Add wodles to permanent_data (#239)

Former-commit-id: 7a8b332c93

CHANGELOG.md

@@ -0,0 +1,170 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+## Wazuh Docker v3.9.4_6.8.1
+
+## Wazuh Docker v3.9.3_6.8.1
+
+### Added
+
+- Update to Wazuh version 3.9.3_6.8.1
+
+### Added
+
+- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
+
+## Wazuh Docker v3.9.2_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.2_6.8.0
+
+
+## Wazuh Docker v3.9.1_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
+
+### Fixed
+
+- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+
+## Wazuh Docker v3.9.0_6.7.2
+
+### Changed
+
+- Update Elastic Stack version to 6.7.2.
+
+## Wazuh Docker v3.9.0_6.7.1
+
+
+### Added
+
+- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
+- Add Elasticsearch cluster configuration ([@SitoRBJ](https://github.com/SitoRBJ)). ([#146](https://github.com/wazuh/wazuh-docker/pull/146))
+- Add Elasticsearch cluster configuration ([@Phandora](https://github.com/Phandora)) ([#140](https://github.com/wazuh/wazuh-docker/pull/140))
+- Setting Nginx to support several user/passwords in Kibana ([@toniMR](https://github.com/toniMR)) ([#136](https://github.com/wazuh/wazuh-docker/pull/136))
+
+
+### Changed
+
+- Use LS_JAVA_OPTS instead of old LS_HEAP_SIZE ([@ruffy91](https://github.com/ruffy91)) ([#139](https://github.com/wazuh/wazuh-docker/pull/139))
+- Changing the original Wazuh docker image to allow adding code in the entrypoint ([@Phandora](https://github.com/phandora)) ([#151](https://github.com/wazuh/wazuh-docker/pull/151))
+
+### Removed
+
+- Removing files from Wazuh image ([@Phandora](https://github.com/phandora)) ([#153](https://github.com/wazuh/wazuh-docker/pull/153))
+
+## Wazuh Docker v3.8.2_6.7.0
+
+### Changed
+
+- Update Elastic Stack version to 6.7.0. ([#144](https://github.com/wazuh/wazuh-docker/pull/144))
+
+## Wazuh Docker v3.8.2_6.6.2
+
+### Changed
+
+- Update Elastic Stack version to 6.6.2. ([#130](https://github.com/wazuh/wazuh-docker/pull/130))
+
+## Wazuh Docker v3.8.2_6.6.1
+
+### Changed
+
+- Update Elastic Stack version to 6.6.1. ([#129](https://github.com/wazuh/wazuh-docker/pull/129))
+
+## Wazuh Docker v3.8.2_6.5.4
+
+### Added
+
+- Add Wazuh-Elasticsearch. ([#106](https://github.com/wazuh/wazuh-docker/pull/106))
+- Store Filebeat _/var/lib/filebeat/registry._ ([#109](https://github.com/wazuh/wazuh-docker/pull/109))
+- Adding the option to disable some xpack features. ([#111](https://github.com/wazuh/wazuh-docker/pull/111))
+- Wazuh-Kibana customizable at plugin level. ([#117](https://github.com/wazuh/wazuh-docker/pull/117))
+- Adding env variables for alerts data flow. ([#118](https://github.com/wazuh/wazuh-docker/pull/118))
+- New Logstash entrypoint added. ([#135](https://github.com/wazuh/wazuh-docker/pull/135/files))
+- Welcome screen management. ([#133](https://github.com/wazuh/wazuh-docker/pull/133))
+
+### Changed
+
+- Update to Wazuh version 3.8.2. ([#105](https://github.com/wazuh/wazuh-docker/pull/105))
+
+### Removed
+
+- Remove alerts created in build time. ([#137](https://github.com/wazuh/wazuh-docker/pull/137))
+
+
+## Wazuh Docker v3.8.1_6.5.4
+
+### Changed
+- Update to Wazuh version 3.8.1. ([#102](https://github.com/wazuh/wazuh-docker/pull/102))
+
+## Wazuh Docker v3.8.0_6.5.4
+
+### Changed
+
+- Upgrade version 3.8.0_6.5.4. ([#97](https://github.com/wazuh/wazuh-docker/pull/97))
+
+### Removed
+
+- Remove cluster.py work around. ([#99](https://github.com/wazuh/wazuh-docker/pull/99))
+
+## Wazuh Docker v3.7.2_6.5.4
+
+### Added
+
+- Improvements to Kibana settings added. ([#91](https://github.com/wazuh/wazuh-docker/pull/91))
+- Add Kibana environmental variables for Wazuh APP config.yml. ([#89](https://github.com/wazuh/wazuh-docker/pull/89))
+
+### Changed
+
+- Update Elastic Stack version to 6.5.4. ([#82](https://github.com/wazuh/wazuh-docker/pull/82))
+- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
+- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
+
+### Fixed 
+
+- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
+
+## Wazuh Docker v3.7.2_6.5.3
+
+### Changed
+
+- Erasing temporary fix for AWS integration. ([#81](https://github.com/wazuh/wazuh-docker/pull/81))
+
+### Fixed
+
+- Upgrading errors due to wrong files. ([#80](https://github.com/wazuh/wazuh-docker/pull/80))
+
+
+## Wazuh Docker v3.7.0_6.5.0
+
+### Changed
+
+- Adapt to Elastic stack 6.5.0.
+
+## Wazuh Docker v3.7.0_6.4.3
+
+### Added
+
+- Allow custom scripts or commands before service start ([#58](https://github.com/wazuh/wazuh-docker/pull/58))
+- Added description for wazuh-nginx ([#59](https://github.com/wazuh/wazuh-docker/pull/59))
+- Added license file to match https://github.com/wazuh/wazuh LICENSE ([#60](https://github.com/wazuh/wazuh-docker/pull/60))
+- Added SMTP packages ([#67](https://github.com/wazuh/wazuh-docker/pull/67))
+
+### Changed
+
+- Increased proxy buffer for NGINX Kibana ([#51](https://github.com/wazuh/wazuh-docker/pull/51))
+- Updated logstash config to remove deprecation warnings ([#55](https://github.com/wazuh/wazuh-docker/pull/55))
+- Set ossec user's home path ([#61](https://github.com/wazuh/wazuh-docker/pull/61))
+
+### Fixed
+
+- Fixed a bug that prevents the API from starting when the Wazuh manager was updated. Change in the files that are stored in the volume.  ([#65](https://github.com/wazuh/wazuh-docker/pull/65))
+- Fixed script reference ([#62](https://github.com/wazuh/wazuh-docker/pull/62/files))
+
+## Wazuh Docker v3.6.1_6.4.3
+
+Wazuh-Docker starting point.

