From d5dc67e9c37897c923b660596cbd1a510ed9d24a Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 28 Sep 2023 10:37:08 -0300
Subject: [PATCH 1/7] Fixing Wazuh indexer files permissions
---
 build-docker-images/wazuh-indexer/config/config.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index adfae164..97fbac85 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@@ -135,4 +135,10 @@ sed '/-Xms/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 sed '/-Xmx/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
-chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*
\ No newline at end of file
+chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*
+
+find ${TARGET_DIR} -type d -exec chmod 750 {} \;
+find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
+find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
+find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
+find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
\ No newline at end of file
From d9b053caf46bdc538c7ab6360a897ed97c146c19 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 28 Sep 2023 12:48:38 -0300
Subject: [PATCH 2/7] Testing with another dir for opensearch security policy
---
 build-docker-images/wazuh-indexer/config/config.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 97fbac85..24149002 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
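Review bot: In PATCH 1/7's config.sh hunk, the new `find ${TARGET_DIR} -type d -exec chmod 750 {} \;` runs after `chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs`, so the certs directory, which sits under `${TARGET_DIR}`, ends up 750 and the group gets read and traverse access to the directory holding the private keys. Moving the two certs `chmod` lines below the `find` block keeps 500/400 as the final state. The `-perm 644`/`664`/`755`/`744` tests match exact modes only, so a file with any other mode that carries world bits is left as it is; `find "${TARGET_DIR}" -type f -perm /007 -exec chmod o-rwx {} +` would cover every case in one pass. The expansions are also unquoted, which matters if `TARGET_DIR` is ever empty or contains spaces.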
@@ -133,6 +133,8 @@ cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-
 # Delete xms and xmx parameters in jvm.options
 sed '/-Xms/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 sed '/-Xmx/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
+sed -i '|-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy|-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy|' ${TARGET_DIR}${CONFIG_DIR}/jvm.options
+
 chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
 chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*
From 8fa20abbbd8c717d4ceadeda6fc089ac3160b090 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Thu, 28 Sep 2023 14:29:53 -0300
Subject: [PATCH 3/7] Fixed sed command
---
 build-docker-images/wazuh-indexer/config/config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 24149002..00540eef 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@@ -133,7 +133,7 @@ cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-
 # Delete xms and xmx parameters in jvm.options
 sed '/-Xms/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 sed '/-Xmx/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
-sed -i '|-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy|-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy|' ${TARGET_DIR}${CONFIG_DIR}/jvm.options
+sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
From 23d34f6a8988099887a02f76c881133bf290feb4 Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Mon, 2 Oct 2023 08:27:49 -0300
Subject: [PATCH 4/7] Fixed OpenSearch security plugin warnings
---
 build-docker-images/wazuh-indexer/config/config.sh | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 00540eef..7d9dc129 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
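Review bot: In PATCH 3/7's config.sh hunk, the rewritten `sed -i 's/…/…/g'` exits successfully whether or not jvm.options contains the `/etc/wazuh-indexer/...` policy path, so if that line is ever missing or spelled differently the JVM keeps its old `-Djava.security.policy` value and the build gives no signal. A check right after it, such as `grep -qF 'file:///usr/share/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy' "${TARGET_DIR}${CONFIG_DIR}/jvm.options" || exit 1`, would make a missed substitution visible. Using `|` as the `s` delimiter would remove the `\/` escapes and make the two paths readable. The hunk does not show whether the policy file exists at the new location or who may write to it; because that file grants permissions to the JVM, it is worth confirming it is not writable by the service account.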
@@ -143,4 +143,14 @@ find ${TARGET_DIR} -type d -exec chmod 750 {} \;
 find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
 find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
 find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
-find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
\ No newline at end of file
+find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
+
+chmod -R 0700 ${TARGET_DIR}/.cache
+chmod 0700 ${TARGET_DIR}/extensions
+chmod 0700 ${TARGET_DIR}/logs
+chmod 0600 ${TARGET_DIR}/opensearch.yml
+find ${TARGET_DIR}/bin -type f -exec chmod 0600 {} \;
+find ${TARGET_DIR}/jdk/bin -type f -exec chmod 0600 {} \;
+chmod 0600 ${TARGET_DIR}/opensearch-security/internal_users.yml
+find ${TARGET_DIR}/performance-analyzer-rca/bin -type f -exec chmod 0600 {} \;
+chmod 0600 ${TARGET_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh
From 905b4de859b01ee7ef557e0143d7f4b53a3524cc Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Mon, 2 Oct 2023 08:49:17 -0300
Subject: [PATCH 5/7] Testing change permissions in entrypoint
---
 build-docker-images/wazuh-indexer/config/config.sh | 10 ----------
 .../wazuh-indexer/config/entrypoint.sh | 14 ++++++++++++++
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 7d9dc129..30f5d1f2 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
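Review bot: In PATCH 4/7's config.sh hunk, `find ${TARGET_DIR}/bin -type f -exec chmod 0600 {} \;` and the matching lines for `jdk/bin`, `performance-analyzer-rca/bin` and `wazuh-certs-tool.sh` clear the execute bit, so the launch scripts and the bundled JDK binaries could no longer be run directly; if owner-only access is the goal these should be `0700`. The new paths are rooted at `${TARGET_DIR}` alone, while the other lines of config.sh shown in this series use `${TARGET_DIR}${CONFIG_DIR}/...`, so `${TARGET_DIR}/opensearch.yml` and `${TARGET_DIR}/.cache` presumably do not exist at build time and those `chmod` calls would fail; worth confirming against the image layout. The same block is moved to entrypoint.sh in PATCH 5/7 and carries the same modes there.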
@@ -144,13 +144,3 @@ find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
 find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
 find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
 find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
-
-chmod -R 0700 ${TARGET_DIR}/.cache
-chmod 0700 ${TARGET_DIR}/extensions
-chmod 0700 ${TARGET_DIR}/logs
-chmod 0600 ${TARGET_DIR}/opensearch.yml
-find ${TARGET_DIR}/bin -type f -exec chmod 0600 {} \;
-find ${TARGET_DIR}/jdk/bin -type f -exec chmod 0600 {} \;
-chmod 0600 ${TARGET_DIR}/opensearch-security/internal_users.yml
-find ${TARGET_DIR}/performance-analyzer-rca/bin -type f -exec chmod 0600 {} \;
-chmod 0600 ${TARGET_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh
diff --git a/build-docker-images/wazuh-indexer/config/entrypoint.sh b/build-docker-images/wazuh-indexer/config/entrypoint.sh
index 2acb4aa0..e4ff811e 100644
--- a/build-docker-images/wazuh-indexer/config/entrypoint.sh
+++ b/build-docker-images/wazuh-indexer/config/entrypoint.sh
@@ -13,6 +13,20 @@ export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filep
 export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
 export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
+
+# Fix OpenSearch security plugin permissions
+
+chmod -R 0700 ${TARGET_DIR}/.cache
+chmod 0700 ${TARGET_DIR}/extensions
+chmod 0700 ${TARGET_DIR}/logs
+chmod 0600 ${TARGET_DIR}/opensearch.yml
+find ${TARGET_DIR}/bin -type f -exec chmod 0600 {} \;
+find ${TARGET_DIR}/jdk/bin -type f -exec chmod 0600 {} \;
+chmod 0600 ${TARGET_DIR}/opensearch-security/internal_users.yml
+find ${TARGET_DIR}/performance-analyzer-rca/bin -type f -exec chmod 0600 {} \;
+chmod 0600 ${TARGET_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh
+
+
 run_as_other_user_if_needed() {
 if [[ "$(id -u)" == "0" ]]; then
 # If running as root, drop to specified UID and run command
From c3c8ea3d0235996b5b3c05bf5a0c77d0fadd02e4 Mon Sep 17 00:00:00 2001
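Review bot: In PATCH 5/7's entrypoint.sh hunk, every added path depends on `${TARGET_DIR}`, which the visible part of entrypoint.sh never sets (it works from `OPENSEARCH_PATH_CONF`); if the variable is empty at container start, the unquoted paths collapse to `/bin`, `/logs` and `/.cache`, and `find /bin -type f -exec chmod 0600 {} \;` executed as root would remove the execute bit from system binaries. Guard the expansion, for example `find "${TARGET_DIR:?}/bin" -type f -exec chmod 0700 {} +`, or build the paths from a variable the entrypoint actually defines. The block sits above `run_as_other_user_if_needed`, so it runs on every start, and when the container is not started as root the `chmod` calls may simply fail; setting the modes at image build time avoids both cases. The rest of the script lies outside the hunk.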
From: c-bordon
Date: Tue, 3 Oct 2023 12:20:17 -0300
Subject: [PATCH 6/7] Changing files permissions
---
 build-docker-images/wazuh-indexer/config/config.sh | 7 +++++++
 .../wazuh-indexer/config/entrypoint.sh | 14 --------------
 2 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 30f5d1f2..4d51efc3 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@@ -144,3 +144,10 @@ find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
 find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
 find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
 find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
+
+
+# Fix OpenSearch security plugin permissions
+chown ${USER}:${GROUP} ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/internal_users.yml
+chown ${USER}:${GROUP} ${TARGET_DIR}${CONFIG_DIR}/opensearch.yml
+chmod 0600 ${TARGET_DIR}${CONFIG_DIR}/opensearch.yml
+chmod 0600 ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/internal_users.yml
\ No newline at end of file
diff --git a/build-docker-images/wazuh-indexer/config/entrypoint.sh b/build-docker-images/wazuh-indexer/config/entrypoint.sh
index e4ff811e..2acb4aa0 100644
--- a/build-docker-images/wazuh-indexer/config/entrypoint.sh
+++ b/build-docker-images/wazuh-indexer/config/entrypoint.sh
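Review bot: In PATCH 6/7's config.sh hunk, `chown ${USER}:${GROUP}` relies on two variables whose assignments are outside the hunk, and `USER` is also the conventional environment variable for the invoking account; unless config.sh sets both itself, the files could end up owned by the build user, and with both empty GNU `chown :` changes nothing and reports no error. Writing `chown "${USER:?}:${GROUP:?}" ...` makes a missing value stop the build. A one-line comment saying why `opensearch.yml` and `internal_users.yml` are 0600 rather than the 640 produced by the `find` pass above would help the next reader.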
@@ -13,20 +13,6 @@ export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filep
 export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
 export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
-
-# Fix OpenSearch security plugin permissions
-
-chmod -R 0700 ${TARGET_DIR}/.cache
-chmod 0700 ${TARGET_DIR}/extensions
-chmod 0700 ${TARGET_DIR}/logs
-chmod 0600 ${TARGET_DIR}/opensearch.yml
-find ${TARGET_DIR}/bin -type f -exec chmod 0600 {} \;
-find ${TARGET_DIR}/jdk/bin -type f -exec chmod 0600 {} \;
-chmod 0600 ${TARGET_DIR}/opensearch-security/internal_users.yml
-find ${TARGET_DIR}/performance-analyzer-rca/bin -type f -exec chmod 0600 {} \;
-chmod 0600 ${TARGET_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh
-
-
 run_as_other_user_if_needed() {
 if [[ "$(id -u)" == "0" ]]; then
 # If running as root, drop to specified UID and run command
From a2ee29bfd33824826c455007c5cd16187da5c89c Mon Sep 17 00:00:00 2001
From: c-bordon
Date: Wed, 4 Oct 2023 09:36:08 -0300
Subject: [PATCH 7/7] Updated file permissions to have the same permissions as in package installation in Wazuh indexer
---
 build-docker-images/wazuh-indexer/config/config.sh | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh
index 4d51efc3..30f5d1f2 100644
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@@ -144,10 +144,3 @@ find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
 find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
 find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
 find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;
-
-
-# Fix OpenSearch security plugin permissions
-chown ${USER}:${GROUP} ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/internal_users.yml
-chown ${USER}:${GROUP} ${TARGET_DIR}${CONFIG_DIR}/opensearch.yml
-chmod 0600 ${TARGET_DIR}${CONFIG_DIR}/opensearch.yml
-chmod 0600 ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/internal_users.yml
\ No newline at end of file