Add Wazuh indexer cluster configuration

generate-indexer-verts.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/opendistro-certs-generator:0.1
+    hostname: opendistro-certs-generator
+    volumes:
+      - ./production_cluster/wazuh_indexer_ssl_certs/certs.yml:/usr/src/config/myconf.yml
+      - ./production_cluster/wazuh_indexer_ssl_certs/:/usr/src/certs/out/ 

indexer_certs_creator/Dockerfile

@@ -0,0 +1,20 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM centos:8
+
+ARG WAZUH_VERSION=4.3.0-1
+
+USER root
+
+# Update and install dependecies
+RUN yum install initscripts -y
+
+#Download and install Wazuh indexer
+RUN curl https://s3.amazonaws.com/warehouse.wazuh.com/stack/indexer/stable/wazuh-indexer-${WAZUH_VERSION}.x86_64.rpm --output wazuh-indexer-${WAZUH_VERSION}.x86_64.rpm && \
+    rpm -i wazuh-indexer-${WAZUH_VERSION}.x86_64.rpm && \
+    yum clean all && rm -rf /var/cache/yum && rm -rf wazuh-indexer-${WAZUH_VERSION}.x86_64.rpm
+
+COPY config/entrypoint.sh /
+
+RUN chmod 700 /entrypoint.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]

indexer_certs_creator/config/entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Start Wazuh indexer
+##############################################################################
+
+/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-cert-tool.sh

production-cluster.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh-master:
-    image: wazuh/wazuh-odfe:4.3.0
+    image: wazuh/wazuh-odfe:4.2.5
     hostname: wazuh-master
     restart: always
     ports:
@@ -11,7 +11,7 @@ services:
       - "514:514/udp"
       - "55000:55000"
     environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_URL=https://elasticsearch:9700
       - ELASTIC_USERNAME=admin
       - ELASTIC_PASSWORD=SecretPassword
       - FILEBEAT_SSL_VERIFICATION_MODE=full
@@ -32,17 +32,17 @@ services:
       - ossec-wodles:/var/ossec/wodles
       - filebeat-etc:/etc/filebeat
       - filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
+      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.key:/etc/ssl/filebeat.key
       - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh-worker:
-    image: wazuh/wazuh-odfe:4.3.0
+    image: wazuh/wazuh-odfe:4.2.5
     hostname: wazuh-worker
     restart: always
     environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_URL=https://elasticsearch:9700
       - ELASTIC_USERNAME=admin
       - ELASTIC_PASSWORD=SecretPassword
       - FILEBEAT_SSL_VERIFICATION_MODE=full
@@ -61,17 +61,17 @@ services:
       - worker-ossec-wodles:/var/ossec/wodles
       - worker-filebeat-etc:/etc/filebeat
       - worker-filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
+      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/filebeat.key:/etc/ssl/filebeat.key
       - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
 
   elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
+    image: wazuh/wazuh-indexer:4.3.0
     hostname: elasticsearch
     restart: always
     ports:
-      - "9200:9200"
+      - "9700:9700"
     environment:
       - "ES_JAVA_OPTS=-Xms512m -Xmx512m -Dlog4j2.formatMsgNoLookups=true"
     ulimits:
@@ -83,16 +83,16 @@ services:
         hard: 65536
     volumes:
       - elastic-data-1:/var/lib/wazuh-indexer
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
-      - ./production_cluster/ssl_certs/node1.key:/etc/wazuh-indexer/certs/node1.key
-      - ./production_cluster/ssl_certs/node1.pem:/etc/wazuh-indexer/certs/node1.pem
-      - ./production_cluster/ssl_certs/admin.pem:/etc/wazuh-indexer/certs/admin.pem
-      - ./production_cluster/ssl_certs/admin.key:/etc/wazuh-indexer/certs/admin.key
-      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/etc/wazuh-indexer/opensearch.yml
+      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/node1.key:/etc/wazuh-indexer/certs/node1.key
+      - ./production_cluster/wazuh_indexer_ssl_certs/node1.pem:/etc/wazuh-indexer/certs/node1.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/admin.pem:/etc/wazuh-indexer/certs/admin.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/admin.key:/etc/wazuh-indexer/certs/admin.key
+      - ./production_cluster/elastic_opendistro/wazuh-indexer-node1.yml:/etc/wazuh-indexer/opensearch.yml
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
 