LICENSE

@@ -0,0 +1,475 @@
+
+ Portions Copyright (C) 2019 Wazuh, Inc.
+ Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
+
+ This program is a free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License (version 2) as
+ published by the FSF - Free Software Foundation.
+
+ In addition, certain source files in this program permit linking with the
+ OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed
+ under the GPL.  For purposes of identifying OpenSSL, most source files giving
+ this permission limit it to versions of OpenSSL having a license identical to
+ that listed in this file (see section "OpenSSL LICENSE" below). It is not
+ necessary for the copyright years to match between this file and the OpenSSL
+ version in question.  However, note that because this file is an extension of
+ the license statements of these source files, this file may not be changed
+ except with permission from all copyright holders of source files in this
+ program which reference this file.
+
+ Note that this license applies to the source code, as well as
+ decoders, rules and any other data file included with OSSEC (unless
+ otherwise specified).
+
+ For the purpose of this license, we consider an application to constitute a
+ "derivative work" or a work based on this program if it does any of the
+ following (list not exclusive):
+
+  * Integrates source code/data files from OSSEC.
+  * Includes OSSEC copyrighted material.
+  * Includes/integrates OSSEC into a proprietary executable installer.
+  * Links to a library or executes a program that does any of the above.
+
+ This list is not exclusive, but just a clarification of our interpretation
+ of derived works. These restrictions only apply if you actually redistribute
+ OSSEC (or parts of it).
+
+ We don't consider these to be added restrictions on top of the GPL,
+ but just a clarification of how we interpret "derived works" as it
+ applies to OSSEC. This is similar to the way Linus Torvalds has
+ announced his interpretation of how "derived works" applies to Linux kernel
+ modules. Our interpretation refers only to OSSEC - we don't speak
+ for any other GPL products.
+
+  * As a special exception, the copyright holders give
+  * permission to link the code of portions of this program with the
+  * OpenSSL library under certain conditions as described in each
+  * individual source file, and distribute linked combinations
+  * including the two.
+  * You must obey the GNU General Public License in all respects
+  * for all of the code used other than OpenSSL.  If you modify
+  * file(s) with this exception, you may extend this exception to your
+  * version of the file(s), but you are not obligated to do so.  If you
+  * do not wish to do so, delete this exception statement from your
+  * version.  If you delete this exception statement from all source
+  * files in the program, then also delete it here.
+
+ OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License Version 2 below for more details.
+
+-----------------------------------------------------------------------------
+
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+
+-------------------------------------------------------------------------------
+
+OpenSSL License
+---------------
+
+  LICENSE ISSUES
+  ==============
+
+  The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+  the OpenSSL License and the original SSLeay license apply to the toolkit.
+  See below for the actual license texts. Actually both licenses are BSD-style
+  Open Source licenses. In case of any license issues related to OpenSSL
+  please contact openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the routines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */

README.md

@@ -1,6 +1,6 @@
 # Wazuh containers for Docker
 
-[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
 [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
 [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
 [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
@@ -10,57 +10,62 @@ In this repository you will find the containers to run:
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
 * wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
+* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
+* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
 
-In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
+In addition, a docker-compose file is provided to launch the containers mentioned above. 
 
-## Current release
+* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
 
-Containers are currently tested on Wazuh version 3.4.0 and Elastic Stack version 6.3.1. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
-
-## Installation notes
-
-To run all docker instances you can just run ``docker-compose up``, from the directory where you have docker-compose.yml file. The following is part of the expected behavior when setting up the system:
-
-* Both wazuh-kibana and wazuh-logstash containers will run multiple queries to Elasticsearch API using curl, to learn when Elasticsearch is up. It is expected to see several ``Failed to connect to elasticsearch port 9200`` log messages, until Elasticesearch is started. Then the set up process will continue normally.
-* Kibana container can take a few minutes to install Wazuh plugin, this takes place after ``Optimizing and caching browser bundles...`` is printed out.
-* It is recommended to set Docker host preferences to give at least 4GB memory per container (this doesn't necessarily mean they all will use it, but Elasticsearch requires them to work properly).
-
-Once installed you can browse through the interface at: https://127.0.0.1.
-
-## Mount custom Wazuh configuration files
-
-To mount custom Wazuh configuration files in the Wazuh manager container, mount them in the `/wazuh-config-mount` folder. For example, to mount a custom `ossec.conf` file, mount it in `/wazuh-config-mount/etc/ossec.conf` and the [run.sh](wazuh/config/run.sh) script will copy the file at the right place on boot while respecting the destination file permissions.
-
-Here is an example of a `/wazuh-config-mount` folder used to mount some common custom configuration files:
-```
-root@wazuh-manager:/# tree /wazuh-config-mount/
-/wazuh-config-mount/
-└── etc
-    ├── ossec.conf
-    ├── rules
-    │   └── local_rules.xml
-    └── shared
-        └── default
-            └── agent.conf
-
-4 directories, 3 files
-```
-
-In that case, you will see this in the Wazuh manager logs on boot:
-```
-Identified Wazuh configuration files to mount...
-'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/data/etc/ossec.conf'
-'/wazuh-config-mount/etc/rules/local_rules.xml' -> '/var/ossec/data/etc/rules/local_rules.xml'
-'/wazuh-config-mount/etc/shared/default/agent.conf' -> '/var/ossec/data/etc/shared/default/agent.conf'
-```
-
-## More documentation
+## Documentation
 
 * [Wazuh full documentation](http://documentation.wazuh.com)
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
-## Credits
+## Directory structure
+
+	wazuh-docker
+	├── docker-compose.yml
+	├── kibana
+	│   ├── config
+	│   │   ├── entrypoint.sh
+	│   │   └── kibana.yml
+	│   └── Dockerfile
+	├── LICENSE
+	├── logstash
+	│   ├── config
+	│   │   ├── 01-wazuh.conf
+	│   │   └── run.sh
+	│   └── Dockerfile
+	├── nginx
+	│   ├── config
+	│   │   └── entrypoint.sh
+	│   └── Dockerfile
+	├── README.md
+	├── CHANGELOG.md
+	├── VERSION
+	├── test.txt
+	└── wazuh
+	    ├── config
+	    │   ├── data_dirs.env
+	    │   ├── entrypoint.sh
+	    │   ├── filebeat.runit.service
+	    │   ├── filebeat.yml
+	    │   ├── init.bash
+	    │   ├── postfix.runit.service
+	    │   ├── wazuh-api.runit.service
+	    │   └── wazuh.runit.service
+	    └── Dockerfile
+
+
+## Branches
+
+* `stable` branch on correspond to the latest Wazuh-Docker stable version.
+* `master` branch contains the latest code, be aware of possible bugs on this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+
+## Credits and Thank you
 
 These Docker containers are based on:
 
@@ -71,8 +76,8 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-## Wazuh official website
+## Web references
 
 [Wazuh website](http://wazuh.com)

VERSION

@@ -0,0 +1,2 @@
+WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
+REVISION="3942"

