Implement ElastAlert and enhance frontend navigation

Author: codeyourweb

.env

@@ -7,10 +7,10 @@ SENTINELKIT_KIBANA_HOSTNAME=kibana.sentinel-kit.local
 SENTINELKIT_GRAFANA_HOSTNAME=grafana.sentinel-kit.local
 SENTINELKIT_DATAMONITOR_SERVER_TOKEN=9561ffd1b6de615286b9e52a9d5bc3226970449700c9461bdbe4225730b47b20
 BACKEND_JWT_PASSPHRASE=f164cfc913d2faf65a1b7bc8ccd4aa8b11b5958bce7c20c8cf159a576f8a75f7
-MYSQL_ROOT_PASSWORD=sentinel-kit_r00tp4ssw0rd
-MYSQL_EXPORTER_PASSWORD=sentinel-kit_3xp0rt3rp4ssw0rd
-MYSQL_USER=sentinel-kit_user
-MYSQL_PASSWORD=sentinel-kit_passwd
+MYSQL_ROOT_PASSWORD=sentinel-kit_mysql_r00tp4ssw0rd
+MYSQL_EXPORTER_PASSWORD=sentinel-kit_mysql_3xp0rt3rp4ssw0rd
+MYSQL_USER=sentinel-kit_mysql_user
+MYSQL_PASSWORD=sentinel-kit_mysql_passwd
 MYSQL_DATABASE=sentinel-kit_db
 GF_SECURITY_ADMIN_USER=sentinel-kit_grafana_admin
 GF_SECURITY_ADMIN_PASSWORD=sentinel-kit_grafana_password

.gitignore

@@ -4,6 +4,7 @@
 /config/caddy_server/certificates/*
 /config/yara_ruleset/*
 /config/sigma_ruleset/*
+/config/elastalert_ruleset/*
 /config/backend/*
 /data/caddy_logs/*
 /data/ftp_data/*
@@ -19,6 +20,7 @@
 /sentinel-kit_server_frontend/node_modules/*
 /sentinel-kit_server_frontend/package-lock.json
 /sentinel-kit_server_backend/composer.lock
+/sentinel-kit_server_backend/.initial_setup_done
 /sentinel-kit_server_backend/migrations/*
 /sentinel-kit_server_backend/var/*
 /sentinel-kit_server_backend/vendor/*

clean-user-data.ps1

@@ -1,6 +1,7 @@
 Remove-Item ./config/backend/.initial_setup_done -Force
 Remove-Item ./config/caddy_server/certificates/* -Recurse -Force
 Remove-Item ./sentinel-kit_server_backend/config/jwt/*.pem -Force
+Remove-Item ./sentinel-kit_server_backend/.initial_setup_done -Force
 Remove-Item ./data/caddy_logs/* -Recurse -Force
 Remove-Item ./data/ftp_data/* -Recurse -Force
 Remove-Item ./data/grafana/* -Recurse -Force

clean-user-data.sh

@@ -1,6 +1,7 @@
 rm -f ./config/backend/.initial_setup_done
 rm -rf ./config/caddy_server/certificates/*
 rm -f ./sentinel-kit_server_backend/config/jwt/*.pem
+rm -f ./sentinel-kit_server_backend/.initial_setup_done
 rm -rf ./data/caddy_logs/*
 rm -rf ./data/ftp_data/*
 rm -rf ./data/grafana/*

config/docker-config/Dockerfile.backend

@@ -4,17 +4,26 @@ RUN apk update && \
     apk add --no-cache icu-dev zip libzip-dev bash && \
     docker-php-ext-install intl pdo pdo_mysql zip
 
-RUN apk add --no-cache libpng-dev libjpeg-turbo-dev libwebp-dev libxpm-dev freetype-dev && \
+RUN apk add --no-cache libpng-dev libjpeg-turbo-dev libwebp-dev libxpm-dev freetype-dev python3 pipx && \
     docker-php-ext-configure gd --with-freetype --with-jpeg --with-webp --with-xpm && \
     docker-php-ext-install gd
 
+RUN export PIPX_GLOBAL_HOME=/opt/pipx && export PIPX_GLOBAL_BIN_DIR=/usr/local/bin
+
+RUN pipx ensurepath && pipx install sigma-cli --global && \
+    /usr/local/bin/sigma plugin install elasticsearch
+
+RUN mkdir /detection-rules
+
 COPY config/docker-config/uploads.ini /usr/local/etc/php/conf.d/uploads.ini
 
 RUN curl -1sLf 'https://dl.cloudsmith.io/public/symfony/stable/setup.alpine.sh' | bash && \
     apk add symfony-cli
 
