Update License and copyright

README.md

@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.2.2 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.2.1 and Elastic Stack version 6.2.2. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 

docker-compose.yml

@@ -20,25 +20,28 @@ services:
 #      - my-path:/etc/filebeat
 #      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
-      - logstash
+      - elasticsearch
   logstash:
     image: wazuh/wazuh-logstash
     hostname: logstash
     restart: always
+    command: -f /etc/logstash/conf.d/
 #    volumes:
 #      - my-path:/etc/logstash/conf.d:Z
     links:
-      - elasticsearch:elasticsearch
+     - kibana
+     - elasticsearch:elasticsearch
     ports:
       - "5000:5000"
     networks:
-      - docker_elk
+        - docker_elk
     depends_on:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
+      - XPACK_MONITORING_ENABLED=false
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.2.3
     hostname: elasticsearch
     restart: always
     ports:
@@ -49,6 +52,11 @@ services:
       - cluster.name=wazuh
       - network.host=0.0.0.0
       - bootstrap.memory_lock=true
+      - xpack.security.enabled=false
+      - xpack.monitoring.enabled=false
+      - xpack.ml.enabled=false
+      - xpack.watcher.enabled=false
+      - xpack.graph.enabled=false
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
     ulimits:
       memlock:
@@ -65,19 +73,21 @@ services:
     restart: always
 #    ports:
 #      - "5601:5601"
-#    environment:
-#      - ELASTICSEARCH_URL=http://elasticsearch:9200
+    environment:
+      - "NODE_OPTIONS=--max-old-space-size=3072"
     networks:
       - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
-      - wazuh:wazuh
+      - wazuh
+    entrypoint: /wait-for-it.sh elasticsearch
   nginx:
     image: wazuh/wazuh-nginx
     hostname: nginx
     restart: always
+    entrypoint: /run.sh
     environment:
       - NGINX_PORT=443
     ports:
@@ -90,7 +100,7 @@ services:
     depends_on:
       - kibana
     links:
-      - kibana:kibana
+      - kibana
 
 networks:
   docker_elk:

kibana/Dockerfile

@@ -1,19 +1,26 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana-oss:6.2.4
-ARG WAZUH_APP_VERSION=3.2.2_6.2.4
+FROM docker.elastic.co/kibana/kibana:6.2.3
+ARG WAZUH_APP_VERSION=3.2.1_6.2.3
 USER root
 
+COPY ./config/kibana.yml /usr/share/kibana/config/kibana.yml
+
+COPY config/wait-for-it.sh /wait-for-it.sh
+
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
 ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
 
-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana.kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-monitoring.json /usr/share/kibana/config
 
-COPY config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/alert_sample.json /usr/share/kibana/config
+
+RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
+RUN chown -R kibana.kibana /usr/share/kibana
+
+RUN rm -rf /tmp/*
+
+RUN chmod 755 /wait-for-it.sh
 
 USER kibana
-
-ENTRYPOINT /entrypoint.sh 

kibana/config/wait-for-it.sh

@@ -3,27 +3,34 @@
 
 set -e
 
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
+host="$1"
+shift
+cmd="kibana"
 
-until curl -XGET $el_url; do
+until curl -XGET $host:9200; do
   >&2 echo "Elastic is unavailable - sleeping"
   sleep 5
 done
 
 >&2 echo "Elastic is up - executing command"
 
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
 sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "http://$host:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
 
+sleep 5
+#Insert default templates
+cat /usr/share/kibana/config/wazuh-elastic6-template-monitoring.json | curl -XPUT "http://$host:9200/_template/wazuh-agent" -H 'Content-Type: application/json' -d @-
+
+#Insert sample alert:
+sleep 5
+cat /usr/share/kibana/config/alert_sample.json | curl -XPUT "http://$host:9200/wazuh-alerts-3.x-"`date +%Y.%m.%d`"/wazuh/sample" -H 'Content-Type: application/json' -d @-
+
+sleep 5
 echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET http://$host:9200/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
+  curl -s -XPOST http://$host:9200/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
     {
       "api_user": "foo",
       "api_password": "YmFy",
@@ -51,4 +58,4 @@ fi
 
 sleep 5
 
-/usr/local/bin/kibana-docker
+exec $cmd

logstash/Dockerfile

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash-oss:6.2.4
+FROM docker.elastic.co/logstash/logstash:6.2.3
 
-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
-
-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
+COPY config/logstash.conf /etc/logstash/conf.d/logstash.conf

logstash/config/run.sh

@@ -1,12 +1,5 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
 #
 # Apply Templates
 #

nginx/Dockerfile

@@ -1,16 +1,8 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
-ENV DEBIAN_FRONTEND noninteractive
-
 RUN apt-get update && apt-get install -y openssl apache2-utils
 
