Merge pull request #22 from wazuh/revert-21-dev

Revert "Adding Nginx container"

README.md

@@ -1,10 +1,5 @@
 # Wazuh containers for Docker
 
-[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
-[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
-[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
-[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
-
 In this repository you will find the containers to run:
 
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
@@ -15,7 +10,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.2.1 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 2.0 and Elastic Stack version 5.5.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 
@@ -25,34 +20,7 @@ To run all docker instances you can just run ``docker-compose up``, from the dir
 * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
 * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
 
-Once installed you can browse through the interface at: https://127.0.0.1.
+Once installed you can browse through the interface at: http://127.0.0.1:5601
-
-## Mount custom Wazuh configuration files
-
-To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
-
-Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
-```
-root@wazuh-manager:/# tree /wazuh-config-mount/
-/wazuh-config-mount/
-└── etc
-    ├── ossec.conf
-    ├── rules
-    │   └── local_rules.xml
-    └── shared
-        └── default
-            └── agent.conf
-
-4 directories, 3 files
-```
-
-In that case, you will see this in the Wazuh manager logs on boot:
-```
-Identified Wazuh configuration files to mount...
-'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
-'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
-'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
-```
 
 ## More documentation
 
@@ -69,10 +37,6 @@ These Docker containers are based on:
 
 We thank you them and everyone else who has contributed to this project.
 
-## License and copyright
-
-Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
 ## Wazuh official website
 
 [Wazuh website](http://wazuh.com)

docker-compose.yml

@@ -1,4 +1,3 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
@@ -11,14 +10,11 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-#      - "1516:1516"
     networks:
         - docker_elk
 #    volumes:
-#      - my-path:/var/ossec/data:Z
+#      - my-path:/var/ossec/data
-#      - my-path:/etc/postfix:Z
+#      - my-path:/etc/postfix
-#      - my-path:/etc/filebeat
-#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
       - elasticsearch
   logstash:
@@ -27,7 +23,7 @@ services:
     restart: always
     command: -f /etc/logstash/conf.d/
 #    volumes:
-#      - my-path:/etc/logstash/conf.d:Z
+#      - my-path:/etc/logstash/conf.d
     links:
      - kibana
      - elasticsearch:elasticsearch
@@ -39,42 +35,26 @@ services:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
-      - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.2.4
+    image: elasticsearch:5.5.2
     hostname: elasticsearch
     restart: always
+    command: elasticsearch -E node.name="node-1" -E cluster.name="wazuh" -E network.host=0.0.0.0
     ports:
       - "9200:9200"
-#      - "9300:9300"
+      - "9300:9300"
     environment:
-      - node.name=node-1
+      ES_JAVA_OPTS: "-Xms2g -Xmx2g"
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
-      - xpack.security.enabled=false
-      - xpack.monitoring.enabled=false
-      - xpack.ml.enabled=false
-      - xpack.watcher.enabled=false
-      - xpack.graph.enabled=false
-      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-    mem_limit: 2g
 #    volumes:
-#      - my-path:/usr/share/elasticsearch/data:Z
+#      - my-path:/usr/share/elasticsearch/data
     networks:
         - docker_elk
   kibana:
     image: wazuh/wazuh-kibana
     hostname: kibana
     restart: always
-#    ports:
+    ports:
-#      - "5601:5601"
+      - "5601:5601"
-    environment:
-      - "NODE_OPTIONS=--max-old-space-size=3072"
     networks:
         - docker_elk
     depends_on:
@@ -82,25 +62,9 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh
-    entrypoint: /wait-for-it.sh elasticsearch
+    entrypoint: sh wait-for-it.sh elasticsearch
-  nginx:
+#    environment:
-    image: wazuh/wazuh-nginx
+#      - "WAZUH_KIBANA_PLUGIN_URL=http://your.repo/wazuhapp-2.1.0-5.5.1.zip"
-    hostname: nginx
-    restart: always
-    entrypoint: /run.sh
-    environment:
-      - NGINX_PORT=443
-    ports:
-      - "80:80"
-      - "443:443"
-#    volumes:
-#      - my-path:/etc/nginx/conf.d:Z
-    networks:
-      - docker_elk
-    depends_on:
-      - kibana
-    links:
-      - kibana
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,22 +1,7 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+FROM kibana:5.5.2
-FROM docker.elastic.co/kibana/kibana:6.2.4
-ARG WAZUH_APP_VERSION=3.2.1_6.2.4
-USER root
 
-COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
+RUN apt-get update && apt-get install -y curl
 
-COPY config/wait-for-it.sh /wait-for-it.sh
+COPY ./config/kibana.yml /opt/kibana/config/kibana.yml
 
-ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+COPY config/wait-for-it.sh /
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
-
-RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
-
-RUN chown -R kibana.kibana /usr/share/kibana
-
-RUN rm -rf /tmp/*
-
-RUN chmod 755 /wait-for-it.sh
-
-USER kibana

kibana/config/kibana.yml

@@ -90,10 +90,3 @@ logging.quiet: true
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 10000.
 # ops.interval: 10000
-
-xpack.security.enabled: false
-xpack.grokdebugger.enabled: false
-xpack.graph.enabled: false
-xpack.ml.enabled: false
-xpack.monitoring.enabled: false
-xpack.reporting.enabled: false

kibana/config/wait-for-it.sh

@@ -1,46 +1,53 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 
 set -e
 
 host="$1"
 shift
 cmd="kibana"
+WAZUH_KIBANA_PLUGIN_URL=${WAZUH_KIBANA_PLUGIN_URL:-https://packages.wazuh.com/wazuhapp/wazuhapp-2.1.0_5.5.2.zip}
 
 until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
+  sleep 1
 done
 
+sleep 30
+
 >&2 echo "Elastic is up - executing command"
 
-sleep 5
+if /usr/share/kibana/bin/kibana-plugin list | grep wazuh; then
-#Insert default templates
+  echo "Wazuh APP already installed"
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "http://$host:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
+else
+  /usr/share/kibana/bin/kibana-plugin install ${WAZUH_KIBANA_PLUGIN_URL}
+fi
+
+sleep 30
+
+echo "Configuring defaultIndex to wazuh-alerts-*"
+
+curl -s -XPUT http://$host:9200/.kibana/config/5.5.2 -d '{"defaultIndex" : "wazuh-alerts-*"}' > /dev/null
+
+sleep 30
 
-sleep 5
 echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/apiconfig)
 if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/apiconfig -H 'Content-Type: application/json' -d'
   {
     "api_user": "foo",
     "api_password": "YmFy",
-      "url": "https://wazuh",
+    "url": "http://wazuh",
     "api_port": "55000",
     "insecure": "true",
     "component": "API",
-      "cluster_info": {
+    "active": "true",
     "manager": "wazuh-manager",
-        "cluster": "Disabled",
-        "status": "disabled"
-       },
     "extensions": {
       "oscap": true,
       "audit": true,
-        "pci": true,
+      "pci": true
-        "aws": true,
-        "virustotal": true
     }
   }
   ' > /dev/null
@@ -48,6 +55,4 @@ else
   echo "Wazuh APP already configured"
 fi
 
-sleep 5
-
 exec $cmd

logstash/Dockerfile

@@ -1,4 +1,12 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+FROM logstash:5.5.2
-FROM docker.elastic.co/logstash/logstash:6.2.4
+
+RUN apt-get update
 
 COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf
+COPY config/wazuh-elastic5-template.json /etc/logstash/wazuh-elastic5-template.json
+
+
+ADD config/run.sh /tmp/run.sh
+RUN chmod 755 /tmp/run.sh
+
+ENTRYPOINT ["/tmp/run.sh"]

logstash/config/logstash.conf

@@ -1,4 +1,3 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 # Wazuh - Logstash configuration file
 ## Remote Wazuh Manager - Filebeat input
 input {
@@ -10,21 +9,17 @@ input {
 #        ssl_key => "/etc/logstash/logstash.key"
     }
 }
-filter {
+## Local Wazuh Manager - JSON file input
-    if [data][srcip] {
+#input {
-        mutate {
+#   file {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
+#       type => "wazuh-alerts"
-        }
+#       path => "/var/ossec/logs/alerts/alerts.json"
-    }
+#       codec => "json"
-    if [data][aws][sourceIPAddress] {
+#   }
-        mutate {
+#}
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
 filter {
     geoip {
-        source => "@src_ip"
+        source => "srcip"
         target => "GeoLocation"
         fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
     }
@@ -33,13 +28,16 @@ filter {
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
+        remove_field => [ "timestamp", "beat", "fields", "input_type", "tags", "count", "@version", "log", "offset", "type"]
     }
 }
 output {
     elasticsearch {
         hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
+        index => "wazuh-alerts-%{+YYYY.MM.dd}"
         document_type => "wazuh"
+        template => "/etc/logstash/wazuh-elastic5-template.json"
+        template_name => "wazuh"
+        template_overwrite => true
     }
 }

logstash/config/run.sh

@@ -1,5 +1,12 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+#
+
 #
 # Apply Templates
 #

logstash/config/wazuh-elastic5-template.json

@@ -0,0 +1,620 @@
+{
+  "order": 0,
+  "template": "wazuh*",
+  "settings": {
+    "index.refresh_interval": "5s"
+  },
+  "mappings": {
+    "wazuh": {
+      "dynamic_templates": [
+        {
+          "string_as_keyword": {
+            "match_mapping_type": "string",
+            "mapping": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        }
+      ],
+      "properties": {
+        "@timestamp": {
+          "type": "date",
+          "format": "dateOptionalTime"
+        },
+        "@version": {
+          "type": "text"
+        },
+        "agent": {
+          "properties": {
+            "ip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "manager": {
+          "properties": {
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "dstuser": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "AlertsFile": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "full_log": {
+          "type": "text"
+        },
+        "previous_log": {
+          "type": "text"
+        },
+        "GeoLocation": {
+          "properties": {
+            "area_code": {
+              "type": "long"
+            },
+            "city_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "continent_code": {
+              "type": "text"
+            },
+            "coordinates": {
+              "type": "double"
+            },
+            "country_code2": {
+              "type": "text"
+            },
+            "country_code3": {
+              "type": "text"
+            },
+            "country_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "dma_code": {
+              "type": "long"
+            },
+            "ip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "latitude": {
+              "type": "double"
+            },
+            "location": {
+              "type": "geo_point"
+            },
+            "longitude": {
+              "type": "double"
+            },
+            "postal_code": {
+              "type": "keyword"
+            },
+            "real_region_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "region_name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "timezone": {
+              "type": "text"
+            }
+          }
+        },
+        "host": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "syscheck": {
+          "properties": {
+            "path": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sha1_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sha1_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "perm_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "perm_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "md5_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "md5_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gname_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gname_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "inode_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "inode_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "mtime_after": {
+              "type": "date",
+              "format": "dateOptionalTime",
+              "doc_values": "true"
+            },
+            "mtime_before": {
+              "type": "date",
+              "format": "dateOptionalTime",
+              "doc_values": "true"
+            },
+            "uname_after": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uname_before": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "size_before": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "size_after": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "diff": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "event": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "location": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "message": {
+          "type": "text"
+        },
+        "offset": {
+          "type": "keyword"
+        },
+        "rule": {
+          "properties": {
+            "description": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "groups": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "level": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "cve": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "info": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "frequency": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "firedtimes": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "cis": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "pci_dss": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        },
+        "decoder": {
+          "properties": {
+            "parent": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "ftscomment": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fts": {
+              "type": "long",
+              "doc_values": "true"
+            },
+            "accumulate": {
+              "type": "long",
+              "doc_values": "true"
+            }
+          }
+        },
+        "srcip": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "protocol": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "action": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "dstip": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "dstport": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "srcuser": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "program_name": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "id": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "status": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "command": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "url": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "data": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "system_name": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "type": {
+          "type": "text"
+        },
+        "title": {
+          "type": "keyword",
+          "doc_values": "true"
+        },
+        "oscap": {
+          "properties": {
+            "check.title": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.result": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.severity": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "check.description": {
+              "type": "text"
+            },
+            "check.rationale": {
+              "type": "text"
+            },
+            "check.references": {
+              "type": "text"
+            },
+            "check.identifiers": {
+              "type": "text"
+            },
+            "check.oval.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.content": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.benchmark.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.profile.title": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.profile.id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "scan.score": {
+              "type": "double",
+              "doc_values": "true"
+            },
+            "scan.return_code": {
+              "type": "long",
+              "doc_values": "true"
+            }
+          }
+        },
+        "audit": {
+          "properties": {
+            "type": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "id": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "syscall": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exit": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "ppid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "pid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "uid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "gid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "euid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "suid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsuid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "egid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "sgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "fsgid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "tty": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "session": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "command": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "exe": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "key": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "cwd": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "directory.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.name": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.inode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "file.mode": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "acct": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "dev": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "list": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-auid": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old-ses": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_enforcing": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "old_prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "op": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "prom": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "res": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "srcip": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "subj": {
+              "type": "keyword",
+              "doc_values": "true"
+            },
+            "success": {
+              "type": "keyword",
+              "doc_values": "true"
+            }
+          }
+        }
+      }
+    },
+    "agent": {
+      "properties": {
+        "@timestamp": {
+          "type": "date",
+          "format": "dateOptionalTime"
+        },
+        "status": {
+          "type": "keyword"
+        },
+        "ip": {
+          "type": "keyword"
+        },
+        "host": {
+          "type": "keyword"
+        },
+        "name": {
+          "type": "keyword"
+        },
+        "id": {
+          "type": "keyword"
+        }
+      }
+    }
+  }
+}

