Upgrade Wazuh Manager to 3.3.1

README.md

@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.2.1 and Elastic Stack version 6.2.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.3.1 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 
@@ -69,6 +69,10 @@ These Docker containers are based on:
 
 We thank you them and everyone else who has contributed to this project.
 
+## License and copyright
+
+Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
 ## Wazuh official website
 
 [Wazuh website](http://wazuh.com)

docker-compose.yml

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
@@ -19,28 +20,25 @@ services:
 #      - my-path:/etc/filebeat
 #      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
-      - elasticsearch
+      - logstash
   logstash:
     image: wazuh/wazuh-logstash
     hostname: logstash
     restart: always
-    command: -f /etc/logstash/conf.d/
 #    volumes:
 #      - my-path:/etc/logstash/conf.d:Z
     links:
-     - kibana
-     - elasticsearch:elasticsearch
+      - elasticsearch:elasticsearch
     ports:
       - "5000:5000"
     networks:
-        - docker_elk
+      - docker_elk
     depends_on:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
-      - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.2.3
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
     hostname: elasticsearch
     restart: always
     ports:
@@ -51,11 +49,6 @@ services:
       - cluster.name=wazuh
       - network.host=0.0.0.0
       - bootstrap.memory_lock=true
-      - xpack.security.enabled=false
-      - xpack.monitoring.enabled=false
-      - xpack.ml.enabled=false
-      - xpack.watcher.enabled=false
-      - xpack.graph.enabled=false
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
     ulimits:
       memlock:
@@ -72,21 +65,19 @@ services:
     restart: always
 #    ports:
 #      - "5601:5601"
-    environment:
-      - "NODE_OPTIONS=--max-old-space-size=3072"
+#    environment:
+#      - ELASTICSEARCH_URL=http://elasticsearch:9200
     networks:
       - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
-      - wazuh
-    entrypoint: /wait-for-it.sh elasticsearch
+      - wazuh:wazuh
   nginx:
     image: wazuh/wazuh-nginx
     hostname: nginx
     restart: always
-    entrypoint: /run.sh
     environment:
       - NGINX_PORT=443
     ports:
@@ -99,7 +90,7 @@ services:
     depends_on:
       - kibana
     links:
-      - kibana
+      - kibana:kibana
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,25 +1,19 @@
-FROM docker.elastic.co/kibana/kibana:6.2.3
-ARG WAZUH_APP_VERSION=3.2.1_6.2.3
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana-oss:6.2.4
+ARG WAZUH_APP_VERSION=3.3.0_6.2.4
 USER root
 
-COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
-
-COPY config/wait-for-it.sh /wait-for-it.sh
-
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
 ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config
+RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
+    chown -R kibana.kibana /usr/share/kibana &&\
+    rm -rf /tmp/*
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config
-
-RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
-
-RUN chown -R kibana.kibana /usr/share/kibana
-
-RUN rm -rf /tmp/*
-
-RUN chmod 755 /wait-for-it.sh
+COPY config/entrypoint.sh /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
 
 USER kibana
+
+ENTRYPOINT /entrypoint.sh

kibana/config/entrypoint.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+until curl -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
+sleep 5
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+    {
+      "api_user": "foo",
+      "api_password": "YmFy",
+      "url": "https://wazuh",
+      "api_port": "55000",
+      "insecure": "true",
+      "component": "API",
+      "cluster_info": {
+        "manager": "wazuh-manager",
+        "cluster": "Disabled",
+        "status": "disabled"
+       },
+      "extensions": {
+        "oscap": true,
+        "audit": true,
+        "pci": true,
+        "aws": true,
+        "virustotal": true,
+        "gdpr": true
+      }
+    }
+    ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+
+sleep 5
+
+/usr/local/bin/kibana-docker

kibana/config/wait-for-it.sh

@@ -1,60 +0,0 @@
-#!/bin/bash
-
-set -e
-
-host="$1"
-shift
-cmd="kibana"
-
-until curl -XGET $host:9200; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-sleep 5
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "http://$host:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
-
-sleep 5
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT "http://$host:9200/_template/wazuh-agent" -H 'Content-Type: application/json' -d @-
-
-#Insert sample alert:
-sleep 5
-cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://$host:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
-
-sleep 5
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-    {
-      "api_user": "foo",
-      "api_password": "YmFy",
-      "url": "https://wazuh",
-      "api_port": "55000",
-      "insecure": "true",
-      "component": "API",
-      "cluster_info": {
-        "manager": "wazuh-manager",
-        "cluster": "Disabled",
-        "status": "disabled"
-       },
-      "extensions": {
-        "oscap": true,
-        "audit": true,
-        "pci": true,
-        "aws": true,
-        "virustotal": true
-      }
-    }
-    ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-
-sleep 5
-
-exec $cmd

logstash/Dockerfile

@@ -1,3 +1,6 @@
-FROM docker.elastic.co/logstash/logstash:6.2.3
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/logstash/logstash-oss:6.2.4
 
-COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
+RUN rm -f /usr/share/logstash/pipeline/logstash.conf
+
+COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf

logstash/config/01-wazuh.conf

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Wazuh - Logstash configuration file
 ## Remote Wazuh Manager - Filebeat input
 input {

logstash/config/run.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 #
 # OSSEC container bootstrap. See the README for information of the environment
 # variables expected by this script.

