Merge pull request #615 from wazuh/510-wazuh-manager-ubuntu

Base Change for Wazuh Manager Docker Image
2025-10-23 04:51:57 +00:00 · 2022-04-13 19:05:21 +02:00
parent 23179bf155 ee1aae8f78
commit d11627bf89
5 changed files with 146 additions and 107 deletions
--- a/build-docker-images/wazuh-manager/Dockerfile
+++ b/build-docker-images/wazuh-manager/Dockerfile
@@ -1,27 +1,22 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-FROM centos:7
+FROM ubuntu:focal

+ARG WAZUH_VERSION=4.3.0
+ARG TEMPLATE_VERSION=4.3
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.3.0-1
-ARG TEMPLATE_VERSION="master"
 ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"

-# Set repositories.
-RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
+RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y

-COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
+RUN apt-key adv --fetch-keys https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH && \
+    echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list && \
+    apt-get update && \
+    apt-get install wazuh-manager=${WAZUH_VERSION}-1

-RUN yum --enablerepo=updates clean metadata && \
-  yum upgrade -y && \
-  yum -y install openssl which expect openssh-clients && yum install wazuh-manager-${WAZUH_VERSION} -y && \
-  sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
-  yum clean all && rm -rf /var/cache/yum
-
-RUN curl -L -O https://packages.wazuh.com/4.x/yum/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
-  rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
-
-RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
+    dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
+    curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module

 RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss

@@ -32,6 +27,9 @@ RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releas
    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
    rm  /tmp/s6-overlay-amd64.tar.gz

+COPY config/etc/ /etc/
+COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
+
 COPY config/filebeat.yml /etc/filebeat/

 RUN chmod go-w /etc/filebeat/filebeat.yml
@@ -39,11 +37,9 @@ RUN chmod go-w /etc/filebeat/filebeat.yml
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
 RUN chmod go-w /etc/filebeat/wazuh-template.json

-COPY config/etc/ /etc/
-COPY --chown=root:1000 config/create_user.py /var/ossec/framework/scripts/create_user.py
-
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
+
 COPY config/permanent_data.env config/permanent_data.sh /
 RUN chmod 755 /permanent_data.sh && \
    sync && /permanent_data.sh && \
--- a/build-docker-images/wazuh-manager/config/wazuh.repo
+++ b/build-docker-images/wazuh-manager/config/wazuh.repo
@@ -1,7 +0,0 @@
-[wazuh_repo]
-gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
-enabled=1
-name=Wazuh repository
-baseurl=https://packages.wazuh.com/4.x/yum/
-protect=1
--- a/multi-node/config/wazuh_cluster/wazuh_manager.conf
+++ b/multi-node/config/wazuh_cluster/wazuh_manager.conf
@@ -10,6 +10,8 @@
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
@@ -43,8 +45,8 @@
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>
@@ -79,6 +81,11 @@
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
  </wodle>

  <sca>
@@ -91,6 +98,7 @@
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
@@ -108,6 +116,7 @@
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
+      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

@@ -121,6 +130,20 @@
      <update_interval>1h</update_interval>
    </provider>

+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
@@ -199,70 +222,47 @@
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.3.0.1</white_list>
-    <white_list>4.3.0.2</white_list>
-    <white_list>208.67.220.220</white_list>
+    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

@@ -306,21 +306,25 @@
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

@@ -345,4 +349,25 @@
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
 </ossec_config>
--- a/multi-node/config/wazuh_cluster/wazuh_worker.conf
+++ b/multi-node/config/wazuh_cluster/wazuh_worker.conf
@@ -10,6 +10,8 @@
    <email_to>recipient@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
@@ -43,8 +45,8 @@
    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>
@@ -79,6 +81,11 @@
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
  </wodle>

  <sca>
@@ -91,6 +98,7 @@
  <vulnerability-detector>
    <enabled>no</enabled>
    <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
@@ -108,6 +116,7 @@
      <enabled>no</enabled>
      <os>stretch</os>
      <os>buster</os>
+      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

@@ -121,6 +130,20 @@
      <update_interval>1h</update_interval>
    </provider>

+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
@@ -199,70 +222,47 @@
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.3.0.1</white_list>
-    <white_list>4.3.0.2</white_list>
-    <white_list>208.67.220.220</white_list>
+    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

@@ -306,21 +306,25 @@
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
  <!-- Configuration for wazuh-authd -->
  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
    <purge>yes</purge>
    <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

@@ -345,4 +349,25 @@
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
 </ossec_config>
--- a/single-node/config/wazuh_indexer_ssl_certs/certs.yml
+++ b/single-node/config/wazuh_indexer_ssl_certs/certs.yml