docker-compose.yml

@@ -1,9 +1,9 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.4.0_6.3.1
+    image: wazuh/wazuh:3.9.3_6.8.1
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,90 +11,80 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-#      - "1516:1516"
-    networks:
-        - docker_elk
-#    volumes:
-#      - my-path:/var/ossec/data:Z
-#      - my-path:/etc/postfix:Z
-#      - my-path:/etc/filebeat
-#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
     depends_on:
       - logstash
   logstash:
-    image: wazuh/wazuh-logstash:3.4.0_6.3.1
+    image: wazuh/wazuh-logstash:3.9.3_6.8.1
     hostname: logstash
     restart: always
-#    volumes:
-#      - my-path:/etc/logstash/conf.d:Z
     links:
       - elasticsearch:elasticsearch
     ports:
       - "5000:5000"
-    networks:
-      - docker_elk
     depends_on:
       - elasticsearch
     environment:
       - LS_HEAP_SIZE=2048m
+      - SECURITY_ENABLED=yes
+      - SECURITY_LOGSTASH_USER=service_logstash
+      - SECURITY_LOGSTASH_PASS=logstash_pass
+      - LOGSTASH_OUTPUT=https://elasticsearch:9200
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.3.1
+    image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
-#      - "9300:9300"
     environment:
       - node.name=node-1
       - cluster.name=wazuh
       - network.host=0.0.0.0
       - bootstrap.memory_lock=true
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+      - ELASTICSEARCH_PROTOCOL=https
+      - ELASTICSEARCH_IP=elasticsearch
+      - ELASTICSEARCH_PORT=9200
+      - SECURITY_ENABLED=yes
+      - SECURITY_ADMIN_USER=wazuh_admin
+      - SECURITY_ADMIN_PASS=admin_pass
+      - SECURITY_ELASTIC_PASSWORD=elastic_pass
+      - SECURITY_KIBANA_USER=service_kibana
+      - SECURITY_KIBANA_PASS=kibana_pass
+      - SECURITY_LOGSTASH_USER=service_logstash 
+      - SECURITY_LOGSTASH_PASS=logstash_pass
+      - SECURITY_CA_PASSPHRASE=ca_pass
+      - SECURITY_CERTIFICATE_DNS=elasticsearch
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+      - SECURITY_CA_KEY=server.TEST-CA.key
+      - SECURITY_CA_TRUST=server.TEST-CA-signed.pem
+      - SECURITY_MAIN_NODE=elasticsearch
+      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
+      - SECURITY_MONITORING_USER=service_monitoring
+      - SECURITY_MONITORING_PASS=monitoring_pass
     ulimits:
       memlock:
         soft: -1
         hard: -1
     mem_limit: 2g
-#    volumes:
-#      - my-path:/usr/share/elasticsearch/data:Z
-    networks:
-        - docker_elk
   kibana:
-    image: wazuh/wazuh-kibana:3.4.0_6.3.1
+    image: wazuh/wazuh-kibana:3.9.3_6.8.1
     hostname: kibana
     restart: always
-#    ports:
-#      - "5601:5601"
-#    environment:
-#      - ELASTICSEARCH_URL=http://elasticsearch:9200
-    networks:
-      - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-  nginx:
-    image: wazuh/wazuh-nginx:3.4.0_6.3.1
-    hostname: nginx
-    restart: always
     environment:
-      - NGINX_PORT=443
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - SECURITY_ENABLED=yes
+      - SECURITY_KIBANA_USER=service_kibana
+      - SECURITY_KIBANA_PASS=kibana_pass
+      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
+      - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
+      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
     ports:
-      - "80:80"
-      - "443:443"
-#    volumes:
-#      - my-path:/etc/nginx/conf.d:Z
-    networks:
-      - docker_elk
-    depends_on:
-      - kibana
-    links:
-      - kibana:kibana
-
-networks:
-  docker_elk:
-    driver: bridge
-    ipam:
-      config:
-      - subnet: 172.25.0.0/24
+      - "5601:5601"

elasticsearch/Dockerfile

@@ -0,0 +1,79 @@
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
+
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+    API_PASS="bar"
+
+ENV XPACK_ML="true" 
+
+ENV ENABLE_CONFIGURE_S3="false"
+
+ENV TEMPLATE_VERSION=v3.9.4
+
+
+# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
+# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
+# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
+# Example:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
+# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
+# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+ARG SECURITY_CA_KEY_LOCATION=""
+ARG SECURITY_OPENSSL_CONF_LOCATION=""
+ARG SECURITY_CA_TRUST_LOCATION=""
+
+# Elasticearch cluster configuration environment variables
+# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+ENV ELASTIC_CLUSTER="false" \
+    CLUSTER_NAME="wazuh" \
+    CLUSTER_NODE_MASTER="true" \
+    CLUSTER_NODE_DATA="true" \
+    CLUSTER_NODE_INGEST="true" \
+    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+    CLUSTER_MEMORY_LOCK="true" \
+    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
+    CLUSTER_NUMBER_OF_MASTERS="2" \
+    CLUSTER_MAX_NODES="1" \
+    CLUSTER_DELAYED_TIMEOUT="1m"
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
+
+# CA cert for Transport SSL
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
+ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
+ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
+ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
+
+RUN yum install openssl -y
+
+RUN mkdir /entrypoint-scripts
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
+
+COPY config/configure_s3.sh ./config/configure_s3.sh
+RUN chmod 755 ./config/configure_s3.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
+RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
+RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]

elasticsearch/config/10-config_cluster.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
+
+cp $elastic_config_file $original_file 
+
+# If Elasticsearch cluster is enable
+if [[ $ELASTIC_CLUSTER == "true" ]]
+then
+  
+  # Set the cluster.name and discovery.zen.minimun_master_nodes variables
+  sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
+
+  # Add the cluster configuration
+  echo "
+#cluster node
+node:
+  master: ${CLUSTER_NODE_MASTER}
+  data: ${CLUSTER_NODE_DATA}
+  ingest: ${CLUSTER_NODE_INGEST}
+  name: ${CLUSTER_NODE_NAME}
+  max_local_storage_nodes: ${CLUSTER_MAX_NODES}
+
+bootstrap:
+  memory_lock: ${CLUSTER_MEMORY_LOCK}
+
+discovery:
+  zen:
+    ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
+    minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
+  
+" >> $elastic_config_file
+fi

elasticsearch/config/20-config_secure.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+##############################################################################
+# Setup bootstrap password to chagne all Elastic Stack passwords.
+# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+  echo "Creating certificate."
+
+  pushd /usr/share/elasticsearch/config/
+
+  echo "Setting configuration options."
+
+  # Create instances.yml for elasticsearch .p12 certificate and key
+  echo "
+instances:
+- name: \"elasticsearch\"
+  dns: 
+    - $SECURITY_CERTIFICATE_DNS
+" > instances.yml
+
+  # Change permissions and owner of ca
+  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
+  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
+ 
+
+  # Genereate .p12 certificate and key
+  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
+  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
+  unzip certs.zip
+  rm certs.zip 
+
+  # Change permissions and owner of certificates
+  chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
+  chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
+  chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
+
+  # Prepare directories for openssl
+  mkdir /root/ca
+  mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
+  chmod 700 /root/ca/private
+  touch /root/ca/index.txt
+  echo 1000 > /root/ca/serial
+
+  mkdir /root/ca/intermediate
+  mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
+  chmod 700 /root/ca/intermediate/private
+  touch /root/ca/intermediate/index.txt
+  echo 1000 > /root/ca/intermediate/serial
+  echo 1000 > /root/ca/intermediate/crlnumber
+
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+
+    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
+  
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    CA_PASSPHRASE_FROM_FILE=""
+    while IFS= read -r line
+    do
+      if [[ $line == *"CA_PASSPHRASE"* ]]; then
+        arrIN=(${line//:/ })
+        CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
+      fi
+    done < "$input"
+    
+    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem 
+  
+  fi
+  
+  chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
+
+  # remove CA key
+  rm $SECURITY_CA_KEY
+
+  popd
+
+  echo "Setting configuration options."
+  
+  # Settings for elasticsearch.yml
+  echo "
+# Required to set the passwords and TLS options
+xpack.security.enabled: true
+xpack.security.transport.ssl.enabled: true
+xpack.security.transport.ssl.verification_mode: certificate
+xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
+
+# HTTP layer
+xpack.security.http.ssl.enabled: true
+xpack.security.http.ssl.verification_mode: certificate
+xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
+xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
+xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
+" >> $elastic_config_file
+
+  # Create keystore
+  /usr/share/elasticsearch/bin/elasticsearch-keystore create
+
+  # Add keys to keystore
+  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
+  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
+
+fi
+

elasticsearch/config/30-entrypoint.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
+then 
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+bash /usr/share/elasticsearch/load_settings.sh &
+
+# Execute elasticsearch
+
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+  echo "Change Elastic password"
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    ELASTIC_PASSWORD_FROM_FILE=""
+    while IFS= read -r line
+    do
+      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+        arrIN=(${line//:/ })
+        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
+      fi
+    done < "$input"
+    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
+  fi
+  echo "Elastic password changed"
+fi
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/TEST_openssl.cnf

