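FROM amazonlinux:2 AS build

# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.

# Build stage: builds the logstash-filter-ieee_oui gem under JRuby (installed via RVM).
# Only /opt/logstash-filter-ieee_oui is copied out of this stage into the final image.

# pipefail so that a failing curl in a "curl | tar" pipeline fails the build instead of
# being masked by the exit status of the consumer (SHELL is per-stage; it does not carry
# over into the runtime stage below).
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN amazon-linux-extras install -y epel && \
    yum install -y \
      autoconf \
      automake \
      bison \
      bzip2 \
      curl \
      gcc-c++ \
      glibc-devel \
      glibc-headers \
      java-latest-openjdk-devel \
      libffi-devel \
      libtool \
      libyaml-devel \
      make \
      openssl-devel \
      patch \
      procps \
      readline-devel \
      tar \
      wget \
      which \
      zlib-devel

# RVM + JRuby. Each command runs in a login shell (-l) so the RVM profile script is
# sourced. "curl -f" makes an HTTP error fail the step instead of feeding an error page
# to gpg2 or bash; https:// is given explicitly because a scheme-less URL defaults to
# plain http. The two keys are imported for RVM's own verification of the release
# archive it downloads; the installer script piped into bash is not verified here.
RUN /bin/bash -lc "set -o pipefail && command curl -fsSL https://rvm.io/mpapis.asc | gpg2 --import -" && \
    /bin/bash -lc "set -o pipefail && command curl -fsSL https://rvm.io/pkuczynski.asc | gpg2 --import -" && \
    /bin/bash -lc "set -o pipefail && curl -fsSL https://get.rvm.io | bash -s stable" && \
    /bin/bash -lc "rvm autolibs fail" && \
    /bin/bash -lc "rvm install jruby-9.2.17.0" && \
    /bin/bash -lc "rvm use jruby-9.2.17.0 --default" && \
    /bin/bash -lc "gem install bundler --no-document"

# Source tarball of the ieee_oui filter. It is taken from the master branch, so this
# build is only as reproducible as that branch; pin a tag or commit for a fixed result.
ENV OUIFILTER_URL="https://codeload.github.com/mmguero-dev/logstash-filter-ieee_oui/tar.gz/master"

WORKDIR /opt
# JAVA_HOME is derived from wherever yum placed javac. "bundle install" is retried once
# because the first attempt has been observed to fail transiently.
RUN mkdir -p ./logstash-filter-ieee_oui && \
    curl -fsSL "$OUIFILTER_URL" | tar xzvf - -C ./logstash-filter-ieee_oui --strip-components 1 && \
    /bin/bash -lc "export JAVA_HOME=$(realpath $(dirname $(find /usr/lib/jvm -name javac -type f))/../) && cd /opt/logstash-filter-ieee_oui && ( bundle install || bundle install ) && gem build logstash-filter-ieee_oui.gemspec && bundle info logstash-filter-ieee_oui"

FROM docker.elastic.co/logstash/logstash-oss:7.10.2

LABEL maintainer="malcolm.netsec@gmail.com"
LABEL org.opencontainers.image.authors='malcolm.netsec@gmail.com'
LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm'
LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/master/README.md'
LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm'
LABEL org.opencontainers.image.vendor='Cybersecurity and Infrastructure Security Agency'
LABEL org.opencontainers.image.title='malcolmnetsec/logstash-oss'
LABEL org.opencontainers.image.description='Malcolm container providing Logstash (the Apache-licensed variant)'

# Runtime identity: the uid/gid the container is expected to run as, and the account the
# entrypoint uses when PUSER_PRIV_DROP is true. Build-time ARGs are mirrored into ENV so
# they remain visible at runtime.
ARG DEFAULT_UID=1000
ARG DEFAULT_GID=1000
ENV DEFAULT_UID=$DEFAULT_UID
ENV DEFAULT_GID=$DEFAULT_GID
ENV PUSER="logstash"
ENV PGROUP="logstash"
ENV PUSER_PRIV_DROP=true
ENV TERM=xterm

# Logstash pipeline wiring; overridable at build time, exported to the runtime env.
ARG LOGSTASH_ENRICHMENT_PIPELINE=enrichment
ARG LOGSTASH_PARSE_PIPELINE_ADDRESSES=zeek-parse
ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL=internal-es
ARG LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL=external-es
ARG LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES=internal-es,external-es
ENV LOGSTASH_ENRICHMENT_PIPELINE=$LOGSTASH_ENRICHMENT_PIPELINE
ENV LOGSTASH_PARSE_PIPELINE_ADDRESSES=$LOGSTASH_PARSE_PIPELINE_ADDRESSES
ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL=$LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_INTERNAL
ENV LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL=$LOGSTASH_ELASTICSEARCH_PIPELINE_ADDRESS_EXTERNAL
ENV LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES=$LOGSTASH_ELASTICSEARCH_OUTPUT_PIPELINE_ADDRESSES

ENV JAVA_HOME=/usr/share/logstash/jdk

# Root is needed for the package and plugin installs below. No later USER directive
# switches back, so dropping to ${PUSER} is delegated to the entrypoint script
# (PUSER_PRIV_DROP above) -- confirm in docker-uid-gid-setup.sh.
USER root

COPY --from=build /opt/logstash-filter-ieee_oui /opt/logstash-filter-ieee_oui

# OS packages, python deps, Logstash plugins, and the locally built ieee_oui gem, with
# cleanup in the same layer so the caches do not persist in the image. The gem file name
# hard-codes 1.0.6; it must match the version in the gemspec fetched in the build stage.
RUN yum install -y epel-release && \
    yum update -y && \
    yum install -y curl gettext python-setuptools python-pip python-requests python-yaml openssl && \
    yum clean all && \
    pip install --no-cache-dir py2-ipaddress supervisor && \
    logstash-plugin install logstash-filter-translate logstash-filter-cidr logstash-filter-dns \
                            logstash-filter-json logstash-filter-prune logstash-filter-http \
                            logstash-filter-grok logstash-filter-geoip logstash-filter-uuid \
                            logstash-filter-kv logstash-filter-mutate logstash-filter-dissect \
                            logstash-input-beats logstash-output-elasticsearch && \
    logstash-plugin install /opt/logstash-filter-ieee_oui/logstash-filter-ieee_oui-1.0.6.gem && \
    rm -rf /opt/logstash-filter-ieee_oui /root/.cache /root/.gem /root/.bundle

# Plain local files and directories: COPY, not ADD (no archive extraction or URL fetch wanted).
COPY shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
COPY shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/
COPY logstash/maps/*.yaml /etc/
COPY logstash/config/log4j2.properties /usr/share/logstash/config/
COPY logstash/config/logstash.yml /usr/share/logstash/config/
COPY logstash/pipelines/ /usr/share/logstash/malcolm-pipelines/
COPY logstash/scripts /usr/local/bin/
COPY logstash/supervisord.conf /etc/supervisord.conf

# Replaces the base image's default pipeline with Malcolm's, creates the persistent queue
# directory, and builds the OUI lookup table. The Wireshark "manuf" file is fetched from
# master at build time (unpinned); "curl -f" makes a non-200 response fail the build
# instead of leaving an error page for awk to parse. The awk filter strips colons from
# the first tab-separated column, keeps only 6-hex-digit prefixes, and pairs each with
# the third column, falling back to the second.
RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" && \
    usermod -a -G tty ${PUSER} && \
    rm -f /usr/share/logstash/pipeline/logstash.conf && \
    rmdir /usr/share/logstash/pipeline && \
    mkdir /logstash-persistent-queue && \
    chown --silent -R ${PUSER}:root /usr/share/logstash/malcolm-pipelines /logstash-persistent-queue && \
    curl -fsSL -o /usr/share/logstash/config/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" && \
    ( awk -F '\t' '{gsub(":", "", $1); if (length($1) == 6) {if ($3) {print $1"\t"$3} else if ($2) {print $1"\t"$2}}}' /usr/share/logstash/config/oui.txt > /usr/share/logstash/config/oui-logstash.txt) && \
    python /usr/local/bin/ja3_build_list.py -o /etc/ja3.yaml

# As the keystore is encapsulated in logstash, this isn't really necessary. It's included
# here just to suppress the prompt when creating the keystore. If you're concerned about it
# you could change or remove this from the Dockerfile, and/or override it with your
# own environment variable at runtime. Note that, as an ENV, this value is baked into the
# image and visible via "docker inspect"/"docker history".
ENV LOGSTASH_KEYSTORE_PASS="a410a267b1404c949284dee25518a917"

# Declared after the directory is created and chowned above; content written to a VOLUME
# path later in the build would be discarded.
VOLUME ["/logstash-persistent-queue"]

# Documentation only; nothing here publishes these ports.
EXPOSE 5044
EXPOSE 9001
EXPOSE 9600

ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"]
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]

# to be populated at build-time; kept last because they change on every build and would
# otherwise invalidate the cache for everything that follows them:
ARG BUILD_DATE
ARG MALCOLM_VERSION
ARG VCS_REVISION
LABEL org.opencontainers.image.created=$BUILD_DATE
LABEL org.opencontainers.image.version=$MALCOLM_VERSION
LABEL org.opencontainers.image.revision=$VCS_REVISION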