mirror of https://github.com/wazuh/wazuh-docker.git
synced 2025-10-25 00:53:37 +00:00

Compare commits

68 Commits

2.0 ... 3.2.4_6.2.
81 README.md
							| @@ -1,21 +1,78 @@ | ||||
| # IMPORTANT NOTE | ||||
| # Wazuh containers for Docker | ||||
|  | ||||
| The first time than you runt this container can take a while until kibana finish the configuration, the Wazuh plugin can take a few minutes until finish the instalation, please be patient. | ||||
| [](https://goo.gl/forms/M2AoZC4b2R9A9Zy12) | ||||
| [](https://groups.google.com/forum/#!forum/wazuh) | ||||
| [](https://documentation.wazuh.com) | ||||
| [](https://wazuh.com) | ||||
|  | ||||
| # Docker container Wazuh + ELK(5.3.0) | ||||
| In this repository you will find the containers to run: | ||||
|  | ||||
| This Docker container source files can be found in our [Wazuh Github repository](https://github.com/wazuh/wazuh). It includes both an OSSEC manager and an Elasticsearch single-node cluster, with Logstash and Kibana. You can find more information on how these components work together in our documentation. | ||||
| * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack) | ||||
| * wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template | ||||
| * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status. | ||||
|  | ||||
| ## Documentation | ||||
| In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. | ||||
|  | ||||
| * [Full documentation](http://documentation.wazuh.com) | ||||
| * [Wazug-docker module documentation](https://documentation.wazuh.com/current/docker/index.html) | ||||
| * [Hub docker](https://hub.docker.com/u/wazuh) | ||||
| ## Current release | ||||
|  | ||||
| ## Credits and thank you | ||||
| Containers are currently tested on Wazuh version 3.2.4 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack. | ||||
|  | ||||
| These Docker containers are based on "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk] (https://github.com/deviantony/docker-elk), and "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server). We created our own fork, which we test and maintain. Thank you Anthony Lapenna for your contribution to the community. | ||||
| ## Installation notes | ||||
|  | ||||
| ## References | ||||
| To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system: | ||||
|  | ||||
| * [Wazuh website](http://wazuh.com) | ||||
| * Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally. | ||||
| * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out. | ||||
| * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly). | ||||
|  | ||||
| Once installed you can browse through the interface at: https://127.0.0.1. | ||||
|  | ||||
| ## Mount custom Wazuh configuration files | ||||
|  | ||||
| To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions. | ||||
|  | ||||
| Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files: | ||||
| ``` | ||||
| root@wazuh-manager:/# tree /wazuh-config-mount/ | ||||
| /wazuh-config-mount/ | ||||
| └── etc | ||||
|     ├── ossec.conf | ||||
|     ├── rules | ||||
|     │   └── local_rules.xml | ||||
|     └── shared | ||||
|         └── default | ||||
|             └── agent.conf | ||||
|  | ||||
| 4 directories, 3 files | ||||
| ``` | ||||
|  | ||||
| In that case, you will see this in the Wazuh manager logs on boot: | ||||
| ``` | ||||
| Identified Wazuh configuration files to mount... | ||||
| '/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf' | ||||
| '/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml' | ||||
| '/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf' | ||||
| ``` | ||||
|  | ||||
| ## More documentation | ||||
|  | ||||
| * [Wazuh full documentation](http://documentation.wazuh.com) | ||||
| * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html) | ||||
| * [Docker hub](https://hub.docker.com/u/wazuh) | ||||
|  | ||||
| ## Credits | ||||
|  | ||||
| These Docker containers are based on: | ||||
|  | ||||
| *  "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk) | ||||
| *  "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server) | ||||
|  | ||||
| We thank you them and everyone else who has contributed to this project. | ||||
|  | ||||
| ## License and copyright | ||||
|  | ||||
| Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| ## Wazuh official website | ||||
|  | ||||
| [Wazuh website](http://wazuh.com) | ||||
|   | ||||
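Review bot: in the new Credits section, "We thank you them and everyone else who has contributed to this project." should read "We thank them and everyone else who has contributed to this project." A second gap in the new Installation notes: they tell the user to browse to https://127.0.0.1 but never mention the Wazuh API login that kibana/config/entrypoint.sh in this same change writes into the `.wazuh` index (`"api_user": "foo"`, `"api_password": "YmFy"`), so add a sentence stating those defaults and how to change them before the stack is reachable by anyone else. The note that the Kibana container "can take a few minutes to install Wazuh plugin" is also out of date now that the plugin is installed at image build time in kibana/Dockerfile.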
| @@ -1,3 +1,4 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| version: '2' | ||||
|  | ||||
| services: | ||||
| @@ -6,27 +7,28 @@ services: | ||||
|     hostname: wazuh-manager | ||||
|     restart: always | ||||
|     ports: | ||||
|       - "1514/udp:1514/udp" | ||||
|       - "1514:1514/udp" | ||||
|       - "1515:1515" | ||||
|       - "514/udp:514/udp" | ||||
|       - "514:514/udp" | ||||
|       - "55000:55000" | ||||
| #      - "1516:1516" | ||||
|     networks: | ||||
|         - docker_elk | ||||
| #    volumes: | ||||
| #      - my-path:/var/ossec/data | ||||
| #      - my-path:/etc/postfix | ||||
| #      - my-path:/var/ossec/data:Z | ||||
| #      - my-path:/etc/postfix:Z | ||||
| #      - my-path:/etc/filebeat | ||||
| #      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf | ||||
|     depends_on: | ||||
|       - elasticsearch | ||||
|       - logstash | ||||
|   logstash: | ||||
|     image: wazuh/wazuh-logstash | ||||
|     hostname: logstash | ||||
|     restart: always | ||||
|     command: -f /etc/logstash/conf.d/ | ||||
| #    volumes: | ||||
| #      - my-path:/etc/logstash/conf.d | ||||
| #      - my-path:/etc/logstash/conf.d:Z | ||||
|     links: | ||||
|      - kibana | ||||
|      - elasticsearch | ||||
|       - elasticsearch:elasticsearch | ||||
|     ports: | ||||
|       - "5000:5000" | ||||
|     networks: | ||||
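Review bot: `- "1514:1514/udp"` and `- "514:514/udp"` are the correct repair of the old `"1514/udp:1514/udp"` form, which is not valid Compose port syntax (the protocol suffix belongs on the container side only). Two follow-ups: `"55000:55000"` publishes the Wazuh API on every host interface although Kibana reaches it over the `docker_elk` network by service name (`links: - wazuh:wazuh`), so `"127.0.0.1:55000:55000"` or no host mapping at all would cut the exposure; and the commented `- my-path:/var/ossec/data:Z` / `- my-path:/etc/postfix:Z` examples should say that `:Z` is the SELinux relabel flag, otherwise users on non-SELinux hosts will copy it without knowing what it does.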
| @@ -36,32 +38,59 @@ services: | ||||
|     environment: | ||||
|       - LS_HEAP_SIZE=2048m | ||||
|   elasticsearch: | ||||
|     image: elasticsearch:5.3.0 | ||||
|     image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4 | ||||
|     hostname: elasticsearch | ||||
|     restart: always | ||||
|     command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0 | ||||
|     ports: | ||||
|       - "9200:9200" | ||||
|       - "9300:9300" | ||||
| #      - "9300:9300" | ||||
|     environment: | ||||
|       ES_JAVA_OPTS: "-Xms2g -Xmx2g" | ||||
|       - node.name=node-1 | ||||
|       - cluster.name=wazuh | ||||
|       - network.host=0.0.0.0 | ||||
|       - bootstrap.memory_lock=true | ||||
|       - "ES_JAVA_OPTS=-Xms1g -Xmx1g" | ||||
|     ulimits: | ||||
|       memlock: | ||||
|         soft: -1 | ||||
|         hard: -1 | ||||
|     mem_limit: 2g | ||||
| #    volumes: | ||||
| #      - my-path:/usr/share/elasticsearch/data | ||||
| #      - my-path:/usr/share/elasticsearch/data:Z | ||||
|     networks: | ||||
|         - docker_elk | ||||
|   kibana: | ||||
|     image: wazuh/wazuh-kibana | ||||
|     hostname: kibana | ||||
|     restart: always | ||||
|     ports: | ||||
|       - "5601:5601" | ||||
| #    ports: | ||||
| #      - "5601:5601" | ||||
| #    environment: | ||||
| #      - ELASTICSEARCH_URL=http://elasticsearch:9200 | ||||
|     networks: | ||||
|       - docker_elk | ||||
|     depends_on: | ||||
|       - elasticsearch | ||||
|     entrypoint: sh wait-for-it.sh elasticsearch | ||||
| #    environment: | ||||
| #      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip" | ||||
|     links: | ||||
|       - elasticsearch:elasticsearch | ||||
|       - wazuh:wazuh | ||||
|   nginx: | ||||
|     image: wazuh/wazuh-nginx | ||||
|     hostname: nginx | ||||
|     restart: always | ||||
|     environment: | ||||
|       - NGINX_PORT=443 | ||||
|     ports: | ||||
|       - "80:80" | ||||
|       - "443:443" | ||||
| #    volumes: | ||||
| #      - my-path:/etc/nginx/conf.d:Z | ||||
|     networks: | ||||
|       - docker_elk | ||||
|     depends_on: | ||||
|       - kibana | ||||
|     links: | ||||
|       - kibana:kibana | ||||
|  | ||||
| networks: | ||||
|   docker_elk: | ||||
|   | ||||
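Review bot: `- "9200:9200"` is still published on the host while `"9300:9300"` has been commented out; `elasticsearch-oss:6.2.4` has no authentication on its REST API (the OSS image ships without X-Pack, and kibana.yml in this change sets `xpack.security.enabled: false`), so anyone who can reach the host on 9200 can read or alter every `wazuh-alerts-*` index. Logstash, Kibana and the Kibana entrypoint all address Elasticsearch as `elasticsearch:9200` over `docker_elk`, so this mapping can be commented out like 9300 or narrowed to `"127.0.0.1:9200:9200"`. The rest of the service block is consistent: `bootstrap.memory_lock=true` needs the `memlock` ulimits added here, and `-Xms1g -Xmx1g` leaves headroom under `mem_limit: 2g`.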
										
Binary file not shown (before: 81 KiB)
Binary file not shown (before: 86 KiB)
| @@ -1,7 +1,19 @@ | ||||
| FROM kibana:5.3.0 | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM docker.elastic.co/kibana/kibana-oss:6.2.4 | ||||
| ARG WAZUH_APP_VERSION=3.2.3_6.2.4 | ||||
| USER root | ||||
|  | ||||
| RUN apt-get update && apt-get install -y curl | ||||
| ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp | ||||
|  | ||||
| COPY ./config/kibana.yml /opt/kibana/config/kibana.yml | ||||
| ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config | ||||
|  | ||||
| COPY config/wait-for-it.sh / | ||||
| RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\ | ||||
|     chown -R kibana.kibana /usr/share/kibana &&\ | ||||
|     rm -rf /tmp/* | ||||
|  | ||||
| COPY config/entrypoint.sh /entrypoint.sh | ||||
| RUN chmod 755 /entrypoint.sh | ||||
|  | ||||
| USER kibana | ||||
|  | ||||
| ENTRYPOINT /entrypoint.sh | ||||
|   | ||||
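Review bot: `ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp` fetches the plugin archive at build time with no integrity check, and the same unverified file is then passed to `kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip`. Download it in a RUN step and verify a pinned SHA-256 (`sha256sum -c`) before installing, so a tampered or truncated download fails the build instead of ending up inside the image. Also, `ARG WAZUH_APP_VERSION=3.2.3_6.2.4` while the README in this change says the containers are tested on Wazuh 3.2.4: confirm which app version is intended. Finally, `ENTRYPOINT /entrypoint.sh` is the shell form; `ENTRYPOINT ["/entrypoint.sh"]` avoids the extra `sh -c` wrapper.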
							
								
								
									
54 kibana/config/entrypoint.sh (Normal file)
							| @@ -0,0 +1,54 @@ | ||||
| #!/bin/bash | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| set -e | ||||
|  | ||||
| if [ "x${ELASTICSEARCH_URL}" = "x" ]; then | ||||
|   el_url="http://elasticsearch:9200" | ||||
| else | ||||
|   el_url="${ELASTICSEARCH_URL}" | ||||
| fi | ||||
|  | ||||
| until curl -XGET $el_url; do | ||||
|   >&2 echo "Elastic is unavailable - sleeping" | ||||
|   sleep 5 | ||||
| done | ||||
|  | ||||
| >&2 echo "Elastic is up - executing command" | ||||
|  | ||||
| #Insert default templates | ||||
| cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @- | ||||
| sleep 5 | ||||
|  | ||||
| echo "Setting API credentials into Wazuh APP" | ||||
| CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013) | ||||
| if [ "x$CONFIG_CODE" = "x404" ]; then | ||||
|   curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d' | ||||
|     { | ||||
|       "api_user": "foo", | ||||
|       "api_password": "YmFy", | ||||
|       "url": "https://wazuh", | ||||
|       "api_port": "55000", | ||||
|       "insecure": "true", | ||||
|       "component": "API", | ||||
|       "cluster_info": { | ||||
|         "manager": "wazuh-manager", | ||||
|         "cluster": "Disabled", | ||||
|         "status": "disabled" | ||||
|        }, | ||||
|       "extensions": { | ||||
|         "oscap": true, | ||||
|         "audit": true, | ||||
|         "pci": true, | ||||
|         "aws": true, | ||||
|         "virustotal": true | ||||
|       } | ||||
|     } | ||||
|     ' > /dev/null | ||||
| else | ||||
|   echo "Wazuh APP already configured" | ||||
| fi | ||||
|  | ||||
| sleep 5 | ||||
|  | ||||
| /usr/local/bin/kibana-docker | ||||
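Review bot: the document POSTed to `$el_url/.wazuh/wazuh-configuration/1513629884013` hard-codes the Wazuh API login (`"api_user": "foo"`, `"api_password": "YmFy"`, which is only base64 encoding, not a secret) and sets `"insecure": "true"`, disabling TLS certificate verification towards `https://wazuh`. Read these from environment variables with the same default-or-override pattern already used for `ELASTICSEARCH_URL`, so operators can change them without rebuilding the image, and document the defaults in the README. Two smaller points: `$el_url` is unquoted in `until curl -XGET $el_url`, and the final `/usr/local/bin/kibana-docker` is not started with `exec`, so Kibana runs as a child of this bash script instead of PID 1 and will not receive the container's SIGTERM (the deleted wait-for-it.sh used `exec $cmd` for this reason).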
| @@ -81,7 +81,7 @@ elasticsearch.url: "http://elasticsearch:9200" | ||||
| # logging.silent: false | ||||
|  | ||||
| # Set the value of this setting to true to suppress all logging output other than error messages. | ||||
| # logging.quiet: false | ||||
| logging.quiet: true | ||||
|  | ||||
| # Set the value of this setting to true to log all events, including system usage information | ||||
| # and all requests. | ||||
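Review bot: `logging.quiet: true` suppresses everything except errors, which also hides the startup and plugin messages the README's Installation notes point users at when the stack is slow to come up; leave logging at its default, or at least document that operators must flip this setting back before debugging a Kibana container that does not start.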
| @@ -90,3 +90,10 @@ elasticsearch.url: "http://elasticsearch:9200" | ||||
| # Set the interval in milliseconds to sample system and process performance | ||||
| # metrics. Minimum is 100ms. Defaults to 10000. | ||||
| # ops.interval: 10000 | ||||
|  | ||||
| xpack.security.enabled: false | ||||
| xpack.grokdebugger.enabled: false | ||||
| xpack.graph.enabled: false | ||||
| xpack.ml.enabled: false | ||||
| xpack.monitoring.enabled: false | ||||
| xpack.reporting.enabled: false | ||||
|   | ||||
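Review bot: these `xpack.*.enabled: false` keys target X-Pack, but the new base image is `kibana-oss:6.2.4`, which ships without X-Pack; Kibana 6.x refuses to start with a "setting was not applied" error for keys that no installed plugin claims, so verify that the container actually boots with this block in place and drop it if it is not needed (the OSS build has none of these features to begin with).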
| @@ -1,25 +0,0 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| set -e | ||||
|  | ||||
| host="$1" | ||||
| shift | ||||
| cmd="kibana" | ||||
| WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.0_5.3.0.zip} | ||||
|  | ||||
| until curl -XGET $host:9200; do | ||||
|   >&2 echo "Elastic is unavailable - sleeping" | ||||
|   sleep 1 | ||||
| done | ||||
|  | ||||
| sleep 30 | ||||
|  | ||||
| >&2 echo "Elastic is up - executing command" | ||||
|  | ||||
| if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then | ||||
|   echo "Wazuh APP already installed" | ||||
| else | ||||
|   /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL} | ||||
| fi | ||||
|  | ||||
| exec $cmd | ||||
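Review bot: removing this script is consistent with the plugin now being installed at image build time, but `WAZUH_KIBANA_PLUGIN_URL` is no longer read anywhere once it is gone; the commented `WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.0_5.3.0.zip` example in docker-compose.yml should go with it, otherwise it documents a dead override.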
| @@ -1,12 +1,6 @@ | ||||
| FROM logstash:5.3.0 | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM docker.elastic.co/logstash/logstash-oss:6.2.4 | ||||
|  | ||||
| RUN apt-get update | ||||
| RUN rm -f /usr/share/logstash/pipeline/logstash.conf | ||||
|  | ||||
| COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf | ||||
| COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json | ||||
|  | ||||
|  | ||||
| ADD config/run.sh /tmp/run.sh | ||||
| RUN chmod 755 /tmp/run.sh | ||||
|  | ||||
| ENTRYPOINT ["/tmp/run.sh"] | ||||
| COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf | ||||
|   | ||||
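Review bot: the pipeline is now copied to `/usr/share/logstash/pipeline/01-wazuh.conf`, the logstash-oss image's default pipeline directory, while the `logstash` service in docker-compose.yml still shows `command: -f /etc/logstash/conf.d/`; if that override is kept, Logstash is pointed at a directory this image no longer populates and will fail for lack of a pipeline. Either drop the `command:` line so the image default applies, or copy the file to `/etc/logstash/conf.d/` as well. `RUN rm -f /usr/share/logstash/pipeline/logstash.conf` is the right way to get rid of the base image's sample pipeline.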
							
								
								
									
45 logstash/config/01-wazuh.conf (Normal file)
							| @@ -0,0 +1,45 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # Wazuh - Logstash configuration file | ||||
| ## Remote Wazuh Manager - Filebeat input | ||||
| input { | ||||
|     beats { | ||||
|         port => 5000 | ||||
|         codec => "json_lines" | ||||
| #       ssl => true | ||||
| #       ssl_certificate => "/etc/logstash/logstash.crt" | ||||
| #       ssl_key => "/etc/logstash/logstash.key" | ||||
|     } | ||||
| } | ||||
| filter { | ||||
|     if [data][srcip] { | ||||
|         mutate { | ||||
|             add_field => [ "@src_ip", "%{[data][srcip]}" ] | ||||
|         } | ||||
|     } | ||||
|     if [data][aws][sourceIPAddress] { | ||||
|         mutate { | ||||
|             add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ] | ||||
|         } | ||||
|     } | ||||
| } | ||||
| filter { | ||||
|     geoip { | ||||
|         source => "@src_ip" | ||||
|         target => "GeoLocation" | ||||
|         fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"] | ||||
|     } | ||||
|     date { | ||||
|         match => ["timestamp", "ISO8601"] | ||||
|         target => "@timestamp" | ||||
|     } | ||||
|     mutate { | ||||
|         remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"] | ||||
|     } | ||||
| } | ||||
| output { | ||||
|     elasticsearch { | ||||
|         hosts => ["elasticsearch:9200"] | ||||
|         index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}" | ||||
|         document_type => "wazuh" | ||||
|     } | ||||
| } | ||||
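Review bot: the beats input on port 5000 keeps `ssl => true`, `ssl_certificate` and `ssl_key` commented out, and docker-compose.yml publishes `"5000:5000"` on the host, so alerts from the manager's Filebeat travel in clear text and the listener accepts events from any client that can reach the port. When Filebeat runs outside the Compose network, enable those three lines and add `ssl_verify_mode => "force_peer"` with `ssl_certificate_authorities` so only the manager can deliver alerts; for the single-host case, not publishing 5000 is sufficient, since Filebeat reaches `logstash:5000` over `docker_elk`. One more check: `geoip` runs unconditionally on `@src_ip`, so every event without `data.srcip` or `data.aws.sourceIPAddress` is tagged `_geoip_lookup_failure`; wrap the `geoip` block in `if [@src_ip]` to keep that noise out of the index.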
| @@ -1,42 +0,0 @@ | ||||
| # Wazuh - Logstash configuration file | ||||
| ## Remote Wazuh Manager - Filebeat input | ||||
| input { | ||||
|     beats { | ||||
|         port => 5000 | ||||
|         codec => "json_lines" | ||||
| #        ssl => true | ||||
| #        ssl_certificate => "/etc/logstash/logstash.crt" | ||||
| #        ssl_key => "/etc/logstash/logstash.key" | ||||
|     } | ||||
| } | ||||
| ## Local Wazuh Manager - JSON file input | ||||
| #input { | ||||
| #   file { | ||||
| #       type => "wazuh-alerts" | ||||
| #       path => "/var/ossec/data/logs/alerts/alerts.json" | ||||
| #       codec => "json" | ||||
| #   } | ||||
| #} | ||||
| filter { | ||||
|     geoip { | ||||
|         source => "srcip" | ||||
|         target => "GeoLocation" | ||||
|     } | ||||
|     date { | ||||
|         match => ["timestamp", "ISO8601"] | ||||
|         target => "@timestamp" | ||||
|     } | ||||
|     mutate { | ||||
|         remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count" ] | ||||
|     } | ||||
| } | ||||
| output { | ||||
|     elasticsearch { | ||||
|         hosts => ["elasticsearch:9200"] | ||||
|         index => "wazuh-alerts-%{+YYYY.MM.dd}" | ||||
|         document_type => "wazuh" | ||||
|         template => "/etc/logstash/wazuh-elastic5-template.json" | ||||
|         template_name => "wazuh" | ||||
|         template_overwrite => true | ||||
|     } | ||||
| } | ||||
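Review bot: the removed output carried `template => "/etc/logstash/wazuh-elastic5-template.json"`, `template_name => "wazuh"` and `template_overwrite => true`, so Logstash itself guaranteed the index template existed before writing the first document. In the new layout the template is uploaded by kibana/config/entrypoint.sh (`curl -XPUT "$el_url/_template/wazuh"`), and `depends_on` in Compose only orders container start, so Logstash can begin indexing `wazuh-alerts-3.x-*` before Kibana's entrypoint has finished waiting for Elasticsearch; the first daily index would then be created with dynamic mappings instead of the Wazuh template. Keep `template`/`template_name` on the new elasticsearch output (pointing at the ES6 template), or make the Logstash pipeline wait for the template the way the Kibana entrypoint waits for Elasticsearch.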
| @@ -1,5 +1,5 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| # | ||||
| # OSSEC container bootstrap. See the README for information of the environment | ||||
| # variables expected by this script. | ||||
|   | ||||
| @@ -1,620 +0,0 @@ | ||||
| { | ||||
|   "order": 0, | ||||
|   "template": "wazuh*", | ||||
|   "settings": { | ||||
|     "index.refresh_interval": "5s" | ||||
|   }, | ||||
|   "mappings": { | ||||
|     "wazuh": { | ||||
|       "dynamic_templates": [ | ||||
|         { | ||||
|           "string_as_keyword": { | ||||
|             "match_mapping_type": "string", | ||||
|             "mapping": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       ], | ||||
|       "properties": { | ||||
|         "@timestamp": { | ||||
|           "type": "date", | ||||
|           "format": "dateOptionalTime" | ||||
|         }, | ||||
|         "@version": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "agent": { | ||||
|           "properties": { | ||||
|             "ip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "manager": { | ||||
|           "properties": { | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "dstuser": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "AlertsFile": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "full_log": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "previous_log": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "GeoLocation": { | ||||
|           "properties": { | ||||
|             "area_code": { | ||||
|               "type": "long" | ||||
|             }, | ||||
|             "city_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "continent_code": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "coordinates": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "country_code2": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "country_code3": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "country_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "dma_code": { | ||||
|               "type": "long" | ||||
|             }, | ||||
|             "ip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "latitude": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "location": { | ||||
|               "type": "geo_point" | ||||
|             }, | ||||
|             "longitude": { | ||||
|               "type": "double" | ||||
|             }, | ||||
|             "postal_code": { | ||||
|               "type": "keyword" | ||||
|             }, | ||||
|             "real_region_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "region_name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "timezone": { | ||||
|               "type": "text" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "host": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "syscheck": { | ||||
|           "properties": { | ||||
|             "path": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sha1_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sha1_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "perm_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "perm_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "md5_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "md5_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gname_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gname_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "inode_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "inode_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "mtime_after": { | ||||
|               "type": "date", | ||||
|               "format": "dateOptionalTime", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "mtime_before": { | ||||
|               "type": "date", | ||||
|               "format": "dateOptionalTime", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uname_after": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uname_before": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "size_before": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "size_after": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "diff": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "event": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "location": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "message": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "offset": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "rule": { | ||||
|           "properties": { | ||||
|             "description": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "groups": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "level": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cve": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "info": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "frequency": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "firedtimes": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cis": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "pci_dss": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "decoder": { | ||||
|           "properties": { | ||||
|             "parent": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "ftscomment": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fts": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "accumulate": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "srcip": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "protocol": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "action": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "dstip": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "dstport": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "srcuser": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "program_name": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "id": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "status": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "command": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "url": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "data": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "system_name": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "type": { | ||||
|           "type": "text" | ||||
|         }, | ||||
|         "title": { | ||||
|           "type": "keyword", | ||||
|           "doc_values": "true" | ||||
|         }, | ||||
|         "oscap": { | ||||
|           "properties": { | ||||
|             "check.title": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.result": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.severity": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "check.description": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.rationale": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.references": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.identifiers": { | ||||
|               "type": "text" | ||||
|             }, | ||||
|             "check.oval.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.content": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.benchmark.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.profile.title": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.profile.id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.score": { | ||||
|               "type": "double", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "scan.return_code": { | ||||
|               "type": "long", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         }, | ||||
|         "audit": { | ||||
|           "properties": { | ||||
|             "type": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "id": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "syscall": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "exit": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "ppid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "pid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "auid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "uid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "gid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "euid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "suid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fsuid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "egid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "sgid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "fsgid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "tty": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "session": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "command": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "exe": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "key": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "cwd": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.inode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "directory.mode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.name": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.inode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "file.mode": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "acct": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "dev": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "enforcing": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "list": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old-auid": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old-ses": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old_enforcing": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "old_prom": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "op": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "prom": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "res": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "srcip": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "subj": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             }, | ||||
|             "success": { | ||||
|               "type": "keyword", | ||||
|               "doc_values": "true" | ||||
|             } | ||||
|           } | ||||
|         } | ||||
|       } | ||||
|     }, | ||||
|     "agent": { | ||||
|       "properties": { | ||||
|         "@timestamp": { | ||||
|           "type": "date", | ||||
|           "format": "dateOptionalTime" | ||||
|         }, | ||||
|         "status": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "ip": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "host": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "name": { | ||||
|           "type": "keyword" | ||||
|         }, | ||||
|         "id": { | ||||
|           "type": "keyword" | ||||
|         } | ||||
|       } | ||||
|     } | ||||
|   } | ||||
| } | ||||
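Review bot: every `doc_values` in this mapping is the string `"true"` rather than the boolean `true`; Elasticsearch accepts the string form for mapping parameters, but the boolean is the documented form and does not depend on lenient parsing, so a one-off `sed` over the template would be worth it before it spreads further. Also, the top-level `type` field is mapped as `"type": "text"` while its siblings (`title`, `status`, `command`, `url`, `data`) are `keyword`; an analyzed field cannot be used in terms aggregations in Kibana, so if `type` is meant to be filterable/aggregatable it should be `keyword` like the others (or carry a `keyword` sub-field), and if the analyzed mapping is deliberate a comment in the template source would save the next reader the question.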
nginx/Dockerfile | 16 | Normal file
							| @@ -0,0 +1,16 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM nginx:latest | ||||
|  | ||||
| ENV DEBIAN_FRONTEND noninteractive | ||||
|  | ||||
| RUN apt-get update && apt-get install -y openssl apache2-utils | ||||
|  | ||||
| COPY config/entrypoint.sh /entrypoint.sh | ||||
|  | ||||
| RUN chmod 755 /entrypoint.sh | ||||
|  | ||||
| RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* | ||||
|  | ||||
| VOLUME ["/etc/nginx/conf.d"] | ||||
|  | ||||
| ENTRYPOINT /entrypoint.sh | ||||
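Review bot: `ENTRYPOINT /entrypoint.sh` is the shell form, so PID 1 becomes `/bin/sh -c` and the SIGTERM from `docker stop` is not delivered to nginx; use the exec form `ENTRYPOINT ["/entrypoint.sh"]` (as wazuh/Dockerfile in this same change does) and end the script with `exec nginx -g 'daemon off;'` so nginx is the process that receives the signal. Two smaller points: `FROM nginx:latest` is unpinned, so a rebuild silently picks up a different base image; and the `apt-get clean && rm -rf /var/lib/apt/lists/*` line runs in a separate `RUN` from the install, so the package lists are already committed in the earlier layer and this cleanup does not shrink the image. Joining them (`RUN apt-get update && apt-get install -y --no-install-recommends openssl apache2-utils && rm -rf /var/lib/apt/lists/*`) fixes that and also stops apache2-utils from pulling in recommended packages.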
nginx/config/entrypoint.sh | 54 | Normal file
							| @@ -0,0 +1,54 @@ | ||||
| #!/bin/sh | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| set -e | ||||
|  | ||||
| # Generating certificates. | ||||
| if [ ! -d /etc/nginx/conf.d/ssl ]; then | ||||
|   echo "Generating SSL certificates" | ||||
|   mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private | ||||
|   openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null | ||||
| else | ||||
|   echo "SSL certificates already present" | ||||
| fi | ||||
|  | ||||
| # Configuring default credentiales. | ||||
| if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then | ||||
|   echo "Setting Nginx credentials" | ||||
|   echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null | ||||
| else | ||||
|   echo "Kibana credentials already configured" | ||||
| fi | ||||
|  | ||||
|  | ||||
| if [ "x${NGINX_PORT}" = "x" ]; then | ||||
|   NGINX_PORT=443 | ||||
| fi | ||||
|  | ||||
| if [ "x${KIBANA_HOST}" = "x" ]; then | ||||
|   KIBANA_HOST="kibana:5601" | ||||
| fi | ||||
|  | ||||
| echo "Configuring NGINX" | ||||
| cat > /etc/nginx/conf.d/default.conf <<EOF | ||||
| server { | ||||
|     listen 80; | ||||
|     listen [::]:80; | ||||
|     return 301 https://\$host:${NGINX_PORT}\$request_uri; | ||||
| } | ||||
|  | ||||
| server { | ||||
|     listen ${NGINX_PORT} default_server; | ||||
|     listen [::]:${NGINX_PORT}; | ||||
|     ssl on; | ||||
|     ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem; | ||||
|     ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key; | ||||
|     location / { | ||||
|         auth_basic "Restricted"; | ||||
|         auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd; | ||||
|         proxy_pass http://${KIBANA_HOST}/; | ||||
|     } | ||||
| } | ||||
| EOF | ||||
|  | ||||
| nginx -g 'daemon off;' | ||||
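Review bot: the credentials fallback `echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo` means any deployment that does not mount its own `kibana.htpasswd` exposes Kibana behind the fixed, publicly visible login `foo` / `bar`, and the only hint is the "Setting Nginx credentials" log line. Either fail hard when no credentials are supplied, or read user and password from environment variables and, when they are unset, generate a random password and print it once at startup. On the TLS side, `ssl on;` is the deprecated directive (the current form is `listen ${NGINX_PORT} ssl default_server;`), and without an `ssl_protocols` line nginx falls back to its default, which in the versions `nginx:latest` resolved to at the time still includes TLSv1.0 and TLSv1.1; `ssl_protocols TLSv1.2;` would close that. Finally, since `set -e` is in effect, the last line should be `exec nginx -g 'daemon off;'` so that nginx replaces the shell and receives container signals directly.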
| @@ -1,35 +1,76 @@ | ||||
| FROM centos:latest | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| FROM phusion/baseimage:latest | ||||
| ARG FILEBEAT_VERSION=6.2.4 | ||||
| ARG WAZUH_VERSION=3.2.4-1 | ||||
|  | ||||
| COPY config/*.repo /etc/yum.repos.d/ | ||||
| # Updating image | ||||
| RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" | ||||
|  | ||||
| RUN yum -y update; yum clean all; | ||||
| RUN yum -y install epel-release openssl useradd; yum clean all | ||||
| RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all | ||||
| # Set Wazuh repository. | ||||
| RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list | ||||
| RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - | ||||
|  | ||||
| # Set nodejs repository. | ||||
| RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash - | ||||
|  | ||||
| # Creating ossec user as uid:gid 1000:1000 | ||||
| RUN groupadd -g 1000 ossec | ||||
| RUN useradd -u 1000 -g 1000 ossec | ||||
| RUN yum install -y wazuh-manager wazuh-api | ||||
|  | ||||
| # Configure postfix | ||||
| RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections | ||||
| RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections | ||||
|  | ||||
| # Install packages | ||||
| RUN apt-get update && apt-get -y install openssl postfix bsd-mailx   \ | ||||
|     apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \ | ||||
|     wazuh-api=${WAZUH_VERSION} | ||||
|  | ||||
| # Adding first run script. | ||||
| ADD config/data_dirs.env /data_dirs.env | ||||
| ADD config/init.bash /init.bash | ||||
|  | ||||
| # Sync calls are due to https://github.com/docker/docker/issues/9547 | ||||
| RUN chmod 755 /init.bash &&\ | ||||
|     sync && /init.bash &&\ | ||||
|     sync && rm /init.bash | ||||
|  | ||||
|  | ||||
| RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.2-x86_64.rpm &&\ | ||||
|   rpm -vi filebeat-5.1.2-x86_64.rpm && rm filebeat-5.1.2-x86_64.rpm | ||||
|  | ||||
| # Installing and configuring fiebeat | ||||
| RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\ | ||||
|     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb | ||||
| COPY config/filebeat.yml /etc/filebeat/ | ||||
|  | ||||
| ADD config/run.sh /tmp/run.sh | ||||
| RUN chmod 755 /tmp/run.sh | ||||
| # Adding entrypoint | ||||
| ADD config/entrypoint.sh /entrypoint.sh | ||||
| RUN chmod 755 /entrypoint.sh | ||||
|  | ||||
| # Setting volumes | ||||
| VOLUME ["/var/ossec/data"] | ||||
| VOLUME ["/etc/filebeat"] | ||||
| VOLUME ["/etc/postfix"] | ||||
|  | ||||
| EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp | ||||
| # Services ports | ||||
| EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp | ||||
|  | ||||
| # Run supervisord so that the container will stay alive | ||||
| # Clean up | ||||
| RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* | ||||
|  | ||||
| ENTRYPOINT ["/tmp/run.sh"] | ||||
| # Adding services | ||||
| RUN mkdir /etc/service/wazuh | ||||
| COPY config/wazuh.runit.service /etc/service/wazuh/run | ||||
| RUN chmod +x /etc/service/wazuh/run | ||||
|  | ||||
| RUN mkdir /etc/service/wazuh-api | ||||
| COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run | ||||
| RUN chmod +x /etc/service/wazuh-api/run | ||||
|  | ||||
| RUN mkdir /etc/service/postfix | ||||
| COPY config/postfix.runit.service /etc/service/postfix/run | ||||
| RUN chmod +x /etc/service/postfix/run | ||||
|  | ||||
| RUN mkdir /etc/service/filebeat | ||||
| COPY config/filebeat.runit.service /etc/service/filebeat/run | ||||
| RUN chmod +x /etc/service/filebeat/run | ||||
|  | ||||
| # Run all services | ||||
| ENTRYPOINT ["/entrypoint.sh"] | ||||
|   | ||||
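Review bot: `curl --silent --location https://deb.nodesource.com/setup_8.x | bash -` executes a remote script as root at build time with no integrity check, and `FROM phusion/baseimage:latest` is unpinned, so the resulting image is not reproducible even though `FILEBEAT_VERSION` and `WAZUH_VERSION` are carefully pinned. Prefer adding the NodeSource repository and signing key explicitly, with the same `echo "deb ..." | tee` and `apt-key add -` pattern already used for the Wazuh repository two lines above, and pin the base image to a tag or digest. Minor points: `ADD config/data_dirs.env`, `ADD config/init.bash` and `ADD config/entrypoint.sh` copy plain local files, where `COPY` is the idiomatic form (ADD's tar extraction and URL fetching are not wanted here, and the file later uses `COPY` for the runit scripts anyway); and `--no-install-recommends` on the `apt-get -y install` line would keep postfix, bsd-mailx and nodejs from dragging in packages the image does not need.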
wazuh/config/entrypoint.sh | 116 | Normal file
							| @@ -0,0 +1,116 @@ | ||||
| #!/bin/bash | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| # | ||||
| # OSSEC container bootstrap. See the README for information of the environment | ||||
| # variables expected by this script. | ||||
| # | ||||
|  | ||||
| # | ||||
|  | ||||
| # | ||||
| # Startup the services | ||||
| # | ||||
|  | ||||
| source /data_dirs.env | ||||
|  | ||||
| FIRST_TIME_INSTALLATION=false | ||||
|  | ||||
| WAZUH_INSTALL_PATH=/var/ossec | ||||
| DATA_PATH=${WAZUH_INSTALL_PATH}/data | ||||
|  | ||||
| WAZUH_CONFIG_MOUNT=/wazuh-config-mount | ||||
|  | ||||
| print() { | ||||
|     echo -e $1 | ||||
| } | ||||
|  | ||||
| error_and_exit() { | ||||
|     echo "Error executing command: '$1'." | ||||
|     echo 'Exiting.' | ||||
|     exit 1 | ||||
| } | ||||
|  | ||||
| exec_cmd() { | ||||
|     eval $1 > /dev/null 2>&1 || error_and_exit "$1" | ||||
| } | ||||
|  | ||||
| exec_cmd_stdout() { | ||||
|     eval $1 2>&1 || error_and_exit "$1" | ||||
| } | ||||
|  | ||||
| edit_configuration() { # $1 -> setting,  $2 -> value | ||||
|     sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)" | ||||
| } | ||||
|  | ||||
| for ossecdir in "${DATA_DIRS[@]}"; do | ||||
|   if [ ! -e "${DATA_PATH}/${ossecdir}" ] | ||||
|   then | ||||
|     print "Installing ${ossecdir}" | ||||
|     exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})" | ||||
|     exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}" | ||||
|     FIRST_TIME_INSTALLATION=true | ||||
|   fi | ||||
| done | ||||
|  | ||||
| touch ${DATA_PATH}/process_list | ||||
| chgrp ossec ${DATA_PATH}/process_list | ||||
| chmod g+rw ${DATA_PATH}/process_list | ||||
|  | ||||
| AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} | ||||
| API_GENERATE_CERTS=${API_GENERATE_CERTS:-true} | ||||
|  | ||||
| if [ $FIRST_TIME_INSTALLATION == true ] | ||||
| then | ||||
|   if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
|   then | ||||
|     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ] | ||||
|     then | ||||
|       print "Creating ossec-authd key and cert" | ||||
|       exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096" | ||||
|       exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/" | ||||
|     fi | ||||
|   fi | ||||
|   if [ $API_GENERATE_CERTS == true ] | ||||
|   then | ||||
|     if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ] | ||||
|     then | ||||
|       print "Enabling Wazuh API HTTPS" | ||||
|       edit_configuration "https" "yes" | ||||
|       print "Create Wazuh API key and cert" | ||||
|       exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096" | ||||
|       exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/" | ||||
|     fi | ||||
|   fi | ||||
| fi | ||||
|  | ||||
| ############################################################################## | ||||
| # Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect | ||||
| # destination files permissions | ||||
| # | ||||
| # For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at | ||||
| # $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will | ||||
| # replace the ossec.conf file in /var/ossec/data/etc with yours. | ||||
| ############################################################################## | ||||
| if [ -e "$WAZUH_CONFIG_MOUNT" ] | ||||
| then | ||||
|   print "Identified Wazuh configuration files to mount..." | ||||
|  | ||||
|   exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH" | ||||
| else | ||||
|   print "No Wazuh configuration files to mount..." | ||||
| fi | ||||
|  | ||||
| # Enabling ossec-authd. | ||||
| exec_cmd "/var/ossec/bin/ossec-control enable auth" | ||||
|  | ||||
| function ossec_shutdown(){ | ||||
|   ${WAZUH_INSTALL_PATH}/bin/ossec-control stop; | ||||
| } | ||||
|  | ||||
| # Trap exit signals and do a proper shutdown | ||||
| trap "ossec_shutdown; exit" SIGINT SIGTERM | ||||
|  | ||||
| chmod -R g+rw ${DATA_PATH} | ||||
|  | ||||
| /sbin/my_init  | ||||
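Review bot: the `trap "ossec_shutdown; exit" SIGINT SIGTERM` does not give a clean shutdown. With the exec-form ENTRYPOINT this bash script is PID 1 and runs `/sbin/my_init` as a foreground child, and bash defers a trap handler until the foreground command returns, so on `docker stop` the SIGTERM sits unhandled until the timeout kill arrives. Either `exec /sbin/my_init` as the last line (my_init forwards TERM to the runit services itself, and the trap becomes unnecessary) or drop the trap and stop the Wazuh daemons from a runit `finish` script. Two smaller points: `exec_cmd` runs its argument through `eval`, so `${HOSTNAME}` and `${DATA_PATH}` are re-parsed as shell words; harmless for the current callers, but an unusual hostname would break the `openssl req ... -subj /CN=${HOSTNAME}/` line, and passing arguments as an array (`"$@"`) would avoid the eval entirely. And the comment above the config-mount block says destination file permissions are respected, while `cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH` does not preserve them and the unconditional `chmod -R g+rw ${DATA_PATH}` then makes everything under `/var/ossec/data`, including `etc/sslmanager.key` and `api/configuration/ssl/server.key`, group-writable; either narrow the chmod or update the comment.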
wazuh/config/filebeat.runit.service | 3 | Normal file
							| @@ -0,0 +1,3 @@ | ||||
| #!/bin/sh | ||||
| service filebeat start | ||||
| tail -f /var/log/filebeat/filebeat | ||||
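Review bot: runit expects a `run` script to start its service in the foreground (normally with `exec`) so that it can supervise and signal the process; here `service filebeat start` daemonizes filebeat and the script then blocks on `tail -f`, so what runit is actually supervising is `tail`. If filebeat dies nothing restarts it, and a shutdown through my_init only kills the tail. Prefer `exec` of the filebeat binary in the foreground (the deb installs it under `/usr/share/filebeat/bin/`), with `-e` so it logs to stderr and the tail becomes unnecessary. The same pattern is used by the postfix, wazuh-api and wazuh run scripts in this change.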
| @@ -1,3 +1,4 @@ | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
| filebeat: | ||||
|  prospectors: | ||||
|   - input_type: log | ||||
|   | ||||
| @@ -1,4 +1,5 @@ | ||||
| #!/bin/bash | ||||
| # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2) | ||||
|  | ||||
| # | ||||
| # Initialize the custom data directory layout | ||||
|   | ||||
wazuh/config/postfix.runit.service | 3 | Normal file
							| @@ -0,0 +1,3 @@ | ||||
| #!/bin/sh | ||||
| service postfix start | ||||
| tail -f /var/log/mail.log | ||||
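Review bot: `tail -f /var/log/mail.log` follows a file that postfix does not write itself; it logs through syslog, so the file only exists once a syslog daemon in the container has created it. If it is missing when this script runs, `tail` exits immediately with "cannot open", runit restarts `run` about once a second, and every restart calls `service postfix start` again. `tail -F` (follow by name, retry) or touching the file before the tail avoids that loop. Separately, because `service postfix start` daemonizes postfix, runit ends up supervising `tail` rather than the mail service, so a crashed postfix is never restarted.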
| @@ -1,79 +0,0 @@ | ||||
| #!/bin/bash | ||||
|  | ||||
| # | ||||
| # OSSEC container bootstrap. See the README for information of the environment | ||||
| # variables expected by this script. | ||||
| # | ||||
|  | ||||
| # | ||||
|  | ||||
| # | ||||
| # Startup the services | ||||
| # | ||||
|  | ||||
| source /data_dirs.env | ||||
| FIRST_TIME_INSTALLATION=false | ||||
| DATA_PATH=/var/ossec/data | ||||
|  | ||||
| for ossecdir in "${DATA_DIRS[@]}"; do | ||||
|   if [ ! -e "${DATA_PATH}/${ossecdir}" ] | ||||
|   then | ||||
|     echo "Installing ${ossecdir}" | ||||
|     mkdir -p $(dirname ${DATA_PATH}/${ossecdir}) | ||||
|     cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir} | ||||
|     FIRST_TIME_INSTALLATION=true | ||||
|   fi | ||||
| done | ||||
|  | ||||
| touch ${DATA_PATH}/process_list | ||||
| chgrp ossec ${DATA_PATH}/process_list | ||||
| chmod g+rw ${DATA_PATH}/process_list | ||||
|  | ||||
| AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true} | ||||
|  | ||||
| if [ $FIRST_TIME_INSTALLATION == true ] | ||||
| then | ||||
|  | ||||
|   if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
|   then | ||||
|     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ] | ||||
|     then | ||||
|       echo "Creating ossec-authd key and cert" | ||||
|       openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096 | ||||
|       openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\ | ||||
|         -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\ | ||||
|         -subj /CN=${HOSTNAME}/ | ||||
|     fi | ||||
|   fi | ||||
| fi | ||||
|  | ||||
| function ossec_shutdown(){ | ||||
|   /var/ossec/bin/ossec-control stop; | ||||
|   if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
|   then | ||||
|      kill $AUTHD_PID | ||||
|   fi | ||||
| } | ||||
|  | ||||
| # Trap exit signals and do a proper shutdown | ||||
| trap "ossec_shutdown; exit" SIGINT SIGTERM | ||||
|  | ||||
| chmod -R g+rw ${DATA_PATH} | ||||
|  | ||||
| if [ $AUTO_ENROLLMENT_ENABLED == true ] | ||||
| then | ||||
|   echo "Starting ossec-authd..." | ||||
|   /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 & | ||||
|   AUTHD_PID=$! | ||||
| fi | ||||
| sleep 15 # give ossec a reasonable amount of time to start before checking status | ||||
| LAST_OK_DATE=`date +%s` | ||||
|  | ||||
| ## Start services | ||||
| /usr/sbin/postfix start | ||||
| /bin/node /var/ossec/api/app.js & | ||||
| /usr/bin/filebeat.sh & | ||||
| /var/ossec/bin/ossec-control restart | ||||
|  | ||||
|  | ||||
| tail -f /var/ossec/logs/ossec.log | ||||
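Review bot: the deleted script honoured two things that the new wazuh/config/entrypoint.sh in this change does not: `$AUTHD_OPTIONS`, which was passed straight through in `/var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS` and was the way deployments set authd flags such as the enrollment password, and the explicit `kill $AUTHD_PID` at shutdown. With authd now started via `ossec-control enable auth`, anyone still exporting `AUTHD_OPTIONS` will silently get the stock authd behaviour. Please flag this as a breaking change and document the replacement (for example an `<auth>` block in an `ossec.conf` supplied through `$WAZUH_CONFIG_MOUNT`).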
wazuh/config/wazuh-api.runit.service | 4 | Normal file
							| @@ -0,0 +1,4 @@ | ||||
| #!/bin/sh | ||||
| service wazuh-api start | ||||
| tail -f /var/ossec/data/logs/api.log | ||||
|  | ||||
| @@ -1,7 +0,0 @@ | ||||
| [wazuh_repo] | ||||
| gpgcheck=1 | ||||
| gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH | ||||
| enabled=1 | ||||
| name=CENTOS-$releasever - Wazuh | ||||
| baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch | ||||
| protect=1 | ||||
wazuh/config/wazuh.runit.service | 4 | Normal file
							| @@ -0,0 +1,4 @@ | ||||
| #!/bin/sh | ||||
| service wazuh-manager start | ||||
| tail -f /var/ossec/data/logs/ossec.log | ||||
|  | ||||
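Review bot: `tail -f /var/ossec/data/logs/ossec.log` only works if the log already exists when runit starts this script; if `service wazuh-manager start` fails or has not yet created it, `tail -f` exits and runit loops, re-running `service wazuh-manager start` each time. `tail -F` is the safer choice. The larger issue is shutdown: the Wazuh daemons are not children of this script, so when my_init stops the service it kills the tail and `ossec-control stop` is never called. A `finish` script at `/etc/service/wazuh/finish` that runs `/var/ossec/bin/ossec-control stop` would give the manager a clean stop on `docker stop`. The file also ends with a stray blank line.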