Mirror of https://github.com/wazuh/wazuh-docker.git, synced 2025-10-24 16:43:37 +00:00

Compare commits: 2.0 ... 3.2.1_6.2. (61 commits)
| SHA1 |
|---|
| f5fc982bf0 |
| 97c7b82aec |
| a9e16e79a9 |
| 9294617a0e |
| 8408f401d5 |
| 575708310b |
| 15f7ce98d9 |
| fd18a00429 |
| 9a4c409a0a |
| 57490a50bd |
| 62741c639f |
| 043f8f18de |
| ee74f01cba |
| e685128b51 |
| 8f40340dda |
| 76945a2698 |
| 98007ea2f4 |
| b081ff3bc7 |
| 716667be46 |
| 2b3f71aa10 |
| 74dd541bd8 |
| 8a051b67b0 |
| 7da29fa6a9 |
| ca1a1bd883 |
| d8fe59901a |
| 3cae6fe61d |
| a26f119c73 |
| 3d813cb2fe |
| 5c7454270e |
| b8ef822f85 |
| e341391201 |
| c42898e862 |
| 2663de28a6 |
| d1adafdcde |
| a866f41ecf |
| 97a042cfcd |
| 845398d7c7 |
| 6e6912c380 |
| a2ba029918 |
| 160bf4bbe9 |
| a70c127228 |
| c2213165f2 |
| d0565d913a |
| d1cb67a822 |
| e69d9d0efc |
| 08824ad4a9 |
| a4d4c40ad5 |
| 84005d8145 |
| aef418c75e |
| 5cffb99d67 |
| 1c935bbf07 |
| 38608d1f26 |
| eae7328f16 |
| 82ef76ed4d |
| 548a738d69 |
| bed3307dfc |
| 835466f25b |
| df7c963eab |
| f6ad536e99 |
| e6e30ab3aa |
| 754915cb35 |
							
								
								
									
README.md (81 changed lines)

							| @@ -1,21 +1,78 @@ | ||||
| # IMPORTANT NOTE | ||||
| # Wazuh containers for Docker | ||||
|  | ||||
| The first time than you runt this container can take a while until kibana finish the configuration, the Wazuh plugin can take a few minutes until finish the instalation, please be patient. | ||||
| [](https://goo.gl/forms/M2AoZC4b2R9A9Zy12) | ||||
| [](https://groups.google.com/forum/#!forum/wazuh) | ||||
| [](https://documentation.wazuh.com) | ||||
| [](https://wazuh.com) | ||||
|  | ||||
| # Docker container Wazuh + ELK(5.3.0) | ||||
| In this repository you will find the containers to run: | ||||
|  | ||||
| This Docker container source files can be found in our [Wazuh Github repository](https://github.com/wazuh/wazuh). It includes both an OSSEC manager and an Elasticsearch single-node cluster, with Logstash and Kibana. You can find more information on how these components work together in our documentation. | ||||
| * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) | ||||
| * wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template | ||||
| * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. | ||||
|  | ||||
| ## Documentation | ||||
| In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. | ||||
|  | ||||
| * [Full documentation](http://documentation.wazuh.com) | ||||
| * [Wazug-docker module documentation](https://documentation.wazuh.com/current/docker/index.html) | ||||
| * [Hub docker](https://hub.docker.com/u/wazuh) | ||||
| ## Current release | ||||
|  | ||||
| ## Credits and thank you | ||||
| Containers are currently tested on Wazuh version 3.2.1 and Elastic Stack version 6.2.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack. | ||||
|  | ||||
| These Docker containers are based on "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk] (https://github.com/deviantony/docker-elk), and "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server). We created our own fork, which we test and maintain. Thank you Anthony Lapenna for your contribution to the community. | ||||
| ## Installation notes | ||||
|  | ||||
| ## References | ||||
| To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system: | ||||
|  | ||||
| * [Wazuh website](http://wazuh.com) | ||||
| * Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally. | ||||
| * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out. | ||||
| * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly). | ||||
|  | ||||
| Once installed you can browse through the interface at: https://127.0.0.1. | ||||
|  | ||||
| ## Mount custom Wazuh configuration files | ||||
|  | ||||
| To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions. | ||||
|  | ||||
| Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files: | ||||
| ``` | ||||
| root@wazuh-manager:/# tree /wazuh-config-mount/ | ||||
| /wazuh-config-mount/ | ||||
| └── etc | ||||
|     ├── ossec.conf | ||||
|     ├── rules | ||||
|     │   └── local_rules.xml | ||||
|     └── shared | ||||
|         └── default | ||||
|             └── agent.conf | ||||
|  | ||||
| 4 directories, 3 files | ||||
| ``` | ||||
|  | ||||
| In that case, you will see this in the Wazuh manager logs on boot: | ||||
| ``` | ||||
| Identified Wazuh configuration files to mount... | ||||
| '/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf' | ||||
| '/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml' | ||||
| '/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf' | ||||
| ``` | ||||
|  | ||||
| ## More documentation | ||||
|  | ||||
| * [Wazuh full documentation](http://documentation.wazuh.com) | ||||
| * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) | ||||
| * [Docker hub](https://hub.docker.com/u/wazuh) | ||||
|  | ||||
| ## Credits | ||||
|  | ||||
| These Docker containers are based on: | ||||
|  | ||||
| *  "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk) | ||||
| *  "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server) | ||||
|  | ||||
| We thank you them and everyone else who has contributed to this project. | ||||
|  | ||||
| ## License and copyright | ||||
|  | ||||
| Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| ## Wazuh official website | ||||
|  | ||||
| [Wazuh website](http://wazuh.com) | ||||
|   | ||||
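Review bot: two typos in the added README text: `Elasticesearch` in the bullet about the curl retry loop should be `Elasticsearch`, and `We thank you them and everyone else` in the Credits section should read `We thank them and everyone else`. The installation note recommending at least 4GB memory per container also does not match the compose file in this same change, which caps Elasticsearch at `mem_limit: 2g` with `-Xms1g -Xmx1g`; state one figure so users size the Docker host correctly. The new "Mount custom Wazuh configuration files" section is a welcome addition; it would help to mention there that `run.sh` preserves the destination permissions only for files that already exist in the image, so a new file such as `rules/local_rules.xml` should be mounted with sane permissions on the host side.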
| @@ -1,3 +1,4 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| version: '2' | ||||
|  | ||||
| services: | ||||
| @@ -6,15 +7,18 @@ services: | ||||
|     hostname: wazuh-manager | ||||
|     restart: always | ||||
|     ports: | ||||
|       - "1514/udp:1514/udp" | ||||
|       - "1514:1514/udp" | ||||
|       - "1515:1515" | ||||
|       - "514/udp:514/udp" | ||||
|       - "514:514/udp" | ||||
|       - "55000:55000" | ||||
| #      - "1516:1516" | ||||
|     networks: | ||||
|         - docker_elk | ||||
| #    volumes: | ||||
| #      - my-path:/var/ossec/data | ||||
| #      - my-path:/etc/postfix | ||||
| #      - my-path:/var/ossec/data:Z | ||||
| #      - my-path:/etc/postfix:Z | ||||
| #      - my-path:/etc/filebeat | ||||
| #      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf | ||||
|     depends_on: | ||||
|       - elasticsearch | ||||
|   logstash: | ||||
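Review bot: the corrected `1514:1514/udp` and `514:514/udp` mappings fix the invalid `hostport/udp:containerport/udp` form, but `55000:55000` still publishes the Wazuh API on every host interface while the Kibana `wait-for-it.sh` in this same change seeds the app with the default `foo`/`bar` API credentials; either bind it as `127.0.0.1:55000:55000` or document that the API password must be changed before the port is exposed. Also, the new commented `my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf` example lacks the `:Z` suffix the neighbouring volume examples gained, so copying it on an SELinux host fails where the others work.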
| @@ -23,10 +27,10 @@ services: | ||||
|     restart: always | ||||
|     command: -f /etc/logstash/conf.d/ | ||||
| #    volumes: | ||||
| #      - my-path:/etc/logstash/conf.d | ||||
| #      - my-path:/etc/logstash/conf.d:Z | ||||
|     links: | ||||
|      - kibana | ||||
|      - elasticsearch | ||||
|      - elasticsearch:elasticsearch | ||||
|     ports: | ||||
|       - "5000:5000" | ||||
|     networks: | ||||
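Review bot: the `links:` entries should be dropped rather than rewritten as `elasticsearch:elasticsearch`: every service joins the user-defined `docker_elk` network, where Docker's embedded DNS already resolves `elasticsearch` and `kibana` by service name, and `links` is a legacy mechanism. The `5000:5000` mapping publishes the Beats input to the host; the Filebeat inside the `wazuh` service reaches Logstash over `docker_elk`, so this is only needed for external managers, and in that case the TLS settings that remain commented out in `logstash.conf` (`ssl_key`) should be enabled so alerts are not shipped in plaintext.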
| @@ -35,33 +39,68 @@ services: | ||||
|       - elasticsearch | ||||
|     environment: | ||||
|       - LS_HEAP_SIZE=2048m | ||||
|       - XPACK_MONITORING_ENABLED=false | ||||
|   elasticsearch: | ||||
|     image: elasticsearch:5.3.0 | ||||
|     image: docker.elastic.co/elasticsearch/elasticsearch:6.2.3 | ||||
|     hostname: elasticsearch | ||||
|     restart: always | ||||
|     command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0 | ||||
|     ports: | ||||
|       - "9200:9200" | ||||
|       - "9300:9300" | ||||
| #      - "9300:9300" | ||||
|     environment: | ||||
|       ES_JAVA_OPTS: "-Xms2g -Xmx2g" | ||||
|       - node.name=node-1 | ||||
|       - cluster.name=wazuh | ||||
|       - network.host=0.0.0.0 | ||||
|       - bootstrap.memory_lock=true | ||||
|       - xpack.security.enabled=false | ||||
|       - xpack.monitoring.enabled=false | ||||
|       - xpack.ml.enabled=false | ||||
|       - xpack.watcher.enabled=false | ||||
|       - xpack.graph.enabled=false | ||||
|       - "ES_JAVA_OPTS=-Xms1g -Xmx1g" | ||||
|     ulimits: | ||||
|       memlock: | ||||
|         soft: -1 | ||||
|         hard: -1 | ||||
|     mem_limit: 2g | ||||
| #    volumes: | ||||
| #      - my-path:/usr/share/elasticsearch/data | ||||
| #      - my-path:/usr/share/elasticsearch/data:Z | ||||
|     networks: | ||||
|         - docker_elk | ||||
|   kibana: | ||||
|     image: wazuh/wazuh-kibana | ||||
|     hostname: kibana | ||||
|     restart: always | ||||
|     ports: | ||||
|       - "5601:5601" | ||||
| #    ports: | ||||
| #      - "5601:5601" | ||||
|     environment: | ||||
|       - "NODE_OPTIONS=--max-old-space-size=3072" | ||||
|     networks: | ||||
|       - docker_elk | ||||
|     depends_on: | ||||
|       - elasticsearch | ||||
|     entrypoint: sh wait-for-it.sh elasticsearch | ||||
| #    environment: | ||||
| #      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip" | ||||
|     links: | ||||
|       - elasticsearch:elasticsearch | ||||
|       - wazuh | ||||
|     entrypoint: /wait-for-it.sh elasticsearch | ||||
|   nginx: | ||||
|     image: wazuh/wazuh-nginx | ||||
|     hostname: nginx | ||||
|     restart: always | ||||
|     entrypoint: /run.sh | ||||
|     environment: | ||||
|       - NGINX_PORT=443 | ||||
|     ports: | ||||
|       - "80:80" | ||||
|       - "443:443" | ||||
| #    volumes: | ||||
| #      - my-path:/etc/nginx/conf.d:Z | ||||
|     networks: | ||||
|       - docker_elk | ||||
|     depends_on: | ||||
|       - kibana | ||||
|     links: | ||||
|       - kibana | ||||
|  | ||||
| networks: | ||||
|   docker_elk: | ||||
|   | ||||
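Review bot: `xpack.security.enabled=false` together with the retained `9200:9200` mapping exposes an unauthenticated Elasticsearch, holding all alerts and the `.wazuh` index with the API credentials, on every host interface. Only logstash, kibana and nginx on `docker_elk` need to reach it, so remove the mapping or bind it as `127.0.0.1:9200:9200`, as was effectively done by commenting out `9300:9300`. Commenting out the Kibana `5601:5601` mapping and fronting it with nginx on 443 is the right direction; confirm that nginx's `/run.sh` redirects the published `80:80` to HTTPS rather than serving Kibana over plain HTTP, and note that the `links:` blocks under kibana and nginx are redundant with the shared network.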
| @@ -1,7 +1,26 @@ | ||||
| FROM kibana:5.3.0 | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM docker.elastic.co/kibana/kibana:6.2.3 | ||||
| ARG WAZUH_APP_VERSION=3.2.1_6.2.3 | ||||
| USER root | ||||
|  | ||||
| RUN apt-get update && apt-get install -y curl | ||||
| COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml | ||||
|  | ||||
| COPY ./config/kibana.yml /opt/kibana/config/kibana.yml | ||||
| COPY config/wait-for-it.sh /wait-for-it.sh | ||||
|  | ||||
| COPY config/wait-for-it.sh / | ||||
| ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp | ||||
|  | ||||
| ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config | ||||
|  | ||||
| ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config | ||||
|  | ||||
| ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config | ||||
|  | ||||
| RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip | ||||
|  | ||||
| RUN chown -R kibana.kibana /usr/share/kibana | ||||
|  | ||||
| RUN rm -rf /tmp/* | ||||
|  | ||||
| RUN chmod 755 /wait-for-it.sh | ||||
|  | ||||
| USER kibana | ||||
|   | ||||
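Review bot: the `ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp` line and the three `ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/...` lines fetch build inputs with no integrity check, so image content depends on whatever those URLs serve at build time, and the `3.2` branch path can change under the same URL. Pin the plugin by checksum before the `kibana-plugin install` step, e.g. `RUN echo "<expected sha256>  /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip" | sha256sum -c`, and prefer a tag over the `3.2` branch for the JSON files. `RUN rm -rf /tmp/*` in its own layer does not shrink the image, since the zip remains in the earlier `ADD` layer; combine download, install and cleanup in one `RUN` if size matters. `chown -R kibana.kibana /usr/share/kibana` before `USER kibana` makes the entire install tree writable by the runtime user; consider restricting it to the directories Kibana writes at runtime (`optimize`, `data`, `plugins`).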
| @@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200" | ||||
| # logging.silent: false | ||||
|  | ||||
| # Set the value of this setting to true to suppress all logging output other than error messages. | ||||
| # logging.quiet: false | ||||
| logging.quiet: true | ||||
|  | ||||
| # Set the value of this setting to true to log all events, including system usage information | ||||
| # and all requests. | ||||
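Review bot: `logging.quiet: true` suppresses everything except errors, which contradicts the README in this same change telling users to wait for `Optimizing and caching browser bundles...` in the Kibana logs before expecting the Wazuh plugin; with this setting that line is never printed. Either keep the default (`# logging.quiet: false`) or update the README's installation note.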
| @@ -90,3 +90,10 @@ elasticsearch.url: "http://elasticsearch:9200" | ||||
| # Set the interval in milliseconds to sample system and process performance | ||||
| # metrics. Minimum is 100ms. Defaults to 10000. | ||||
| # ops.interval: 10000 | ||||
|  | ||||
| xpack.security.enabled: false | ||||
| xpack.grokdebugger.enabled: false | ||||
| xpack.graph.enabled: false | ||||
| xpack.ml.enabled: false | ||||
| xpack.monitoring.enabled: false | ||||
| xpack.reporting.enabled: false | ||||
|   | ||||
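Review bot: with `xpack.security.enabled: false` here and on the Elasticsearch side, the only authentication in front of Kibana is the nginx container, so the change should state where nginx's credentials are configured (the compose file only sets `NGINX_PORT=443`) and confirm the Kibana `5601:5601` mapping stays commented out so the UI cannot be reached around nginx.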
| @@ -1,25 +1,61 @@ | ||||
| #!/bin/bash | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| set -e | ||||
|  | ||||
| host="$1" | ||||
| shift | ||||
| cmd="kibana" | ||||
| WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip} | ||||
|  | ||||
| until curl -XGET $host:9200; do | ||||
|   >&2 echo "Elastic is unavailable - sleeping" | ||||
|   sleep 1 | ||||
|   sleep 5 | ||||
| done | ||||
|  | ||||
| sleep 30 | ||||
|  | ||||
| >&2 echo "Elastic is up - executing command" | ||||
|  | ||||
| if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then | ||||
|   echo "Wazuh APP already installed" | ||||
| sleep 5 | ||||
| #Insert default templates | ||||
| cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "http://$host:9200/_template/wazuh" -H 'Content-Type: application/json' -d @- | ||||
|  | ||||
| sleep 5 | ||||
| #Insert default templates | ||||
| cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT "http://$host:9200/_template/wazuh-agent" -H 'Content-Type: application/json' -d @- | ||||
|  | ||||
| #Insert sample alert: | ||||
| sleep 5 | ||||
| cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://$host:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @- | ||||
|  | ||||
| sleep 5 | ||||
| echo "Setting API credentials into Wazuh APP" | ||||
| CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013) | ||||
| if [ "x$CONFIG_CODE" = "x404" ]; then | ||||
|   curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d' | ||||
|     { | ||||
|       "api_user": "foo", | ||||
|       "api_password": "YmFy", | ||||
|       "url": "https://wazuh", | ||||
|       "api_port": "55000", | ||||
|       "insecure": "true", | ||||
|       "component": "API", | ||||
|       "cluster_info": { | ||||
|         "manager": "wazuh-manager", | ||||
|         "cluster": "Disabled", | ||||
|         "status": "disabled" | ||||
|        }, | ||||
|       "extensions": { | ||||
|         "oscap": true, | ||||
|         "audit": true, | ||||
|         "pci": true, | ||||
|         "aws": true, | ||||
|         "virustotal": true | ||||
|       } | ||||
|     } | ||||
|     ' > /dev/null | ||||
| else | ||||
|   /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL} | ||||
|   echo "Wazuh APP already configured" | ||||
| fi | ||||
|  | ||||
| sleep 5 | ||||
|  | ||||
| exec $cmd | ||||
|   | ||||
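Review bot: the seeded `.wazuh/wazuh-configuration` document hardcodes the default API credentials (`"api_user": "foo"`, `"api_password": "YmFy"`, i.e. base64 of `bar`) and `"insecure": "true"`, which disables TLS verification of the Wazuh API; read them from environment variables instead (the pattern the old `WAZUH_KIBANA_PLUGIN_URL` line used) so deployments can set real credentials without rebuilding, and have the README tell users to change them. The `cat ... | curl -XPUT ...` template loads run without `-f` or a status check, so a rejected template (HTTP 4xx) does not stop the script even under `set -e`, and Kibana then starts against an index with dynamic mappings; add `-f`, or check `-w "%{http_code}"` as the credentials block already does. The fixed `sleep 30` and four `sleep 5` calls could be replaced by polling `/_cluster/health?wait_for_status=yellow`, which also removes the race where `$host:9200` answers before the cluster accepts writes. Quote `"$host"` in the `until curl` loop.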
| @@ -1,12 +1,4 @@ | ||||
| FROM logstash:5.3.0 | ||||
|  | ||||
| RUN apt-get update | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM docker.elastic.co/logstash/logstash:6.2.3 | ||||
|  | ||||
| COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf | ||||
| COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json | ||||
|  | ||||
|  | ||||
| ADD config/run.sh /tmp/run.sh | ||||
| RUN chmod 755 /tmp/run.sh | ||||
|  | ||||
| ENTRYPOINT ["/tmp/run.sh"] | ||||
|   | ||||
| @@ -1,3 +1,4 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # Wazuh - Logstash configuration file | ||||
| ## Remote Wazuh Manager - Filebeat input | ||||
| input { | ||||
| @@ -9,34 +10,36 @@ input { | ||||
| #       ssl_key => "/etc/logstash/logstash.key" | ||||
|     } | ||||
| } | ||||
| ## Local Wazuh Manager - JSON file input | ||||
| #input { | ||||
| #   file { | ||||
| #       type => "wazuh-alerts" | ||||
| #       path => "/var/ossec/data/logs/alerts/alerts.json" | ||||
| #       codec => "json" | ||||
| #   } | ||||
| #} | ||||
| filter { | ||||
|     if [data][srcip] { | ||||
|         mutate { | ||||
|             add_field => [ "@src_ip", "%{[data][srcip]}" ] | ||||
|         } | ||||
|     } | ||||
|     if [data][aws][sourceIPAddress] { | ||||
|         mutate { | ||||
|             add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] | ||||
|         } | ||||
|     } | ||||
| } | ||||
| filter { | ||||
|     geoip { | ||||
|         source => "srcip" | ||||
|         source => "@src_ip" | ||||
|         target => "GeoLocation" | ||||
|         fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] | ||||
|     } | ||||
|     date { | ||||
|         match => ["timestamp", "ISO8601"] | ||||
|         target => "@timestamp" | ||||
|     } | ||||
|     mutate { | ||||
|         remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ] | ||||
|         remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"] | ||||
|     } | ||||
| } | ||||
| output { | ||||
|     elasticsearch { | ||||
|         hosts => ["elasticsearch:9200"] | ||||
|         index => "wazuh-alerts-%{+YYYY.MM.dd}" | ||||
|         index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" | ||||
|         document_type => "wazuh" | ||||
|         template => "/etc/logstash/wazuh-elastic5-template.json" | ||||
|         template_name => "wazuh" | ||||
|         template_overwrite => true | ||||
|     } | ||||
| } | ||||
|   | ||||
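Review bot: removing `template`, `template_name` and `template_overwrite` from the elasticsearch output moves index-template management to the Kibana container's `wait-for-it.sh`, so whether `wazuh-alerts-3.x-*` gets the intended mappings now depends on Kibana seeding the template before Logstash writes the first alert; if Logstash wins the race the index is created with dynamic mappings and `GeoLocation.location` is not a `geo_point`. Either keep template management in the output (pointing at the elastic6 template) or make Logstash wait until the template exists. The beats input still has `ssl_key` commented out, so Filebeat traffic arrives in plaintext on port 5000, which the compose file also publishes to the host. Minor: `"type","@src_ip"` in `remove_field` is missing the space after the comma used elsewhere in the list.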
| @@ -1,12 +1,5 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| # | ||||
| # OSSEC container bootstrap. See the README for information of the environment | ||||
| # variables expected by this script. | ||||
| # | ||||
|  | ||||
| # | ||||
|  | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # | ||||
| # Apply Templates | ||||
| # | ||||
|   | ||||
| @@ -1,620 +0,0 @@ | ||||
| { | ||||
|   "order": 0, | ||||
|   "template": "wazuh*", | ||||
|   "settings": { | ||||
|     "index.refresh_interval": "5s" | ||||
|   }, | ||||
|   "mappings": { | ||||
|     "wazuh": { | ||||
|       "dynamic_templates": [ | ||||
|         { | ||||
|           "string_as_keyword": { | ||||
|             "match_mapping_type": "string", | ||||
|             "mapping": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       ], | ||||
|       "properties": { | ||||
|         "@timestamp": { | ||||
|           "type": "date", | ||||
|           "format": "dateOptionalTime" | ||||
|         }, | ||||
|         "@version": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "agent": { | ||||
|           "properties": { | ||||
|             "ip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "manager": { | ||||
|           "properties": { | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "dstuser": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "AlertsFile": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "full_log": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "previous_log": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "GeoLocation": { | ||||
|           "properties": { | ||||
|             "area_code": { | ||||
|               "type": "long" | ||||
|             }, | ||||
|             "city_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "continent_code": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "coordinates": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "country_code2": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "country_code3": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "country_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "dma_code": { | ||||
|               "type": "long" | ||||
|             }, | ||||
|             "ip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "latitude": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "location": { | ||||
|               "type": "geo_point" | ||||
|             }, | ||||
|             "longitude": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "postal_code": { | ||||
|               "type": "keyword" | ||||
|             }, | ||||
|             "real_region_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "region_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "timezone": { | ||||
|               "type": "text" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "host": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "syscheck": { | ||||
|           "properties": { | ||||
|             "path": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sha1_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sha1_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "perm_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "perm_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "md5_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "md5_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gname_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gname_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "inode_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "inode_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "mtime_after": { | ||||
|               "type": "date", | ||||
|               "format": "dateOptionalTime", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "mtime_before": { | ||||
|               "type": "date", | ||||
|               "format": "dateOptionalTime", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uname_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uname_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "size_before": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "size_after": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "diff": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "event": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "location": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "message": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "offset": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "rule": { | ||||
|           "properties": { | ||||
|             "description": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "groups": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "level": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cve": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "info": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "frequency": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "firedtimes": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cis": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "pci_dss": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "decoder": { | ||||
|           "properties": { | ||||
|             "parent": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "ftscomment": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fts": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "accumulate": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "srcip": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "protocol": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "action": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "dstip": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "dstport": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "srcuser": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "program_name": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "id": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "status": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "command": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "url": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "data": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "system_name": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "type": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "title": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "oscap": { | ||||
|           "properties": { | ||||
|             "check.title": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.result": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.severity": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.description": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.rationale": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.references": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.identifiers": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.oval.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.content": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.benchmark.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.profile.title": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.profile.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.score": { | ||||
|               "type": "double", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.return_code": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "audit": { | ||||
|           "properties": { | ||||
|             "type": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "syscall": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "exit": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "ppid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "pid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "auid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "euid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "suid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fsuid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "egid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sgid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fsgid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "tty": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "session": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "command": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "exe": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "key": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cwd": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.inode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.mode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.inode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.mode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "acct": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "dev": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "enforcing": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "list": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old-auid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old-ses": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old_enforcing": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old_prom": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "op": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "prom": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "res": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "srcip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "subj": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "success": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|     }, | ||||
|     "agent": { | ||||
|       "properties": { | ||||
|         "@timestamp": { | ||||
|           "type": "date", | ||||
|           "format": "dateOptionalTime" | ||||
|         }, | ||||
|         "status": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "ip": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "host": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "name": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "id": { | ||||
|           "type": "keyword" | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|   } | ||||
| } | ||||
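Review bot: `"type": { "type": "text" }` is the one field in this object whose siblings (`srcip`, `title`, `command`, ...) are all `keyword` with doc values; a `text` field is analyzed and not aggregatable, so it cannot be used for exact-match filters or terms visualizations the way the others can. If that is unintended, map it as `"type": "keyword", "doc_values": "true"` like `title` just below it. Separately, `"doc_values": "true"` is a string where Elasticsearch expects a boolean; it is accepted, but doc values are already the default for `keyword`, `long` and `double`, so the parameter could be dropped throughout instead of repeated on every field.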
							
								
								
									
nginx/Dockerfile | 8 | Normal file
							| @@ -0,0 +1,8 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM nginx:latest | ||||
|  | ||||
| RUN apt-get update && apt-get install -y openssl apache2-utils | ||||
|  | ||||
| COPY config/run.sh /run.sh | ||||
|  | ||||
| RUN chmod 755 /run.sh | ||||
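Review bot: nothing in this Dockerfile invokes `/run.sh`: the `nginx:latest` base image's default CMD starts nginx directly, so unless the compose file overrides the command, the certificate and htpasswd generation in run.sh never runs and nginx serves the image's stock `default.conf`. Add `CMD ["/run.sh"]` after the `chmod`. Also pin the base image to a version instead of `latest` (run.sh relies on the `ssl on` directive, which nginx deprecated in 1.15 and later removed), and add `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` to the `apt-get install` line so the layer stays small and the build reproducible.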
							
								
								
									
nginx/config/run.sh | 43 | Normal file
							| @@ -0,0 +1,43 @@ | ||||
| #!/bin/bash | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| set -e | ||||
|  | ||||
| if [ ! -d /etc/pki/tls/certs ]; then | ||||
|   echo "Generating SSL certificates" | ||||
|   mkdir -p /etc/pki/tls/certs /etc/pki/tls/private | ||||
|   openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null | ||||
| else | ||||
|   echo "SSL certificates already present" | ||||
| fi | ||||
|  | ||||
| if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then | ||||
|   echo "Setting Nginx credentials" | ||||
|   echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null | ||||
| else | ||||
|   echo "Kibana credentials already configured" | ||||
| fi | ||||
|  | ||||
| echo "Configuring NGINX" | ||||
| cat > /etc/nginx/conf.d/default.conf <<EOF | ||||
| server { | ||||
|     listen 80; | ||||
|     listen [::]:80; | ||||
|     return 301 https://\$host:$NGINX_PORT\$request_uri; | ||||
| } | ||||
|  | ||||
| server { | ||||
|     listen $NGINX_PORT default_server; | ||||
|     listen [::]:$NGINX_PORT; | ||||
|     ssl on; | ||||
|     ssl_certificate /etc/pki/tls/certs/kibana-access.pem; | ||||
|     ssl_certificate_key /etc/pki/tls/private/kibana-access.key; | ||||
|     location / { | ||||
|         auth_basic "Restricted"; | ||||
|         auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; | ||||
|         proxy_pass http://kibana:5601/; | ||||
|     } | ||||
| } | ||||
| EOF | ||||
|  | ||||
| echo "Starting Nginx" | ||||
| nginx -g 'daemon off; error_log /dev/stdout info;' | ||||
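Review bot: `echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo` bakes the fixed credentials `foo`/`bar` into every deployment, and because the file is only written when absent, anyone who keeps the conf.d volume keeps those defaults indefinitely. Take the user and password from environment variables and abort when they are missing, e.g. `: "${NGINX_USER:?}" "${NGINX_PASSWORD:?}"` before the `htpasswd` call; apply the same check to `NGINX_PORT`, which the heredoc expands unchecked (an empty value yields `listen  default_server;` and nginx refuses to start). Two smaller points: `ssl on;` is deprecated in favour of `listen $NGINX_PORT ssl default_server;`, and the `location /` block sets no `proxy_set_header Host`/`X-Forwarded-For`, so Kibana sees every request as coming from the proxy.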
| @@ -1,25 +1,28 @@ | ||||
| FROM centos:latest | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM phusion/baseimage:latest | ||||
| ARG FILEBEAT_VERSION=6.2.3 | ||||
| ARG WAZUH_VERSION=3.2.1-1 | ||||
|  | ||||
| COPY config/*.repo /etc/yum.repos.d/ | ||||
|  | ||||
| RUN yum -y update; yum clean all; | ||||
| RUN yum -y install epel-release openssl useradd; yum clean all | ||||
| RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all | ||||
| RUN apt-get update; apt-get -y dist-upgrade | ||||
| RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release | ||||
| RUN groupadd -g 1000 ossec | ||||
| RUN useradd -u 1000 -g 1000 ossec | ||||
| RUN yum install -y wazuh-manager wazuh-api | ||||
|  | ||||
| RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\ | ||||
|     apt-get install -y nodejs | ||||
| RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - | ||||
| RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list | ||||
| RUN apt-get update && apt-get -y install wazuh-manager=${WAZUH_VERSION} wazuh-api=${WAZUH_VERSION} expect && apt-get clean | ||||
|  | ||||
| ADD config/data_dirs.env /data_dirs.env | ||||
| ADD config/init.bash /init.bash | ||||
|  | ||||
| # Sync calls are due to https://github.com/docker/docker/issues/9547 | ||||
| RUN chmod 755 /init.bash &&\ | ||||
|   sync && /init.bash &&\ | ||||
|   sync && rm /init.bash | ||||
|  | ||||
|  | ||||
| RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\ | ||||
|   rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm | ||||
| RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\ | ||||
|     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb | ||||
|  | ||||
| COPY config/filebeat.yml /etc/filebeat/ | ||||
|  | ||||
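Review bot: two downloads in this hunk are run or installed without any integrity check: `curl --silent --location https://deb.nodesource.com/setup_6.x | bash -` executes a remote script as root at build time, and the Filebeat `.deb` fetched with `curl -L -O` goes straight to `dpkg -i`. Elastic publishes a `.sha512` beside each artifact; fetch it too and run `sha512sum -c` before `dpkg -i`, and for Node prefer the distribution package or a pinned archive with a recorded checksum. `FROM phusion/baseimage:latest` should likewise be pinned to a tag so the image is reproducible; `ARG FILEBEAT_VERSION` and `ARG WAZUH_VERSION` already do this for the packages, so the base image is the only floating input left.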
| @@ -27,8 +30,9 @@ ADD config/run.sh /tmp/run.sh | ||||
| RUN chmod 755 /tmp/run.sh | ||||
|  | ||||
| VOLUME ["/var/ossec/data"] | ||||
| VOLUME ["/etc/filebeat"] | ||||
|  | ||||
| EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp | ||||
| EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp | ||||
|  | ||||
| # Run supervisord so that the container will stay alive | ||||
|  | ||||
|   | ||||
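Review bot: the comment `# Run supervisord so that the container will stay alive` is stale: nothing here runs supervisord, and run.sh keeps the container alive with `tail -f /var/ossec/logs/ossec.log`; update or drop it. The new `EXPOSE ... 1516/tcp` adds the cluster port, but `EXPOSE` is documentation only, so the README and compose file need the matching port mapping if cluster mode is expected to work across hosts. Declaring `VOLUME ["/etc/filebeat"]` after the earlier `COPY config/filebeat.yml /etc/filebeat/` is fine, but a host mount at that path then hides the shipped filebeat.yml, which deserves a line in the README.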
| @@ -1,3 +1,4 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| filebeat: | ||||
|  prospectors: | ||||
|   - input_type: log | ||||
|   | ||||
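Review bot: `prospectors` / `input_type` are the legacy Filebeat keys: 6.0 renamed `input_type` to `type` (still accepted with a deprecation warning) and 6.3 renames `filebeat.prospectors` to `filebeat.inputs`, so this file will need updating as soon as `FILEBEAT_VERSION` moves past 6.2.x. Since 6.2.3 already understands `type: log`, switching now avoids the warning in the logs.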
| @@ -1,5 +1,5 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # | ||||
| # Initialize the custom data directory layout | ||||
| # | ||||
|   | ||||
| @@ -1,26 +1,45 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| # | ||||
| # OSSEC container bootstrap. See the README for information of the environment | ||||
| # variables expected by this script. | ||||
| # | ||||
|  | ||||
| # | ||||
|  | ||||
| # | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # Startup the services | ||||
| # | ||||
|  | ||||
| source /data_dirs.env | ||||
|  | ||||
| FIRST_TIME_INSTALLATION=false | ||||
| DATA_PATH=/var/ossec/data | ||||
|  | ||||
| WAZUH_INSTALL_PATH=/var/ossec | ||||
| DATA_PATH=${WAZUH_INSTALL_PATH}/data | ||||
|  | ||||
| WAZUH_CONFIG_MOUNT=/wazuh-config-mount | ||||
|  | ||||
| print() { | ||||
|     echo -e $1 | ||||
| } | ||||
|  | ||||
| error_and_exit() { | ||||
|     echo "Error executing command: '$1'." | ||||
|     echo 'Exiting.' | ||||
|     exit 1 | ||||
| } | ||||
|  | ||||
| exec_cmd() { | ||||
|     eval $1 > /dev/null 2>&1 || error_and_exit "$1" | ||||
| } | ||||
|  | ||||
| exec_cmd_stdout() { | ||||
|     eval $1 2>&1 || error_and_exit "$1" | ||||
| } | ||||
|  | ||||
| edit_configuration() { # $1 -> setting,  $2 -> value | ||||
|     sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" | ||||
| } | ||||
|  | ||||
| for ossecdir in "${DATA_DIRS[@]}"; do | ||||
|   if [ ! -e "${DATA_PATH}/${ossecdir}" ] | ||||
|   then | ||||
|     echo "Installing ${ossecdir}" | ||||
|     mkdir -p $(dirname ${DATA_PATH}/${ossecdir}) | ||||
|     cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir} | ||||
|     print "Installing ${ossecdir}" | ||||
|     exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})" | ||||
|     exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}" | ||||
|     FIRST_TIME_INSTALLATION=true | ||||
|   fi | ||||
| done | ||||
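Review bot: `exec_cmd` sends both stdout and stderr of the evaluated command to `/dev/null`, so when it fails `error_and_exit` can only print the command text and the actual reason is lost; capture the output instead, e.g. `out=$(eval "$1" 2>&1) || error_and_exit "$1: $out"`. `edit_configuration` interpolates `$2` unescaped into the sed replacement, so a value containing `/`, `&` or `\` corrupts `config.js`; escape it or choose a delimiter such as `|` and validate the value. Minor: `print()` passes `$1` unquoted to `echo -e`, which word-splits and glob-expands the message.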
| @@ -30,29 +49,54 @@ chgrp ossec ${DATA_PATH}/process_list | ||||
| chmod g+rw ${DATA_PATH}/process_list | ||||
|  | ||||
| AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} | ||||
| API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} | ||||
|  | ||||
| if [ $FIRST_TIME_INSTALLATION == true ] | ||||
| then | ||||
|  | ||||
|   if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
|   then | ||||
|     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ] | ||||
|     then | ||||
|       echo "Creating ossec-authd key and cert" | ||||
|       openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096 | ||||
|       openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\ | ||||
|         -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\ | ||||
|         -subj /CN=${HOSTNAME}/ | ||||
|       print "Creating ossec-authd key and cert" | ||||
|       exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096" | ||||
|       exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" | ||||
|     fi | ||||
|   fi | ||||
|   if [ $API_GENERATE_CERTS == true ] | ||||
|   then | ||||
|     if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ] | ||||
|     then | ||||
|       print "Enabling Wazuh API HTTPS" | ||||
|       edit_configuration "https" "yes" | ||||
|       print "Create Wazuh API key and cert" | ||||
|       exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096" | ||||
|       exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" | ||||
|     fi | ||||
|   fi | ||||
| fi | ||||
|  | ||||
| ############################################################################## | ||||
| # Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect | ||||
| # destination files permissions | ||||
| # | ||||
| # For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at | ||||
| # $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will | ||||
| # replace the ossec.conf file in /var/ossec/data/etc with yours. | ||||
| ############################################################################## | ||||
| if [ -e "$WAZUH_CONFIG_MOUNT" ] | ||||
| then | ||||
|   print "Identified Wazuh configuration files to mount..." | ||||
|  | ||||
|   exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH" | ||||
| else | ||||
|   print "No Wazuh configuration files to mount..." | ||||
| fi | ||||
|  | ||||
| # Enabling ossec-authd. | ||||
| exec_cmd "/var/ossec/bin/ossec-control enable auth" | ||||
|  | ||||
| function ossec_shutdown(){ | ||||
|   /var/ossec/bin/ossec-control stop; | ||||
|   if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
|   then | ||||
|      kill $AUTHD_PID | ||||
|   fi | ||||
|   ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; | ||||
| } | ||||
|  | ||||
| # Trap exit signals and do a proper shutdown | ||||
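Review bot: the new `ossec_shutdown` only runs `${WAZUH_INSTALL_PATH}/bin/ossec-control stop`, while the services started further down are `wazuh-api`, `wazuh-manager` and `filebeat` via `service`; on SIGTERM the API and Filebeat keep running until Docker kills them, so stop them in the trap as well (`service wazuh-api stop; service filebeat stop`). The `openssl genrsa` calls write `sslmanager.key` and `server.key` with the process umask, which under the usual 022 leaves the private keys world-readable inside the data volume; `chmod 640` them right after generation. Also the `cp --verbose -r $WAZUH_CONFIG_MOUNT/*` copy runs after `edit_configuration "https" "yes"`, so a mounted `api/configuration/config.js` silently reverts that setting; document that a mounted config.js must carry `https` itself.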
| @@ -60,20 +104,9 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM | ||||
|  | ||||
| chmod -R g+rw ${DATA_PATH} | ||||
|  | ||||
| if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
| then | ||||
|   echo "Starting ossec-authd..." | ||||
|   /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 & | ||||
|   AUTHD_PID=$! | ||||
| fi | ||||
| sleep 15 # give ossec a reasonable amount of time to start before checking status | ||||
| LAST_OK_DATE=`date +%s` | ||||
|  | ||||
| ## Start services | ||||
| /usr/sbin/postfix start | ||||
| /bin/node /var/ossec/api/app.js & | ||||
| /usr/bin/filebeat.sh & | ||||
| /var/ossec/bin/ossec-control restart | ||||
|  | ||||
| service postfix start | ||||
| service wazuh-api start | ||||
| service wazuh-manager start | ||||
| service filebeat start | ||||
|  | ||||
| tail -f /var/ossec/logs/ossec.log | ||||
|   | ||||
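Review bot: `chmod -R g+rw ${DATA_PATH}` runs after the keys were generated and makes `etc/sslmanager.key` and `api/configuration/ssl/server.key` group-writable for every member of `ossec`; exclude the private keys from the recursive chmod or tighten them afterwards. In the rendered view it is not clear whether `sleep 15` and `LAST_OK_DATE=\`date +%s\`` are kept or removed; if kept, `LAST_OK_DATE` is never read in the visible script and, with the `ossec-authd` block gone, the sleep no longer has anything to wait for. Finally, `tail -f /var/ossec/logs/ossec.log` as the foreground process means the container stays `Up` even when `wazuh-manager` or `wazuh-api` dies; add a `HEALTHCHECK` (for example one that runs `ossec-control status`) so orchestration can notice.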
| @@ -1,7 +0,0 @@ | ||||
| [wazuh_repo] | ||||
| gpgcheck=1 | ||||
| gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH | ||||
| enabled=1 | ||||
| name=CENTOS-$releasever - Wazuh | ||||
| baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch | ||||
| protect=1 | ||||
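Review bot: deleting `config/wazuh.repo` is consistent with the move from yum to apt, but the Dockerfile hunk above still shows `COPY config/*.repo /etc/yum.repos.d/` without a marker in this view; confirm that line is on the removed side, because a `COPY` whose glob matches no file fails the build once this file is gone. `protect=1` was a yum-protectbase option with no apt equivalent; if the intent was to keep the Wazuh packages from being replaced by another repository, the same effect needs a pinning file under `/etc/apt/preferences.d`.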