@@ -0,0 +1,132 @@
+# OpenSSL intermediate CA configuration file.
+# Copy to `/root/ca/intermediate/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca/intermediate
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/intermediate.key.pem
+certificate       = $dir/certs/intermediate.cert.pem
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = GB
+stateOrProvinceName_default     = England
+localityName_default            =
+0.organizationName_default      = Alice Ltd
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning

elasticsearch/config/configure_s3.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+set -e
+
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials for 
+# monitoring
+##############################################################################
+
+ELASTIC_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u elastic:${ELASTIC_PASS} -k"
+else
+  auth=""
+fi
+
+# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
+# param 1: number of arguments passed to configure_s3.sh
+
+function CheckArgs()
+{
+    if [ $1 != 4 ] && [ $1 != 5 ];then
+        echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
+        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
+        exit 1
+
+    fi
+}
+
+# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# param 1: <Elastic_Server_IP:Port>
+# param 2: <Bucket>
+# param 3: <Path>
+# param 4: <RepositoryName>
+# param 5: Optional <Elasticsearch major version>
+# output: It will show "acknowledged" if the repository has been successfully created
+
+function CreateRepo()
+{
+
+    elastic_ip_port="$2"
+    bucket_name="$3"
+    path="$4"
+    repository_name="$5"
+
+    if [ $1 == 5 ];then
+        version="$6"
+    else
+        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+    fi
+
+    if ! [[ "$version" =~ ^[0-9]+$ ]];then
+        echo "Elasticsearch major version must be an integer"
+        exit 1
+    fi
+
+    repository="$repository_name-$version"
+    s3_path="$path/$version"
+
+    >&2 echo "Create S3 repository"
+
+    until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
+      >&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
+      sleep 5
+    done
+
+    >&2 echo "S3 repository created"
+
+
+}
+
+# Run functions CheckArgs and CreateRepo
+# param 1: number of arguments passed to configure_s3.sh
+# param 2: <Elastic_Server_IP:Port>
+# param 3: <Bucket>
+# param 4: <Path>
+# param 5: <RepositoryName>
+# param 6: Optional <Elasticsearch major version>
+
+function Main()
+{
+    CheckArgs $1
+
+    CreateRepo $1 $2 $3 $4 $5 $6
+}
+
+Main $# $1 $2 $3 $4 $5

elasticsearch/config/entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
+
+done

elasticsearch/config/load_settings.sh

@@ -0,0 +1,232 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+fi
+
+if [[ "x${WAZUH_API_URL}" = "x" ]]; then
+  wazuh_url="https://wazuh"
+else
+  wazuh_url="${WAZUH_API_URL}"
+fi
+
+ELASTIC_PASS=""
+KIBANA_USER=""
+KIBANA_PASS=""
+LOGSTASH_USER=""
+LOGSTASH_PASS=""
+ADMIN_USER=""
+ADMIN_PASS=""
+WAZH_API_USER=""
+WAZH_API_PASS=""
+MONITORING_USER=""
+MONITORING_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
+  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
+  ADMIN_USER=${SECURITY_ADMIN_USER}
+  ADMIN_PASS=${SECURITY_ADMIN_PASS}
+  WAZH_API_USER=${API_USER}
+  WAZH_API_PASS=${API_PASS}
+  MONITORING_USER=${SECURITY_MONITORING_USER}
+  MONITORING_PASS=${SECURITY_MONITORING_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ELASTIC_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_USER"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_USER=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_PASS=${arrIN[1]}
+    elif [[ $line == *"ADMIN_USER"* ]]; then
+      arrIN=(${line//:/ })
+      ADMIN_USER=${arrIN[1]}
+    elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      ADMIN_PASS=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_USER"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_USER=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_PASS=${arrIN[1]}
+    elif [[ $line == *"MONITORING_USER"* ]]; then
+      arrIN=(${line//:/ })
+      MONITORING_USER=${arrIN[1]}
+    elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      MONITORING_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-uelastic:${ELASTIC_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+  #Wait for Elasticsearch to be ready to create the repository
+  sleep 10
+  >&2 echo "Configure S3"
+  if [ "x$S3_PATH" != "x" ]; then
+    >&2 echo "S3_PATH"
+    >&2 echo $S3_PATH
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
+      >&2 echo "Elasticsearch major version:"
+      >&2 echo $S3_ELASTIC_MAJOR
+      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
+    else
+      >&2 echo "Elasticserach major version not given"
+      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
+
+    fi
+
+  fi
+
+fi
+
+##############################################################################
+# Setup passwords for Elastic Stack users
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+  MY_HOSTNAME=`hostname`
+  echo "Hostname:"
+  echo $MY_HOSTNAME
+  if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
+    echo "Setting up passwords for all Elastic Stack users"
+
+    echo "Setting remote monitoring password"
+    SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
+      >&2 echo "Unavailable password seeting- sleeping"
+      sleep 2
+    done
+    echo "Setting Kibana password"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ],  "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ],  "privileges": ["read", "view_index_metadata"] }  ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER"  -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"],  "full_name" : "Service Internal Kibana User" }'
+    echo "Setting APM password"
+    SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
+    echo "Setting Beats password"
+    SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
+    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
+    echo "Setting Logstash password"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ],  "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"],  "full_name" : "Service Internal Logstash User" }'
+    echo "Passwords established for all Elastic Stack users"
+    echo "Creating Admin user"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"],  "full_name" : "Wazuh admin" }'
+    echo "Admin user created"
+    echo "Setting monitoring user"
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ],  "privileges": ["write","create_index","manage","read", "index"] } ] }'
+    sleep 5
+    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"],  "full_name" : "Service Internal Monitoring User" }'
+  fi
+fi
+
+#Insert default templates
+
+sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
+
+cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
+sleep 5
+
+
+API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
+if [ "x$CONFIG_CODE" = "x404" ]; then
+  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "'"$API_USER_Q"'",
+    "api_password": "'"$API_PASSWORD"'",
+    "url": "'"$wazuh_url"'",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "cluster_info": {
+      "manager": "wazuh-manager",
+      "cluster": "Disabled",
+      "status": "disabled"
+    },
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true,
+      "aws": true,
+      "virustotal": true,
+      "gdpr": true,
+      "ciscat": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+
+# Set cluster delayed timeout when node falls
+curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "settings": {
+    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+  }
+}
+'
+
+# Remove credentials file.
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
+
+echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,19 +1,93 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.3.1
-ARG WAZUH_APP_VERSION=3.4.0_6.3.1
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:6.8.2
+ARG WAZUH_APP_VERSION=3.9.4_6.8.2
 USER root
 
-ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.4/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+# This CA is created for testing. Please set your own CA pem signed certificate. 
+# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
+# ENV variables are necessary: SECURITY_CA_PEM 
+# Sample:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+
+# CA for secure communication with Elastic
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
 
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana.kibana /usr/share/kibana &&\
+    chown -R kibana:kibana /usr/share/kibana &&\
     rm -rf /tmp/*
 
