wazuh · AlexRuiz7 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+4.9.0
diff --git a/distribution/src/bin/indexer-init.sh b/distribution/src/bin/indexer-init.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+# Wazuh Copyright (C) 2023 Wazuh Inc. (License GPLv2)
+# Wazuh - indexer initialization script
+
+INSTALL_PATH="/usr/share/wazuh-indexer"
+BIN_PATH="${INSTALL_PATH}/bin"
+
+
+#########################################################################
+# Parse arguments for security init script.
+#########################################################################
+function parse_security_args() {
+    security_args=()
+
+    while [ -n "$1" ]; do
+        case "$1" in
+        "-h" | "--help")
+            security_args+=("${1}")
+            shift
+            ;;
+        "-ho" | "--host")
+            if [ -n "$2" ]; then
+                security_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "--port")
+            if [ -n "$2" ]; then
+                security_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "--options")
+            if [ -n "$2" ]; then
+                security_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        *)
+            shift
+            ;;
+        esac
+    done
+}
+
+
+#########################################################################
+# Run the security init script.
+#########################################################################
+function run_security_init() {
+    echo "Executing Wazuh indexer security init script..."
+    parse_security_args "$@"
+    /bin/bash "${BIN_PATH}/indexer-security-init.sh" "${security_args[@]}"
+}
+
+
+#########################################################################
+# Parse arguments for ISM init script.
+#########################################################################
+function parse_ism_args() {
+    ism_args=()
+
+    while [ -n "${1}" ]; do
+        case "${1}" in
+        "-a" | "--min-index-age")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-d" | "--min-doc-count")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-h" | "--help")
+            ism_args+=("${1}")
+            shift
+            ;;
+        "-i" | "--indexer-hostname")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-p" | "--indexer-password")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-s" | "--min-shard-size")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-P" | "--priority")
+            if [ -n "${2}" ]; then
+                ism_args+=("${1}" "${2}")
+                shift 2
+            fi
+            ;;
+        "-v" | "--verbose")
+            ism_args+=("${1}")
+            shift
+            ;;
+        *)
+            shift
+            ;;
+        esac
+    done
+}
+
+
+#########################################################################
+# Run the ISM init script.
+#########################################################################
+function run_ism_init() {
+    echo "Executing Wazuh indexer ISM init script..."
+    parse_ism_args "$@"
+    /bin/bash "${BIN_PATH}/indexer-ism-init.sh" "${ism_args[@]}";
+}
+
+
+#########################################################################
+# Main function.
+#########################################################################
+function main() {
+    # If run_security_init returns 0, then run_ism_init
+    if run_security_init "$@" -gt 0; then
+        run_ism_init "$@"
+    fi
+}
+
+
+main "$@"
diff --git a/scripts/indexer-ism-init.sh → distribution/src/bin/indexer-ism-init.sh b/scripts/indexer-ism-init.sh → distribution/src/bin/indexer-ism-init.sh
diff --git a/distribution/src/bin/indexer-security-init.sh b/distribution/src/bin/indexer-security-init.sh
@@ -0,0 +1,189 @@
+#!/bin/bash
+
+# Wazuh-indexer securityadmin wrapper
+# Copyright (C) 2022, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+CONFIG_PATH="/etc/wazuh-indexer"