-COPY config/entrypoint.sh /entrypoint.sh
+COPY config/run.sh /run.sh
 
-RUN chmod 755 /entrypoint.sh
-
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-VOLUME ["/etc/nginx/conf.d"]
-
-ENTRYPOINT /entrypoint.sh
+RUN chmod 755 /run.sh

nginx/config/entrypoint.sh

@@ -1,54 +0,0 @@
-#!/bin/sh
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-set -e
-
-# Generating certificates.
-if [ ! -d /etc/nginx/conf.d/ssl ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-# Configuring default credentiales.
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
-else
-  echo "Kibana credentials already configured"
-fi
-
-
-if [ "x${NGINX_PORT}" = "x" ]; then
-  NGINX_PORT=443
-fi
-
-if [ "x${KIBANA_HOST}" = "x" ]; then
-  KIBANA_HOST="kibana:5601"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:${NGINX_PORT}\$request_uri;
-}
-
-server {
-    listen ${NGINX_PORT} default_server;
-    listen [::]:${NGINX_PORT};
-    ssl on;
-    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
-    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://${KIBANA_HOST}/;
-    }
-}
-EOF
-
-nginx -g 'daemon off;'

nginx/config/run.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+set -e
+
+if [ ! -d /etc/pki/tls/certs ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/pki/tls/certs /etc/pki/tls/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/kibana-access.key -out /etc/pki/tls/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting Nginx credentials"
+  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+else
+  echo "Kibana credentials already configured"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:$NGINX_PORT\$request_uri;
+}
+
+server {
+    listen $NGINX_PORT default_server;
+    listen [::]:$NGINX_PORT;
+    ssl on;
+    ssl_certificate /etc/pki/tls/certs/kibana-access.pem;
+    ssl_certificate_key /etc/pki/tls/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://kibana:5601/;
+    }
+}
+EOF
+
+echo "Starting Nginx"
+nginx -g 'daemon off; error_log /dev/stdout info;'

wazuh/Dockerfile

@@ -1,76 +1,39 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.2.4
-ARG WAZUH_VERSION=3.2.2-1
+ARG FILEBEAT_VERSION=6.2.3
+ARG WAZUH_VERSION=3.2.1-1
 
-# Updating image
-RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
-
-# Set Wazuh repository.
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-
-# Set nodejs repository.
-RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - 
-
-# Creating ossec user as uid:gid 1000:1000
+RUN apt-get update; apt-get -y dist-upgrade
+RUN apt-get -y install openssl postfix bsd-mailx curl apt-transport-https lsb-release
 RUN groupadd -g 1000 ossec
 RUN useradd -u 1000 -g 1000 ossec
+RUN curl --silent --location https://deb.nodesource.com/setup_6.x | bash - &&\
+    apt-get install -y nodejs
+RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
+RUN apt-get update && apt-get -y install wazuh-manager=${WAZUH_VERSION} wazuh-api=${WAZUH_VERSION} expect && apt-get clean
 
-# Configure postfix
-RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections 
-RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-
-# Install packages
-RUN apt-get update && apt-get -y install openssl postfix bsd-mailx   \
-    apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
-    wazuh-api=${WAZUH_VERSION}
-
-# Adding first run script.
 ADD config/data_dirs.env /data_dirs.env
 ADD config/init.bash /init.bash
 
 # Sync calls are due to https://github.com/docker/docker/issues/9547
 RUN chmod 755 /init.bash &&\
-    sync && /init.bash &&\
-    sync && rm /init.bash
+  sync && /init.bash &&\
+  sync && rm /init.bash
 
-# Installing and configuring fiebeat
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm filebeat-${FILEBEAT_VERSION}-amd64.deb
+
 COPY config/filebeat.yml /etc/filebeat/
 
-# Adding entrypoint
-ADD config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+ADD config/run.sh /tmp/run.sh
+RUN chmod 755 /tmp/run.sh
 
-# Setting volumes
 VOLUME ["/var/ossec/data"]
 VOLUME ["/etc/filebeat"]
-VOLUME ["/etc/postfix"]
 
-# Services ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
-# Clean up
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Run supervisord so that the container will stay alive
 
-# Adding services
-RUN mkdir /etc/service/wazuh
-COPY config/wazuh.runit.service /etc/service/wazuh/run
-RUN chmod +x /etc/service/wazuh/run
-
-RUN mkdir /etc/service/wazuh-api
-COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
-RUN chmod +x /etc/service/wazuh-api/run
-
-RUN mkdir /etc/service/postfix
-COPY config/postfix.runit.service /etc/service/postfix/run
-RUN chmod +x /etc/service/postfix/run
-
-RUN mkdir /etc/service/filebeat
-COPY config/filebeat.runit.service /etc/service/filebeat/run
-RUN chmod +x /etc/service/filebeat/run
-
-# Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/tmp/run.sh"]

wazuh/config/filebeat.runit.service

@@ -1,3 +0,0 @@
-#!/bin/sh
-service filebeat start
-tail -f /var/log/filebeat/filebeat

wazuh/config/init.bash

@@ -1,6 +1,5 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
 #
 # Initialize the custom data directory layout
 #

wazuh/config/postfix.runit.service

@@ -1,3 +0,0 @@
-#!/bin/sh
-service postfix start
-tail -f /var/log/mail.log

wazuh/config/run.sh

@@ -1,14 +1,5 @@
 #!/bin/bash
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
 # Startup the services
 #
 
@@ -113,4 +104,9 @@ trap "ossec_shutdown; exit" SIGINT SIGTERM
 
 chmod -R g+rw ${DATA_PATH}
 
-/sbin/my_init 
+service postfix start
+service wazuh-api start
+service wazuh-manager start
+service filebeat start
+
+tail -f /var/ossec/logs/ossec.log

wazuh/config/wazuh-api.runit.service

@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-api start
-tail -f /var/ossec/data/logs/api.log
-

wazuh/config/wazuh.runit.service

@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-manager start
-tail -f /var/ossec/data/logs/ossec.log
-