-COPY config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+RUN yum install openssl -y
+
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+RUN mkdir /entrypoint-scripts
 
 USER kibana
 
-ENTRYPOINT /entrypoint.sh
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    APP_TIMEOUT="" \
+    WAZUH_SHARDS="" \
+    WAZUH_REPLICAS="" \
+    WAZUH_VERSION_SHARDS="" \
+    WAZUH_VERSION_REPLICAS="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    XPACK_RBAC_ENABLED="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS="" \
+    ADMIN_PRIVILEGES=""
+
+ARG XPACK_CANVAS="false"
+ARG XPACK_LOGS="false"
+ARG XPACK_INFRA="false"
+ARG XPACK_ML="false"
+ARG XPACK_DEVTOOLS="false"
+ARG XPACK_MONITORING="false"
+ARG XPACK_APM="false"
+ARG XPACK_MAPS="false"
+ARG XPACK_UPTIME="false"
+
+ARG CHANGE_WELCOME="true"
+
+COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
+RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
+RUN chmod +x ./kibana_settings.sh
+
+COPY --chown=kibana:kibana ./config/xpack_config.sh ./
+
+RUN chmod +x ./xpack_config.sh
+
+RUN ./xpack_config.sh
+
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+
+RUN chmod +x ./welcome_wazuh.sh
+
+RUN ./welcome_wazuh.sh
+
+RUN /usr/local/bin/kibana-docker --optimize
+
+ENTRYPOINT ./entrypoint.sh

kibana/config/10-wazuh_app_config.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [timeout]=$APP_TIMEOUT
+  [wazuh.shards]=$WAZUH_SHARDS
+  [wazuh.replicas]=$WAZUH_REPLICAS
+  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
+  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done

kibana/config/20-entrypoint.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+KIBANA_USER=""
+KIBANA_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials.
+# We must create the ssl certificate.
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+
+  # Create keystore
+  /usr/share/kibana/bin/kibana-keystore create
+  
+  echo "Setting security Kibana configuiration options."
+
+  echo "
+# Elasticsearch from/to Kibana
+elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
+
+server.ssl.enabled: true
+server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
+server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
+server.ssl.supportedProtocols: 
+  - TLSv1.1
+  - TLSv1.2
+" >> /usr/share/kibana/config/kibana.yml
+
+  echo "Create SSL directories."
+
+  mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
+  CA_PATH="/usr/share/kibana/config"
+
+  echo "Creating SSL certificates."
+  
+  pushd $CA_PATH
+
+  chown kibana: $CA_PATH/$SECURITY_CA_PEM
+  chmod 400 $CA_PATH/$SECURITY_CA_PEM
+  SECURITY_KEY_PASS=`openssl rand -base64 32`
+  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
+  chown -R kibana: $CA_PATH/ssl
+  chmod -R 770 $CA_PATH/ssl
+  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
+
+  popd
+  echo "SSL certificates created."
+
+  # Add keys to keystore
+  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
+  echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
+  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
+
+fi
+
+##############################################################################
+# Run more configuration scripts.
+##############################################################################
+
+bash /usr/share/kibana/kibana_settings.sh &
+
+/usr/local/bin/kibana-docker

kibana/config/entrypoint.sh

@@ -1,56 +1,8 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-set -e
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-until curl -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
-sleep 5
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "foo",
-    "api_password": "YmFy",
-    "url": "https://wazuh",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-
-sleep 5
-
-/usr/local/bin/kibana-docker
+done

kibana/config/kibana.yml

@@ -1,92 +0,0 @@
-# Kibana is served by a back end server. This setting specifies the port to use.
-server.port: 5601
-
-# This setting specifies the IP address of the back end server.
-server.host: "0.0.0.0"
-
-# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This setting
-# cannot end in a slash.
-# server.basePath: ""
-
-# The maximum payload size in bytes for incoming server requests.
-# server.maxPayloadBytes: 1048576
-
-# The Kibana server's name.  This is used for display purposes.
-# server.name: "your-hostname"
-
-# The URL of the Elasticsearch instance to use for all your queries.
-elasticsearch.url: "http://elasticsearch:9200"
-
-# When this setting’s value is true Kibana uses the hostname specified in the server.host
-# setting. When the value of this setting is false, Kibana uses the hostname of the host
-# that connects to this Kibana instance.
-# elasticsearch.preserveHost: true
-
-# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
-# dashboards. Kibana creates a new index if the index doesn’t already exist.
-# kibana.index: ".kibana"
-
-# The default application to load.
-# kibana.defaultAppId: "discover"
-
-# If your Elasticsearch is protected with basic authentication, these settings provide
-# the username and password that the Kibana server uses to perform maintenance on the Kibana
-# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
-# is proxied through the Kibana server.
-# elasticsearch.username: "user"
-# elasticsearch.password: "pass"
-
-# Paths to the PEM-format SSL certificate and SSL key files, respectively. These
-# files enable SSL for outgoing requests from the Kibana server to the browser.
-# server.ssl.cert: /path/to/your/server.crt
-# server.ssl.key: /path/to/your/server.key
-
-# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
-# elasticsearch.ssl.cert: /path/to/your/client.crt
-# elasticsearch.ssl.key: /path/to/your/client.key
-
-# Optional setting that enables you to specify a path to the PEM file for the certificate
-# authority for your Elasticsearch instance.
-# elasticsearch.ssl.ca: /path/to/your/CA.pem
-
-# To disregard the validity of SSL certificates, change this setting’s value to false.
-# elasticsearch.ssl.verify: true
-
-# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
-# the elasticsearch.requestTimeout setting.
-# elasticsearch.pingTimeout: 1500
-
-# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
-# must be a positive integer.
-# elasticsearch.requestTimeout: 30000
-
-# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
-# headers, set this value to [] (an empty list).
-# elasticsearch.requestHeadersWhitelist: [ authorization ]
-
-# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
-# elasticsearch.shardTimeout: 0
-
-# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
-# elasticsearch.startupTimeout: 5000
-
-# Specifies the path where Kibana creates the process ID file.
-# pid.file: /var/run/kibana.pid
-
-# Enables you specify a file where Kibana stores log output.
-# logging.dest: stdout
-
-# Set the value of this setting to true to suppress all logging output.
-# logging.silent: false
-
-# Set the value of this setting to true to suppress all logging output other than error messages.
-logging.quiet: true
-
-# Set the value of this setting to true to log all events, including system usage information
-# and all requests.
-# logging.verbose: false
-
-# Set the interval in milliseconds to sample system and process performance
-# metrics. Minimum is 100ms. Defaults to 10000.
-# ops.interval: 10000

kibana/config/kibana_settings.sh

@@ -0,0 +1,101 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+
+WAZUH_MAJOR=3
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
+
+if [ "$KIBANA_IP" != "" ]; then
+  kibana_ip="$KIBANA_IP"
+else
+  kibana_ip="kibana"
+fi
+
+KIBANA_USER=""
+KIBANA_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u $KIBANA_USER:${KIBANA_PASS}"
+  kibana_secure_ip="https://$kibana_ip"
+else
+  auth=""
+  kibana_secure_ip="http://$kibana_ip"
+fi
+
+
+while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
+  echo "Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+# Remove credentials file
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
+
+echo "End settings"

