This repository has been archived by the owner on Jul 26, 2023. It is now read-only.

Merge pull request #82 from wazuh/feature-unattended-installation
Customize feature unattended all-in-one and distributed installation
Sergio García Prados authored Mar 5, 2021
2 parents 2743073 + 87fd766 commit 0b93353
Showing 12 changed files with 1,268 additions and 0 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,10 @@
# Change Log
All notable changes to this project will be documented in this file.

## [v4.1.1]

### Added

- All-in-one and distributred unattended installation ([@sergiogp98](https://github.com/sergiogp98)) [PR#82](https://github.com/wazuh/wazuh-cloudformation/pull/82)
- Update to [Wazuh v4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)

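Review bot: typo in the first "Added" entry: "distributred" should read "distributed". The second entry, "Update to Wazuh v4.1.1", describes what the templates install rather than a change to this repository; since the only version-related change in this PR is the WazuhVersion parameter default in the new templates, phrase it that way (for example "Default WazuhVersion set to v4.1.1") so the changelog stays traceable to the diff.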
39 changes: 39 additions & 0 deletions README.md
Expand Up @@ -27,3 +27,42 @@ This repository contains CloudFormation templates and provision scripts to deplo
* Kibana server seats behind an internet facing load balancer, that optionally loads an SSL Certificate for HTTPS
* A Splunk Indexer instance with a Splunk app for Wazuh installed on it.
* Six Wazuh agents installed on different operating systems: Red Hat 7, CentOS 7, Ubuntu, Debian, Amazon Linux and Windows.

## Unattendend all-in-one

* Install scipt following [Wazuh unattended all-in-one installation](https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html)
* Resources:
- WazuhAIO: EC2 instance
- SecurityGroup: EC2 Security Group. It enables the following ports:
- 443 ( HTTPS) -> 0.0.0.0
- 22 (SSH) -> 0.0.0.0

## Unattended distributed
* Install scipt following [Wazuh unattended distributed installation](https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/unattended/index.html)
* Reosurces:
- WazuhVPC: EC2 VPC
- SubnetWazuh: EC2 Subnet over WazuhVPC
- SubnetElasticsearch: EC2 Subnet over WazuhVPC
- InternetGateway: EC2 InternetGateway between WazuhVPC and public network
- GatewayToInternet: EC2 VPCGatewayAttachment attached to WazuhVPC
- PublicRouteTable: EC2 RouteTable for WazuhVPC
- PublicRoute: EC2 Route of PublicRouteTable with a specific destination CIDR
- SubnetWazuhPublicRouteTable: EC2 SubnetRouteTableAssociation attached to SubnetWazuh
- SubnetElasticPublicRouteTable: EC2 SubnetRouteTableAssociation attached to SubnetElasticsearch
- WazuhSecurityGroup: EC2 SecurityGroup over WazuhVPC. It enables the following ports and protocols:
- 22 (SSH) -> 0.0.0.0
- ICMP -> 0.0.0.0
- 1514-1516 (Wazuh manager) -> WazuhVPC
- 55000 (Wazuh API) -> WazuhVPC
- ElasticSecurityGroup: EC2 SecurityGroup over WazuhVPC. It enables the following ports and protocols:
- 22 (SSH) -> 0.0.0.0
- ICMP -> 0.0.0.0
- 443 (HTTPS) -> 0.0.0.0
- 9200-9400 (Wazuh manager) -> WazuhVPC
- 5000 (wazuh manager) -> WazuhVPC
- Elastic1: EC2 Instance Elasticsearch initial node (with Kibana)
- Elastic2: EC2 Instance Elasticsearch node
- Elastic3: EC2 Instance Elasticsearch node
- WazuhMaster: EC2 Instance Wazuh master node
- WazuhWorker: EC2 Instance Wazuh worker node

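Review bot: the security-group summary for the all-in-one stack disagrees with the template added in this same PR: the README lists "22 (SSH) -> 0.0.0.0", but the template opens port 22 only to the SSHLocation parameter (whose default is 0.0.0.0/0), so the README should say "22 (SSH) -> SSHLocation (default 0.0.0.0/0)", and every "0.0.0.0" here should be written as the CIDR 0.0.0.0/0. In the ElasticSecurityGroup list, "9200-9400 (Wazuh manager)" is mislabelled: 9200-9400 is the Elasticsearch HTTP/transport range, and the "5000 (wazuh manager)" line needs an accurate label as well; the distributed template is not rendered on this page, so please check both against it. Spelling: "Unattendend", "scipt" (twice), "Reosurces".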
13 changes: 13 additions & 0 deletions all-in-one/README.md
@@ -0,0 +1,13 @@
# Wazuh for Amazon AWS Cloudformation

[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Web](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)

The all-in-one environment has the following structure:

* One EC2 instance where all components will be installed on
* Follow the [all-in-one unattended](https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html) installation method
* Components: Elasticsearch node, Wazuh server set to one master node and a Kibana
node
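Review bot: the last bullet is hard-wrapped in the middle of a sentence ("a Kibana" / "node"); join it onto one line. "One EC2 instance where all components will be installed on" has a dangling "on"; "One EC2 instance on which all components are installed" reads cleanly. It would also help to state here that the instance exposes 443 and 22 only, matching the top-level README.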
123 changes: 123 additions & 0 deletions all-in-one/unattended/template.yml
@@ -0,0 +1,123 @@
AWSTemplateFormatVersion: 2010-09-09
Description: Provides an unattended all-in-one Wazuh installation
Parameters:
InstanceType:
AllowedValues:
- t2.small
- t2.medium
- t2.large
- t2.xlarge
ConstraintDescription: must be a valid EC2 instance type.
Default: t2.large
Description: EC2 instance type
Type: String
KeyName:
ConstraintDescription: Can contain only ASCII characters.
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
SSHLocation:
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x
Default: 0.0.0.0/0
Description: The IP address range that can be used to SSH to the EC2 instances
MaxLength: '18'
MinLength: '9'
Type: String
WazuhVersion:
AllowedValues:
- "v4.0.1"
- "v4.0.2"
- "v4.0.3"
- "v4.0.4"
- "v4.1.0"
- "v4.1.1"
Description: Wazuh version
Default: "v4.1.1"
Type: String
LogFile:
Description: Log file path to keep track of actions
Type: String
Default: /var/log/wazuh-cloudformation.log
Mappings:
AWSInstanceType2Arch:
t2.large:
Arch: HVM64
t2.medium:
Arch: HVM64
t2.micro:
Arch: HVM64
t2.xlarge:
Arch: HVM64
t2.small:
Arch: HVM64

AWSRegionArch2AMI:
us-east-1:
HVM64: ami-0c6b1d09930fac512
HVMCENTOS7: ami-02eac2c0129f6376b
HVMUBUNTU64: ami-024a64a6685d05041
HVMREDHAT7: ami-6871a115
HVMDEBIAN: ami-0357081a1383dc76b
HVMWINDOWS: ami-0a9ca0496f746e6e0
us-east-2:
HVM64: ami-0ebbf2179e615c338
HVMCENTOS7: ami-0f2b4fc905b0bd1f1
HVMUBUNTU64: ami-097ebb39620d8d54b
HVMREDHAT7: ami-03291866
HVMDEBIAN: ami-09c10a66337c79669
HVMWINDOWS: ami-0087a83ed4a60d1e9
us-west-1:
HVM64: ami-015954d5e5548d13b
HVMUBUNTU64: ami-040dfc3ebf1bfc4f6
HVMCENTOS7: ami-074e2d6769f445be5
HVMREDHAT7: ami-18726478
HVMDEBIAN: ami-0adbaf2e0ce044437
HVMWINDOWS: ami-05bf35c67c02cd868
us-west-2:
HVM64: ami-0cb72367e98845d43
HVMUBUNTU64: ami-0196ce5c34425a906
HVMCENTOS7: ami-01ed306a12b7d1c96
HVMREDHAT7: ami-28e07e50
HVMDEBIAN: ami-05a3ef6744aa96514
HVMWINDOWS: ami-04ad37d2932b886c0

Resources:
WazuhAIO:
Properties:
ImageId:
Fn::FindInMap:
- AWSRegionArch2AMI
- Ref: AWS::Region
- Fn::FindInMap:
- AWSInstanceType2Arch
- Ref: InstanceType
- Arch
InstanceType:
Ref: InstanceType
KeyName:
Ref: KeyName
SecurityGroups:
- Ref: SecurityGroup
UserData:
Fn::Base64: !Sub |
#!/bin/bash
echo "Downloading script..." > ${LogFile}
curl -so ~/all-in-one-installation.sh https://raw.githubusercontent.com/wazuh/wazuh-documentation/${WazuhVersion}/resources/open-distro/unattended-installation/all-in-one-installation.sh
echo "Installing script..." > ${LogFile}
bash ~/all-in-one-installation.sh > ${LogFile}
Type: AWS::EC2::Instance

SecurityGroup:
Properties:
GroupDescription: Enable HTTPS access via port 443
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: '443'
IpProtocol: tcp
ToPort: '443'
- CidrIp:
Ref: SSHLocation
FromPort: '22'
IpProtocol: tcp
ToPort: '22'
Type: AWS::EC2::SecurityGroup
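Review bot: in the WazuhAIO UserData, `curl -so ...` runs silently and without `-f`, so a failed download (an HTTP error for a WazuhVersion tag under which that raw path does not exist, or a transient network failure) leaves an HTML error body or an empty file that the next line then runs with bash, and the log never says why the install did nothing; use `curl -fsSL ... || { echo "download failed" >> ${LogFile}; exit 1; }`. All three redirects use `>`, so each line truncates what the previous one wrote and the installer's stderr is dropped entirely; use `>> ${LogFile} 2>&1` on each. Smaller points: AWSInstanceType2Arch lists t2.micro although InstanceType's AllowedValues does not, and the HVMCENTOS7, HVMUBUNTU64, HVMREDHAT7, HVMDEBIAN and HVMWINDOWS AMI keys are never referenced by this template, so either drop them or comment that the mapping is shared with the other templates. The SecurityGroup opens 443 to 0.0.0.0/0 with no parameter equivalent to SSHLocation, and its GroupDescription mentions only HTTPS although the group also opens 22; given that the distributed scripts in this PR report the web UI credentials as admin:admin, an HTTPSLocation-style parameter (defaulting to 0.0.0.0/0 if you must keep current behaviour) is worth adding here.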
14 changes: 14 additions & 0 deletions distributed/README.MD
@@ -0,0 +1,14 @@
# Wazuh for Amazon AWS Cloudformation

[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
[![Web](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)

The distributed environment has the following structure:

* A VPC with two subnets, one for Wazuh servers, and another for Elastic Stack
* Wazuh managers cluster with two nodes, a master and a worker
* Elasticsearch cluster with 3 data nodes
* Kibana nodes installed among Elasticsearch initial node
* Follow the [distributed unattended](https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/unattended/index.html) installation method
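Review bot: "Kibana nodes installed among Elasticsearch initial node" is inconsistent with the top-level README in this PR, which places a single Kibana on Elastic1; suggest "Kibana installed on the initial Elasticsearch node (Elastic1)". The list also does not say which of the two subnets each instance lands in, although the top-level README names SubnetWazuh and SubnetElasticsearch; one line mapping WazuhMaster/WazuhWorker and Elastic1-3 to their subnets would make the security-group rules that reference WazuhVPC easier to reason about.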
20 changes: 20 additions & 0 deletions distributed/unattended/scripts/check_certs.sh
@@ -0,0 +1,20 @@
#!/bin/bash

CERTS_FILE={{src}}/certs.tar
find=0
while [ $find -eq 0 ]
do
if [[ -f "{{dst}}/certs.tar" ]]
then
find=1
echo "Cert files already in /root"
elif [[ -f "$CERTS_FILE" ]]
then
find=1
echo "Cert files found. Moving them to {{dst}}..."
mv $CERTS_FILE {{dst}}
else
echo "Cert files not found. Sleeping 60 seconds..."
sleep 60
fi
done
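Review bot: the loop has no exit condition other than success, so if certs.tar never arrives the instance sits in this script forever and the CloudFormation stack has nothing to report; add a retry limit and exit non-zero so the failure surfaces. `mv $CERTS_FILE {{dst}}` should be quoted and guarded against option-like names (`mv -- "$CERTS_FILE" "{{dst}}/"`), and the "Cert files already in /root" message hardcodes a path that is actually rendered from {{dst}}. Since the tarball carries the nodes' private keys along with their certificates, tighten permissions on the moved file (`chmod 600`) rather than relying on whatever mode it arrived with. Finally, `{{src}}` and `{{dst}}` are substituted by something outside this file that is not shown on this page; a comment naming the renderer would help the next reader.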
21 changes: 21 additions & 0 deletions distributed/unattended/scripts/check_ports.sh
@@ -0,0 +1,21 @@
#!/bin/bash

USER=$1
IP=$2
PORT=$3

open=0
while [ $open -eq 0 ]
do
ssh -i ~/.ssh/ssh.key $USER@$IP "sudo netstat -tulnp" | grep $PORT &> /dev/null
if [[ $? -eq 0 ]] # Open
then
open=1
echo "Port $PORT open in $IP"
else # Close
echo "Port $PORT close in $IP. Sleeping 60 seconds..."
sleep 60
fi
done


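Review bot: `grep $PORT` on the netstat output is an unanchored substring match, so waiting for 9200 is satisfied by a listener on 19200 or 9200x, or by a PID containing "9200" in the `-p` column, and the script declares the port open before the service is up; anchor the match (for example `grep -E "[:.]$PORT[[:space:]]"`) or use `ss -ltn "sport = :$PORT"` and test its exit status. A first ssh to a freshly launched instance will stop at the host-key prompt, which without a tty fails, so the loop logs "close" every 60 seconds indefinitely; either pre-seed known_hosts from the instance console output or pass `-o StrictHostKeyChecking=accept-new` (and say in a comment that this is trust-on-first-use). Also: no retry limit, `USER` shadows the shell's own USER variable (use a different name), and "close" should read "closed".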
15 changes: 15 additions & 0 deletions distributed/unattended/scripts/initialize_kibana.sh
@@ -0,0 +1,15 @@
#!/bin/bash

echo "Linking 443 port to Kibana socket..."
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
echo "Starting kibana service..."
systemctl daemon-reload
systemctl enable kibana.service
systemctl restart kibana.service
echo "Initializing Kibana (this may take a while)"
until [[ "$(curl -XGET https://{{kibana_ip}}/status -I -uadmin:admin -k -s --max-time 300 | grep "200 OK")" ]]; do
sleep 10
done
conf="$(awk '{sub("url: https://localhost", "url: https://{{wazuh_master_ip}}")}1' /usr/share/kibana/data/wazuh/config/wazuh.yml)"
echo "${conf}" > /usr/share/kibana/data/wazuh/config/wazuh.yml
echo "You can access the web interface https://{{kibana_ip}}. The credentials are admin:admin"
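Review bot: the last line leaves the Open Distro default credentials admin:admin in place and prints them to whatever captures this script's output, on a host whose 443 is open to 0.0.0.0/0 according to the README in this PR; the script should change the admin password as part of initialization (or at minimum not echo the credentials), and the README should say the password must be rotated. The readiness check greps the status line for the literal "200 OK", which breaks if curl negotiates HTTP/2 (the status line is then "HTTP/2 200" with no reason phrase); compare `curl -s -o /dev/null -w '%{http_code}' ...` against 200 instead. The `-k` is acceptable for the self-signed bootstrap certificate but deserves a comment saying so. The awk replacement only matches the exact string "url: https://localhost" and silently changes nothing if the shipped wazuh.yml differs in spacing or host; verify the replacement (for instance by grepping for {{wazuh_master_ip}} afterwards) before reporting success.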
6 changes: 6 additions & 0 deletions distributed/unattended/scripts/update_ossec_conf.sh
@@ -0,0 +1,6 @@
#!/bin/bash

logger -s "Updating {{ossec_conf}}..." 2>> {{log_file}}
cat ~/cluster.conf | logger -s 2>> {{log_file}}
sed -i '/<cluster>/,/<\/cluster>/d' {{ossec_conf}}
cat ~/cluster.conf >> {{ossec_conf}}
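Review bot: `cat ~/cluster.conf | logger -s 2>> {{log_file}}` writes the whole cluster block, including the shared `<key>` that authenticates cluster nodes, to syslog and to {{log_file}}; log that the file is being applied, not its contents. The sed removes the existing `<cluster>...</cluster>` block and the append then places cluster.conf after the final `</ossec_config>`, which Wazuh only accepts if cluster.conf is itself wrapped in its own `<ossec_config>` element (the manager allows several top-level ossec_config blocks); either document that requirement or insert the block before the closing tag. Take a backup before editing in place (`sed -i.bak`) and check the manager's ossec.log for configuration errors after the restart, otherwise a malformed append only shows up when the cluster fails to form.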