nginx/Dockerfile

@@ -1,8 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM nginx:latest
-
-RUN apt-get update && apt-get install -y openssl apache2-utils
-
-COPY config/run.sh /run.sh
-
-RUN chmod 755 /run.sh

nginx/config/run.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-set -e
-
-if [ ! -d /etc/pki/tls/certs ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
-else
-  echo "Kibana credentials already configured"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:$NGINX_PORT\$request_uri;
-}
-
-server {
-    listen $NGINX_PORT default_server;
-    listen [::]:$NGINX_PORT;
-    ssl on;
-    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
-    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://kibana:5601/;
-    }
-}
-EOF
-
-echo "Starting Nginx"
-nginx -g 'daemon off; error_log /dev/stdout info;'

wazuh/Dockerfile

@@ -1,28 +1,27 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+FROM centos:latest
-FROM phusion/baseimage:latest
+ARG FILEBEAT_VERSION=5.5.2
-ARG FILEBEAT_VERSION=6.2.4
+COPY config/*.repo /etc/yum.repos.d/
-ARG WAZUH_VERSION=3.2.1-1
 
-RUN apt-get update; apt-get -y dist-upgrade
+RUN yum -y update; yum clean all;
-RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
+RUN yum -y install epel-release openssl useradd; yum clean all
+RUN yum -y install postfix mailx cyrus-sasl cyrus-sasl-plain; yum clean all
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
-RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
+RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - &&\
-    apt-get install -y nodejs
+    yum install -y nodejs
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+RUN yum install -y wazuh-manager wazuh-api
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
+
-RUN apt-get update && apt-get -y install wazuh-manager=${WAZUH_VERSION} wazuh-api=${WAZUH_VERSION} expect && apt-get clean
 
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
-
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
   sync && /init.bash &&\
   sync && rm /init.bash
 
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
+
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
+RUN  curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm &&\
+  rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm filebeat-${FILEBEAT_VERSION}-x86_64.rpm
 