nginx/Dockerfile

@@ -1,7 +1,16 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
+ENV DEBIAN_FRONTEND noninteractive
+
 RUN apt-get update && apt-get install -y openssl apache2-utils
 
-COPY config/run.sh /run.sh
+COPY config/entrypoint.sh /entrypoint.sh
 
-RUN chmod 755 /run.sh
+RUN chmod 755 /entrypoint.sh
+
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+VOLUME ["/etc/nginx/conf.d"]
+
+ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Generating certificates.
+if [ ! -d /etc/nginx/conf.d/ssl ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+# Configuring default credentiales.
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting Nginx credentials"
+  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+else
+  echo "Kibana credentials already configured"
+fi
+
+
+if [ "x${NGINX_PORT}" = "x" ]; then
+  NGINX_PORT=443
+fi
+
+if [ "x${KIBANA_HOST}" = "x" ]; then
+  KIBANA_HOST="kibana:5601"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:${NGINX_PORT}\$request_uri;
+}
+
+server {
+    listen ${NGINX_PORT} default_server;
+    listen [::]:${NGINX_PORT};
+    ssl on;
+    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
+    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://${KIBANA_HOST}/;
+    }
+}
+EOF
+
+nginx -g 'daemon off;'

nginx/config/run.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-
-set -e
-
-if [ ! -d /etc/pki/tls/certs ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
-else
-  echo "Kibana credentials already configured"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:$NGINX_PORT\$request_uri;
-}
-
-server {
-    listen $NGINX_PORT default_server;
-    listen [::]:$NGINX_PORT;
-    ssl on;
-    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
-    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://kibana:5601/;
-    }
-}
-EOF
-
-echo "Starting Nginx"
-nginx -g 'daemon off; error_log /dev/stdout info;'

wazuh/Dockerfile

@@ -1,38 +1,76 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.2.3
-ARG WAZUH_VERSION=3.2.1-1
+ARG FILEBEAT_VERSION=6.2.4
+ARG WAZUH_VERSION=3.3.1-1
 
-RUN apt-get update; apt-get -y dist-upgrade
-RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
+# Updating image
+RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+
+# Set Wazuh repository.
+RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+
+# Set nodejs repository.
+RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
+
+# Creating ossec user as uid:gid 1000:1000
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
-RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
-    apt-get install -y nodejs
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
-RUN apt-get update && apt-get -y install wazuh-manager=${WAZUH_VERSION} wazuh-api=${WAZUH_VERSION} expect && apt-get clean
 
+# Configure postfix
+RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
+RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+
+# Install packages
+RUN apt-get update && apt-get -y install openssl postfix bsd-mailx   \
+    apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
+    wazuh-api=${WAZUH_VERSION}
+
+# Adding first run script.
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
 
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
-  sync && /init.bash &&\
-  sync && rm /init.bash
+    sync && /init.bash &&\
+    sync && rm /init.bash
 
+# Installing and configuring fiebeat
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
-
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 COPY config/filebeat.yml /etc/filebeat/
 
-ADD config/run.sh /tmp/run.sh
-RUN chmod 755 /tmp/run.sh
+# Adding entrypoint
+ADD config/entrypoint.sh /entrypoint.sh
+RUN chmod 755 /entrypoint.sh
 
+# Setting volumes
 VOLUME ["/var/ossec/data"]
 VOLUME ["/etc/filebeat"]
+VOLUME ["/etc/postfix"]
 
+# Services ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
-# Run supervisord so that the container will stay alive
+# Clean up
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-ENTRYPOINT ["/tmp/run.sh"]
+# Adding services
+RUN mkdir /etc/service/wazuh
+COPY config/wazuh.runit.service /etc/service/wazuh/run
+RUN chmod +x /etc/service/wazuh/run
+
+RUN mkdir /etc/service/wazuh-api
+COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
+RUN chmod +x /etc/service/wazuh-api/run
+
+RUN mkdir /etc/service/postfix
+COPY config/postfix.runit.service /etc/service/postfix/run
+RUN chmod +x /etc/service/postfix/run
+
+RUN mkdir /etc/service/filebeat
+COPY config/filebeat.runit.service /etc/service/filebeat/run
+RUN chmod +x /etc/service/filebeat/run
+
+# Run all services
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/entrypoint.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 
 #
 # OSSEC container bootstrap. See the README for information of the environment
@@ -112,9 +113,4 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
 
 chmod -R g+rw ${DATA_PATH}
 
-service postfix start
-service wazuh-api start
-service wazuh-manager start
-service filebeat start
-
-tail -f /var/ossec/logs/ossec.log
+/sbin/my_init 

wazuh/config/filebeat.runit.service

@@ -0,0 +1,3 @@
+#!/bin/sh
+service filebeat start
+tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -1,3 +1,4 @@
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 filebeat:
  prospectors:
   - input_type: log

wazuh/config/init.bash

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 
 #
 # Initialize the custom data directory layout

wazuh/config/postfix.runit.service

@@ -0,0 +1,3 @@
+#!/bin/sh
+service postfix start
+tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -0,0 +1,4 @@
+#!/bin/sh
+service wazuh-api start
+tail -f /var/ossec/data/logs/api.log
+

wazuh/config/wazuh.runit.service

@@ -0,0 +1,4 @@
+#!/bin/sh
+service wazuh-manager start
+tail -f /var/ossec/data/logs/ossec.log
+