Static versions for wazuh-manager and wazuh-api

Add a mount point for custom Wazuh configuration files

README.md

@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.1.0 and Elastic Stack version 6.1.0. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.2.0 and Elastic Stack version 6.2.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 
@@ -27,6 +27,33 @@ To run all docker instances you can just run ``docker-compose up``, from the dir
 
 Once installed you can browse through the interface at: http://127.0.0.1:5601
 
+## Mount custom Wazuh configuration files
+
+To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
+
+Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
+```
+root@wazuh-manager:/# tree /wazuh-config-mount/
+/wazuh-config-mount/
+└── etc
+    ├── ossec.conf
+    ├── rules
+    │   └── local_rules.xml
+    └── shared
+        └── default
+            └── agent.conf
+
+4 directories, 3 files
+```
+
+In that case, you will see this in the Wazuh manager logs on boot:
+```
+Identified Wazuh configuration files to mount...
+'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
+'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
+'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
+```
+
 ## More documentation
 
 * [Wazuh full documentation](http://documentation.wazuh.com)

docker-compose.yml

@@ -13,8 +13,10 @@ services:
     networks:
         - docker_elk
 #    volumes:
-#      - my-path:/var/ossec/data
+#      - my-path:/var/ossec/data:Z
-#      - my-path:/etc/postfix
+#      - my-path:/etc/postfix:Z
+#      - my-path:/etc/filebeat
+#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
       - elasticsearch
   logstash:
@@ -23,7 +25,7 @@ services:
     restart: always
     command: -f /etc/logstash/conf.d/
 #    volumes:
-#      - my-path:/etc/logstash/conf.d
+#      - my-path:/etc/logstash/conf.d:Z
     links:
      - kibana
      - elasticsearch:elasticsearch
@@ -37,7 +39,7 @@ services:
       - LS_HEAP_SIZE=2048m
       - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.1.0
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.2.1
     hostname: elasticsearch
     restart: always
     ports:
@@ -60,7 +62,7 @@ services:
         hard: -1
     mem_limit: 2g
 #    volumes:
-#      - my-path:/usr/share/elasticsearch/data
+#      - my-path:/usr/share/elasticsearch/data:Z
     networks:
         - docker_elk
   kibana:
@@ -69,16 +71,16 @@ services:
     restart: always
 #    ports:
 #      - "5601:5601"
+    environment:
+      - "NODE_OPTIONS=--max-old-space-size=3072"
     networks:
-        - docker_elk
+      - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
       - wazuh
     entrypoint: /wait-for-it.sh elasticsearch
-#    environment:
-#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-3.1.0-6.1.0.zip"
   nginx:
     image: wazuh/wazuh-nginx
     hostname: nginx
@@ -89,6 +91,8 @@ services:
     ports:
       - "80:80"
       - "443:443"
+#    volumes:
+#      - my-path:/etc/nginx/conf.d:Z
     networks:
       - docker_elk
     depends_on:

kibana/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.elastic.co/kibana/kibana:6.1.0
+FROM docker.elastic.co/kibana/kibana:6.2.1
 
 USER root
 
@@ -6,4 +6,16 @@ COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
 
 COPY config/wait-for-it.sh /wait-for-it.sh
 
+ADD https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.0_6.2.1.zip /tmp
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config
+
+RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-3.2.0_6.2.1.zip
+
+RUN rm -rf /tmp/*
+
 RUN chmod 755 /wait-for-it.sh

kibana/config/wait-for-it.sh

@@ -5,7 +5,6 @@ set -e
 host="$1"
 shift
 cmd="kibana"
-WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-3.1.0_6.1.0.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
@@ -14,28 +13,20 @@ done
 
 >&2 echo "Elastic is up - executing command"
 
-#Insert default templates
-curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
 sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
 
-curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
+sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT 'http://elasticsearch:9200/_template/wazuh-agent' -H 'Content-Type: application/json' -d @-
 
 #Insert sample alert:
 sleep 5
-curl https://raw.githubusercontent.com/wazuh/wazuh/3.0/extensions/elasticsearch/alert_sample.json | curl -XPUT "http://elasticsearch:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
+cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://elasticsearch:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
+
 sleep 5
-
-
-if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
-  echo "Wazuh APP already installed"
-else
-  /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
-fi
-
-sleep 30
-
 echo "Setting API credentials into Wazuh APP"
-
 CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
   curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'

logstash/Dockerfile

@@ -1,3 +1,3 @@
-FROM docker.elastic.co/logstash/logstash:6.1.0
+FROM docker.elastic.co/logstash/logstash:6.2.1
 
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf

wazuh/Dockerfile

@@ -1,5 +1,5 @@
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.1.0
+ARG FILEBEAT_VERSION=6.2.1
 
 RUN apt-get update; apt-get -y dist-upgrade
 RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
@@ -9,7 +9,7 @@ RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
     apt-get install -y nodejs
 RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
 RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
-RUN apt-get update && apt-get -y install wazuh-manager wazuh-api expect
+RUN apt-get update && apt-get -y install wazuh-manager=3.2.0-1 wazuh-api=3.2.0-1 expect
 
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
@@ -28,6 +28,7 @@ ADD config/run.sh /tmp/run.sh
 RUN chmod 755 /tmp/run.sh
 
 VOLUME ["/var/ossec/data"]
+VOLUME ["/etc/filebeat"]
 
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp
 

wazuh/config/run.sh

@@ -12,8 +12,13 @@
 #
 
 source /data_dirs.env
+
 FIRST_TIME_INSTALLATION=false
-DATA_PATH=/var/ossec/data
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_PATH=${WAZUH_INSTALL_PATH}/data
+
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
 
 print() {
     echo -e $1
@@ -29,6 +34,9 @@ exec_cmd() {
     eval $1 > /dev/null 2>&1 || error_and_exit "$1"
 }
 
+exec_cmd_stdout() {
+    eval $1 2>&1 || error_and_exit "$1"
+}
 
 edit_configuration() { # $1 -> setting,  $2 -> value
     sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
@@ -75,11 +83,28 @@ then
   fi
 fi
 
-#Enabling ossec-authd.
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+if [ -e "$WAZUH_CONFIG_MOUNT" ]
+then
+  print "Identified Wazuh configuration files to mount..."
+
+  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
+else
+  print "No Wazuh configuration files to mount..."
+fi
+
+# Enabling ossec-authd.
 exec_cmd "/var/ossec/bin/ossec-control enable auth"
 
 function ossec_shutdown(){
-  ${DATA_PATH}/bin/ossec-control stop;
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 
 # Trap exit signals and do a proper shutdown