   elasticsearch-2:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
+    image: wazuh/wazuh-indexer:4.3.0
     hostname: elasticsearch-2
     restart: always
     environment:
@@ -106,14 +106,14 @@ services:
         hard: 65536
     volumes:
       - elastic-data-2:/var/lib/wazuh-indexer
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
-      - ./production_cluster/ssl_certs/node2.key:/etc/wazuh-indexer/certs/node2.key
-      - ./production_cluster/ssl_certs/node2.pem:/etc/wazuh-indexer/certs/node2.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/etc/wazuh-indexer/elasticsearch.yml
+      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/node2.key:/etc/wazuh-indexer/certs/node2.key
+      - ./production_cluster/wazuh_indexer_ssl_certs/node2.pem:/etc/wazuh-indexer/certs/node2.pem
+      - ./production_cluster/elastic_opendistro/wazuh-indexer-node2.yml:/etc/wazuh-indexer/elasticsearch.yml
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
   
   elasticsearch-3:
-    image: amazon/opendistro-for-elasticsearch:1.13.2
+    image: wazuh/wazuh-indexer:4.3.0
     hostname: elasticsearch-3
     restart: always
     environment:
@@ -127,14 +127,14 @@ services:
         hard: 65536
     volumes:
       - elastic-data-3:/var/lib/wazuh-indexer
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
-      - ./production_cluster/ssl_certs/node3.key:/etc/wazuh-indexer/certs/node3.key
-      - ./production_cluster/ssl_certs/node3.pem:/etc/wazuh-indexer/certs/node3.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/etc/wazuh-indexer/elasticsearch.yml
+      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/wazuh-indexer/certs/root-ca.pem
+      - ./production_cluster/wazuh_indexer_ssl_certs/node3.key:/etc/wazuh-indexer/certs/node3.key
+      - ./production_cluster/wazuh_indexer_ssl_certs/node3.pem:/etc/wazuh-indexer/certs/node3.pem
+      - ./production_cluster/elastic_opendistro/wazuh-indexer-node3.yml:/etc/wazuh-indexer/elasticsearch.yml
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
  
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.3.0
+    image: wazuh/wazuh-dashboard:4.3.0
     hostname: kibana
     restart: always
     ports:
@@ -143,14 +143,14 @@ services:
       - ELASTICSEARCH_USERNAME=admin
       - ELASTICSEARCH_PASSWORD=SecretPassword
       - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
-      - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
+      - SERVER_SSL_CERTIFICATE=/etc/wazuh-dashboard/certs/cert.pem
+      - SERVER_SSL_KEY=/etc/wazuh-dashboard/certs/key.pem
       - WAZUH_API_URL="https://wazuh-master"
       - API_USERNAME=acme-user
       - API_PASSWORD=MyS3cr37P450r.*-
     volumes:
-      - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
-      - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
+      - ./production_cluster/kibana_ssl/cert.pem:/etc/wazuh-dashboard/certs/cert.pem
+      - ./production_cluster/kibana_ssl/key.pem:/etc/wazuh-dashboard/certs/key.pem
 
     depends_on:
       - elasticsearch

production_cluster/elastic_opendistro/wazuh-indexer-node1.yml

@@ -0,0 +1,31 @@
+network.host: elasticsearch
+cluster.name: wazuh-cluster
+node.name: elasticsearch
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node1.pem
+opendistro_security.ssl.transport.pemkey_filepath: node1.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node1.pem
+opendistro_security.ssl.http.pemkey_filepath: node1.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/wazuh-indexer-node2.yml

@@ -0,0 +1,31 @@
+network.host: elasticsearch-2
+cluster.name: wazuh-cluster
+node.name: elasticsearch-2
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node2.pem
+opendistro_security.ssl.transport.pemkey_filepath: node2.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node2.pem
+opendistro_security.ssl.http.pemkey_filepath: node2.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/wazuh-indexer-node3.yml