-RUN cd /var/www/html && \
-    curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
 
+RUN chown -R www-data:www-data /var/www/html && chown -R www-data:www-data /detection-rules
+# Note: We start as root to fix permissions of mounted volumes, then switch to www-data in entrypoint
 WORKDIR /var/www/html
-CMD ["php-fpm"]
+
+ENTRYPOINT ["/bin/sh", "-c", "/opt/server-backend/backend-entrypoint.sh"]

config/docker-config/Dockerfile.scanner

@@ -0,0 +1,35 @@
+FROM python:3.12-alpine
+
+RUN apk update \
+    && apk add --no-cache \
+       bash \
+       git \
+       pipx \
+       build-base \
+       mysql-client \
+       mysql-dev \
+    && rm -rf /var/cache/apk/*
+
+WORKDIR /app
+RUN adduser -D appuser
+
+RUN export PIPX_GLOBAL_HOME=/opt/pipx && export PIPX_GLOBAL_BIN_DIR=/usr/local/bin
+
+RUN pipx ensurepath && pipx install sigma-cli --global && \
+    /usr/local/bin/sigma plugin install elasticsearch && \
+    pip install --upgrade pip && \
+    pip install setuptools wheel PyYAML requests urllib3 && \
+    git clone https://github.com/jertel/elastalert2.git && \
+    cd elastalert2 && \
+    pip install -r requirements.txt && \
+    python setup.py install
+
+COPY ./config/docker-config/scanner-entrypoint.sh /usr/local/bin/scanner-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/scanner-entrypoint.sh
+
+RUN chown -R appuser:appuser /app    
+
+USER appuser
+
+ENTRYPOINT ["/bin/bash", "/usr/local/bin/scanner-entrypoint.sh"]

config/docker-config/backend-entrypoint.sh

@@ -1,7 +1,12 @@
 #!/bin/sh
-MARKER_FILE="/opt/server-backend/.initial_setup_done"
+chown -R www-data:www-data /var/www/html
+chown -R www-data:www-data /detection-rules
+
+su -s /bin/sh www-data << 'EOF'
+MARKER_FILE="/var/www/html/.initial_setup_done"
 rm -rf /var/www/html/var/cache
 rm -rf /var/www/html/public/bundles
+rm -rf /detection-rules/elastalert/*
 composer install
 if [ ! -f "$MARKER_FILE" ]; then
 echo "Running initial setup..."
@@ -15,4 +20,5 @@ php /var/www/html/bin/console lexik:jwt:check-config
 touch "$MARKER_FILE"
 fi
 echo "Starting Symfony server..."
-symfony server:start --allow-http --port=8000 --listen-ip='0.0.0.0'
+symfony server:start --allow-http --port=8000 --listen-ip='0.0.0.0'
+EOF

