diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a80b025134de5..1483793de3f68 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,62 +1,60 @@ -name: Build slim packages +name: Build packages # This workflow runs when any of the following occur: - # - Run manually +# - Run manually on: workflow_dispatch: - - -# Used to run locally using https://github.com/nektos/act -env: - ACT: - VERSION: 2.11.0 - SNAPSHOT: false - PLATFORM: linux - BUILD: bash scripts/build.sh - + inputs: + revision: + # description: + default: "1" + required: false + type: string + +# ========================== +# Bibliography +# ========================== +# +# * Reusable workflows: limitations +# | https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations +# * Using matrix in reusable workflows: +# | https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-a-matrix-strategy-with-a-reusable-workflow +# * Reading input from the called workflow +# | https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs jobs: + version: + uses: ./.github/workflows/r_version.yml + build: - runs-on: ubuntu-latest - # Permissions to upload the package - permissions: - packages: write - contents: read + needs: version strategy: - matrix: - # act is resource-heavy. Avoid running parallel builds with it: - # DISTRIBUTION: [ rpm ] - # ARCHITECTURE: [ x64 ] - DISTRIBUTION: [ tar, rpm, deb ] - ARCHITECTURE: [ x64, arm64 ] - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-java@v3 - with: - distribution: temurin - java-version: 11 - - - name: Setup Gradle - uses: gradle/gradle-build-action@v2.9.0 - - - name: Execute build script - run: | - $BUILD -v $VERSION -s $SNAPSHOT -p $PLATFORM -a ${{ matrix.ARCHITECTURE }} -d ${{ matrix.DISTRIBUTION }} - - # The package name is stored in the artifacts/artifact_name.txt file - - name: Read package name - id: package_name - run: | - echo $(ls -la) - echo "package_name=$(cat artifacts/artifact_name.txt)" >> $GITHUB_OUTPUT - echo "$(cat artifacts/artifact_name.txt)" - - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: ${{ steps.package_name.outputs.package_name }} - path: artifacts/dist/${{ steps.package_name.outputs.package_name }} - if-no-files-found: error - - # assemble: - # release: + matrix: + distribution: [tar, rpm, deb] + architecture: [x64, arm64] + uses: ./.github/workflows/r_build.yml + with: + architecture: ${{ matrix.architecture }} + distribution: ${{ matrix.distribution }} + name: wazuh-indexer-min_${{ needs.version.outputs.version }}-${{ inputs.revision }}-${{ matrix.architecture }}_${{ github.sha }}.${{ matrix.distribution }} + # wazuh-indexer-min_4.8.0-rc1_x64_ff98475f.deb + # TODO arm64 != amd64 (deb), x64 != x86_64 (rpm) + # TODO use short SHA https://stackoverflow.com/a/59819441/13918537 + + assemble: + needs: [version, build] + strategy: + matrix: + distribution: [tar, rpm, deb] + architecture: [x64, arm64] + exclude: + # skip arm64 until we have arm runners + - architecture: arm64 + - distribution: [tar, deb] # Exclude deb assembly until it's implemented + + uses: ./.github/workflows/r_assemble.yml + with: + architecture: ${{ matrix.architecture }} + distribution: ${{ matrix.distribution }} + min: wazuh-indexer-min_${{ needs.version.outputs.version }}-${{ inputs.revision }}-${{ matrix.architecture }}_${{ github.sha }}.${{ matrix.distribution }} + name: wazuh-indexer_${{ needs.version.outputs.version }}-${{ inputs.revision }}-${{ matrix.architecture }}_${{ github.sha }}.${{ matrix.distribution }} diff --git a/.github/workflows/r_assemble.yml b/.github/workflows/r_assemble.yml new file mode 100644 index 0000000000000..c807a58a4f781 --- /dev/null +++ b/.github/workflows/r_assemble.yml @@ -0,0 +1,58 @@ +name: Assemble (reusable) + +# This workflow runs when any of the following occur: +# - Run from another workflow +on: + workflow_call: + inputs: + distribution: + description: 'One of [ "tar", "rpm", "deb" ]' + default: "rpm" + required: false + type: string + architecture: + description: 'One of [ "x64", "arm64" ]' + default: "x64" + required: false + type: string + min: + description: The name of the package to download. + required: true + type: string + name: + description: The name of the package to upload. + required: true + type: string + +jobs: + r_assemble: + runs-on: ubuntu-latest + # Permissions to upload the package + permissions: + packages: write + contents: read + steps: + - uses: actions/checkout@v4 + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.min }} + path: artifacts/dist + + - name: Run `assemble.sh` + run: | + bash scripts/assemble.sh -v ${{ vars.OPENSEARCH_VERSION }} -p linux -a ${{ inputs.architecture }} -d ${{ inputs.distribution }} + + # The package's name is stored in artifacts/artifact_name.txt. + - name: Set package name + id: get_name + run: | + echo "name=$(cat artifacts/artifact_name.txt)" >> $GITHUB_OUTPUT + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.name }} + path: artifacts/dist/${{ steps.get_name.outputs.name }} + if-no-files-found: error + diff --git a/.github/workflows/r_build.yml b/.github/workflows/r_build.yml new file mode 100644 index 0000000000000..50ddb9a75ae76 --- /dev/null +++ b/.github/workflows/r_build.yml @@ -0,0 +1,53 @@ +name: Build (reusable) + +# This workflow runs when any of the following occur: +# - Run from another workflow +on: + workflow_call: + inputs: + distribution: + description: 'One of [ "tar", "rpm", "deb" ]' + default: "rpm" + required: false + type: string + architecture: + description: 'One of [ "x64", "arm64" ]' + default: "x64" + required: false + type: string + name: + type: string + +jobs: + r_build: + runs-on: ubuntu-latest + # Permissions to upload the package + permissions: + packages: write + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 11 + + - name: Setup Gradle + uses: gradle/gradle-build-action@v2.9.0 + + - name: Run `build.sh` + run: | + bash scripts/build.sh -v ${{ vars.OPENSEARCH_VERSION }} -s false -p linux -a ${{ inputs.architecture }} -d ${{ inputs.distribution }} + + # The package's name is stored in artifacts/artifact_name.txt. + - name: Set package name + id: get_name + run: | + echo "name=$(cat artifacts/artifact_name.txt)" >> $GITHUB_OUTPUT + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.name }} + path: artifacts/dist/${{ steps.get_name.outputs.name }} + if-no-files-found: error diff --git a/.github/workflows/r_version.yml b/.github/workflows/r_version.yml new file mode 100644 index 0000000000000..d3c01135a6c35 --- /dev/null +++ b/.github/workflows/r_version.yml @@ -0,0 +1,22 @@ +name: Version (reusable) + +# This workflow runs when any of the following occur: +# - Run from another workflow +on: + workflow_call: + outputs: + version: + description: "Returns the version of Wazuh" + value: ${{ jobs.r_version.outputs.version }} + +jobs: + r_version: + runs-on: ubuntu-latest + outputs: + version: ${{ steps.get_version.outputs.version }} + steps: + - uses: actions/checkout@v4 + - name: Read 'VERSION' + id: get_version + run: | + echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT diff --git a/distribution/packages/build.gradle b/distribution/packages/build.gradle index c16a3e64901fa..90997fb401c0f 100644 --- a/distribution/packages/build.gradle +++ b/distribution/packages/build.gradle @@ -298,13 +298,13 @@ apply plugin: 'com.netflix.nebula.ospackage-base' // this is package indepdendent configuration ospackage { - maintainer 'OpenSearch Team ' + maintainer 'Wazuh, Inc ' summary 'Distributed RESTful search engine built for the cloud' packageDescription ''' Reference documentation can be found at - https://github.com/opensearch-project/OpenSearch + https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html '''.stripIndent().trim() - url 'https://github.com/opensearch-project/OpenSearch' + url 'https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html' // signing setup if (project.hasProperty('signing.password') && BuildParams.isSnapshotBuild() == false) { diff --git a/distribution/packages/src/rpm/wazuh-indexer-performance-analyzer.service b/distribution/packages/src/rpm/wazuh-indexer-performance-analyzer.service new file mode 100644 index 0000000000000..dfd3770f8300c --- /dev/null +++ b/distribution/packages/src/rpm/wazuh-indexer-performance-analyzer.service @@ -0,0 +1,21 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +[Unit] +Description=wazuh-indexer Performance Analyzer + +[Service] +Type=simple +ExecStart=/usr/share/wazuh-indexer/bin/wazuh-indexer-performance-analyzer/performance-analyzer-agent-cli +Restart=on-failure +User=wazuh-indexer +Group=wazuh-indexer +EnvironmentFile=-/etc/sysconfig/wazuh-indexer +WorkingDirectory=/usr/share/wazuh-indexer + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/distribution/packages/src/rpm/wazuh-indexer.cicd.spec b/distribution/packages/src/rpm/wazuh-indexer.cicd.spec new file mode 100644 index 0000000000000..f17e6f7413aab --- /dev/null +++ b/distribution/packages/src/rpm/wazuh-indexer.cicd.spec @@ -0,0 +1,755 @@ +# Wazuh package SPEC +# Copyright (C) 2021, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. +Summary: Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html +Name: wazuh-indexer +Version: %{_version} +Release: %{_release} +License: GPL +Group: System Environment/Daemons +Source0: %{name}-%{version}.tar.gz +URL: https://www.wazuh.com/ +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Vendor: Wazuh, Inc +Packager: Wazuh, Inc +AutoReqProv: no +Requires: coreutils +ExclusiveOS: linux +BuildRequires: tar shadow-utils + +# ----------------------------------------------------------------------------- + +%global USER %{name} +%global GROUP %{name} +%global CONFIG_DIR /etc/%{name} +%global LOG_DIR /var/log/%{name} +%global LIB_DIR /var/lib/%{name} +%global SYS_DIR /usr/lib +%global INSTALL_DIR /usr/share/%{name} +%global REPO_DIR /root/unattended_installer +%global INDEXER_FILE wazuh-indexer-base-%{version}-%{release}-linux-x64.tar.xz + +# ----------------------------------------------------------------------------- + +%description +Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html + +# ----------------------------------------------------------------------------- + +%prep +# Clean BUILDROOT +rm -fr %{buildroot} + +# Create package group +getent group %{GROUP} || groupadd -r %{GROUP} + +# Create package user +if ! id %{USER} &> /dev/null; then + useradd --system \ + --no-create-home \ + --home-dir %{INSTALL_DIR} \ + --gid %{GROUP} \ + --shell /sbin/nologin \ + --comment "%{USER} user" \ + %{USER} +fi + +# ----------------------------------------------------------------------------- + +%install +# Create directories +mkdir -p ${RPM_BUILD_ROOT}%{INSTALL_DIR} +mkdir -p ${RPM_BUILD_ROOT}/etc +mkdir -p ${RPM_BUILD_ROOT}%{LOG_DIR} +mkdir -p ${RPM_BUILD_ROOT}%{LIB_DIR} +mkdir -p ${RPM_BUILD_ROOT}%{SYS_DIR} + +# Set up required files +cp /tmp/%{INDEXER_FILE} ./ + +tar -xf %{INDEXER_FILE} && rm -f %{INDEXER_FILE} +chown -R %{USER}:%{GROUP} wazuh-indexer-*/* + +# Copy base files into RPM_BUILD_ROOT directory +mv wazuh-indexer-*/etc ${RPM_BUILD_ROOT}/ +mv wazuh-indexer-*%{SYS_DIR}/* ${RPM_BUILD_ROOT}%{SYS_DIR}/ +rm -rf wazuh-indexer-*/etc +rm -rf wazuh-indexer-*/usr +cp -pr wazuh-indexer-*/* ${RPM_BUILD_ROOT}%{INSTALL_DIR}/ + +# Build wazuh-certs-tool +%{REPO_DIR}/builder.sh -c + +# Build wazuh-passwords-tool +%{REPO_DIR}/builder.sh -p + +# Copy the security tools +cp %{REPO_DIR}/wazuh-certs-tool.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/ +cp %{REPO_DIR}/wazuh-passwords-tool.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/ +cp /root/documentation-templates/wazuh/config.yml ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/config.yml + +# Copy Wazuh's config files for the security plugin +cp %{REPO_DIR}/config/indexer/roles/action_groups.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/internal_users.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/roles.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/roles_mapping.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security + +cp /root/stack/indexer/indexer-security-init.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/bin/ + +chmod 750 ${RPM_BUILD_ROOT}/etc/init.d/wazuh-indexer + +# ----------------------------------------------------------------------------- + +%pre +if [ $1 = 1 ];then # Install + # Create package group + getent group %{GROUP} > /dev/null 2>&1 || groupadd -r %{GROUP} + + if ! id %{USER} &> /dev/null; then + useradd --system \ + --no-create-home \ + --home-dir %{INSTALL_DIR} \ + --gid %{GROUP} \ + --shell /sbin/nologin \ + --comment "%{USER} user" \ + %{USER} > /dev/null 2>&1 + fi +fi + +# Stop the services to upgrade the package +if [ $1 = 2 ]; then + if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet %{name} > /dev/null 2>&1; then + systemctl stop %{name}.service > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + # Check for SysV + elif command -v service > /dev/null 2>&1 && service %{name} status 2>/dev/null | grep "is running" > /dev/null 2>&1; then + service %{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null && invoke-rc.d --quiet wazuh-indexer status > /dev/null 2>&1; then + invoke-rc.d %{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + fi + + # Older Suse linux distributions do not ship with systemd + # but do not have an /etc/init.d/ directory + # this tries to stop the %{name} service on these + # as well without failing this script + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + fi +fi + +# ----------------------------------------------------------------------------- + +%post + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 1 ];then # Install + echo "%{USER} hard nproc 4096" >> /etc/security/limits.conf + echo "%{USER} soft nproc 4096" >> /etc/security/limits.conf + echo "%{USER} hard nofile 65535" >> /etc/security/limits.conf + echo "%{USER} soft nofile 65535" >> /etc/security/limits.conf + + # To pick up /usr/lib/sysctl.d/wazuh-indexer.conf + if command -v systemctl > /dev/null 2>&1; then + systemctl restart systemd-sysctl > /dev/null 2>&1 || true + fi + +fi + + +if [[ -d /run/systemd/system ]] ; then + rm -f /etc/init.d/%{name} +fi + +# If is an upgrade, move the securityconfig files if they exist (4.3.x versions) +if [ ${1} = 2 ]; then + if [ -d "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig ]; then + + if [ ! -d "%{CONFIG_DIR}"/opensearch-security ]; then + mkdir "%{CONFIG_DIR}"/opensearch-security + fi + + cp -r "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig/* "%{CONFIG_DIR}"/opensearch-security + fi +fi + +# If is an upgrade, move the securityconfig files if they exist (4.3.x versions) +if [ ${1} = 2 ]; then + if [ -d "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig ]; then + + if [ ! -d "%{CONFIG_DIR}"/opensearch-security ]; then + mkdir "%{CONFIG_DIR}"/opensearch-security + fi + + cp -r "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig/* "%{CONFIG_DIR}"/opensearch-security + fi +fi + +# ----------------------------------------------------------------------------- + +%preun + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 0 ];then # Remove + echo -n "Stopping wazuh-indexer service..." + if command -v systemctl > /dev/null 2>&1 && systemctl is-active --quiet %{name} > /dev/null 2>&1; then + systemctl --no-reload stop %{name}.service > /dev/null 2>&1 + + # Check for SysV + elif command -v service > /dev/null 2>&1; then + service %{name} stop > /dev/null 2>&1 + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null; then + invoke-rc.d %{name} stop > /dev/null 2>&1 + else + /etc/init.d/%{name} stop > /dev/null 2>&1 + fi + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} stop > /dev/null 2>&1 + else # Anything else + kill -15 `pgrep -f opensearch` > /dev/null 2>&1 + fi + echo " OK" + + # Check for systemd + if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1; then + systemctl disable %{name} > /dev/null 2>&1 + systemctl daemon-reload > /dev/null 2>&1 + # Check for SysV + elif command -v service > /dev/null 2>&1 && command -v chkconfig > /dev/null 2>&1; then + chkconfig %{name} off > /dev/null 2>&1 + chkconfig --del %{name} > /dev/null 2>&1 + fi +fi + +# ----------------------------------------------------------------------------- + +%postun + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 0 ];then + # Cleaning limits file + sed -i '/%{USER}/d' /etc/security/limits.conf + + # Remove the user if it exists + if getent passwd %{USER} > /dev/null 2>&1; then + userdel %{USER} >/dev/null 2>&1 + fi + + # Remove the group if it exists + if command -v getent > /dev/null 2>&1 && getent group %{GROUP} > /dev/null 2>&1; then + groupdel %{GROUP} >/dev/null 2>&1 + elif getent group %{GROUP} > /dev/null 2>&1; then + groupdel %{GROUP} >/dev/null 2>&1 + fi + + # Remove lingering folders and files + if [ -d /dev/shm/performanceanalyzer ]; then + rm -rf /dev/shm/performanceanalyzer + fi + rm -rf %{INSTALL_DIR} +fi + +# ----------------------------------------------------------------------------- + +%posttrans + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ -f %{INSTALL_DIR}/%{name}.restart ]; then + echo -n "Starting wazuh-indexer service..." + rm -f %{INSTALL_DIR}/%{name}.restart + if command -v systemctl > /dev/null 2>&1; then + systemctl daemon-reload > /dev/null 2>&1 + systemctl restart %{name}.service > /dev/null 2>&1 + + # Check for SysV + elif command -v service > /dev/null 2>&1; then + service %{name} restart > /dev/null 2>&1 + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null; then + invoke-rc.d %{name} restart > /dev/null 2>&1 + else + /etc/init.d/%{name} restart > /dev/null 2>&1 + fi + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} restart > /dev/null 2>&1 + fi + echo " OK" +fi + +if [ ! -f "%{CONFIG_DIR}"/opensearch.keystore ]; then + "%{INSTALL_DIR}"/bin/opensearch-keystore create + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/opensearch.keystore + chmod 660 "%{CONFIG_DIR}"/opensearch.keystore + md5sum "%{CONFIG_DIR}"/opensearch.keystore > "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum + chmod 600 "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum +else + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/opensearch.keystore + chmod 660 "%{CONFIG_DIR}"/opensearch.keystore + if "%{INSTALL_DIR}"/bin/opensearch-keystore has-passwd --silent ; then + echo "### Warning: unable to upgrade encrypted keystore" 1>&2 + echo " Please run opensearch-keystore upgrade and enter password" 1>&2 + else + "%{INSTALL_DIR}"/bin/opensearch-keystore upgrade + fi +fi + +# ----------------------------------------------------------------------------- + +%clean +rm -fr %{buildroot} + +# ----------------------------------------------------------------------------- + +%files +%defattr(-, %{USER}, %{GROUP}) +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR} +%dir %attr(750, %{USER}, %{GROUP}) %{LIB_DIR} +%dir %attr(750, %{USER}, %{GROUP}) %{LOG_DIR} + +%config(noreplace) %attr(0660, root, %{GROUP}) "/etc/sysconfig/%{name}" + +%config(missingok) /etc/init.d/%{name} +%attr(0640, root, root) %{SYS_DIR}/sysctl.d/%{name}.conf +%attr(0640, root, root) %{SYS_DIR}/systemd/system/%{name}.service +%attr(0640, root, root) %{SYS_DIR}/systemd/system/%{name}-performance-analyzer.service +%attr(0640, root, root) %{SYS_DIR}/tmpfiles.d/%{name}.conf + + +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/*.txt +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/ +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.sh +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.md +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.yml +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.txt +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/*.so.1 +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/*.so +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/analysis-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/analysis-common/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/analysis-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/parent-join/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/parent-join/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/parent-join/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.mmdb +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/parent-join/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/parent-join/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/upgrade-cli/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/upgrade-cli/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/plugin-cli/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/plugin-cli/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/keystore-cli/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/keystore-cli/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/man1/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/man1/*.1 +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/jmods/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/jmods/*.jmod +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/NOTICE +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/*.h +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/linux/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/linux/*.h +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.cfg +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.so +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jspawnhelper +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.properties.ja +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.dat +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.sym +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/classlist +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jexec +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.certs +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/cacerts +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.dat +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/modules +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/*.so +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/*.jsa +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jfr/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jfr/*.jfc +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/bin/* +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/release +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.instrument/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.net/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.cryptoki/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.cryptoki/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.security.auth/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.smartcardio/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.smartcardio/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.zipfs/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.localedata/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.localedata/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.prefs/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.dynalink/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.dynalink/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jpackage/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.jvmstat/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml.crypto/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml.crypto/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.net.http/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.unsupported/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.datatransfer/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.incubator.vector/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.charsets/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management.jfr/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.accessibility/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jartool/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.security.sasl/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.ed/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.editpad/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.httpserver/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/*.md +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ASSEMBLY_EXCEPTION +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ADDITIONAL_LICENSE_INFO +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/LICENSE +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jcmd/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.opt/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.opt/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.scripting/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdeps/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jstatd/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.random/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.sctp/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.sql/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.nio.mapmode/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.hotspot.