@@ -0,0 +1,31 @@
+network.host: elasticsearch-3
+cluster.name: wazuh-cluster
+node.name: elasticsearch-3
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node3.pem
+opendistro_security.ssl.transport.pemkey_filepath: node3.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node3.pem
+opendistro_security.ssl.http.pemkey_filepath: node3.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/ssl_certs/certs.yml

@@ -0,0 +1,35 @@
+ca:
+   root:
+      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      pkPassword: none
+      keysize: 2048
+      file: root-ca.pem 
+   intermediate:
+      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      keysize: 2048
+      validityDays: 3650  
+      pkPassword: intermediate-ca-password
+      file: intermediate-ca.pem
+
+nodes:
+  - name: node1
+    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch
+  - name: node2
+    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-2
+  - name: node3
+    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-3
+  - name: filebeat
+    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - wazuh
+
+clients:
+  - name: admin
+    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    admin: true

production_cluster/wazuh_indexer_ssl_certs/certs.yml

@@ -0,0 +1,35 @@
+ca:
+   root:
+      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      pkPassword: none
+      keysize: 2048
+      file: root-ca.pem 
+   intermediate:
+      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      keysize: 2048
+      validityDays: 3650  
+      pkPassword: intermediate-ca-password
+      file: intermediate-ca.pem
+
+nodes:
+  - name: node1
+    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch
+  - name: node2
+    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-2
+  - name: node3
+    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-3
+  - name: filebeat
+    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - wazuh
+
+clients:
+  - name: admin
+    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    admin: true

wazuh-dashboard/config/entrypoint_prueba.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for indexer
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
+  if [[ ${ENABLED_SECURITY} == "false" ]]; then
+    export el_url="http://elasticsearch:9200"
+  else
+    export el_url="https://elasticsearch:9200"
+  fi
+else
+  export el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
+  auth=""
+  # remove security plugin from kibana if elasticsearch is not using it either
+  /usr/share/kibana/bin/kibana-plugin remove opendistro_security
+else
+  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/*
+
+sleep 5
+
+./wazuh_app_config.sh
+
+
+while true; do sleep 1000; done

wazuh-dashboard/config/wazuh-dashboard.yml

@@ -0,0 +1,14 @@
+server.host: 0.0.0.0
+server.port: 443
+opensearch.hosts: https://localhost:9700
+opensearch.ssl.verificationMode: certificate
+opensearch.username: kibanaserver
+opensearch.password: kibanaserver
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
+logging.dest: "/var/log/wazuh-dashboard/wazuh-dashboard.log"

wazuh-dashboard/config/wazuh_app_config.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/etc/wazuh-dashboard/wazuh-dashboard.yml"
+
+sed 's/9700/9200/' /etc/wazuh-dashboard/wazuh-dashboard.yml
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.hipaa]=$EXTENSIONS_HIPAA
+  [extensions.nist]=$EXTENSIONS_NIST
+  [extensions.tsc]=$EXTENSIONS_TSC
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.gcp]=$EXTENSIONS_GCP
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [extensions.docker]=$EXTENSIONS_DOCKER
+  [timeout]=$APP_TIMEOUT
+  [api.selector]=$API_SELECTOR
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.creation]=$WAZUH_MONITORING_CREATION
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+if [[ "x$CONFIG_CODE" != "x200" ]] && ! grep -q 1513629884013 $kibana_config_file ; then
+cat << EOF >> $kibana_config_file
+hosts:
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      username: $api_username
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