+
+if [ ! -d "${CONFIG_PATH}" ]; then
+    echo "ERROR: it was not possible to find ${CONFIG_PATH}"
+    exit 1
+fi
+
+CONFIG_FILE="${CONFIG_PATH}/opensearch.yml"
+
+if [ ! -f "${CONFIG_FILE}" ]; then
+    echo "ERROR: it was not possible to find ${CONFIG_FILE}"
+    exit 1
+fi
+
+INSTALL_PATH="/usr/share/wazuh-indexer"
+
+if [ ! -d "${INSTALL_PATH}" ]; then
+        echo "ERROR: it was not possible to find ${INSTALL_PATH}"
+        exit 1
+fi
+
+HOST=""
+OPTIONS="-icl -nhnv"
+WAZUH_INDEXER_ROOT_CA="$(cat ${CONFIG_FILE} 2>&1 | grep http.pemtrustedcas | sed 's/.*: //' | tr -d "[\"\']")"
+WAZUH_INDEXER_ADMIN_PATH="$(dirname "${WAZUH_INDEXER_ROOT_CA}" 2>&1)"
+SECURITY_PATH="${INSTALL_PATH}/plugins/opensearch-security"
+SECURITY_CONFIG_PATH="${CONFIG_PATH}/opensearch-security"
+
+# -----------------------------------------------------------------------------
+
+trap ctrl_c INT
+
+clean(){
+
+    exit_code=$1
+    indexer_process_id=$(pgrep -f wazuh-indexer -c)
+    if [ "${indexer_process_id}" -gt 1 ]; then
+        pkill -n -f wazuh-indexer
+    fi
+    exit "${exit_code}"
+
+}
+
+ctrl_c() {
+    clean 1
+}
+
+# -----------------------------------------------------------------------------
+
+getNetworkHost() {
+
+    HOST=$(grep -hr "network.host:" "${CONFIG_FILE}" 2>&1)
+    NH="network.host: "
+    HOST="${HOST//$NH}"
+    HOST=$(echo "${HOST}" | tr -d "[\"\']")
+
+    isIP=$(echo "${HOST}" | grep -P "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
+    isDNS=$(echo "${HOST}" | grep -P "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$")
+
+    # Allow to find ip with an interface
+    if [ -z "${isIP}" ] && [ -z "${isDNS}" ]; then
+        interface="${HOST//_}"
+        HOST=$(ip -o -4 addr list "${interface}" | awk '{print $4}' | cut -d/ -f1) 
+    fi
+
+    if [ "${HOST}" = "0.0.0.0" ]; then
+        HOST="127.0.0.1"
+    fi
+
+    if [ -z "${HOST}" ]; then
+        echo "ERROR: network host not valid, check ${CONFIG_FILE}"
+        exit 1
+    fi
+
+}
+
+# -----------------------------------------------------------------------------
+getPort() {
+
+    PORT=$(grep -hr 'transport.tcp.port' "${CONFIG_FILE}" 2>&1)
+    if [ "${PORT}" ]; then
+        PORT=$(echo "${PORT}" | cut -d' ' -f2 | cut -d'-' -f1)
+    else
+        PORT="9200"
+    fi
+    PORT=$(echo "${PORT}" | tr -d "[\"\']")
+
+}
+# -----------------------------------------------------------------------------
+
+securityadmin() {
+
+    if [ ! -d "${SECURITY_PATH}" ]; then
+        echo "ERROR: it was not possible to find ${SECURITY_PATH}"
+        exit 1
+    elif [ ! -d "${INSTALL_PATH}/jdk" ]; then
+        echo "ERROR: it was not possible to find ${INSTALL_PATH}/jdk"
+        exit 1
+    fi
+
+    if [ -f "${WAZUH_INDEXER_ADMIN_PATH}/admin.pem" ] && [ -f "${WAZUH_INDEXER_ADMIN_PATH}/admin-key.pem" ] && [ -f "${WAZUH_INDEXER_ROOT_CA}" ]; then
+        OPENSEARCH_CONF_DIR="${CONFIG_PATH}" JAVA_HOME="${INSTALL_PATH}/jdk" runuser wazuh-indexer --shell="/bin/bash" --command="${SECURITY_PATH}/tools/securityadmin.sh -cd ${SECURITY_CONFIG_PATH} -cacert ${WAZUH_INDEXER_ROOT_CA} -cert ${WAZUH_INDEXER_ADMIN_PATH}/admin.pem -key ${WAZUH_INDEXER_ADMIN_PATH}/admin-key.pem -h ${HOST} -p ${PORT} ${OPTIONS}"
+    else
+        echo "ERROR: this tool try to find admin.pem and admin-key.pem in ${WAZUH_INDEXER_ADMIN_PATH} but it couldn't. In this case, you must run manually the Indexer security initializer by running the command: JAVA_HOME="/usr/share/wazuh-indexer/jdk" runuser wazuh-indexer --shell="/bin/bash" --command="/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/wazuh-indexer/opensearch-security -cacert /path/to/root-ca.pem -cert /path/to/admin.pem -key /path/to/admin-key.pem -h ${HOST} -p ${PORT} ${OPTIONS}" replacing /path/to/ by your certificates path."