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.attach/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.naming/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.sql.rowset/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.unsupported.desktop/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.logging/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.security.jgss/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.compiler.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jfr/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.transaction.xa/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.ec/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.ci/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.naming.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.xml.dom/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.le/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.le/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jsobject/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdwp.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.se/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.incubator.foreign/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jshell/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.javadoc/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.javadoc/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.security.jgss/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jconsole/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.naming.dns/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.management.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.desktop/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.desktop/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jlink/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/*.security +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/limited/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/limited/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/unlimited/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/unlimited/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/sdp/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/sdp/*.template +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.access +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.template +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/ +%config(noreplace) %attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/*.yml +%config(noreplace) %attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/*.example +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/jvm.options +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/jvm.options.d/ +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-reports-scheduler/ +%attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-reports-scheduler/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications-core/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications-core/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/*.yml +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-observability/ +%attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-observability/*.yml +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/agent-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.conf +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.xml +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.properties +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/plugin-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/agent-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.conf +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.xml +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/plugin-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/lib/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/performance-analyzer-agent +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/performance-analyzer-rca +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-cli +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/systemd-entrypoint +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-upgrade +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-shard +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-plugin +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-node +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-env +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-env-from-file +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-security-init.sh +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-keystore +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/performance-analyzer-agent +%attr(440, %{USER}, %{GROUP}) %{INSTALL_DIR}/VERSION +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-security-init.sh +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-ism-init.sh +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-init.sh +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/config.yml +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/wazuh-passwords-tool.sh + + +%changelog +* Thu Mar 28 2024 support - 4.9.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html +* Tue Jan 30 2024 support - 4.8.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html +* Fri Dec 15 2023 support - 4.8.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html +* Tue Dec 05 2023 support - 4.7.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html +* Tue Nov 21 2023 support - 4.7.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-0.html +* Tue Oct 31 2023 support - 4.6.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html +* Tue Oct 24 2023 support - 4.5.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-4.html +* Tue Oct 10 2023 support - 4.5.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html +* Thu Aug 31 2023 support - 4.5.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html +* Thu Aug 24 2023 support - 4.5.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5.1.html +* Thu Aug 10 2023 support - 4.5.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html +* Mon Jul 10 2023 support - 4.4.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html +* Tue Jun 13 2023 support - 4.4.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html +* Thu May 25 2023 support - 4.4.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html +* Mon May 08 2023 support - 4.4.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html +* Mon Apr 17 2023 support - 4.4.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html +* Wed Jan 18 2023 support - 4.4.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html +* Thu Nov 10 2022 support - 4.3.10 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html +* Mon Oct 03 2022 support - 4.3.9 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html +* Mon Sep 19 2022 support - 4.3.8 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html +* Mon Aug 08 2022 support - 4.3.7 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-7.html +* Thu Jul 07 2022 support - 4.3.6 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html +* Wed Jun 29 2022 support - 4.3.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-5.html +* Tue Jun 07 2022 support - 4.3.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html +* Tue May 31 2022 support - 4.3.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html +* Mon May 30 2022 support - 4.3.