added kibaba + elasticsearch support via filebeat

Author: stellarsquall

.gitignore

@@ -0,0 +1,5 @@
+.DS_Store
+terraform/.DS_Store
+terraform/.terraform/*
+bins/
+*.log

compose/auth-sink auditlogs/.keep

@@ -0,0 +1,16 @@
+# Password for the 'elastic' user (at least 6 characters)
+export ELASTIC_PASSWORD=elastic
+# Password for the 'kibana_system' user (at least 6 characters)
+export KIBANA_PASSWORD=kibana
+# Version of Elastic products
+export STACK_VERSION=8.1.2
+# Set the cluster name
+export CLUSTER_NAME=boundary-docker-cluster
+# Set to 'basic' or 'trial' to automatically start the 30-day trial
+export LICENSE=basic
+# Port to expose Elasticsearch HTTP API to the host
+export ES_PORT=127.0.0.1:19200
+# Port to expose Kibana to the host
+export KIBANA_PORT=5601
+# Increase or decrease based on the available host memory (in bytes)
+export MEM_LIMIT=1073741824

compose/.env

@@ -10,7 +10,7 @@ controller {
 }
 
 listener "tcp" {
-  address = "boundary"
+  address = "0.0.0.0:9200"
   purpose = "api"
   tls_disable = true
   cors_enabled = true
@@ -45,36 +45,47 @@ kms "aead" {
 }
 
 events {
-  audit_enabled = false
-  observation_enabled = true
-  sysevents_enabled = true
+  audit_enabled        = true
+  observations_enabled = true
+  sysevents_enabled    = true
+
   sink "stderr" {
-    name = "all-events"
+    name        = "all-events"
     description = "All events sent to stderr"
     event_types = ["*"]
-    format = "cloudevents-json"
+    format      = "cloudevents-json"
   }
+
   sink {
-    name = "all-events"
-    description = "All events sent to file"
-    event_types = ["*"]
-    format = "cloudevents-json"
+    name        = "audit-sink"
+    description = "Audit sent to a file"
+    event_types = ["audit"]
+    format      = "cloudevents-json"
+
     file {
-      path = "/tmp/"
-      file_name = "all-events"
+      path      = "/logs"
+      file_name = "audit.log"
     }
-  }
-  sink {
-    name = "auth-sink"
-    description = "Authentications sent to a file"
-    event_types = ["observation"]
-    format = "cloudevents-json"
-    allow_filters = [
-      "\"/Data/request_info/Path\" contains \":authenticate\""
-    ]
-    file {
-      path = "/tmp/"
-      file_name = "auth-sink"
+
+    audit_config {
+      audit_filter_overrides {
+        secret    = "encrypt"
+        sensitive = "hmac-sha256"
+      }
     }
   }
-}
+
+  // sink {
+  //   name = "auth-sink"
+  //   description = "Authentications sent to a file"
+  //   event_types = ["observation"]
+  //   format = "cloudevents-json"
+  //   allow_filters = [
+  //     "\"/Data/request_info/Path\" contains \":authenticate\""
+  //   ]
+  //   file {
+  //     path = "./"
+  //     file_name = "auth-sink.log"
+  //   }
+  // }
+}

compose/all-events

@@ -18,9 +18,13 @@ services:
       interval: 3s
       timeout: 10s
       retries: 5
+    volumes:
+      - type: bind
+        source: ../postgres
+        target: /etc/postgresql/
 
   db-init:
-    image: hashicorp/boundary:0.6.2
+    image: hashicorp/boundary:latest-89196f2ce
     command: ["database", "init", "-config", "/boundary/controller.hcl"]
     volumes:
       - "${PWD}/:/boundary/"
@@ -31,35 +35,183 @@ services:
         condition: service_healthy
 
   controller:
-    image: hashicorp/boundary:0.6.2
+    image: hashicorp/boundary:latest-89196f2ce
+    cap_add:
+      - IPC_LOCK
     # command: ["server", "-config", "/boundary/controller.hcl"]
     entrypoint: sh -c "sleep 3 && exec boundary server -config /boundary/controller.hcl"
     volumes:
       - "${PWD}/:/boundary/"
+      - "../auditlogs/:/logs/"
     hostname: boundary
     ports:
       - "9200:9200"
       - "9201:9201"
+      - "9202:9202"
+      - "9203:9203"
     environment:
       - BOUNDARY_PG_URL=postgresql://postgres:postgres@db/boundary?sslmode=disable
+      - SKIP_CHOWN=true
     depends_on:
       - db-init
     networks:
       - default
       - worker
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://boundary:9200"]
+      interval: 3s
+      timeout: 5s
+      retries: 5
 
