - name: wazuh.manager
+      ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    - name: wazuh.dashboard
+      ip: wazuh.dashboard