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html +* Wed May 18 2022 support - 4.3.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html +* Thu May 05 2022 support - 4.3.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html \ No newline at end of file diff --git a/distribution/packages/src/rpm/wazuh-indexer.rpm.spec b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec new file mode 100644 index 0000000000000..c1f196577212a --- /dev/null +++ b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec @@ -0,0 +1,274 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# No build, no debuginfo +%define debug_package %{nil} + +# Disable brp-java-repack-jars, so jars will not be decompressed and repackaged +%define __jar_repack 0 + +# Generate digests, 8 means algorithm of sha256 +# This is different from rpm sig algorithm +# Requires rpm version 4.12 + to generate but b/c run on older versions +%define _source_filedigest_algorithm 8 +%define _binary_filedigest_algorithm 8 + +# Fixed in Fedora: +# https://www.endpointdev.com/blog/2011/10/rpm-building-fedoras-sharedstatedir/ +%define _sharedstatedir /var/lib + +# User Define Variables +%define product_dir %{_datadir}/%{name} +%define config_dir %{_sysconfdir}/%{name} +%define data_dir %{_sharedstatedir}/%{name} +%define log_dir %{_localstatedir}/log/%{name} +%define pid_dir %{_localstatedir}/run/%{name} +%{!?_version: %define _version 0.0.0 } +%{!?_architecture: %define _architecture x86_64 } + +Name: wazuh-indexer +Version: %{_version} +Release: 1 +License: Apache-2.0 +Summary: An open source distributed and RESTful search engine +URL: https://www.wazuh.com/ +Vendor: Wazuh, Inc +Packager: Wazuh, Inc +Group: Application/Internet +ExclusiveArch: %{_architecture} +AutoReqProv: no + +%description +Wazuh indexer is a near real-time full-text search and analytics engine that +gathers security-related data into one platform. This Wazuh central component +indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be +configured as a single-node or multi-node cluster, providing scalability and +high availability. +For more information, see: https://www.wazuh.com/ + +%prep +# No-op. We are using dir so no need to setup. + +%build +# No-op. This is all pre-built Java. Nothing to do here. + +%install +set -e +cd %{_topdir} && pwd +# Create necessary directories +mkdir -p %{buildroot}%{pid_dir} +mkdir -p %{buildroot}%{product_dir}/plugins +# Install directories/files +cp -a etc usr var %{buildroot} +chmod 0755 %{buildroot}%{product_dir}/bin/* +if [ -d %{buildroot}%{product_dir}/plugins/opensearch-security ]; then + chmod 0755 %{buildroot}%{product_dir}/plugins/opensearch-security/tools/* +fi +# Pre-populate the folders to ensure rpm build success even without all plugins +mkdir -p %{buildroot}%{config_dir}/opensearch-observability +mkdir -p %{buildroot}%{config_dir}/opensearch-reports-scheduler +mkdir -p %{buildroot}%{product_dir}/performance-analyzer-rca +# Symlinks (do not symlink config dir as security demo installer has dependency, if no presense it will switch to rpm/deb mode) +ln -s %{data_dir} %{buildroot}%{product_dir}/data +ln -s %{log_dir} %{buildroot}%{product_dir}/logs +# Pre-populate PA configs if not present +if [ ! -f %{buildroot}%{data_dir}/rca_enabled.conf ]; then + echo 'true' > %{buildroot}%{data_dir}/rca_enabled.conf +fi +if [ ! -f %{buildroot}%{data_dir}/performance_analyzer_enabled.conf ]; then + echo 'true' > %{buildroot}%{data_dir}/performance_analyzer_enabled.conf +fi +# Change Permissions +chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/* +exit 0 + +%pre +set -e +# Stop existing service +if command -v systemctl >/dev/null && systemctl is-active %{name}.service >/dev/null; then + echo "Stop existing %{name}.service" + systemctl --no-reload stop %{name}.service +fi +if command -v systemctl >/dev/null && systemctl is-active %{name}-performance-analyzer.service >/dev/null; then + echo "Stop existing %{name}-performance-analyzer.service" + systemctl --no-reload stop %{name}-performance-analyzer.service +fi +# Create user and group if they do not already exist. +getent group %{name} > /dev/null 2>&1 || groupadd -r %{name} +getent passwd %{name} > /dev/null 2>&1 || \ + useradd -r -g %{name} -M -s /sbin/nologin \ + -c "%{name} user/group" %{name} +exit 0 + +%post +set -e +# Apply Security Settings +if [ -d %{product_dir}/plugins/opensearch-security ]; then + sh %{product_dir}/plugins/opensearch-security/tools/install_demo_configuration.sh -y -i -s > %{log_dir}/install_demo_configuration.log 2>&1 +fi +chown -R %{name}.%{name} %{config_dir} +chown -R %{name}.%{name} %{log_dir} +# Apply PerformanceAnalyzer Settings +chmod a+rw /tmp +if ! grep -q '## OpenSearch Performance Analyzer' %{config_dir}/jvm.options; then + # Add Performance Analyzer settings in %{config_dir}/jvm.options + CLK_TCK=`/usr/bin/getconf CLK_TCK` + echo >> %{config_dir}/jvm.options + echo '## OpenSearch Performance Analyzer' >> %{config_dir}/jvm.options + echo "-Dclk.tck=$CLK_TCK" >> %{config_dir}/jvm.options + echo "-Djdk.attach.allowAttachSelf=true" >> %{config_dir}/jvm.options + echo "-Djava.security.policy=file://%{config_dir}/opensearch-performance-analyzer/opensearch_security.policy" >> %{config_dir}/jvm.options + echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> %{config_dir}/jvm.options +fi +# Reload systemctl daemon +if command -v systemctl > /dev/null; then + systemctl daemon-reload +fi +# Reload other configs +if command -v systemctl > /dev/null; then + systemctl restart systemd-sysctl.service || true +fi + +if command -v systemd-tmpfiles > /dev/null; then + systemd-tmpfiles --create %{name}.conf +fi + +# Messages +echo "### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd" +echo " sudo systemctl daemon-reload" +echo " sudo systemctl enable opensearch.service" +echo "### You can start opensearch service by executing" +echo " sudo systemctl start opensearch.service" +if [ -d %{product_dir}/plugins/opensearch-security ]; then + echo "### Create opensearch demo certificates in %{config_dir}/" + echo " See demo certs creation log in %{log_dir}/install_demo_configuration.log" +fi +echo "### Upcoming breaking change in packaging" +echo " In a future release of OpenSearch, we plan to change the permissions associated with access to installed files" +echo " If you are configuring tools that require read access to the OpenSearch configuration files, we recommend you add the user that runs these tools to the 'opensearch' group" +echo " For more information, see https://github.com/opensearch-project/opensearch-build/pull/4043" +exit 0 + +%preun +set -e +if command -v systemctl >/dev/null && systemctl is-active %{name}.service >/dev/null; then + echo "Stop existing %{name}.service" + systemctl --no-reload stop %{name}.service +fi +if command -v systemctl >/dev/null && systemctl is-active %{name}-performance-analyzer.service >/dev/null; then + echo "Stop existing %{name}-performance-analyzer.service" + systemctl --no-reload stop %{name}-performance-analyzer.service +fi +exit 0 + +%files +# Permissions +%defattr(-, %{name}, %{name}) + +# Root dirs/docs/licenses +%dir %{product_dir} +%doc %{product_dir}/NOTICE.txt +%doc %{product_dir}/README.md +%license %{product_dir}/LICENSE.txt + +# Config dirs/files +%dir %{config_dir} +%{config_dir}/jvm.options.d +%{config_dir}/opensearch-* +%config(noreplace) %{config_dir}/opensearch.yml +%config(noreplace) %{config_dir}/jvm.options +%config(noreplace) %{config_dir}/log4j2.properties +%config(noreplace) %{data_dir}/rca_enabled.conf +%config(noreplace) %{data_dir}/performance_analyzer_enabled.conf + +# Service files +%attr(0644, root, root) %{_prefix}/lib/systemd/system/%{name}.service +%attr(0644, root, root) %{_prefix}/lib/systemd/system/%{name}-performance-analyzer.service +%attr(0644, root, root) %{_sysconfdir}/init.d/%{name} +%attr(0644, root, root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%attr(0644, root, root) %config(noreplace) %{_prefix}/lib/sysctl.d/%{name}.conf +%attr(0644, root, root) %config(noreplace) %{_prefix}/lib/tmpfiles.d/%{name}.conf + +# Main dirs +%{product_dir}/bin +%{product_dir}/jdk +%{product_dir}/lib +%{product_dir}/modules +%{product_dir}/performance-analyzer-rca +%{product_dir}/plugins +%{log_dir} +%{pid_dir} +%dir %{data_dir} + +# Symlinks +%{product_dir}/data +%{product_dir}/logs + +# Wazuh additional files +%attr(440, %{name}, %{name}) %{product_dir}/VERSION +%attr(750, %{name}, %{name}) %{product_dir}/bin/indexer-security-init.sh +%attr(750, %{name}, %{name}) %{product_dir}/bin/indexer-ism-init.sh +%attr(750, %{name}, %{name}) %{product_dir}/bin/indexer-init.sh + +%changelog +* Thu Mar 28 2024 support - 4.9.