kibana/config/welcome_wazuh.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+
+    rm -rf ./optimize/bundles
+
+    kibana_path="/usr/share/kibana"
+    # Set Wazuh app as the default landing page
+    echo "Set Wazuh app as the default landing page"
+    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+
+    # Redirect Kibana welcome screen to Discover
+    echo "Redirect Kibana welcome screen to Discover"
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+
+    # Hide management undesired links
+    echo "Hide management undesired links"
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
+fi
+

kibana/config/xpack_config.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq  "#xpack features" "$kibana_config_file";
+then 
+  declare -A CONFIG_MAP=(
+    [xpack.apm.ui.enabled]=$XPACK_APM
+    [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+    [xpack.ml.enabled]=$XPACK_ML
+    [xpack.canvas.enabled]=$XPACK_CANVAS
+    [xpack.logstash.enabled]=$XPACK_LOGS
+    [xpack.infra.enabled]=$XPACK_INFRA
+    [xpack.monitoring.enabled]=$XPACK_MONITORING
+    [xpack.maps.enabled]=$XPACK_MAPS
+    [xpack.uptime.enabled]=$XPACK_UPTIME
+    [console.enabled]=$XPACK_DEVTOOLS
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM 
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.logstash.enabled: $XPACK_LOGS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+xpack.maps.enabled: $XPACK_MAPS
+xpack.uptime.enabled: $XPACK_UPTIME
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi

logstash/Dockerfile

@@ -1,6 +1,37 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.3.1
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/logstash/logstash:6.8.2
+
+COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
 
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 
 COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
+
+# This CA is created for testing. Please set your own CA pem signed certificate. 
+# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
+# ENV variables are necessary: SECURITY_CA_PEM 
+# Sample:
+# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
+# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
+ARG SECURITY_CA_PEM_LOCATION=""
+ARG SECURITY_CA_PEM_ARG=""
+
+# CA for secure communication with Elastic
+ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
+
+# Set permissions for CA
+USER root
+RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
+RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
+
+# Add entrypoint scripts
+RUN mkdir /entrypoint-scripts
+RUN chmod -R 774 /entrypoint-scripts
+RUN chown -R logstash:logstash /entrypoint-scripts
+COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
+RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
+USER logstash
+
+ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 # Wazuh - Logstash configuration file
 ## Remote Wazuh Manager - Filebeat input
 input {
@@ -41,5 +41,9 @@ output {
         hosts => ["elasticsearch:9200"]
         index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
         document_type => "wazuh"
+        #user => service_logstash
+        #password => service_logstash_internal_password
+        #ssl => true
+        #cacert => "/path/to/cert.pem"
     }
 }

logstash/config/10-entrypoint.sh

@@ -0,0 +1,158 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+#
+# OSSEC container bootstrap. See the README for information of the environment
+# variables expected by this script.
+#
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+LOGSTASH_USER=""
+LOGSTASH_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
+  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_PASS=${arrIN[1]}
+    elif [[ $line == *"LOGSTASH_USER"* ]]; then
+      arrIN=(${line//:/ })
+      LOGSTASH_USER=${arrIN[1]}
+    fi
+  done < "$input"
+ 
+fi
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+
+##############################################################################
+# Customize logstash output ip
+##############################################################################
+
+if [ "$LOGSTASH_OUTPUT" != "" ]; then
+  >&2 echo "Customize Logstash ouput ip."
+  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
+fi
+
+until curl $auth -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping."
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Set Logstash password
+##############################################################################
+
+##############################################################################
+# If Secure access to Kibana is enabled, we must set the credentials.
+##############################################################################
+
+if [[ $SECURITY_ENABLED == "yes" ]]; then
+
+  ## Create secure keystore
+  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
+  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
+  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
+
+  ## Settings for logstash.yml
+  echo "
+# Required set the passwords
+xpack.monitoring.enabled: true
+xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
+xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
+xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
+
+xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
+xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
+xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
+xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
+" >> /usr/share/logstash/config/logstash.yml
+
+  ## Settings for 01-wazuh.conf
+  sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
+  sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf 
+
+  ## Add keys to the keystore
+  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
+  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
+  
+  
+fi
+  
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+##############################################################################
+# Remove credentials file
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "Security credentials file not used. Nothing to do."
+else
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi
+
+
+##############################################################################
+# Map environment variables to entries in logstash.yml.
+# Note that this will mutate logstash.yml in place if any such settings are found.
+# This may be undesirable, especially if logstash.yml is bind-mounted from the
+# host system.
+##############################################################################
+
+env2yaml /usr/share/logstash/config/logstash.yml
+
+export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
+
+if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
+  exec logstash "$@"
+else
+  exec "$@"
+fi

logstash/config/entrypoint.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
+
+done

logstash/config/run.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
-# Apply Templates
-#
-
-set -e
-host="elasticsearch"
-until curl -XGET $host:9200; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 1
-done
-
-# Add logstash as command if needed
-if [ "${1:0:1}" = '-' ]; then
-	set -- logstash "$@"
-fi
-
-# Run as user "logstash" if the command is "logstash"
-if [ "$1" = 'logstash' ]; then
-	set -- gosu logstash "$@"
-fi
-
-exec "$@"

nginx/Dockerfile

@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -13,4 +13,7 @@ RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 VOLUME ["/etc/nginx/conf.d"]
 
+ENV NGINX_NAME="foo" \
+    NGINX_PWD="bar"
+
 ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -1,5 +1,5 @@
-#!/bin/sh
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 
@@ -12,15 +12,37 @@ else
   echo "SSL certificates already present"
 fi
 
-# Configuring default credentiales.
+# Setting users credentials.
+# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
+#
+# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
+#    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
+#
+# b) Set NGINX_CREDENTIALS in docker-compose.yml:
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2
+#
 if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+  echo "Setting users credentials"
+  if [ ! -z "$NGINX_CREDENTIALS" ]; then
+    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
+    for index in "${!users[@]}"
+    do
+      IFS=':' read -r -a credentials <<< "${users[index]}"
+      if [ $index -eq 0 ]; then
+        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
+      else
+        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
+      fi
+    done
+  else
+    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
+    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
+  fi
 else
   echo "Kibana credentials already configured"
 fi
 
-
 if [ "x${NGINX_PORT}" = "x" ]; then
   NGINX_PORT=443
 fi
@@ -47,6 +69,9 @@ server {
         auth_basic "Restricted";
         auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
         proxy_pass http://${KIBANA_HOST}/;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
     }
 }
 EOF

wazuh/Dockerfile

@@ -1,77 +1,106 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.3.1
-ARG WAZUH_VERSION=3.4.0-1
 
-# Updating image
-RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+# Arguments
+ARG FILEBEAT_VERSION=6.8.2
+ARG WAZUH_VERSION=3.9.4-1
 
-# Set Wazuh repository.
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
-
-# Set nodejs repository.
-RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
-
-# Creating ossec user as uid:gid 1000:1000
-RUN groupadd -g 1000 ossec
-RUN useradd -u 1000 -g 1000 ossec
-
-# Configure postfix
-RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
-RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+# Environment variables
+ENV API_USER="foo" \
+    API_PASS="bar"
 