config/docker-config/scanner-entrypoint.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+echo "Starting ElastAlert with Prometheus monitoring..."
+
+export ELASTALERT_CONFIG_FILE="/app/elastalert_config.yml"
+export ELASTALERT_CONFIG_PROCESSED="/app/elastalert_config_processed.yml"
+export PROMETHEUS_PORT="9091"
+
+echo "Setting up SSL certificates..."
+mkdir -p /app/certs/ca
+
+if [ -f "/app/certs/ca/ca.crt" ]; then
+    echo "SSL certificate found, using verify_certs=true"
+else
+    echo "WARNING: SSL certificate not found, falling back to verify_certs=false"
+    sed 's/verify_certs: true/verify_certs: false/' "$ELASTALERT_CONFIG_FILE" > "$ELASTALERT_CONFIG_PROCESSED"
+    sed -i '/ca_certs:/d' "$ELASTALERT_CONFIG_PROCESSED"
+    export ELASTALERT_CONFIG_FILE="$ELASTALERT_CONFIG_PROCESSED"
+fi
+
+echo "Starting in daemon mode..."
+
+if [ ! -f "$ELASTALERT_CONFIG_FILE" ]; then
+    echo "ERROR: Configuration file not found: $ELASTALERT_CONFIG_FILE"
+    exit 1
+fi
+
+echo "Configuration file found: $ELASTALERT_CONFIG_FILE"
+echo "Testing Elasticsearch connectivity..."
+
+python3 -c "
+import yaml
+import requests
+import os
+from requests.auth import HTTPBasicAuth
+from urllib3 import disable_warnings
+from urllib3.exceptions import InsecureRequestWarning
+
+disable_warnings(InsecureRequestWarning)
+
+es_password_env = os.environ.get('ES_PASSWORD') 
+
+# Get config file path from shell argument
+config_file = '$ELASTALERT_CONFIG_FILE' 
+
+try:
+    with open(config_file, 'r') as f:
+        config = yaml.safe_load(f)
+except FileNotFoundError:
+    print(f'ERROR: Config file not found in Python: {config_file}')
+    exit(1)
+except Exception as e:
+    print(f'ERROR: Failed to load YAML: {e}')
+    exit(1)
+
+es_host = config.get('es_host')
+es_port = config.get('es_port')
+es_username = config.get('es_username')
+
+if not all([es_host, es_port, es_username, es_password_env]):
+    print('ERROR: Missing required configuration (host, port, username, or ES_PASSWORD environment variable).')
+    exit(1)
+
+url = f'https://{es_host}:{es_port}/_cluster/health'
+try:
+    # Use the password from the environment variable
+    response = requests.get(url, auth=HTTPBasicAuth(es_username, es_password_env), verify=False, timeout=10)
+    if response.status_code == 200:
+        print('SUCCESS: Elasticsearch connection successful')
+    else:
+        # Use a print statement that is compatible with older Python versions if needed
+        print('ERROR: Elasticsearch connection failed. Status code: ' + str(response.status_code))
+        exit(1)
+except Exception as e:
+    print('ERROR: Elasticsearch connection error: ' + str(e))
+    exit(1)
+"
+
+if [ $? -ne 0 ]; then
+    echo "ERROR: Elasticsearch connectivity test failed"
+    exit 1
+fi
+
+echo "Creating ElastAlert writeback index if needed..."
+elastalert-create-index --config "$ELASTALERT_CONFIG_FILE" --index elastalert_status || true
+
+echo "Starting ElastAlert daemon..."
+echo "Prometheus metrics will be available on port $PROMETHEUS_PORT"
+echo "ElastAlert UI accessible for monitoring"
+
+exec elastalert --config "$ELASTALERT_CONFIG_FILE" --verbose

config/elastalert/defaults.yml

@@ -0,0 +1,50 @@
+# Default shared configuration for all Elastalert rules
+# This file can be imported in other rules with "import:" 
+
+# Elasticsearch connection parameters
+es_conn_timeout: 30
+max_query_size: 1000
+
+# Timing parameters
+buffer_time:
+  minutes: 1
+realert:
+  minutes: 1
+
+# Index parameters
+use_strftime_index: false
+timestamp_field: '@timestamp'
+
+# Alert parameters
+priority: 1
+type: any
+
+# Fields to include in alerts
+include:
+  - _index
+  - _id
+  - '@timestamp'
+  - source
+  - message
+
+# Default alert template
+alert_text: |
+  🚨 Sentinel-Kit Alert
+  =====================
+  Rule: {rule_name}
+  Index: {0}
+  Document ID: {1}
+  Timestamp: {2}
+  Source: {3}
+  Message: {4}
+  
+alert_text_args:
+  - _index
+  - _id
+  - '@timestamp'
+  - source
+  - message
+
+# Configuration for debug alerts
+alert:
+  - debug

config/elastalert/elastalert_config.yml

@@ -0,0 +1,60 @@
+rules_folder: /app/elastalert_ruleset
+run_every:
+  seconds: 30
+buffer_time:
+  minutes: 15
+es_host: sentinel-kit-db-elasticsearch-es01
+es_port: 9200
+es_username: elastic
+use_ssl: true
+verify_certs: true
+ca_certs: /app/certs/ca/ca.crt
+writeback_index: elastalert_status
+alert_time_limit:
+  days: 2
+prometheus_port: 9091
+prometheus_host: 0.0.0.0
+
+es_conn_timeout: 60
+max_query_size: 10000
+max_aggregation: 10000
+scroll_keepalive: 1m
+
+# Default configuration for all rules
+global_defaults:
+  # Elasticsearch connection
+  es_conn_timeout: 30
+  max_query_size: 1000
+  
+  # Timing
+  buffer_time:
+    minutes: 1
+  realert:
+    minutes: 1
+    
+  # Index settings
+  use_strftime_index: false
+  timestamp_field: '@timestamp'
+  
+  # Alert settings
+  priority: 1
+  type: any
+  
+  # Fields to include in alerts
+  include:
+    - _index
+    - _id
+    - '@timestamp'
+    
+  # Default alert template
+  alert_text: |
+    Sentinel-Kit Alert
+    Rule: {rule_name}
+    Index: {0}
+    Document ID: {1}
+    Timestamp: {2}
+    
+  alert_text_args:
+    - _index
+    - _id
+    - '@timestamp'