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html +* Tue Jan 30 2024 support - 4.8.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html +* Fri Dec 15 2023 support - 4.8.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html +* Tue Dec 05 2023 support - 4.7.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html +* Tue Nov 21 2023 support - 4.7.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-0.html +* Tue Oct 31 2023 support - 4.6.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html +* Tue Oct 24 2023 support - 4.5.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-4.html +* Tue Oct 10 2023 support - 4.5.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html +* Thu Aug 31 2023 support - 4.5.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html +* Thu Aug 24 2023 support - 4.5.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5.1.html +* Thu Aug 10 2023 support - 4.5.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html +* Mon Jul 10 2023 support - 4.4.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html +* Tue Jun 13 2023 support - 4.4.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html +* Thu May 25 2023 support - 4.4.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html +* Mon May 08 2023 support - 4.4.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html +* Mon Apr 17 2023 support - 4.4.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html +* Wed Jan 18 2023 support - 4.4.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html +* Thu Nov 10 2022 support - 4.3.10 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html +* Mon Oct 03 2022 support - 4.3.9 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html +* Mon Sep 19 2022 support - 4.3.8 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html +* Mon Aug 08 2022 support - 4.3.7 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-7.html +* Thu Jul 07 2022 support - 4.3.6 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html +* Wed Jun 29 2022 support - 4.3.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-5.html +* Tue Jun 07 2022 support - 4.3.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html +* Tue May 31 2022 support - 4.3.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html +* Mon May 30 2022 support - 4.3.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html +* Wed May 18 2022 support - 4.3.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html +* Thu May 05 2022 support - 4.3.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html +- Initial package \ No newline at end of file diff --git a/distribution/src/config/jvm.prod.options b/distribution/src/config/jvm.prod.options index a9949d48cf3be..9a116b52d314c 100644 --- a/distribution/src/config/jvm.prod.options +++ b/distribution/src/config/jvm.prod.options @@ -79,6 +79,13 @@ # Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380) 18-:-Djava.security.manager=allow +# JDK 20+ Incubating Vector Module for SIMD optimizations; +# disabling may reduce performance on vector optimized lucene +20:--add-modules=jdk.incubator.vector + +# HDFS ForkJoinPool.common() support by SecurityManager +-Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory + ## OpenSearch Performance Analyzer -Dclk.tck=100 -Djdk.attach.allowAttachSelf=true diff --git a/distribution/src/config/security/internal_users.yml b/distribution/src/config/security/internal_users.yml index 1ff2c8c23a151..44ae613e8bb19 100644 --- a/distribution/src/config/security/internal_users.yml +++ b/distribution/src/config/security/internal_users.yml @@ -17,10 +17,17 @@ admin: - "admin" description: "Demo admin user" +anomalyadmin: + hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." + reserved: false + opendistro_security_roles: + - "anomaly_full_access" + description: "Demo anomaly admin user, using internal role" + kibanaserver: hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." reserved: true - description: "Demo kibanaserver user" + description: "Demo OpenSearch Dashboards user" kibanaro: hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" @@ -32,25 +39,25 @@ kibanaro: attribute1: "value1" attribute2: "value2" attribute3: "value3" - description: "Demo kibanaro user" + description: "Demo read only user, using external role mapping" logstash: hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" reserved: false backend_roles: - "logstash" - description: "Demo logstash user" + description: "Demo logstash user, using external role mapping" readall: hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" reserved: false backend_roles: - "readall" - description: "Demo readall user" + description: "Demo readall user, using external role mapping" snapshotrestore: hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" reserved: false backend_roles: - "snapshotrestore" - description: "Demo snapshotrestore user" + description: "Demo snapshotrestore user, using external role mapping" diff --git a/distribution/src/config/security/roles.yml b/distribution/src/config/security/roles.yml index d64d6228ec29e..de6c91906fd1d 100644 --- a/distribution/src/config/security/roles.yml +++ b/distribution/src/config/security/roles.yml @@ -2,7 +2,7 @@ _meta: type: "roles" config_version: 2 -# Restrict users so they can only view visualization and dashboard on kibana +# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards kibana_read_only: reserved: true @@ -10,6 +10,20 @@ kibana_read_only: security_rest_api_access: reserved: true +security_rest_api_full_access: + reserved: true + cluster_permissions: + - 'restapi:admin/actiongroups' + - 'restapi:admin/allowlist' + - 'restapi:admin/config/update' + - 'restapi:admin/internalusers' + - 'restapi:admin/nodesdn' + - 'restapi:admin/roles' + - 'restapi:admin/rolesmapping' + - 'restapi:admin/ssl/certs/info' + - 'restapi:admin/ssl/certs/reload' + - 'restapi:admin/tenants' + # Allows users to view monitors, destinations and alerts alerting_read_access: reserved: true @@ -18,12 +32,17 @@ alerting_read_access: - 'cluster:admin/opendistro/alerting/destination/get' - 'cluster:admin/opendistro/alerting/monitor/get' - 'cluster:admin/opendistro/alerting/monitor/search' + - 'cluster:admin/opensearch/alerting/findings/get' + - 'cluster:admin/opensearch/alerting/workflow/get' + - 'cluster:admin/opensearch/alerting/workflow_alerts/get' # Allows users to view and acknowledge alerts alerting_ack_alerts: reserved: true cluster_permissions: - 'cluster:admin/opendistro/alerting/alerts/*' + - 'cluster:admin/opendistro/alerting/chained_alerts/*' + - 'cluster:admin/opendistro/alerting/workflow_alerts/*' # Allows users to use all alerting functionality alerting_full_access: @@ -31,6 +50,8 @@ alerting_full_access: cluster_permissions: - 'cluster_monitor' - 'cluster:admin/opendistro/alerting/*' + - 'cluster:admin/opensearch/alerting/*' + - 'cluster:admin/opensearch/notifications/feature/publish' index_permissions: - index_patterns: - '*' @@ -48,6 +69,8 @@ anomaly_read_access: - 'cluster:admin/opendistro/ad/detectors/get' - 'cluster:admin/opendistro/ad/result/search' - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' # Allows users to use all Anomaly Detection functionality anomaly_full_access: @@ -63,6 +86,41 @@ anomaly_full_access: - 'indices:admin/aliases/get' - 'indices:admin/mappings/get' +# Allow users to execute read only k-NN actions +knn_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to use all k-NN functionality +knn_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_training_model_action' + - 'cluster:admin/knn_training_job_router_action' + - 'cluster:admin/knn_training_job_route_decision_info_action' + - 