From 60a8c777341388db78ba93e2243cda10f71b4f0d Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Wed, 12 Feb 2020 03:51:26 -0500 Subject: [PATCH] fixing helk-logstash permissions bug https://github.com/hunters-forge/Blacksmith/issues/4 https://github.com/Cyb3rWard0g/HELK/issues/430 https://github.com/Cyb3rWard0g/HELK/issues/423 --- docker/helk-kibana-analysis-alert-basic.yml | 3 +-- docker/helk-kibana-analysis-alert-trial.yml | 3 +-- docker/helk-kibana-analysis-basic.yml | 3 +-- docker/helk-kibana-analysis-trial.yml | 3 +-- ...k-kibana-notebook-analysis-alert-basic.yml | 3 +-- ...k-kibana-notebook-analysis-alert-trial.yml | 3 +-- .../helk-kibana-notebook-analysis-basic.yml | 3 +-- .../helk-kibana-notebook-analysis-trial.yml | 3 +-- docker/helk-logstash/Dockerfile | 19 ++++++++----------- 9 files changed, 16 insertions(+), 27 deletions(-) diff --git a/docker/helk-kibana-analysis-alert-basic.yml b/docker/helk-kibana-analysis-alert-basic.yml index 81e7663..fedf975 100644 --- a/docker/helk-kibana-analysis-alert-basic.yml +++ b/docker/helk-kibana-analysis-alert-basic.yml @@ -34,7 +34,7 @@ services: networks: helk: helk-logstash: - image: otrf/helk-logstash:7.5.2.1 + image: otrf/helk-logstash:7.5.2.2 container_name: helk-logstash logging: driver: "json-file" @@ -46,7 +46,6 @@ services: - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline - ./helk-logstash/output_templates:/usr/share/logstash/output_templates - ./helk-logstash/plugins:/usr/share/logstash/plugins - - ./helk-logstash/config:/usr/share/logstash/config - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti - ./helk-logstash/scripts:/usr/share/logstash/scripts entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh diff --git a/docker/helk-kibana-analysis-alert-trial.yml b/docker/helk-kibana-analysis-alert-trial.yml index 0815c53..203f771 100644 --- a/docker/helk-kibana-analysis-alert-trial.yml +++ b/docker/helk-kibana-analysis-alert-trial.yml 
@@ -35,7 +35,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -47,7 +47,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-analysis-basic.yml b/docker/helk-kibana-analysis-basic.yml
index aae6829..d015689 100644
--- a/docker/helk-kibana-analysis-basic.yml
+++ b/docker/helk-kibana-analysis-basic.yml
@@ -34,7 +34,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -46,7 +46,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-analysis-trial.yml b/docker/helk-kibana-analysis-trial.yml
index 6d38223..0945783 100644
--- a/docker/helk-kibana-analysis-trial.yml
+++ b/docker/helk-kibana-analysis-trial.yml
@@ -35,7 +35,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -47,7 +47,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-notebook-analysis-alert-basic.yml b/docker/helk-kibana-notebook-analysis-alert-basic.yml
index 05d4694..1f62d4e 100644
--- a/docker/helk-kibana-notebook-analysis-alert-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-basic.yml
@@ -34,7 +34,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -46,7 +46,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-notebook-analysis-alert-trial.yml b/docker/helk-kibana-notebook-analysis-alert-trial.yml
index a867394..52bdccb 100644
--- a/docker/helk-kibana-notebook-analysis-alert-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-alert-trial.yml
@@ -35,7 +35,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -47,7 +47,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-notebook-analysis-basic.yml b/docker/helk-kibana-notebook-analysis-basic.yml
index cdab0bb..b611f64 100644
--- a/docker/helk-kibana-notebook-analysis-basic.yml
+++ b/docker/helk-kibana-notebook-analysis-basic.yml
@@ -34,7 +34,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -46,7 +46,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-kibana-notebook-analysis-trial.yml b/docker/helk-kibana-notebook-analysis-trial.yml
index 3dd670c..e5c3493 100644
--- a/docker/helk-kibana-notebook-analysis-trial.yml
+++ b/docker/helk-kibana-notebook-analysis-trial.yml
@@ -35,7 +35,7 @@ services:
 networks:
 helk:
 helk-logstash:
- image: otrf/helk-logstash:7.5.2.1
+ image: otrf/helk-logstash:7.5.2.2
 container_name: helk-logstash
 logging:
 driver: "json-file"
@@ -47,7 +47,6 @@ services:
 - ./helk-logstash/mordor_pipeline:/usr/share/logstash/mordor_pipeline
 - ./helk-logstash/output_templates:/usr/share/logstash/output_templates
 - ./helk-logstash/plugins:/usr/share/logstash/plugins
- - ./helk-logstash/config:/usr/share/logstash/config
 - ./helk-logstash/enrichments/cti:/usr/share/logstash/cti
 - ./helk-logstash/scripts:/usr/share/logstash/scripts
 entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
diff --git a/docker/helk-logstash/Dockerfile b/docker/helk-logstash/Dockerfile
index ed8c38c..6a8dc5d 100644
--- a/docker/helk-logstash/Dockerfile
+++ b/docker/helk-logstash/Dockerfile
@@ -10,21 +10,18 @@ FROM docker.elastic.co/logstash/logstash:7.5.2 LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g" LABEL description="Dockerfile base for the HELK Logstash." -RUN mv /usr/share/logstash/config/logstash.yml /usr/share/logstash/config/logstash.yml.bak -RUN mv /usr/share/logstash/config/pipelines.yml /usr/share/logstash/config/pipelines.yml.bak -COPY --chown=logstash:logstash config/logstash.yml /usr/share/logstash/config/logstash.yml -COPY --chown=logstash:logstash config/pipelines.yml /usr/share/logstash/config/pipelines.yml -RUN rm -f /usr/share/logstash/pipeline/logstash.conf +COPY --chown=logstash:logstash config /usr/share/logstash/config # Build with plugins baked in ENV plugins_time_file="/usr/share/logstash/helk-plugins-updated-timestamp.txt" RUN printf "%s" "$(date +"%Y-%m-%d %T")" > "${plugins_time_file}" RUN chown logstash:logstash "${plugins_time_file}" -#RUN echo"$(date +"%Y-%m-%d %T")" > "${plugins_time_file}" + COPY --chown=logstash:logstash plugins/helk-offline-logstash-codec_and_filter_plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip COPY --chown=logstash:logstash plugins/helk-offline-logstash-input_and_output-plugins.zip /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip -RUN logstash-plugin update -RUN logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip -RUN logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip -RUN rm /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip -RUN rm /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip \ No newline at end of file +RUN logstash-plugin update \ + && logstash-plugin install file:///usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip \ + && logstash-plugin install 
file:///usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip \
+ && rm /usr/share/logstash/plugins/helk-offline-logstash-codec_and_filter_plugins.zip \
+ && rm /usr/share/logstash/plugins/helk-offline-logstash-input_and_output-plugins.zip \
+ && rm -f /usr/share/logstash/pipeline/logstash.conf
\ No newline at end of file
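Review bot: The chained `RUN logstash-plugin update \` that opens the final RUN step still fetches whatever plugin versions the gem source serves at build time, so two builds of the `7.5.2.2` tag can ship different plugin code and the offline zips installed immediately after it are layered on top of an unpinned baseline. If the offline bundles are meant to be the source of truth, dropping the `update` step (or pinning the plugins it touches) makes the image reproducible; if the network update is intentional, the Dockerfile should say so, e.g. `# logstash-plugin update pulls current plugin gems at build time; the offline zips below are applied on top`. The new `COPY --chown=logstash:logstash config /usr/share/logstash/config` also bakes the whole config directory into an image layer while the compose files in this commit stop bind-mounting it, so anything sensitive kept under `config/` (a keystore, credentials in logstash.yml) would now live inside the published image — worth confirming nothing like that is there. The two plugin zips are installed with no integrity check; since they come from the build context this may be acceptable, but a `sha256sum -c` step before `logstash-plugin install` would catch a tampered bundle.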