 # Install packages
-RUN apt-get update && apt-get -y install openssl postfix bsd-mailx   \
-    apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
-    wazuh-api=${WAZUH_VERSION}
-
-# Adding first run script.
-ADD config/data_dirs.env /data_dirs.env
-ADD config/init.bash /init.bash
-
-# Sync calls are due to https://github.com/docker/docker/issues/9547
-RUN chmod 755 /init.bash &&\
-    sync && /init.bash &&\
-    sync && rm /init.bash
-
-# Installing and configuring fiebeat
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
+RUN set -x && \
+    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
+    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
+    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
+    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
+    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
+    groupadd -g 1000 ossec && \
+    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
+    add-apt-repository universe && \
+    apt-get update && \
+    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
+    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
+    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
+    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    rm -f /var/ossec/logs/alerts/*/*/* && \
+    rm -f /var/ossec/logs/archives/*/*/* && \
+    rm -f /var/ossec/logs/firewall/*/*/* && \
+    rm -f /var/ossec/logs/api/*/*/* && \
+    rm -f /var/ossec/logs/cluster/*/*/* && \
+    rm -f /var/ossec/logs/ossec/*/*/* && \
+    rm /var/ossec/var/run/* && \
+    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
+
+# Services
+RUN mkdir /etc/service/wazuh && \
+    mkdir /etc/service/wazuh-api && \
+    mkdir /etc/service/postfix && \
+    mkdir /etc/service/filebeat
+
+COPY config/wazuh.runit.service /etc/service/wazuh/run
+COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
+COPY config/postfix.runit.service /etc/service/postfix/run
+COPY config/filebeat.runit.service /etc/service/filebeat/run
+
+RUN chmod +x /etc/service/wazuh-api/run && \
+    chmod +x /etc/service/wazuh/run && \
+    chmod +x /etc/service/postfix/run && \
+    chmod +x /etc/service/filebeat/run 
+
+# Copy configuration files from repository
 COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml
+RUN chmod go-w /etc/filebeat/filebeat.yml 
 
-# Adding entrypoint
-ADD config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+# Prepare permanent data
+# Sync calls are due to https://github.com/docker/docker/issues/9547
+COPY config/permanent_data.env /permanent_data.env
+COPY config/permanent_data.sh /permanent_data.sh
+RUN chmod 755 /permanent_data.sh && \
+    sync && \
+    /permanent_data.sh && \
+    sync && \
+    rm /permanent_data.sh 
 
-# Setting volumes
-VOLUME ["/var/ossec/data"]
-VOLUME ["/etc/filebeat"]
-VOLUME ["/etc/postfix"]
-
-# Services ports
+# Expose ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
-# Clean up
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Setting volumes
+# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
+# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
+VOLUME ["/var/ossec/api/configuration"]
+VOLUME ["/var/ossec/etc"]
+VOLUME ["/var/ossec/logs"]
+VOLUME ["/var/ossec/queue"]
+VOLUME ["/var/ossec/var/multigroups"]
+VOLUME ["/var/ossec/integrations"]
+VOLUME ["/var/ossec/active-response/bin"]
+VOLUME ["/var/ossec/wodles"]
+VOLUME ["/etc/filebeat"]
+VOLUME ["/etc/postfix"]
+VOLUME ["/var/lib/filebeat"]
 
-# Adding services
-RUN mkdir /etc/service/wazuh
-COPY config/wazuh.runit.service /etc/service/wazuh/run
-RUN chmod +x /etc/service/wazuh/run
+# Prepare entrypoint scripts
+# Entrypoint scripts must be added to the entrypoint-scripts directory
+RUN mkdir /entrypoint-scripts
 
-RUN mkdir /etc/service/wazuh-api
-COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
-RUN chmod +x /etc/service/wazuh-api/run
+COPY config/entrypoint.sh /entrypoint.sh
+COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 
-RUN mkdir /etc/service/postfix
-COPY config/postfix.runit.service /etc/service/postfix/run
-RUN chmod +x /etc/service/postfix/run
+RUN chmod 755 /entrypoint.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh
 
-RUN mkdir /etc/service/filebeat
-COPY config/filebeat.runit.service /etc/service/filebeat/run
-RUN chmod +x /etc/service/filebeat/run
+# Workaround. 
+# Issues: Wazuh-api
+# https://github.com/wazuh/wazuh-api/issues/440  
+# https://github.com/wazuh/wazuh-api/issues/443
+COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
+RUN chmod 770 /var/ossec/api/controllers/agents.js
 
 # Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/01-wazuh.sh

@@ -0,0 +1,266 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
+
+
+##############################################################################
+# Aux functions
+##############################################################################
+print() {
+  echo -e $1
+}
+
+error_and_exit() {
+  echo "Error executing command: '$1'."
+  echo 'Exiting.'
+  exit 1
+}
+
+exec_cmd() {
+  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+  eval $1 2>&1 || error_and_exit "$1"
+}
+
+
+##############################################################################
+# Edit configuration
+##############################################################################
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
+##############################################################################
+# This function will attempt to mount every directory in PERMANENT_DATA 
+# into the respective path. 
+# If the path is empty means permanent data volume is also empty, so a backup  
+# will be copied into it. Otherwise it will not be copied because there is  
+# already data inside the volume for the specified path.
+##############################################################################
+
+mount_permanent_data() {
+  for permanent_dir in "${PERMANENT_DATA[@]}"; do
+    # Check if the path is not empty
+    if find ${permanent_dir} -mindepth 1 | read; then
+      print "The path ${permanent_dir} is already mounted"
+    else
+      print "Installing ${permanent_dir}"
+      exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will replace from the permanent data volume every file 
+# contained in PERMANENT_DATA_EXCP
+# Some files as 'internal_options.conf' are saved as permanent data, but 
+# they must be updated to work properly if wazuh version is changed.
+##############################################################################
+
+apply_exclusion_data() {
+  for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+    if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
+    then
+      DIR=$(dirname "${exclusion_file}")
+      if [ ! -e ${DIR}  ]
+      then
+        mkdir -p ${DIR}
+      fi
+      
+      print "Updating ${exclusion_file}"
+      exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will delete from the permanent data volume every file 
+# contained in PERMANENT_DATA_DEL
+##############################################################################
+
+remove_data_files() {
+  for del_file in "${PERMANENT_DATA_DEL[@]}"; do
+    if [ -e ${del_file} ]
+    then 
+      print "Removing ${del_file}"
+      exec_cmd "rm ${del_file}"
+    fi
+  done
+}
+
+##############################################################################
+# Create certificates: Manager
+##############################################################################
+
+create_ossec_key_cert() {
+  print "Creating ossec-authd key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+}
+
+##############################################################################
+# Create certificates: API
+##############################################################################
+
+create_api_key_cert() {
+  print "Enabling Wazuh API HTTPS"
+  edit_configuration "https" "yes"
+  print "Create Wazuh API key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
+
+  # Granting proper permissions 
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
+}
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+
+mount_files() {
+  if [ -e "$WAZUH_CONFIG_MOUNT" ]
+  then
+    print "Identified Wazuh configuration files to mount..."
+    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
+  else
+    print "No Wazuh configuration files to mount..."
+  fi
+}
+
+##############################################################################
+# Stop OSSEC
+##############################################################################
+
+function ossec_shutdown(){
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
+}
+
+##############################################################################
+# Interpret any passed arguments (via docker command to this entrypoint) as
+# paths or commands, and execute them. 
+#
+# This can be useful for actions that need to be run before the services are
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
+##############################################################################
+
+docker_custom_args() {
+  for CUSTOM_COMMAND in "$@"
+  do
+    echo "Executing command \`${CUSTOM_COMMAND}\`"
+    exec_cmd_stdout "${CUSTOM_COMMAND}"
+  done
+}
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+change_api_user_credentials() {
+  pushd /var/ossec/api/configuration/auth/
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    WAZUH_API_USER=${API_USER}
+    WAZUH_API_PASS=${API_PASS}
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    while IFS= read -r line
+    do
+      if [[ $line == *"WAZUH_API_USER"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_USER=${arrIN[1]}
+      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_PASS=${arrIN[1]}
+      fi
+    done < "$input"
+  fi
+
+  echo "Change Wazuh API user credentials"
+  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
+  eval $change_user
+  popd
+}
+
+
+
+
+##############################################################################
+# Customize filebeat output ip
+##############################################################################
+
+
+custom_filebeat_output_ip() {
+  if [ "$FILEBEAT_OUTPUT" != "" ]; then
+    sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
+  fi
+}
+
+
+##############################################################################
+# Main function
+##############################################################################
+
+main() {
+  # Mount permanent data  (i.e. ossec.conf)
+  mount_permanent_data
+
+  # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
+  apply_exclusion_data
+
+  # Remove some files in permanent_data (i.e. .template.db)
+  remove_data_files
+
+  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
+    then
+      create_ossec_key_cert
+    fi
+  fi
+
+  # Generate API certs if API_GENERATE_CERTS is true and does not exist
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
+    then
+      create_api_key_cert
+    fi
+  fi
+
+  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
+  mount_files
+
+  # Trap exit signals and do a proper shutdown
+  trap "ossec_shutdown; exit" SIGINT SIGTERM
+
+  # Execute custom args
+  docker_custom_args
+
+  # Change API user credentials
+  change_api_user_credentials
+
+  # Update filebeat configuration
+  custom_filebeat_output_ip
+
+  # Delete temporary data folder
+  rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
+
+}
+
+main