'cluster:admin/knn_warmup_action' + - 'cluster:admin/knn_delete_model_action' + - 'cluster:admin/knn_remove_model_from_cache_action' + - 'cluster:admin/knn_update_model_graveyard_action' + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to execute read only ip2geo datasource action +ip2geo_datasource_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/get' + +# Allow users to use all ip2geo datasource action +ip2geo_datasource_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/*' + # Allows users to read Notebooks notebooks_read_access: reserved: true @@ -80,6 +138,34 @@ notebooks_full_access: - 'cluster:admin/opendistro/notebooks/get' - 'cluster:admin/opendistro/notebooks/list' +# Allows users to read observability objects +observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all Observability functionality +observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all PPL functionality +ppl_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ppl' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mappings/get' + - 'indices:data/read/search*' + - 'indices:monitor/settings/get' + # Allows users to read and download Reports reports_instances_read_access: reserved: true @@ -129,6 +215,164 @@ asynchronous_search_read_access: cluster_permissions: - 'cluster:admin/opendistro/asynchronous_search/get' +# Allows user to use all index_management actions - ism policies, rollups, transforms +index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + - "cluster:admin/opensearch/controlcenter/lron/*" + - "cluster:admin/opensearch/notifications/channels/get" + - "cluster:admin/opensearch/notifications/feature/publish" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + +# Allows users to use all cross cluster replication functionality at leader cluster +cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - "indices:data/read/plugins/replication/file_chunk" + +# Allows users to use all cross cluster replication functionality at follower cluster +cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + +# Allows users to use all cross cluster search functionality at remote cluster +cross_cluster_search_remote_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/shards/search_shards' + - 'indices:data/read/search' + +# Allow users to read ML stats/models/tasks +ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/stats/nodes' + - 'cluster:admin/opensearch/ml/model_groups/search' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + +# Allows users to use all ML functionality +ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + +# Allows users to use all Notifications functionality +notifications_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/*' + +# Allows users to read Notifications config/channels +notifications_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + +# Allows users to use all snapshot management functionality +snapshot_management_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + - 'cluster:admin/repository/*' + - 'cluster:admin/snapshot/*' + +# Allows users to see snapshots, repositories, and snapshot management policies +snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + +# Allows user to use point in time functionality +point_in_time_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'manage_point_in_time' + +# Allows users to see security analytics detectors and others +security_analytics_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/correlations/findings' + - 'cluster:admin/opensearch/securityanalytics/correlations/list' + - 'cluster:admin/opensearch/securityanalytics/detector/get' + - 'cluster:admin/opensearch/securityanalytics/detector/search' + - 'cluster:admin/opensearch/securityanalytics/findings/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' + - 'cluster:admin/opensearch/securityanalytics/rule/get' + - 'cluster:admin/opensearch/securityanalytics/rule/search' + +# Allows users to use all security analytics functionality +security_analytics_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/correlations/*' + - 'cluster:admin/opensearch/securityanalytics/detector/*' + - 'cluster:admin/opensearch/securityanalytics/findings/*' + - 'cluster:admin/opensearch/securityanalytics/mapping/*' + - 'cluster:admin/opensearch/securityanalytics/rule/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/get' + +# Allows users to view and acknowledge alerts +security_analytics_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + # Wazuh monitoring and statistics index permissions manage_wazuh_index: reserved: true diff --git a/docker/images/.dockerignore b/docker/images/.dockerignore index 058a889d5f239..96d12ad527ea5 100644 --- a/docker/images/.dockerignore +++ b/docker/images/.dockerignore @@ -1,4 +1,5 @@ artifacts/ +.git/ # intellij files .idea/ diff --git a/scripts/README.md b/scripts/README.md new file mode 100644 index 0000000000000..e71941bed4085 --- /dev/null +++ b/scripts/README.md @@ -0,0 +1,124 @@ +# `wazuh-indexer` packages generation guide + +The packages' generation process consists on 2 steps: + +* **Build**: compiles the Java application and bundles it into a package. +* **Assembly**: uses the package from the previous step and inflates it with plugins and +configuration files, ready for production deployment. + +We usually generate the packages using GitHub Actions, however, the process is designed to +be independent enough for maximum portability. GitHub Actions provides infrastructure, while +the building process is self-contained in the application code. + +Each section includes instructions to generate packages locally, using Act or Docker. + +- [Install Act](https://github.com/nektos/act) + +## Build + +... +... + +#### Act (GitHub Workflow locally) + +```console +act -j build -W .github/workflows/build.yml --artifact-server-path ./artifacts + +[Build slim packages/build] 🏁 Job succeeded +``` + + +#### Running in Docker + +Within the [Docker environment](../docker): + +```console +bash scripts/build.sh -v 2.11.0 -s false -p linux -a {x64|arm64} -d {rpm|deb|tar} +``` + +The generated package is sent to `artifacts/` + + +## Assemble + + + +### RPM + +The `assemble.sh` script will use the output from the `build.sh` script and use it as a +base to bundle together a final package containing the plugins, the production configuration +and the service files. + +The script will: + +- Extract the rpm package using `rpm2cpio` and `cpio` tools. + + > By default, `rpm2cpio` and `cpio` tools expect the package to be in `wazuh-indexer/artifacts/tmp/rpm`. The script takes care of creating the required folder structure, copying also the min package and the SPEC file. + + Current folder loadout at this stage: + ``` + /rpm/$ARCH + /etc + /usr + /var + wazuh-indexer-min-*.rpm + wazuh-indexer.rpm.spec + ``` + + `usr`, `etc` and `var` folders contain `wazuh-indexer` files, extracted from `wazuh-indexer-min-*.rpm`. + `wazuh-indexer.rpm.spec` is copied over from `wazuh-indexer/distribution/packages/src/rpm/wazuh-indexer.rpm.spec`. + The `wazuh-indexer-performance-analyzer.service` file is also copied from the same folder. It is a dependency of the SPEC file. + +- Install the plugins using the `opensearch-plugin` CLI tool. +- Set up configuration files. + + > Included in `min-package`. Default files are overwritten. + +- Bundle an RPM file with `rpmbuild` and the SPEC file `wazuh-indexer.rpm.spec`. + - `rpmbuild` is part of the `rpm` OS package. + + > `rpmbuild` is invoked from `wazuh-indexer/artifacts/tmp/rpm`. It creates the {BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP} folders and applies the rules in the SPEC file. If successful, `rpmbuild` will generate the package in the `RPMS/` folder. The script will copy it to `wazuh-indexer/artifacts/dist` and clean: remove the `tmp\` folder and its contents. + + Current folder loadout at this stage: + ``` + /rpm/$ARCH + /{BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP} + /etc + /usr + /var + wazuh-indexer-min-*.rpm + wazuh-indexer.rpm.spec + ``` + +### Running in Act + +```console +act -j assemble -W .github/workflows/build.yml --artifact-server-path ./artifacts --matrix distribution:rpm --matrix architecture:x64 --var OPENSEARCH_VERSION=2.11.0 + +[Build slim packages/build] 🏁 Job succeeded +``` + +#### Running in Docker + +Pre-requisites: + +* Current directory: `wazuh-indexer/` +* Existing rpm package in `wazuh-indexer/artifacts/dist/rpm`, as a result of the _Build_ stage. + +```console +MIN_PKG_PATH="./artifacts" +docker run --rm \ + -v ./scripts/:/home/wazuh-indexer/scripts \ + -v $MIN_PKG_PATH:/home/wazuh-indexer/artifacts \ + -v ./distribution/packages/src:/home/wazuh-indexer/distribution/packages/src \ + -w /home/wazuh-indexer \ + -it ubuntu:jammy /bin/bash + +apt-get update +apt-get install -y rpm2cpio rpm cpio +bash scripts/assemble.sh -v 2.11.0 -p linux -a x64 -d rpm +``` + diff --git a/scripts/assemble.sh b/scripts/assemble.sh new file mode 100755 index 0000000000000..dba52e4181d8c --- /dev/null +++ b/scripts/assemble.sh @@ -0,0 +1,283 @@ +#!