wazuh/wazuh-docker
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-12-11 12:09:39 -06:00
Code Issues Packages Projects Releases 118 Wiki Activity

rollback uid and gid for Wazuh indexer and dashboard owner

Browse Source
This commit is contained in:
vcerenu 2024-03-11 10:05:53 -03:00
parent b4af946000
commit 387727d496
No known key found for this signature in database
GPG Key ID: 4D7B159107F1244A
4 changed files with 28 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
build-docker-images/wazuh-dashboard/Dockerfile
View File

@ -84,9 +84,9 @@ ENV PATTERN="" \
RUN yum install shadow-utils -y RUN yum install shadow-utils -y
# Create wazuh-dashboard user and group # Create wazuh-dashboard user and group
RUN getent group $GROUP || groupadd -r -g 999 $GROUP RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \ RUN useradd --system \
--uid 999 \ --uid 1000 \
--no-create-home \ --no-create-home \
--home-dir $INSTALL_DIR \ --home-dir $INSTALL_DIR \
--gid $GROUP \ --gid $GROUP \
@ -99,14 +99,14 @@ COPY config/entrypoint.sh /
COPY config/wazuh_app_config.sh / COPY config/wazuh_app_config.sh /
RUN chmod 700 /entrypoint.sh RUN chmod 700 /entrypoint.sh
RUN chmod 700 /wazuh_app_config.sh RUN chmod 700 /wazuh_app_config.sh
RUN chown 999:999 /*.sh RUN chown 1000:1000 /*.sh
# Copy Install dir from builder to current image # Copy Install dir from builder to current image
COPY --from=builder --chown=999:999 $INSTALL_DIR $INSTALL_DIR COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
# Create custom directory # Create custom directory
RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
RUN chown 999:999 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
# Set workdir and user # Set workdir and user
WORKDIR $INSTALL_DIR WORKDIR $INSTALL_DIR

18
build-docker-images/wazuh-indexer/Dockerfile
View File

@ -38,10 +38,10 @@ ENV USER="wazuh-indexer" \
RUN yum install curl-minimal shadow-utils findutils hostname -y RUN yum install curl-minimal shadow-utils findutils hostname -y
RUN getent group $GROUP || groupadd -r -g 999 $GROUP RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \ RUN useradd --system \
--uid 999 \ --uid 1000 \
--no-create-home \ --no-create-home \
--home-dir $INSTALL_DIR \ --home-dir $INSTALL_DIR \
--gid $GROUP \ --gid $GROUP \
@ -57,19 +57,19 @@ COPY config/securityadmin.sh /
RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
RUN chown 999:999 /*.sh RUN chown 1000:1000 /*.sh
COPY --from=builder --chown=999:999 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
RUN chown -R 999:999 /usr/share/wazuh-indexer RUN chown -R 1000:1000 /usr/share/wazuh-indexer
RUN mkdir -p /var/lib/wazuh-indexer && chown 999:999 /var/lib/wazuh-indexer && \ RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 999:999 /usr/share/wazuh-indexer/logs && \ mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 999:999 /run/wazuh-indexer && \ mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 999:999 /var/log/wazuh-indexer && \ mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
chmod 700 /usr/share/wazuh-indexer && \ chmod 700 /usr/share/wazuh-indexer && \
chmod 600 /usr/share/wazuh-indexer/jvm.options && \ chmod 600 /usr/share/wazuh-indexer/jvm.options && \
chmod 600 /usr/share/wazuh-indexer/opensearch.yml chmod 600 /usr/share/wazuh-indexer/opensearch.yml

4
build-docker-images/wazuh-indexer/config/entrypoint.sh
View File

@ -34,7 +34,7 @@ if [[ "$1" != "opensearchwrapper" ]]; then
# `bin/opensearch -E x.y=z` would not work. # `bin/opensearch -E x.y=z` would not work.
set -- "opensearch" "${@:2}" set -- "opensearch" "${@:2}"
# Use chroot to switch to UID 1000 / GID 0 # Use chroot to switch to UID 1000 / GID 0
exec chroot --userspec=999:0 / "$@" exec chroot --userspec=1000:0 / "$@"
else else
# User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?) # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
exec "$@" exec "$@"
@ -79,7 +79,7 @@ fi
if [[ "$(id -u)" == "0" ]]; then if [[ "$(id -u)" == "0" ]]; then
# If requested and running as root, mutate the ownership of bind-mounts # If requested and running as root, mutate the ownership of bind-mounts
if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
chown -R 999:0 /usr/share/wazuh-indexer/{data,logs} chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
fi fi
fi fi

13
indexer-certs-creator/config/entrypoint.sh
View File

@ -47,5 +47,16 @@ echo "Changing certificate permissions"
chmod -R 500 /certificates chmod -R 500 /certificates
chmod -R 400 /certificates/* chmod -R 400 /certificates/*
echo "Setting UID indexer and dashboard" echo "Setting UID indexer and dashboard"
chown 999:999 /certificates/* chown 1000:1000 /certificates/*
echo "Setting UID for wazuh manager and worker"
cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
cp /certificates/root-ca.key /certificates/root-ca-manager.key
chown 999:999 /certificates/root-ca-manager.pem
chown 999:999 /certificates/root-ca-manager.key
for i in ${node_names[@]};
do
chown 999:999 "/certificates/${i}.pem"
chown 999:999 "/certificates/${i}-key.pem"
done