Wazuh server clean-up

vcerenu
2025-10-01 13:30:25 -03:00
parent e6f077bb1f
commit cb6fa28bbc
12 changed files with 91 additions and 305 deletions


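--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -27,9 +27,7 @@ services:
 - wazuh_logs:/var/ossec/logs
 - wazuh_queue:/var/ossec/queue
 - wazuh_var_multigroups:/var/ossec/var/multigroups
-- wazuh_integrations:/var/ossec/integrations
 - wazuh_active_response:/var/ossec/active-response/bin
-- wazuh_agentless:/var/ossec/agentless
 - wazuh_wodles:/var/ossec/wodles
 - filebeat_etc:/etc/filebeat
 - filebeat_var:/var/lib/filebeat
@@ -94,9 +92,7 @@ volumes:
 wazuh_logs:
 wazuh_queue:
 wazuh_var_multigroups:
-wazuh_integrations:
 wazuh_active_response:
-wazuh_agentless:
 wazuh_wodles:
 filebeat_etc:
 filebeat_var: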


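--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -50,9 +50,6 @@ RUN chmod go-w /etc/filebeat/wazuh-template.json
 RUN mkdir -p /var/ossec/var/multigroups && \
 chown root:wazuh /var/ossec/var/multigroups && \
 chmod 770 /var/ossec/var/multigroups && \
-mkdir -p /var/ossec/agentless && \
-chown root:wazuh /var/ossec/agentless && \
-chmod 770 /var/ossec/agentless && \
 mkdir -p /var/ossec/active-response/bin && \
 chown root:wazuh /var/ossec/active-response/bin && \
 chmod 770 /var/ossec/active-response/bin && \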


@@ -60,12 +60,6 @@ function_wazuh_migration(){
chown wazuh:wazuh /var/ossec/etc/rules/* chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/* chmod 660 /var/ossec/etc/rules/*
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:wazuh /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown wazuh:wazuh /var/ossec/queue/db/global.db chown wazuh:wazuh /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db chmod 640 /var/ossec/queue/db/global.db


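--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -4,9 +4,7 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
-PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
@@ -16,16 +14,6 @@ export PERMANENT_DATA
 # Files mounted in a volume that should not be permanent
 i=0
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
@@ -41,18 +29,6 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"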


@@ -2,7 +2,7 @@
### 1. Wazuh Manager Configuration ### 1. Wazuh Manager Configuration
* **`ossec.conf`**: The main configuration file for the Wazuh manager. It controls rules, decoders, agent enrollment, active responses, integrations, clustering, and more. * **`ossec.conf`**: The main configuration file for the Wazuh manager. It controls rules, decoders, agent enrollment, active responses, clustering, and more.
* **Customization**: Mount a custom `ossec.conf` or specific configuration snippets (e.g., local rules in `local_rules.xml`) into the manager container at `/wazuh-mount-point/`, which will be copied to the path `/var/ossec` (e.g., the file `/var/ossec/etc/ossec.conf` must be mounted at `/wazuh-mount-point/etc/ossec.conf`) . * **Customization**: Mount a custom `ossec.conf` or specific configuration snippets (e.g., local rules in `local_rules.xml`) into the manager container at `/wazuh-mount-point/`, which will be copied to the path `/var/ossec` (e.g., the file `/var/ossec/etc/ossec.conf` must be mounted at `/wazuh-mount-point/etc/ossec.conf`) .
### 2. Wazuh Indexer Configuration ### 2. Wazuh Indexer Configuration


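--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -80,13 +80,6 @@ docker volume create \
 multi-node_master-wazuh-var-multigroups
 ```
 ```
-docker volume create \
---label com.docker.compose.project=multi-node \
---label com.docker.compose.version=1.25.0 \
---label com.docker.compose.volume=master-wazuh-integrations \
-multi-node_master-wazuh-integrations
-```
-```
 docker volume create \
 --label com.docker.compose.project=multi-node \
 --label com.docker.compose.version=1.25.0 \
@@ -94,13 +87,6 @@ docker volume create \
 multi-node_master-wazuh-active-response
 ```
 ```
-docker volume create \
---label com.docker.compose.project=multi-node \
---label com.docker.compose.version=1.25.0 \
---label com.docker.compose.volume=master-wazuh-agentless \
-multi-node_master-wazuh-agentless
-```
-```
 docker volume create \
 --label com.docker.compose.project=multi-node \
 --label com.docker.compose.version=1.25.0 \
@@ -157,13 +143,6 @@ docker volume create \
 multi-node_worker-wazuh-var-multigroups
 ```
 ```
-docker volume create \
---label com.docker.compose.project=multi-node \
---label com.docker.compose.version=1.25.0 \
---label com.docker.compose.volume=worker-wazuh-integrations \
-multi-node_worker-wazuh-integrations
-```
-```
 docker volume create \
 --label com.docker.compose.project=multi-node \
 --label com.docker.compose.version=1.25.0 \
@@ -171,13 +150,6 @@ docker volume create \
 multi-node_worker-wazuh-active-response
 ```
 ```
-docker volume create \
---label com.docker.compose.project=multi-node \
---label com.docker.compose.version=1.25.0 \
---label com.docker.compose.volume=worker-wazuh-agentless \
-multi-node_worker-wazuh-agentless
-```
-```
 docker volume create \
 --label com.docker.compose.project=multi-node \
 --label com.docker.compose.version=1.25.0 \
@@ -248,24 +220,12 @@ docker container run --rm -it \
 alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
--v wazuh-docker_ossec-integrations:/from \
--v multi-node_master-wazuh-integrations:/to \
-alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
 -v wazuh-docker_ossec-active-response:/from \
 -v multi-node_master-wazuh-active-response:/to \
 alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
--v wazuh-docker_ossec-agentless:/from \
--v multi-node_master-wazuh-agentless:/to \
-alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
 -v wazuh-docker_ossec-wodles:/from \
 -v multi-node_master-wazuh-wodles:/to \
@@ -314,24 +274,12 @@ docker container run --rm -it \
 alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
--v wazuh-docker_worker-ossec-integrations:/from \
--v multi-node_worker-wazuh-integrations:/to \
-alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
 -v wazuh-docker_worker-ossec-active-response:/from \
 -v multi-node_worker-wazuh-active-response:/to \
 alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
--v wazuh-docker_worker-ossec-agentless:/from \
--v multi-node_worker-wazuh-agentless:/to \
-alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
 -v wazuh-docker_worker-ossec-wodles:/from \
 -v multi-node_worker-wazuh-wodles:/to \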


@@ -1,24 +1,10 @@
<ossec_config> <ossec_config>
<global> <global>
<jsonout_output>yes</jsonout_output> <agents_disconnection_time>15m</agents_disconnection_time>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time> <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global> </global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging> <logging>
<log_format>plain</log_format> <log_format>plain</log_format>
@@ -34,8 +20,6 @@
<!-- Policy monitoring --> <!-- Policy monitoring -->
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
<check_sys>yes</check_sys> <check_sys>yes</check_sys>
<check_pids>yes</check_pids> <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
<ignore>/var/lib/containerd</ignore>
<ignore>/var/lib/docker/overlay2</ignore>
</rootcheck> </rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory --> <!-- System inventory -->
<wodle name="syscollector"> <wodle name="syscollector">
<disabled>no</disabled> <disabled>no</disabled>
@@ -81,9 +46,15 @@
<packages>yes</packages> <packages>yes</packages>
<ports all="yes">yes</ports> <ports all="yes">yes</ports>
<processes>yes</processes> <processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</wodle> </wodle>
@@ -92,7 +63,13 @@
<enabled>yes</enabled> <enabled>yes</enabled>
<scan_on_start>yes</scan_on_start> <scan_on_start>yes</scan_on_start>
<interval>12h</interval> <interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</sca> </sca>
<vulnerability-detection> <vulnerability-detection>
@@ -124,8 +101,6 @@
<!-- Frequency that syscheck is executed default every 12 hours --> <!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected --> <!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files> <alert_new_files>yes</alert_new_files>
@@ -165,13 +140,12 @@
<process_priority>10</process_priority> <process_priority>10</process_priority>
<!-- Maximum output throughput --> <!-- Maximum output throughput -->
<max_eps>100</max_eps> <max_eps>50</max_eps>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled> <enabled>yes</enabled>
<interval>5m</interval> <interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</syscheck> </syscheck>
@@ -266,13 +240,6 @@
<rule_dir>etc/rules</rule_dir> <rule_dir>etc/rules</rule_dir>
</ruleset> </ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd --> <!-- Configuration for wazuh-authd -->
<auth> <auth>
<disabled>no</disabled> <disabled>no</disabled>
@@ -305,6 +272,16 @@
</ossec_config> </ossec_config>
<ossec_config> <ossec_config>
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location> <location>/var/ossec/logs/active-responses.log</location>
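Review bot: Removing the `<alerts>` block in the first hunk (`@@ -1,24 +1,10 @@`) changes alerting behaviour rather than just trimming redundant defaults: with `<log_alert_level>` absent the manager falls back to its built-in default, which, if I read the Wazuh reference correctly, is 1 rather than the 3 configured before, so lower-severity events will start landing in alerts.log and being shipped by Filebeat. If that is intended it should be stated in the commit message; otherwise keep `<alerts><log_alert_level>3</log_alert_level></alerts>` on the new side. The two `<localfile>` entries added in the last hunk (`journald` and `/var/log/audit/audit.log`) refer to sources the manager container does not normally provide, so logcollector will most likely only emit warnings for them unless the host journal and audit log are mounted into the container — either document that mount or drop the entries. The `<max_eps>` reduction from 100 to 50 in the syscheck hunk is also undocumented and deserves a line in the commit message. The same edits are repeated in the other two ossec.conf sections of this commit, so whatever is decided here should be applied to those copies as well.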


@@ -1,24 +1,10 @@
<ossec_config> <ossec_config>
<global> <global>
<jsonout_output>yes</jsonout_output> <agents_disconnection_time>15m</agents_disconnection_time>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time> <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global> </global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging> <logging>
<log_format>plain</log_format> <log_format>plain</log_format>
@@ -34,8 +20,6 @@
<!-- Policy monitoring --> <!-- Policy monitoring -->
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
<check_sys>yes</check_sys> <check_sys>yes</check_sys>
<check_pids>yes</check_pids> <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
<ignore>/var/lib/containerd</ignore>
<ignore>/var/lib/docker/overlay2</ignore>
</rootcheck> </rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory --> <!-- System inventory -->
<wodle name="syscollector"> <wodle name="syscollector">
<disabled>no</disabled> <disabled>no</disabled>
@@ -81,9 +46,15 @@
<packages>yes</packages> <packages>yes</packages>
<ports all="yes">yes</ports> <ports all="yes">yes</ports>
<processes>yes</processes> <processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</wodle> </wodle>
@@ -92,7 +63,13 @@
<enabled>yes</enabled> <enabled>yes</enabled>
<scan_on_start>yes</scan_on_start> <scan_on_start>yes</scan_on_start>
<interval>12h</interval> <interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</sca> </sca>
<vulnerability-detection> <vulnerability-detection>
@@ -124,8 +101,6 @@
<!-- Frequency that syscheck is executed default every 12 hours --> <!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected --> <!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files> <alert_new_files>yes</alert_new_files>
@@ -165,13 +140,12 @@
<process_priority>10</process_priority> <process_priority>10</process_priority>
<!-- Maximum output throughput --> <!-- Maximum output throughput -->
<max_eps>100</max_eps> <max_eps>50</max_eps>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled> <enabled>yes</enabled>
<interval>5m</interval> <interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</syscheck> </syscheck>
@@ -266,13 +240,6 @@
<rule_dir>etc/rules</rule_dir> <rule_dir>etc/rules</rule_dir>
</ruleset> </ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd --> <!-- Configuration for wazuh-authd -->
<auth> <auth>
<disabled>no</disabled> <disabled>no</disabled>
@@ -305,6 +272,16 @@
</ossec_config> </ossec_config>
<ossec_config> <ossec_config>
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location> <location>/var/ossec/logs/active-responses.log</location>


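--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -31,9 +31,7 @@ services:
 - master-wazuh-logs:/var/ossec/logs
 - master-wazuh-queue:/var/ossec/queue
 - master-wazuh-var-multigroups:/var/ossec/var/multigroups
-- master-wazuh-integrations:/var/ossec/integrations
 - master-wazuh-active-response:/var/ossec/active-response/bin
-- master-wazuh-agentless:/var/ossec/agentless
 - master-wazuh-wodles:/var/ossec/wodles
 - master-filebeat-etc:/etc/filebeat
 - master-filebeat-var:/var/lib/filebeat
@@ -67,9 +65,7 @@ services:
 - worker-wazuh-logs:/var/ossec/logs
 - worker-wazuh-queue:/var/ossec/queue
 - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
-- worker-wazuh-integrations:/var/ossec/integrations
 - worker-wazuh-active-response:/var/ossec/active-response/bin
-- worker-wazuh-agentless:/var/ossec/agentless
 - worker-wazuh-wodles:/var/ossec/wodles
 - worker-filebeat-etc:/etc/filebeat
 - worker-filebeat-var:/var/lib/filebeat
@@ -198,9 +194,7 @@ volumes:
 master-wazuh-logs:
 master-wazuh-queue:
 master-wazuh-var-multigroups:
-master-wazuh-integrations:
 master-wazuh-active-response:
-master-wazuh-agentless:
 master-wazuh-wodles:
 master-filebeat-etc:
 master-filebeat-var:
@@ -209,9 +203,7 @@ volumes:
 worker-wazuh-logs:
 worker-wazuh-queue:
 worker-wazuh-var-multigroups:
-worker-wazuh-integrations:
 worker-wazuh-active-response:
-worker-wazuh-agentless:
 worker-wazuh-wodles:
 worker-filebeat-etc:
 worker-filebeat-var: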


@@ -46,24 +46,12 @@ docker volume create \
--label com.docker.compose.volume=master-wazuh-var-multigroups \ --label com.docker.compose.volume=master-wazuh-var-multigroups \
$2_master-wazuh-var-multigroups $2_master-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-integrations \
$2_master-wazuh-integrations
docker volume create \ docker volume create \
--label com.docker.compose.project=$2 \ --label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \ --label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-active-response \ --label com.docker.compose.volume=master-wazuh-active-response \
$2_master-wazuh-active-response $2_master-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-agentless \
$2_master-wazuh-agentless
docker volume create \ docker volume create \
--label com.docker.compose.project=$2 \ --label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \ --label com.docker.compose.version=$1 \
@@ -112,24 +100,12 @@ docker volume create \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \ --label com.docker.compose.volume=worker-wazuh-var-multigroups \
$2_worker-wazuh-var-multigroups $2_worker-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-integrations \
$2_worker-wazuh-integrations
docker volume create \ docker volume create \
--label com.docker.compose.project=$2 \ --label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \ --label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-active-response \ --label com.docker.compose.volume=worker-wazuh-active-response \
$2_worker-wazuh-active-response $2_worker-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-agentless \
$2_worker-wazuh-agentless
docker volume create \ docker volume create \
--label com.docker.compose.project=$2 \ --label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \ --label com.docker.compose.version=$1 \
@@ -193,21 +169,11 @@ docker container run --rm -it \
-v $2_master-wazuh-var-multigroups:/to \ -v $2_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v $2_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \ -v wazuh-docker_ossec-active-response:/from \
-v $2_master-wazuh-active-response:/to \ -v $2_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v $2_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \ -v wazuh-docker_ossec-wodles:/from \
-v $2_master-wazuh-wodles:/to \ -v $2_master-wazuh-wodles:/to \
@@ -248,21 +214,11 @@ docker container run --rm -it \
-v $2_worker-wazuh-var-multigroups:/to \ -v $2_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v $2_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \ -v wazuh-docker_worker-ossec-active-response:/from \
-v $2_worker-wazuh-active-response:/to \ -v $2_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to" alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v $2_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \ docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \ -v wazuh-docker_worker-ossec-wodles:/from \
-v $2_worker-wazuh-wodles:/to \ -v $2_worker-wazuh-wodles:/to \


@@ -1,24 +1,10 @@
<ossec_config> <ossec_config>
<global> <global>
<jsonout_output>yes</jsonout_output> <agents_disconnection_time>15m</agents_disconnection_time>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time> <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
<update_check>yes</update_check>
</global> </global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs --> <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging> <logging>
<log_format>plain</log_format> <log_format>plain</log_format>
@@ -34,8 +20,6 @@
<!-- Policy monitoring --> <!-- Policy monitoring -->
<rootcheck> <rootcheck>
<disabled>no</disabled> <disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev> <check_dev>yes</check_dev>
<check_sys>yes</check_sys> <check_sys>yes</check_sys>
<check_pids>yes</check_pids> <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
<!-- Frequency that rootcheck is executed - every 12 hours --> <!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs> <skip_nfs>yes</skip_nfs>
<ignore>/var/lib/containerd</ignore>
<ignore>/var/lib/docker/overlay2</ignore>
</rootcheck> </rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory --> <!-- System inventory -->
<wodle name="syscollector"> <wodle name="syscollector">
<disabled>no</disabled> <disabled>no</disabled>
@@ -81,9 +46,15 @@
<packages>yes</packages> <packages>yes</packages>
<ports all="yes">yes</ports> <ports all="yes">yes</ports>
<processes>yes</processes> <processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</wodle> </wodle>
@@ -92,7 +63,13 @@
<enabled>yes</enabled> <enabled>yes</enabled>
<scan_on_start>yes</scan_on_start> <scan_on_start>yes</scan_on_start>
<interval>12h</interval> <interval>12h</interval>
<skip_nfs>yes</skip_nfs>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</sca> </sca>
<vulnerability-detection> <vulnerability-detection>
@@ -122,8 +99,6 @@
<!-- Frequency that syscheck is executed default every 12 hours --> <!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency> <frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected --> <!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files> <alert_new_files>yes</alert_new_files>
@@ -163,13 +138,12 @@
<process_priority>10</process_priority> <process_priority>10</process_priority>
<!-- Maximum output throughput --> <!-- Maximum output throughput -->
<max_eps>100</max_eps> <max_eps>50</max_eps>
<!-- Database synchronization settings --> <!-- Database synchronization settings -->
<synchronization> <synchronization>
<enabled>yes</enabled> <enabled>yes</enabled>
<interval>5m</interval> <interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps> <max_eps>10</max_eps>
</synchronization> </synchronization>
</syscheck> </syscheck>
@@ -264,13 +238,6 @@
<rule_dir>etc/rules</rule_dir> <rule_dir>etc/rules</rule_dir>
</ruleset> </ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd --> <!-- Configuration for wazuh-authd -->
<auth> <auth>
<disabled>no</disabled> <disabled>no</disabled>
@@ -303,6 +270,16 @@
</ossec_config> </ossec_config>
<ossec_config> <ossec_config>
<localfile>
<log_format>journald</log_format>
<location>journald</location>
</localfile>
<localfile>
<log_format>audit</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile> <localfile>
<log_format>syslog</log_format> <log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location> <location>/var/ossec/logs/active-responses.log</location>
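Review bot: The `<alerts>` block carrying `<log_alert_level>3</log_alert_level>` is dropped from the first hunk without a replacement (the new side of that hunk has room only for the context lines and the changed `agents_disconnection_time`), so the threshold for what analysisd writes to alerts.log/alerts.json — the stream Filebeat ships onward — now falls back to the daemon's built-in default; please confirm that default equals the previous 3, or keep an explicit `<alerts><log_alert_level>3</log_alert_level></alerts>` so the choice stays visible. The last hunk adds `<localfile>` entries for `journald` and `/var/log/audit/audit.log`; neither source is normally present inside the manager container unless the host's audit log is mounted in, so logcollector will presumably report them as unavailable at start-up, and a short comment above them stating that they require a host mount (or dropping them from the container build) would avoid that noise. The rootcheck `check_files`/`check_trojans` options and the `rootkit_files`/`rootkit_trojans` databases are also removed, which narrows what rootcheck reports; if that is a deliberate deprecation, a one-line comment above `<rootcheck>` saying so would help the next maintainer.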


@@ -32,9 +32,7 @@ services:
- wazuh_logs:/var/ossec/logs - wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue - wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups - wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin - wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles - wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat - filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat - filebeat_var:/var/lib/filebeat
@@ -102,9 +100,7 @@ volumes:
wazuh_logs: wazuh_logs:
wazuh_queue: wazuh_queue:
wazuh_var_multigroups: wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response: wazuh_active_response:
wazuh_agentless:
wazuh_wodles: wazuh_wodles:
filebeat_etc: filebeat_etc:
filebeat_var: filebeat_var:
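Review bot: Removing the `wazuh_integrations` and `wazuh_agentless` named volumes in both hunks is not documented for existing deployments: Compose leaves the old volumes on disk, but any custom integration scripts previously persisted under `/var/ossec/integrations` are no longer mounted and will presumably be shadowed by the image's own copy on the next `up`. A comment above the `volumes:` list such as `# wazuh_integrations and wazuh_agentless volumes were removed; copy custom integrations into the image before upgrading` (or an entry in the upgrade notes) would make the data-handling consequence explicit.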