Update to Wazuh 3.6.1 and Elastic Stack 6.4.1

Fix typo in Kibana chown command

README.md

@@ -15,7 +15,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 ## Current release
 
-Containers are currently tested on Wazuh version 3.3.0 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
+Containers are currently tested on Wazuh version 3.6.1 and Elastic Stack version 6.4.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
 
 ## Installation notes
 
@@ -25,7 +25,7 @@ To run all docker instances you can just run ``docker-compose up``, from the dir
 * Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
 * It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
 
-Once installed you can browse through the interface at: https://127.0.0.1.
+Once installed you can browse through the interface at: https://127.0.0.1
 
 ## Mount custom Wazuh configuration files
 

docker-compose.yml

@@ -3,7 +3,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh
+    image: wazuh/wazuh:3.6.1_6.4.1
     hostname: wazuh-manager
     restart: always
     ports:
@@ -22,7 +22,7 @@ services:
     depends_on:
       - logstash
   logstash:
-    image: wazuh/wazuh-logstash
+    image: wazuh/wazuh-logstash:3.6.1_6.4.1
     hostname: logstash
     restart: always
 #    volumes:
@@ -38,7 +38,7 @@ services:
     environment:
       - LS_HEAP_SIZE=2048m
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.4.1
     hostname: elasticsearch
     restart: always
     ports:
@@ -60,7 +60,7 @@ services:
     networks:
         - docker_elk
   kibana:
-    image: wazuh/wazuh-kibana
+    image: wazuh/wazuh-kibana:3.6.1_6.4.1
     hostname: kibana
     restart: always
 #    ports:
@@ -75,7 +75,7 @@ services:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
   nginx:
-    image: wazuh/wazuh-nginx
+    image: wazuh/wazuh-nginx:3.6.1_6.4.1
     hostname: nginx
     restart: always
     environment:

kibana/Dockerfile

@@ -1,14 +1,14 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana-oss:6.2.4
+FROM docker.elastic.co/kibana/kibana:6.4.1
-ARG WAZUH_APP_VERSION=3.3.0_6.2.4
+ARG WAZUH_APP_VERSION=3.6.1_6.4.1
 USER root
 
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.6/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
 
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana.kibana /usr/share/kibana &&\
+    chown -R kibana:kibana /usr/share/kibana &&\
     rm -rf /tmp/*
 
 COPY config/entrypoint.sh /entrypoint.sh

kibana/config/entrypoint.sh

@@ -24,28 +24,29 @@ echo "Setting API credentials into Wazuh APP"
 CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
 if [ "x$CONFIG_CODE" = "x404" ]; then
   curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-    {
+  {
-      "api_user": "foo",
+    "api_user": "foo",
-      "api_password": "YmFy",
+    "api_password": "YmFy",
-      "url": "https://wazuh",
+    "url": "https://wazuh",
-      "api_port": "55000",
+    "api_port": "55000",
-      "insecure": "true",
+    "insecure": "true",
-      "component": "API",
+    "component": "API",
-      "cluster_info": {
+    "cluster_info": {
-        "manager": "wazuh-manager",
+      "manager": "wazuh-manager",
-        "cluster": "Disabled",
+      "cluster": "Disabled",
-        "status": "disabled"
+      "status": "disabled"
-       },
+    },
-      "extensions": {
+    "extensions": {
-        "oscap": true,
+      "oscap": true,
-        "audit": true,
+      "audit": true,
-        "pci": true,
+      "pci": true,
-        "aws": true,
+      "aws": true,
-        "virustotal": true,
+      "virustotal": true,
-        "gdpr": true
+      "gdpr": true,
-      }
+      "ciscat": true
     }
-    ' > /dev/null
+  }
+  ' > /dev/null
 else
   echo "Wazuh APP already configured"
 fi

kibana/config/kibana.yml

@@ -90,10 +90,3 @@ logging.quiet: true
 # Set the interval in milliseconds to sample system and process performance
 # metrics. Minimum is 100ms. Defaults to 10000.
 # ops.interval: 10000
-
-xpack.security.enabled: false
-xpack.grokdebugger.enabled: false
-xpack.graph.enabled: false
-xpack.ml.enabled: false
-xpack.monitoring.enabled: false
-xpack.reporting.enabled: false

logstash/Dockerfile

@@ -1,5 +1,5 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash-oss:6.2.4
+FROM docker.elastic.co/logstash/logstash:6.4.1
 
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 

logstash/config/01-wazuh.conf

@@ -26,14 +26,14 @@ filter {
     geoip {
         source => "@src_ip"
         target => "GeoLocation"
-        fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
+        fields => ["city_name", "country_name", "region_name", "location"]
     }
     date {
         match => ["timestamp", "ISO8601"]
         target => "@timestamp"
     }
     mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
+        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
     }
 }
 output {

wazuh/Dockerfile

@@ -1,7 +1,7 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.2.4
+ARG FILEBEAT_VERSION=6.4.1
-ARG WAZUH_VERSION=3.3.0-1
+ARG WAZUH_VERSION=3.6.1-1
 
 # Updating image
 RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
@@ -22,7 +22,7 @@ RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selection
 RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
 
 # Install packages
-RUN apt-get update && apt-get -y install openssl postfix bsd-mailx   \
+RUN apt-get update && apt-get -y install openssl postfix bsd-mailx python-boto python-pip  \
     apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
     wazuh-api=${WAZUH_VERSION}
 
@@ -39,6 +39,7 @@ RUN chmod 755 /init.bash &&\
 RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 COPY config/filebeat.yml /etc/filebeat/
+RUN chmod go-w /etc/filebeat/filebeat.yml
 
 # Adding entrypoint
 ADD config/entrypoint.sh /entrypoint.sh