   worker:
-    image: hashicorp/boundary:0.6.2
+    image: hashicorp/boundary:latest-89196f2ce
     command: ["server", "-config", "/boundary/worker.hcl"]
     volumes:
       - "${PWD}/:/boundary/"
+      - "../auditlogs/:/logs/"
     hostname: worker
     ports:
-      - "9202:9202"
+      - "9204:9202"
     environment:
       - HOSTNAME=worker
     depends_on:
       - controller
     networks:
       - default
-      - worker
+      - worker
+
+  # Filebeat, Elastic, Kibana for visualizing audit events
+  # Based on: https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html#docker-compose-file
+  setup-elastic:
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs
+    user: "0"
+    command: >
+      bash -c '
+        if [ x${ELASTIC_PASSWORD} == x ]; then
+          echo "Set the ELASTIC_PASSWORD environment variable in the .env file";
+          exit 1;
+        elif [ x${KIBANA_PASSWORD} == x ]; then
+          echo "Set the KIBANA_PASSWORD environment variable in the .env file";
+          exit 1;
+        fi;
+        if [ ! -f certs/ca.zip ]; then
+          echo "Creating CA";
+          bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip;
+          unzip config/certs/ca.zip -d config/certs;
+        fi;
+        if [ ! -f certs/certs.zip ]; then
+          echo "Creating certs";
+          echo -ne \
+          "instances:\n"\
+          "  - name: elasticsearch\n"\
+          "    dns:\n"\
+          "      - elasticsearch\n"\
+          "      - localhost\n"\
+          "    ip:\n"\
+          "      - 127.0.0.1\n"\
+          > config/certs/instances.yml;
+          bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key;
+          unzip config/certs/certs.zip -d config/certs;
+        fi;
+        echo "Setting file permissions"
+        chown -R root:root config/certs;
+        find . -type d -exec chmod 750 \{\} \;;
+        find . -type f -exec chmod 640 \{\} \;;
+        echo "Waiting for Elasticsearch availability";
+        until curl -s --cacert config/certs/ca/ca.crt https://elasticsearch:9200 | grep -q "missing authentication credentials"; do sleep 30; done;
+        echo "Setting kibana_system password";
+        until curl -s -X POST --cacert config/certs/ca/ca.crt -u elastic:${ELASTIC_PASSWORD} -H "Content-Type: application/json" https://elasticsearch:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done;
+        echo "All done!";
+      '
+    healthcheck:
+      test: ["CMD-SHELL", "[ -f config/certs/elasticsearch/elasticsearch.crt ]"]
+      interval: 1s
+      timeout: 5s
+      retries: 120
+
+  elasticsearch:
+    depends_on:
+      setup-elastic:
+        condition: service_healthy
+    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
+    volumes:
+      - certs:/usr/share/elasticsearch/config/certs
+      - esdata01:/usr/share/elasticsearch/data
+    ports:
+      - ${ES_PORT}:9200
+    environment:
+      - node.name=elasticsearch
+      - cluster.name=${CLUSTER_NAME}
+      - cluster.initial_master_nodes=elasticsearch
+      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.key=certs/elasticsearch/elasticsearch.key
+      - xpack.security.http.ssl.certificate=certs/elasticsearch/elasticsearch.crt
+      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.http.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.key=certs/elasticsearch/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=certs/elasticsearch/elasticsearch.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.license.self_generated.type=${LICENSE}
+    mem_limit: ${MEM_LIMIT}
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+  kibana:
+    depends_on:
+      elasticsearch:
+        condition: service_healthy
+    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
+    volumes:
+      - certs:/usr/share/kibana/config/certs
+      - kibanadata:/usr/share/kibana/data
+    ports:
+      - ${KIBANA_PORT}:5601
+    environment:
+      - SERVERNAME=kibana
+      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+      - ELASTICSEARCH_USERNAME=kibana_system
+      - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD}
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt
+    mem_limit: ${MEM_LIMIT}
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl -s -I http://localhost:5601 | grep -q 'HTTP/1.1 302 Found'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+  filebeat:
+    image: docker.elastic.co/beats/filebeat:${STACK_VERSION}
+    volumes:
+      - "../filebeat.docker.yml:/usr/share/filebeat/filebeat.yml"
+      - "../auditlogs/:/source"
+      - certs:/certs
+
+volumes:
+  certs:
+    driver: local
+  esdata01:
+    driver: local
+  kibanadata:
+    driver: local

compose/controller.hcl

@@ -14,11 +14,6 @@ worker {
   address     = "worker"
   public_addr = "localhost:9202"
   controllers = ["boundary"]
-  // tags {
-  //   region    = ["us-east-1"],
-  //   // type      = ["prod"]
-  //   type      = ["prod", "database", "postgres", "mysql"]
-  // }
 }
 
 kms "aead" {

compose/docker-compose.yml

@@ -1,5 +1,26 @@
 #!/bin/bash
 
+# fix permissions on local dirs
+chmod 777 ./auditlogs
+chmod 666 ./auditlogs/audit.log
+
+# # Password for the 'elastic' user (at least 6 characters)
+# export ELASTIC_PASSWORD=elastic
+# # Password for the 'kibana_system' user (at least 6 characters)
+# export KIBANA_PASSWORD=kibana
+# # Version of Elastic products
+# export STACK_VERSION=8.1.2
+# # Set the cluster name
+# export CLUSTER_NAME=boundary-docker-cluster
+# # Set to 'basic' or 'trial' to automatically start the 30-day trial
+# export LICENSE=basic
+# # Port to expose Elasticsearch HTTP API to the host
+# export ES_PORT=127.0.0.1:19200
+# # Port to expose Kibana to the host
+# export KIBANA_PORT=5601
+# # Increase or decrease based on the available host memory (in bytes)
+# export MEM_LIMIT=1073741824
+
 function cleanup() {
   pushd compose
   docker compose -p boundary rm -fs 

compose/worker-sink

@@ -0,0 +1,12 @@
+filebeat.inputs:
+- type: log
+  paths:
+    - /source/*.log
+  json.add_error_key: true
+
+output.elasticsearch:
+  hosts: ["https://elasticsearch:9200"]
+  ssl.certificate_authorities:
+    - /certs/ca/ca.crt
+  username: "elastic"
+  password: "elastic"

compose/worker.hcl

@@ -0,0 +1,14 @@
+listen_addresses           = '*'
+max_connections            = 100
+work_mem                   = 50000kB
+shared_buffers             = 64MB
+log_destination            = 'stderr'
+deadlock_timeout           = 100
+log_min_messages           = info
+log_min_error_statement    = error
+log_error_verbosity        = verbose
+log_lock_waits             = true
+log_statement              = all
+log_duration               = on
+log_min_duration_statement = 0
+log_line_prefix            = '%m [%p] (%x) %i '