/bin/bash + +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +set -ex + +plugins=( + "alerting" # "opensearch-alerting" + "opensearch-job-scheduler" + "opensearch-anomaly-detection" # requires "opensearch-job-scheduler" + "asynchronous-search" # "opensearch-asynchronous-search" + "opensearch-cross-cluster-replication" + "geospatial" # "opensearch-geospatial" + "opensearch-index-management" + "opensearch-knn" + "opensearch-ml-plugin" # "opensearch-ml" + "neural-search" # "opensearch-neural-search" + "opensearch-notifications-core" + "notifications" # "opensearch-notifications" requires "opensearch-notifications-core" + "opensearch-observability" + "performance-analyzer" # "opensearch-performance-analyzer" + "opensearch-reports-scheduler" + "opensearch-security" + "opensearch-security-analytics" + "opensearch-sql-plugin" # "opensearch-sql" +) + +function usage() { + echo "Usage: $0 [args]" + echo "" + echo "Arguments:" + echo -e "-v VERSION\t[Required] OpenSearch version." + echo -e "-q QUALIFIER\t[Optional] Version qualifier." + echo -e "-p PLATFORM\t[Optional] Platform, default is 'uname -s'." + echo -e "-a ARCHITECTURE\t[Optional] Build architecture, default is 'uname -m'." + echo -e "-d DISTRIBUTION\t[Optional] Distribution, default is 'tar'." + echo -e "-o OUTPUT\t[Optional] Output path, default is 'artifacts'." + echo -e "-h help" +} + +while getopts ":h:v:q:o:p:a:d:" arg; do + case $arg in + h) + usage + exit 1 + ;; + v) + VERSION=$OPTARG + ;; + q) + QUALIFIER=$OPTARG + ;; + o) + OUTPUT=$OPTARG + ;; + p) + PLATFORM=$OPTARG + ;; + a) + ARCHITECTURE=$OPTARG + ;; + d) + DISTRIBUTION=$OPTARG + ;; + :) + echo "Error: -${OPTARG} requires an argument" + usage + exit 1 + ;; + ?) + echo "Invalid option: -${arg}" + exit 1 + ;; + esac +done + +if [ -z "$VERSION" ]; then + echo "Error: You must specify the OpenSearch version" + usage + exit 1 +fi + +[ -z "$OUTPUT" ] && OUTPUT=artifacts + +# Assemble distribution artifact +# see https://github.com/opensearch-project/OpenSearch/blob/main/settings.gradle#L34 for other distribution targets + +[ -z "$PLATFORM" ] && PLATFORM=$(uname -s | awk '{print tolower($0)}') +[ -z "$ARCHITECTURE" ] && ARCHITECTURE=$(uname -m) +[ -z "$DISTRIBUTION" ] && DISTRIBUTION="tar" + +case $PLATFORM-$DISTRIBUTION-$ARCHITECTURE in + linux-tar-x64 | darwin-tar-x64) + PACKAGE="tar" + EXT="tar.gz" + # TYPE="archives" + TARGET="$PLATFORM-$PACKAGE" + SUFFIX="$PLATFORM-x64" + ;; + linux-tar-arm64 | darwin-tar-arm64) + PACKAGE="tar" + EXT="tar.gz" + # TYPE="archives" + TARGET="$PLATFORM-arm64-$PACKAGE" + SUFFIX="$PLATFORM-arm64" + ;; + linux-deb-x64) + PACKAGE="deb" + EXT="deb" + # TYPE="packages" + TARGET="deb" + SUFFIX="amd64" + ;; + linux-deb-arm64) + PACKAGE="deb" + EXT="deb" + # TYPE="packages" + TARGET="arm64-deb" + SUFFIX="arm64" + ;; + linux-rpm-x64) + PACKAGE="rpm" + EXT="rpm" + # TYPE="packages" + TARGET="rpm" + SUFFIX="x86_64" + ;; + linux-rpm-arm64) + PACKAGE="rpm" + EXT="rpm" + # TYPE="packages" + TARGET="arm64-rpm" + SUFFIX="aarch64" + ;; + # windows-zip-x64) + # PACKAGE="zip" + # EXT="zip" + # # TYPE="archives" + # TARGET="$PLATFORM-$PACKAGE" + # SUFFIX="$PLATFORM-x64" + # ;; + # windows-zip-arm64) + # PACKAGE="zip" + # EXT="zip" + # # TYPE="archives" + # TARGET="$PLATFORM-arm64-$PACKAGE" + # SUFFIX="$PLATFORM-arm64" + # ;; + *) + echo "Unsupported platform-distribution-architecture combination: $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" + exit 1 + ;; +esac + +echo "Assembling OpenSearch for $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" +# wazuh-indexer-min_4.9.0-1-x64_78fcc3db6a5b470294319e48b58c3d715bee39d1.rpm +ARTIFACT_BUILD_NAME=$(ls "${OUTPUT}/dist/" | grep "wazuh-indexer-min.*.$EXT") + +# Create temporal directory and copy the min package there for extraction +TMP_DIR="${OUTPUT}/tmp/${TARGET}" +mkdir -p "$TMP_DIR" +cp "${OUTPUT}/dist/$ARTIFACT_BUILD_NAME" "${TMP_DIR}" + +function assemble_tar() { + cd "${TMP_DIR}" + PATH_CONF="./config" + PATH_BIN="./bin" + + # Step 1: extract + echo "Extract ${ARTIFACT_BUILD_NAME} archive" + tar -zvxf "${ARTIFACT_BUILD_NAME}" + cd "$(ls -d wazuh-indexer-*/)" + + # Step 2: install plugins + echo "Install plugins" + for plugin in "${plugins[@]}"; do + plugin_from_maven="org.opensearch.plugin:${plugin}:$VERSION.0" + "${PATH_BIN}/opensearch-plugin" install --batch --verbose "${plugin_from_maven}" + done + + # Step 3: swap configuration files + cp $PATH_CONF/security/* $PATH_CONF/opensearch-security/ + cp $PATH_CONF/jvm.prod.options $PATH_CONF/jvm.options + cp $PATH_CONF/opensearch.prod.yml $PATH_CONF/opensearch.yml + + rm -r $PATH_CONF/security + rm $PATH_CONF/jvm.prod.options $PATH_CONF/opensearch.prod.yml + + # Step 4: pack + archive_name="wazuh-indexer-$(cat VERSION)" + cd .. + tar -cvf "${archive_name}-${SUFFIX}.${EXT}" "${archive_name}" + cd ../../.. + cp "${TMP_DIR}/${archive_name}-${SUFFIX}.${EXT}" "${OUTPUT}/dist/" + + echo "Cleaning temporary ${TMP_DIR} folder" + rm -r "${TMP_DIR}" + echo "After execution, shell path is $(pwd)" +} + + +function assemble_rpm() { + # Copy spec + cp "distribution/packages/src/rpm/wazuh-indexer.rpm.spec" "${TMP_DIR}" + # Copy performance analyzer service file + mkdir -p "${TMP_DIR}"/usr/lib/systemd/system + cp "distribution/packages/src/rpm/wazuh-indexer-performance-analyzer.service" "${TMP_DIR}"/usr/lib/systemd/system + + cd "${TMP_DIR}" + PATH_CONF="./etc/wazuh-indexer" + PATH_BIN="./usr/share/wazuh-indexer/bin" + + # Extract min-package. Creates usr/, etc/ and var/ in the current directory + echo "Extract ${ARTIFACT_BUILD_NAME} archive" + rpm2cpio "${ARTIFACT_BUILD_NAME}" | cpio -imdv + + # Install plugins from Maven repository + echo "Install plugins" + for plugin in "${plugins[@]}"; do + plugin_from_maven="org.opensearch.plugin:${plugin}:$VERSION.0" + OPENSEARCH_PATH_CONF=$PATH_CONF "${PATH_BIN}/opensearch-plugin" install --batch --verbose "${plugin_from_maven}" + done + + # Set up configuration files + cp $PATH_CONF/security/* $PATH_CONF/opensearch-security/ + cp $PATH_CONF/jvm.prod.options $PATH_CONF/jvm.options + cp $PATH_CONF/opensearch.prod.yml $PATH_CONF/opensearch.yml + + rm -r $PATH_CONF/security + rm $PATH_CONF/jvm.prod.options $PATH_CONF/opensearch.prod.yml + + # Remove symbolic links and bat files + find . -type l -exec rm -rf {} \; + find . -name "*.bat" -exec rm -rf {} \; + + # Generate final package + local topdir + local version + local spec_file="wazuh-indexer.rpm.spec" + topdir=$(pwd) + version=$(cat ./usr/share/wazuh-indexer/VERSION) + # TODO validate architecture + rpmbuild --bb \ + --define "_topdir ${topdir}" \ + --define "_version ${version}" \ + --define "_architecture ${SUFFIX}" \ + ${spec_file} + + # Move to the root folder, copy the package and clean. + cd ../../.. + package_name="wazuh-indexer-${version}-1.${SUFFIX}.${EXT}" + cp "${TMP_DIR}/RPMS/${SUFFIX}/${package_name}" "${OUTPUT}/dist/" + + echo "Cleaning temporary ${TMP_DIR} folder" + rm -r "${TMP_DIR}" + echo "After execution, shell path is $(pwd)" + # Store package's name to file. Used by GH Action. + echo "${package_name}" > "${OUTPUT}/artifact_name.txt" +} + +case $SUFFIX.$EXT in + linux-arm64.tar.gz) + assemble_tar + ;; + linux-x64.tar.gz) + assemble_tar + ;; + aarch64.rpm) + assemble_rpm + ;; + x86_64.rpm) + assemble_rpm + ;; + amd64.deb) + ;; + arm64.deb) + ;; +esac