wazuh/config/data_dirs.env

@@ -1,9 +0,0 @@
-i=0
-DATA_DIRS[((i++))]="etc"
-DATA_DIRS[((i++))]="ruleset"
-DATA_DIRS[((i++))]="logs"
-DATA_DIRS[((i++))]="stats"
-DATA_DIRS[((i++))]="queue"
-DATA_DIRS[((i++))]="var/db"
-DATA_DIRS[((i++))]="api"
-export DATA_DIRS

wazuh/config/entrypoint.sh

@@ -1,116 +1,13 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
-# Startup the services
-#
-
-source /data_dirs.env
-
-FIRST_TIME_INSTALLATION=false
-
-WAZUH_INSTALL_PATH=/var/ossec
-DATA_PATH=${WAZUH_INSTALL_PATH}/data
-
-WAZUH_CONFIG_MOUNT=/wazuh-config-mount
-
-print() {
-    echo -e $1
-}
-
-error_and_exit() {
-    echo "Error executing command: '$1'."
-    echo 'Exiting.'
-    exit 1
-}
-
-exec_cmd() {
-    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
-}
-
-exec_cmd_stdout() {
-    eval $1 2>&1 || error_and_exit "$1"
-}
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
-
-for ossecdir in "${DATA_DIRS[@]}"; do
-  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
-  then
-    print "Installing ${ossecdir}"
-    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
-    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
-    FIRST_TIME_INSTALLATION=true
-  fi
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 done
 
-touch ${DATA_PATH}/process_list
-chgrp ossec ${DATA_PATH}/process_list
-chmod g+rw ${DATA_PATH}/process_list
-
-AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
-
-if [ $FIRST_TIME_INSTALLATION == true ]
-then
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
-    then
-      print "Creating ossec-authd key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
-    then
-      print "Enabling Wazuh API HTTPS"
-      edit_configuration "https" "yes"
-      print "Create Wazuh API key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-fi
-
 ##############################################################################
-# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
-# destination files permissions
-#
-# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
-# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
-# replace the ossec.conf file in /var/ossec/data/etc with yours.
+# Start Wazuh Server.
 ##############################################################################
-if [ -e "$WAZUH_CONFIG_MOUNT" ]
-then
-  print "Identified Wazuh configuration files to mount..."
-
-  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
-else
-  print "No Wazuh configuration files to mount..."
-fi
-
-# Enabling ossec-authd.
-exec_cmd "/var/ossec/bin/ossec-control enable auth"
-
-function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
-}
-
-# Trap exit signals and do a proper shutdown
-trap "ossec_shutdown; exit" SIGINT SIGTERM
-
-chmod -R g+rw ${DATA_PATH}
 
 /sbin/my_init 

wazuh/config/filebeat.yml

@@ -1,13 +1,14 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 filebeat:
  prospectors:
-  - input_type: log
+  - type: log
     paths:
-     - "/var/ossec/data/logs/alerts/alerts.json"
-    document_type: wazuh-alerts
+     - "/var/ossec/logs/alerts/alerts.json"
+    document_type: json
     json.message_key: log
     json.keys_under_root: true
     json.overwrite_keys: true
+    tail_files: true
 
 output:
  logstash:

wazuh/config/init.bash

@@ -1,13 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-#
-# Initialize the custom data directory layout
-#
-source /data_dirs.env
-
-cd /var/ossec
-for ossecdir in "${DATA_DIRS[@]}"; do
-  mv ${ossecdir} ${ossecdir}-template
-  ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
-done

wazuh/config/permanent_data.env

@@ -0,0 +1,61 @@
+# Permanent data mounted in volumes
+i=0
+PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
+PERMANENT_DATA[((i++))]="/var/ossec/etc"
+PERMANENT_DATA[((i++))]="/var/ossec/logs"
+PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
+PERMANENT_DATA[((i++))]="/var/ossec/integrations"
+PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
+PERMANENT_DATA[((i++))]="/var/ossec/wodles"
+PERMANENT_DATA[((i++))]="/etc/filebeat"
+PERMANENT_DATA[((i++))]="/etc/postfix"
+export PERMANENT_DATA
+
+# Files mounted in a volume that should not be permanent
+i=0
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
+export PERMANENT_DATA_EXCP
+
+# Files mounted in a volume that should be deleted 
+i=0
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
+export PERMANENT_DATA_DEL

wazuh/config/permanent_data.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp
+mkdir ${DATA_TMP_PATH}
+
+# Move exclusion files to EXCLUSION_PATH
+EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion
+mkdir ${EXCLUSION_PATH}
+
+for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+  # Create the directory for the exclusion file if it does not exist
+  DIR=$(dirname "${exclusion_file}")
+  if [ ! -e ${EXCLUSION_PATH}/${DIR}  ]
+  then
+    mkdir -p ${EXCLUSION_PATH}/${DIR}
+  fi
+
+  mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file}
+done
+
+# Move permanent files to PERMANENT_PATH
+PERMANENT_PATH=${DATA_TMP_PATH}/permanent
+mkdir ${PERMANENT_PATH}
+
+for permanent_dir in "${PERMANENT_DATA[@]}"; do
+  # Create the directory for the permanent file if it does not exist
+  DIR=$(dirname "${permanent_dir}")
+  if [ ! -e ${PERMANENT_PATH}${DIR}  ]
+  then
+    mkdir -p ${PERMANENT_PATH}${DIR}
+  fi
+  
+  mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
+
+done

wazuh/config/wazuh-api.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
 service wazuh-api start
-tail -f /var/ossec/data/logs/api.log
+tail -f /var/ossec/logs/api.log
 

wazuh/config/wazuh.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
 service wazuh-manager start
-tail -f /var/ossec/data/logs/ossec.log
+tail -f /var/ossec/logs/ossec.log