wazuh-indexer/config/entrypoint_odfe.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+set -e
+
+# Files created by OpenDistroForElasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+    if [[ "$(id -u)" == "0" ]]; then
+        # If running as root, drop to specified UID and run command
+        exec chroot --userspec=1000 / "${@}"
+    else
+        # Either we are running in Openshift with random uid and are a member of the root group
+        # or with a custom --user
+        exec "${@}"
+    fi
+}
+
+# Allow user specify custom CMD, maybe bin/elasticsearch itself
+# for example to directly specify `-E` style parameters for elasticsearch on k8s
+# or simply to run /bin/bash to check the image
+if [[ "$1" != "eswrapper" ]]; then
+    if [[ "$(id -u)" == "0" && $(basename "$1") == "elasticsearch" ]]; then
+        # centos:7 chroot doesn't have the `--skip-chdir` option and
+        # changes our CWD.
+        # Rewrite CMD args to replace $1 with `elasticsearch` explicitly,
+        # so that we are backwards compatible with the docs
+        # from the previous Elasticsearch versions<6
+        # and configuration option D:
+        # https://www.elastic.co/guide/en/elasticsearch/reference/5.6/docker.html#_d_override_the_image_8217_s_default_ulink_url_https_docs_docker_com_engine_reference_run_cmd_default_command_or_options_cmd_ulink
+        # Without this, user could specify `elasticsearch -E x.y=z` but
+        # `bin/elasticsearch -E x.y=z` would not work.
+        set -- "elasticsearch" "${@:2}"
+        # Use chroot to switch to UID 1000
+        exec chroot --userspec=1000 / "$@"
+    else
+        # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
+        exec "$@"
+    fi
+fi
+
+# Parse Docker env vars to customize Elasticsearch
+#
+# e.g. Setting the env var cluster.name=testcluster
+#
+# will cause Elasticsearch to be invoked with -Ecluster.name=testcluster
+#
+# see https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html#_setting_default_settings
+
+declare -a es_opts
+
+while IFS='=' read -r envvar_key envvar_value
+do
+    # Elasticsearch settings need to have at least two dot separated lowercase
+    # words, e.g. `cluster.name`, except for `processors` which we handle
+    # specially
+    if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then
+        if [[ ! -z $envvar_value ]]; then
+          es_opt="-E${envvar_key}=${envvar_value}"
+          es_opts+=("${es_opt}")
+        fi
+    fi
+done < <(env)
+
+# The virtual file /proc/self/cgroup should list the current cgroup
+# membership. For each hierarchy, you can follow the cgroup path from
+# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+# introspect the statistics for the cgroup for the given
+# hierarchy. Alas, Docker breaks this by mounting the container
+# statistics at the root while leaving the cgroup paths as the actual
+# paths. Therefore, Elasticsearch provides a mechanism to override
+# reading the cgroup path from /proc/self/cgroup and instead uses the
+# cgroup path defined the JVM system property
+# es.cgroups.hierarchy.override. Therefore, we set this value here so
+# that cgroup statistics are available for the container this process
+# will run in.
+export ES_JAVA_OPTS="-Des.cgroups.hierarchy.override=/ $ES_JAVA_OPTS"
+
+if [[ "$(id -u)" == "0" ]]; then
+    # If requested and running as root, mutate the ownership of bind-mounts
+    if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
+        chown -R 1000:0 /usr/share/elasticsearch/{data,logs}
+    fi
+fi
+
+if [[ -d "/usr/share/elasticsearch/plugins/opendistro_security" && "$DISABLE_INSTALL_DEMO_CONFIG" != "true" ]]; then
+    # Install Demo certifactes for Security Plugin and update the elasticsearch.yml
+    # file to use those certificates.
+    /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh -y -i -s
+fi
+
+if [[ -d "/usr/share/elasticsearch/plugins/opendistro-performance-analyzer" ]]; then
+    CLK_TCK=`/usr/bin/getconf CLK_TCK`
+    ES_JAVA_OPTS="-Dclk.tck=$CLK_TCK -Djdk.attach.allowAttachSelf=true $ES_JAVA_OPTS"
+    if [[ -d "/usr/share/elasticsearch/performance-analyzer-rca" ]]; then
+        ES_JAVA_OPTS="-Djava.security.policy=file:///usr/share/elasticsearch/performance-analyzer-rca/pa_config/es_security.policy $ES_JAVA_OPTS"
+        /usr/bin/supervisord -c /usr/share/elasticsearch/performance-analyzer-rca/pa_config/supervisord.conf
+    else
+        ES_JAVA_OPTS="-Djava.security.policy=file:///usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/es_security.policy $ES_JAVA_OPTS"
+        /usr/bin/supervisord -c /usr/share/elasticsearch/plugins/opendistro-performance-analyzer/pa_config/supervisord.conf
+    fi
+fi
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch "${es_opts[@]}"