 COPY config/filebeat.yml /etc/filebeat/
 
@@ -30,9 +29,8 @@ ADD config/run.sh /tmp/run.sh
 RUN chmod 755 /tmp/run.sh
 
 VOLUME ["/var/ossec/data"]
-VOLUME ["/etc/filebeat"]
 
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp
 
 # Run supervisord so that the container will stay alive
 

wazuh/config/filebeat.yml

@@ -1,4 +1,3 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 filebeat:
  prospectors:
   - input_type: log

wazuh/config/init.bash

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
 #
 # Initialize the custom data directory layout
 #

wazuh/config/run.sh

@@ -1,45 +1,26 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+#
+
+#
 # Startup the services
 #
 
 source /data_dirs.env
-
 FIRST_TIME_INSTALLATION=false
-
+DATA_PATH=/var/ossec/data
-WAZUH_INSTALL_PATH=/var/ossec
-DATA_PATH=${WAZUH_INSTALL_PATH}/data
-
-WAZUH_CONFIG_MOUNT=/wazuh-config-mount
-
-print() {
-    echo -e $1
-}
-
-error_and_exit() {
-    echo "Error executing command: '$1'."
-    echo 'Exiting.'
-    exit 1
-}
-
-exec_cmd() {
-    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
-}
-
-exec_cmd_stdout() {
-    eval $1 2>&1 || error_and_exit "$1"
-}
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
 
 for ossecdir in "${DATA_DIRS[@]}"; do
   if [ ! -e "${DATA_PATH}/${ossecdir}" ]
   then
-    print "Installing ${ossecdir}"
+    echo "Installing ${ossecdir}"
-    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
+    mkdir -p $(dirname ${DATA_PATH}/${ossecdir})
-    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
+    cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}
     FIRST_TIME_INSTALLATION=true
   fi
 done
@@ -49,54 +30,29 @@ chgrp ossec ${DATA_PATH}/process_list
 chmod g+rw ${DATA_PATH}/process_list
 
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 
 if [ $FIRST_TIME_INSTALLATION == true ]
 then
+
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
     then
-      print "Creating ossec-authd key and cert"
+      echo "Creating ossec-authd key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
+      openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+      openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key\
-    fi
+        -out ${DATA_PATH}/etc/sslmanager.cert -days 3650\
-  fi
+        -subj /CN=${HOSTNAME}/
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
-    then
-      print "Enabling Wazuh API HTTPS"
-      edit_configuration "https" "yes"
-      print "Create Wazuh API key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
     fi
   fi
 fi
 
-##############################################################################
-# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
-# destination files permissions
-#
-# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
-# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
-# replace the ossec.conf file in /var/ossec/data/etc with yours.
-##############################################################################
-if [ -e "$WAZUH_CONFIG_MOUNT" ]
-then
-  print "Identified Wazuh configuration files to mount..."
-
-  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
-else
-  print "No Wazuh configuration files to mount..."
-fi
-
-# Enabling ossec-authd.
-exec_cmd "/var/ossec/bin/ossec-control enable auth"
-
 function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
+  /var/ossec/bin/ossec-control stop;
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+     kill $AUTHD_PID
+  fi
 }
 
 # Trap exit signals and do a proper shutdown
@@ -104,9 +60,20 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
 
 chmod -R g+rw ${DATA_PATH}
 
-service postfix start
+if [ $AUTO_ENROLLMENT_ENABLED == true ]
-service wazuh-api start
+then
-service wazuh-manager start
+  echo "Starting ossec-authd..."
-service filebeat start
+  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
+  AUTHD_PID=$!
+fi
+sleep 15 # give ossec a reasonable amount of time to start before checking status
+LAST_OK_DATE=`date +%s`
+
+## Start services
+/usr/sbin/postfix start
+/bin/node /var/ossec/api/app.js &
+/usr/bin/filebeat.sh &
+/var/ossec/bin/ossec-control restart
+
 
 tail -f /var/ossec/logs/ossec.log

wazuh/config/wazuh.repo

@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=CENTOS-$releasever - Wazuh
+baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
+protect=1