From 6038525d4b2b44ed98136ae7c86e9d8802901261 Mon Sep 17 00:00:00 2001 From: Manuel Gutierrez Date: Thu, 9 Jan 2020 18:07:33 +0100 Subject: [PATCH] Merge wazuh container from 3.10-refactor --- wazuh/Dockerfile | 85 ++++++++----------- wazuh/config/01-config_filebeat.sh | 19 ----- wazuh/config/entrypoint.sh | 14 --- .../cont-init.d/0-wazuh-init} | 43 ++-------- .../config/etc/cont-init.d/1-config-filebeat | 31 +++++++ wazuh/config/etc/cont-init.d/2-manager | 3 + wazuh/config/etc/services.d/api/finish | 6 ++ wazuh/config/etc/services.d/api/run | 4 + wazuh/config/etc/services.d/filebeat/finish | 6 ++ wazuh/config/etc/services.d/filebeat/run | 4 + wazuh/config/filebeat.runit.service | 4 - wazuh/config/filebeat.yml | 15 ---- wazuh/config/postfix.runit.service | 4 - wazuh/config/wazuh-api.runit.service | 5 -- wazuh/config/wazuh.repo | 7 ++ wazuh/config/wazuh.runit.service | 5 -- 16 files changed, 102 insertions(+), 153 deletions(-) delete mode 100644 wazuh/config/01-config_filebeat.sh delete mode 100644 wazuh/config/entrypoint.sh rename wazuh/config/{00-wazuh.sh => etc/cont-init.d/0-wazuh-init} (67%) create mode 100644 wazuh/config/etc/cont-init.d/1-config-filebeat create mode 100644 wazuh/config/etc/cont-init.d/2-manager create mode 100644 wazuh/config/etc/services.d/api/finish create mode 100644 wazuh/config/etc/services.d/api/run create mode 100644 wazuh/config/etc/services.d/filebeat/finish create mode 100644 wazuh/config/etc/services.d/filebeat/run delete mode 100644 wazuh/config/filebeat.runit.service delete mode 100644 wazuh/config/filebeat.yml delete mode 100644 wazuh/config/postfix.runit.service delete mode 100644 wazuh/config/wazuh-api.runit.service create mode 100644 wazuh/config/wazuh.repo delete mode 100644 wazuh/config/wazuh.runit.service diff --git a/wazuh/Dockerfile b/wazuh/Dockerfile index cc813988..f3d36e52 100644 --- a/wazuh/Dockerfile +++ b/wazuh/Dockerfile 
@@ -1,51 +1,54 @@ # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -FROM phusion/baseimage:latest +FROM centos:7 -ARG FILEBEAT_VERSION=7.5.0 - -ARG WAZUH_VERSION=3.10.2-1 +ARG FILEBEAT_VERSION=7.5.1 +ARG WAZUH_VERSION=3.11.1-1 +ARG TEMPLATE_VERSION="v3.11.1" +ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz" ENV API_USER="foo" \ API_PASS="bar" -ARG TEMPLATE_VERSION="v3.10.2" # Set repositories. -RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \ - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \ - curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \ - echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \ - echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \ - groupadd -g 1000 ossec && useradd -u 1000 -g 1000 -d /var/ossec ossec +RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH -RUN add-apt-repository universe && apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \ - apt-get --no-install-recommends --no-install-suggests -y install openssl postfix bsd-mailx python-boto python-pip \ - apt-transport-https vim expect nodejs python-cryptography mailutils libsasl2-modules wazuh-manager=${WAZUH_VERSION} \ - wazuh-api=${WAZUH_VERSION} && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && rm -f \ - /var/ossec/logs/alerts/*/*/*.log && rm -f /var/ossec/logs/alerts/*/*/*.json && rm -f \ - /var/ossec/logs/archives/*/*/*.log && rm -f /var/ossec/logs/archives/*/*/*.json && rm -f \ - /var/ossec/logs/firewall/*/*/*.log && rm -f /var/ossec/logs/firewall/*/*/*.json +COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo + +RUN yum --enablerepo=updates clean metadata && \ + yum -y install openssl && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \ + curl --silent --location https://rpm.nodesource.com/setup_8.x | bash - && \ + yum -y 
install nodejs && yum -y install wazuh-api-${WAZUH_VERSION} && \ + sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \ + yum clean all && rm -rf /var/cache/yum + +RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\ + rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm + +RUN curl -so /etc/filebeat/filebeat.yml https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/filebeat/7.x/filebeat.yml &&\ + chmod go+r /etc/filebeat/filebeat.yml + +RUN curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/${TEMPLATE_VERSION}/extensions/elasticsearch/7.x/wazuh-template.json &&\ + chmod go+r /etc/filebeat/wazuh-template.json + +RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module + +ARG S6_VERSION="v1.22.1.0" +RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \ + -o /tmp/s6-overlay-amd64.tar.gz && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \ + tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \ + rm /tmp/s6-overlay-amd64.tar.gz # Adding first run script and entrypoint -COPY config/data_dirs.env /data_dirs.env -COPY config/init.bash /init.bash -RUN mkdir /entrypoint-scripts -COPY config/entrypoint.sh /entrypoint.sh -COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh -COPY config/01-config_filebeat.sh /entrypoint-scripts/01-config_filebeat.sh +COPY config/data_dirs.env config/init.bash / # Sync calls are due to https://github.com/docker/docker/issues/9547 RUN chmod 755 /init.bash && \ sync && /init.bash && \ - sync && rm /init.bash && \ - curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\ - dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f 
filebeat-${FILEBEAT_VERSION}-amd64.deb && \ - chmod 755 /entrypoint.sh && \ - chmod 755 /entrypoint-scripts/00-wazuh.sh && \ - chmod 755 /entrypoint-scripts/01-config_filebeat.sh + sync && rm /init.bash -COPY config/filebeat.yml /etc/filebeat/ -RUN chmod go-w /etc/filebeat/filebeat.yml +COPY config/etc/ /etc/ # Setting volumes VOLUME ["/var/ossec/data"] @@ -56,25 +59,9 @@ VOLUME ["/var/lib/filebeat"] # Services ports EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp -# Adding services -RUN mkdir /etc/service/wazuh && \ - mkdir /etc/service/wazuh-api && \ - mkdir /etc/service/postfix && \ - mkdir /etc/service/filebeat - -COPY config/wazuh.runit.service /etc/service/wazuh/run -COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run -COPY config/postfix.runit.service /etc/service/postfix/run -COPY config/filebeat.runit.service /etc/service/filebeat/run - -RUN chmod +x /etc/service/wazuh-api/run && \ - chmod +x /etc/service/wazuh/run && \ - chmod +x /etc/service/postfix/run && \ - chmod +x /etc/service/filebeat/run - ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat RUN chmod go-w /etc/filebeat/wazuh-template.json # Run all services -ENTRYPOINT ["/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/entrypoint.sh"] diff --git a/wazuh/config/01-config_filebeat.sh b/wazuh/config/01-config_filebeat.sh deleted file mode 100644 index 818878c0..00000000 --- a/wazuh/config/01-config_filebeat.sh +++ /dev/null 
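Review bot: None of the remote artifacts the new RUN steps download — the NodeSource `setup_8.x` script, the filebeat-oss RPM, `filebeat.yml`, `wazuh-template.json`, the wazuh-filebeat module tarball and the s6-overlay tarball — is integrity-checked, and two of them are executed or unpacked straight from the pipe as root (`curl ... setup_8.x | bash -`, `curl -s ... | tar -xvz`); `rpm -i` of the Filebeat package does not help either, since Elastic's signing key is never imported and, as far as I know, rpm only warns `NOKEY` in that case. Pin a digest for each download and verify it before use, add `--fail` to every curl so an HTTP error cannot yield an empty or HTML "artifact", and set `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` so a failed download inside a pipeline aborts the build instead of being masked by the last command. Node.js 8 reached end-of-life at the end of 2019, so the `setup_8.x` channel will not receive security fixes; if the 3.11 API still requires it, a comment saying so would save the next reader a detour. The template is also fetched twice (here via curl and again by the `ADD` retained in the next hunk); one fetch is enough. A sketch of the verified fetches for two of the downloads, the others follow the same shape:
```dockerfile
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# … unchanged: GPG key import, wazuh.repo, wazuh-manager / nodejs / wazuh-api install …

ARG FILEBEAT_SHA512="<sha512 of filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm from artifacts.elastic.co>"
RUN curl --fail -sSL -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && \
    echo "${FILEBEAT_SHA512}  filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm" | sha512sum -c - && \
    rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm

# … unchanged: filebeat.yml / wazuh-template.json / wazuh module fetches …

ARG S6_VERSION="v1.22.1.0"
ARG S6_SHA256="<sha256 of s6-overlay-amd64.tar.gz for S6_VERSION>"
RUN curl --fail -sSL https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
      -o /tmp/s6-overlay-amd64.tar.gz && \
    echo "${S6_SHA256}  /tmp/s6-overlay-amd64.tar.gz" | sha256sum -c - && \
    # … unchanged: tar extraction and cleanup …
```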
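Review bot: `ENTRYPOINT ["/entrypoint.sh"]` now points at a file this patch removes: `config/entrypoint.sh` is deleted and the `COPY config/entrypoint.sh /entrypoint.sh` line is dropped in the previous hunk, and nothing in the new Dockerfile recreates it, so unless it comes from somewhere outside this diff the container will fail at start. With s6-overlay the supervisor entry point is `/init`, so this line should read `ENTRYPOINT ["/init"]`. The retained `ADD https://.../wazuh-template.json /etc/filebeat` is now redundant with the curl of the same URL in the previous hunk and is an unchecksummed remote `ADD`; drop it together with the following `chmod go-w` and keep the single, verified fetch.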
@@ -1,19 +0,0 @@ -#!/bin/bash -# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -set -e - -WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz - -# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set -if [ "$ELASTICSEARCH_URL" != "" ]; then - >&2 echo "Customize Elasticsearch ouput IP." - sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml -fi - -# Install Wazuh Filebeat Module - -curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module -mkdir -p /usr/share/filebeat/module/wazuh -chmod 755 -R /usr/share/filebeat/module/wazuh - diff --git a/wazuh/config/entrypoint.sh b/wazuh/config/entrypoint.sh deleted file mode 100644 index d8ae1163..00000000 --- a/wazuh/config/entrypoint.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) - -# It will run every .sh script located in entrypoint-scripts folder in lexicographical order -for script in `ls /entrypoint-scripts/*.sh | sort -n`; do - bash "$script" - -done - -############################################################################## -# Start Wazuh Server. -############################################################################## - -/sbin/my_init diff --git a/wazuh/config/00-wazuh.sh b/wazuh/config/etc/cont-init.d/0-wazuh-init similarity index 67% rename from wazuh/config/00-wazuh.sh rename to wazuh/config/etc/cont-init.d/0-wazuh-init index 9d5614f9..ae1b4a89 100644 --- a/wazuh/config/00-wazuh.sh +++ b/wazuh/config/etc/cont-init.d/0-wazuh-init @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/with-contenv bash # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) # Wazuh container bootstrap. See the README for information of the environment @@ -7,7 +7,7 @@ # Startup the services source /data_dirs.env -FIRST_TIME_INSTALLATION=false +FIRST_TIME_INSTALLATION=true WAZUH_INSTALL_PATH=/var/ossec DATA_PATH=${WAZUH_INSTALL_PATH}/data 
@@ -59,30 +59,6 @@ chmod g+rw ${DATA_PATH}/process_list AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} -if [ $FIRST_TIME_INSTALLATION == true ] -then - if [ $AUTO_ENROLLMENT_ENABLED == true ] - then - if [ ! -e ${DATA_PATH}/etc/sslmanager.key ] - then - print "Creating ossec-authd key and cert" - exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096" - exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" - fi - fi - if [ $API_GENERATE_CERTS == true ] - then - if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ] - then - print "Enabling Wazuh API HTTPS" - edit_configuration "https" "yes" - print "Create Wazuh API key and cert" - exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096" - exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" - fi - fi -fi - ############################################################################## # Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect # destination files permissions 
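Review bot: A fresh container has no TLS material for ossec-authd (`sslmanager.key`/`.cert`) or for the API (`server.key`/`server.crt`, and the `edit_configuration "https" "yes"` switch) once this block is gone, and nothing else in the patch generates it, so unless generation moved somewhere outside this diff the API now serves its basic-auth credentials over plain HTTP on 55000 and authd has no key pair until the operator mounts one. The `AUTO_ENROLLMENT_ENABLED` and `API_GENERATE_CERTS` defaults two lines above survive as context but no longer control anything visible in this script, which will mislead whoever reads the README next. If dropping generation is intended, remove the two dead variables and leave a comment in their place such as `# TLS keys are no longer generated here: mount etc/sslmanager.{key,cert} and api/configuration/ssl/ via $WAZUH_CONFIG_MOUNT`; otherwise the block should be restored. The `FIRST_TIME_INSTALLATION=true` flip in the earlier hunk likewise has no remaining consumer that I can see in this file.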
@@ -104,17 +80,6 @@ function ossec_shutdown(){ ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; } -############################################################################## -# Allow users to set the container hostname as dynamically on -# container start. -# -# To use this: -# 1. Create your own ossec.conf file -# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name -# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf -############################################################################## -sed -i 's/to_be_replaced_by_hostname<\/node_name>/'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf - # Trap exit signals and do a proper shutdown trap "ossec_shutdown; exit" SIGINT SIGTERM @@ -139,8 +104,10 @@ done pushd /var/ossec/api/configuration/auth/ +env + echo "Change Wazuh API user credentials" change_user="node htpasswd -b -c user $API_USER $API_PASS" eval $change_user -popd \ No newline at end of file +popd diff --git a/wazuh/config/etc/cont-init.d/1-config-filebeat b/wazuh/config/etc/cont-init.d/1-config-filebeat new file mode 100644 index 00000000..f968f638 --- /dev/null +++ b/wazuh/config/etc/cont-init.d/1-config-filebeat 
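Review bot: The added bare `env` prints the entire container environment — `API_USER`/`API_PASS` and anything the operator passed with `-e`, such as the Elasticsearch `PASSWORD` consumed by 1-config-filebeat — to stdout on every start, where it lands in `docker logs` and any log shipper attached to the container; it reads like a leftover debug statement and should be deleted. While here, the surrounding context builds `node htpasswd -b -c user $API_USER $API_PASS` as a string and runs it through `eval`, so the password is visible in `/proc/<pid>/cmdline` for the duration of the call and any shell metacharacters in it are re-parsed; calling `node htpasswd -b -c user "$API_USER" "$API_PASS"` directly, without `eval`, removes the second problem (the `-b` exposure is inherent to that tool).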
@@ -0,0 +1,31 @@ +#!/usr/bin/with-contenv bash +# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2) + +set -e + +WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz + +if [ "$ELASTICSEARCH_URL" != "" ]; then + >&2 echo "Customize Elasticsearch ouput IP" + sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml +fi + +# Configure filebeat.yml security settings + +if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then + >&2 echo "Configuring Certificate Authorities." + sed -i 's|#ssl.certificate_authorities:|'ssl.certificate_authorities:\ [\"$SSL_CERTIFICATE_AUTHORITIES\"]'|g' /etc/filebeat/filebeat.yml +fi + +if [ "$USERNAME" != "" ]; then + >&2 echo "Configuring username." + sed -i 's|#username:|'username:\ \"$USERNAME\"'|g' /etc/filebeat/filebeat.yml +fi + +if [ "$PASSWORD" != "" ]; then + >&2 echo "Configuring password." + sed -i 's|#password:|'password:\ \"$PASSWORD\"'|g' /etc/filebeat/filebeat.yml +fi + +chmod go-w /etc/filebeat/filebeat.yml || true +chown root: /etc/filebeat/filebeat.yml || true diff --git a/wazuh/config/etc/cont-init.d/2-manager b/wazuh/config/etc/cont-init.d/2-manager new file mode 100644 index 00000000..e548e8b1 --- /dev/null +++ b/wazuh/config/etc/cont-init.d/2-manager @@ -0,0 +1,3 @@ +#!/usr/bin/with-contenv bash + +/var/ossec/bin/ossec-control start diff --git a/wazuh/config/etc/services.d/api/finish b/wazuh/config/etc/services.d/api/finish new file mode 100644 index 00000000..38d744d1 --- /dev/null +++ b/wazuh/config/etc/services.d/api/finish @@ -0,0 +1,6 @@ +#!/usr/bin/env sh +echo >&2 "API exited. code=${1}" + +# terminate other services to exit from the container +exec s6-svscanctl -t /var/run/s6/services + diff --git a/wazuh/config/etc/services.d/api/run b/wazuh/config/etc/services.d/api/run new file mode 100644 index 00000000..e6e3e831 --- /dev/null +++ b/wazuh/config/etc/services.d/api/run @@ -0,0 +1,4 @@ +#!/usr/bin/with-contenv sh +echo >&2 "starting API" + +exec /bin/node /var/ossec/api/app.js 
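Review bot: The three `sed -i` lines splice `$ELASTICSEARCH_URL`, `$USERNAME` and `$PASSWORD` into the sed expression unquoted, so a value containing a space is word-split, a `|` terminates the expression (sed fails and, with `set -e`, the boot stops), and `&` or `\` are interpreted by sed, silently writing a different password into filebeat.yml than the one supplied. The credentials also end up in clear text in a file the Dockerfile made world-readable (`chmod go+r`), and the closing `chmod go-w ... || true` keeps it that way. Quote the expansions, escape the sed metacharacters and tighten the file to `chmod 600` (Beats also expand `${VAR}` from the environment inside the config, which would remove the need for sed entirely — worth checking against the filebeat.yml template in use). `USERNAME` and `PASSWORD` are generic enough to collide with unrelated environment; a `FILEBEAT_`-prefixed name with a fallback to the old one would be safer. Sketch for the password case, the other two follow the same pattern:
```bash
# Escape a value for use as a sed replacement: backslash, the '|' delimiter and '&'.
sed_escape() { printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'; }

# … unchanged: ELASTICSEARCH_URL / SSL_CERTIFICATE_AUTHORITIES / USERNAME blocks …

if [ -n "$PASSWORD" ]; then
  >&2 echo "Configuring password."
  sed -i "s|#password:|password: \"$(sed_escape "$PASSWORD")\"|g" /etc/filebeat/filebeat.yml
fi

# The file now holds credentials: readable by root only (filebeat runs as root here).
chmod 600 /etc/filebeat/filebeat.yml
chown root: /etc/filebeat/filebeat.yml
```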
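Review bot: `exec /bin/node /var/ossec/api/app.js` starts the network-facing API (port 55000 per the Dockerfile's `EXPOSE`) directly under s6 with no privilege drop, and the Dockerfile in this patch has no `USER`, so the service runs as root; the old `service wazuh-api start` path is not visible here, so I cannot tell whether that is a regression. If the files under /var/ossec/api and the API log are accessible to the `ossec` account the package creates, `exec s6-setuidgid ossec /bin/node /var/ossec/api/app.js` would drop privileges at start; if root really is required, a one-line comment above the `exec` saying why would help the next reader.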
diff --git a/wazuh/config/etc/services.d/filebeat/finish b/wazuh/config/etc/services.d/filebeat/finish new file mode 100644 index 00000000..8813eb67 --- /dev/null +++ b/wazuh/config/etc/services.d/filebeat/finish @@ -0,0 +1,6 @@ +#!/usr/bin/env sh +echo >&2 "Filebeat exited. code=${1}" + +# terminate other services to exit from the container +exec s6-svscanctl -t /var/run/s6/services + diff --git a/wazuh/config/etc/services.d/filebeat/run b/wazuh/config/etc/services.d/filebeat/run new file mode 100644 index 00000000..706ee5af --- /dev/null +++ b/wazuh/config/etc/services.d/filebeat/run @@ -0,0 +1,4 @@ +#!/usr/bin/with-contenv sh +echo >&2 "starting Filebeat" + +exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat diff --git a/wazuh/config/filebeat.runit.service b/wazuh/config/filebeat.runit.service deleted file mode 100644 index 9b048caa..00000000 --- a/wazuh/config/filebeat.runit.service +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service filebeat start -tail -f /var/log/filebeat/filebeat diff --git a/wazuh/config/filebeat.yml b/wazuh/config/filebeat.yml deleted file mode 100644 index 46600662..00000000 --- a/wazuh/config/filebeat.yml +++ /dev/null @@ -1,15 +0,0 @@ -# Wazuh - Filebeat configuration file -filebeat.modules: - - module: wazuh - alerts: - enabled: true - archives: - enabled: false - -setup.template.json.enabled: true -setup.template.json.path: '/etc/filebeat/wazuh-template.json' -setup.template.json.name: 'wazuh' -setup.template.overwrite: true -setup.ilm.enabled: false - -output.elasticsearch.hosts: ['http://elasticsearch:9200'] \ No newline at end of file diff --git a/wazuh/config/postfix.runit.service b/wazuh/config/postfix.runit.service deleted file mode 100644 index e900b5e5..00000000 --- a/wazuh/config/postfix.runit.service +++ /dev/null 
@@ -1,4 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service postfix start -tail -f /var/log/mail.log diff --git a/wazuh/config/wazuh-api.runit.service b/wazuh/config/wazuh-api.runit.service deleted file mode 100644 index 198fa4a1..00000000 --- a/wazuh/config/wazuh-api.runit.service +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service wazuh-api start -tail -f /var/ossec/data/logs/api.log - diff --git a/wazuh/config/wazuh.repo b/wazuh/config/wazuh.repo new file mode 100644 index 00000000..ae462c62 --- /dev/null +++ b/wazuh/config/wazuh.repo @@ -0,0 +1,7 @@ +[wazuh_repo] +gpgcheck=1 +gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://packages.wazuh.com/3.x/yum/ +protect=1 diff --git a/wazuh/config/wazuh.runit.service b/wazuh/config/wazuh.runit.service deleted file mode 100644 index 7ab6f1e1..00000000 --- a/wazuh/config/wazuh.runit.service +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2) -service wazuh-manager start -tail -f /var/ossec/data/logs/ossec.log -