+        exit 1
+    fi
+
+}
+
+help() {
+    echo
+    echo "Usage: $0 [OPTIONS]"
+    echo
+    echo "    -ho, --host <host>    [Optional] Target IP or DNS to configure security."
+    echo "    --port <port>         [Optional] wazuh-indexer security port."
+    echo "    --options <options>   [Optional] Custom securityadmin options."
+    echo "    -h, --help            Show this help."
+    echo
+    exit "$1"
+}
+
+
+main() {
+
+    getNetworkHost
+    getPort
+
+    while [ -n "$1" ]
+    do
+        case "$1" in
+        "-h"|"--help")
+            help 0
+            ;;
+        "-ho"|"--host")
+            if [ -n "$2" ]; then
+                HOST="$2"
+                HOST=$(echo "${HOST}" | tr -d "[\"\']")
+                isIP=$(echo "${2}" | grep -P "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
+                isDNS=$(echo "${2}" | grep -P "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$")
+                if [[ -z "${isIP}" ]] &&  [[ -z "${isDNS}" ]]; then
+                    echo "The given information does not match with an IP address or a DNS."
+                    exit 1
+                fi
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--port")
+            if [ -n "$2" ]; then
+                PORT="$2"
+                PORT=$(echo "${PORT}" | tr -d "[\"\']")
+                if [[ -z $(echo "${2}" | grep -P "^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$") ]]; then
+                    echo "The given information does not match with a valid PORT number."
+                    exit 1
+                fi
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        "--options")
+            if [ -n "$2" ]; then
+                OPTIONS="$2"
+                shift 2
+            else
+                help 1
+            fi
+            ;;
+        *)
+            help 1
+        esac
+    done
+
+    securityadmin
+
+}
+
+main "$@"
diff --git a/distribution/src/config/security/action_groups.yml b/distribution/src/config/security/action_groups.yml
@@ -0,0 +1,12 @@
+---
+_meta:
+  type: "actiongroups"
+  config_version: 2
+
+# ISM API permissions group
+manage_ism:
+  reserved: true
+  hidden: false
+  allowed_actions:
+  - "cluster:admin/opendistro/ism/*"
+  static: false
diff --git a/distribution/src/config/security/internal_users.yml b/distribution/src/config/security/internal_users.yml
@@ -53,4 +53,4 @@ snapshotrestore:
   reserved: false
   backend_roles:
   - "snapshotrestore"
-  description: "Demo snapshotrestore user"
+  description: "Demo snapshotrestore user"
diff --git a/distribution/src/config/security/roles.yml b/distribution/src/config/security/roles.yml
@@ -146,4 +146,12 @@ manage_wazuh_index:
     - "manage"
     - "index"
   tenant_permissions: []
-  static: false
+  static: false
+
+# ISM API permissions role
+manage_ism:
+  reserved: true
+  hidden: false
+  cluster_permissions:
+  - "manage_ism"
+  static: false
diff --git a/distribution/src/config/security/roles_mapping.yml b/distribution/src/config/security/roles_mapping.yml
@@ -76,12 +76,19 @@ kibana_user:
   and_backend_roles: []
   description: "Maps kibanauser to kibana_user"
 
-  # Wazuh monitoring and statistics index permissions
+# Wazuh monitoring and statistics index permissions
 manage_wazuh_index:
   reserved: true
   hidden: false
   backend_roles: []
   hosts: []
   users:
   - "kibanaserver"
-  and_backend_roles: []
+  and_backend_roles: []
+
+# ISM API permissions role mapping
+manage_ism:
+  reserved: true
+  hidden: false
+  users:
+  - "kibanaserver"