Update to Wazuh version 3.8.1 (#102)

Add env credentials for nginx

CHANGELOG.md

@@ -1,6 +1,48 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v3.8.1_6.5.4
+
+### Changed
+- Update to Wazuh version 3.8.1. ([#102](https://github.com/wazuh/wazuh-docker/pull/102))
+
+## Wazuh Docker v3.8.0_6.5.4
+
+### Changed
+
+- Upgrade version 3.8.0_6.5.4. ([#97](https://github.com/wazuh/wazuh-docker/pull/97))
+
+### Removed
+
+- Remove cluster.py work around. ([#99](https://github.com/wazuh/wazuh-docker/pull/99))
+
+## Wazuh Docker v3.7.2_6.5.4
+
+### Added
+
+- Add Kibana environmental variables for Wazuh APP config.yml. ([#89](https://github.com/wazuh/wazuh-docker/pull/89))
+
+### Changed
+
+- Update Elastic Stack version to 6.5.4. ([#82](https://github.com/wazuh/wazuh-docker/pull/82))
+- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
+- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
+
+### Fixed 
+
+- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
+
+## Wazuh Docker v3.7.2_6.5.3
+
+### Changed
+
+- Erasing temporary fix for AWS integration. ([#81](https://github.com/wazuh/wazuh-docker/pull/81))
+
+### Fixed
+
+- Upgrading errors due to wrong files. ([#80](https://github.com/wazuh/wazuh-docker/pull/80))
+
+
 ## Wazuh Docker v3.7.0_6.5.0
 
 ### Changed

README.md

@@ -1,6 +1,6 @@
 # Wazuh containers for Docker
 
-[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
 [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
 [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
 [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
@@ -20,10 +20,6 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
-## Current release
-
-Containers are currently tested on Wazuh version 3.7.1 and Elastic Stack version 6.5.3. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
-
 ## Directory structure
 
 	wazuh-docker
@@ -64,7 +60,7 @@ Containers are currently tested on Wazuh version 3.7.1 and Elastic Stack version
 
 * `stable` branch on correspond to the last Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElsaticStack.Version` (for example 3.7.0_6.4.3) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. 
+* `Wazuh.Version_ElasticStack.Version` (for example 3.7.0_6.4.3) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.7.1_6.5.3"
+WAZUH-DOCKER_VERSION="3.8.1_6.5.4"
-REVISION="3726"
+REVISION="3801"

docker-compose.yml

@@ -3,7 +3,7 @@ version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.7.1_6.5.3
+    image: wazuh/wazuh:3.8.1_6.5.4
     hostname: wazuh-manager
     restart: always
     ports:
@@ -23,7 +23,7 @@ services:
     depends_on:
       - logstash
   logstash:
-    image: wazuh/wazuh-logstash:3.7.1_6.5.3
+    image: wazuh/wazuh-logstash:3.8.1_6.5.4
     hostname: logstash
     restart: always
 #    volumes:
@@ -39,7 +39,7 @@ services:
     environment:
       - LS_HEAP_SIZE=2048m
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.3
+    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.4
     hostname: elasticsearch
     restart: always
     ports:
@@ -61,7 +61,7 @@ services:
     networks:
         - docker_elk
   kibana:
-    image: wazuh/wazuh-kibana:3.7.1_6.5.3
+    image: wazuh/wazuh-kibana:3.8.1_6.5.4
     hostname: kibana
     restart: always
 #    ports:
@@ -76,7 +76,7 @@ services:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
   nginx:
-    image: wazuh/wazuh-nginx:3.7.1_6.5.3
+    image: wazuh/wazuh-nginx:3.8.1_6.5.4
     hostname: nginx
     restart: always
     environment:

kibana/Dockerfile

@@ -1,11 +1,11 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.5.3
+FROM docker.elastic.co/kibana/kibana:6.5.4
-ARG WAZUH_APP_VERSION=3.7.1_6.5.3
+ARG WAZUH_APP_VERSION=3.8.1_6.5.4
 USER root
 
 ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
+ADD https://raw.githubusercontent.com/wazuh/wazuh/3.8/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
 
 RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
     chown -R kibana:kibana /usr/share/kibana &&\
@@ -16,4 +16,37 @@ RUN chmod 755 /entrypoint.sh
 
 USER kibana
 
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    APP_TIMEOUT="" \
+    WAZUH_SHARDS="" \
+    WAZUH_REPLICAS="" \
+    WAZUH_VERSION_SHARDS="" \
+    WAZUH_VERSION_REPLICAS="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    XPACK_RBAC_ENABLED="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS="" \
+    ADMIN_PRIVILEGES=""
+
+
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
+RUN chmod +x ./wazuh_app_config.sh
+
 ENTRYPOINT /entrypoint.sh
+

kibana/config/entrypoint.sh

@@ -50,6 +50,9 @@ if [ "x$CONFIG_CODE" = "x404" ]; then
 else
   echo "Wazuh APP already configured"
 fi
+sleep 5
+
+./wazuh_app_config.sh
 
 sleep 5
 

kibana/config/wazuh_app_config.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [timeout]=$APP_TIMEOUT
+  [wazuh.shards]=$WAZUH_SHARDS
+  [wazuh.replicas]=$WAZUH_REPLICAS
+  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
+  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done

logstash/Dockerfile

@@ -1,5 +1,5 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.5.3
+FROM docker.elastic.co/logstash/logstash:6.5.4
 
 RUN rm -f /usr/share/logstash/pipeline/logstash.conf
 

nginx/Dockerfile

@@ -13,4 +13,7 @@ RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 VOLUME ["/etc/nginx/conf.d"]
 
+ENV NGINX_NAME="foo" \
+    NGINX_PWD="bar"
+
 ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -15,7 +15,7 @@ fi
 # Configuring default credentiales.
 if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
   echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
+  echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
 else
   echo "Kibana credentials already configured"
 fi

wazuh/Dockerfile

@@ -1,7 +1,8 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.5.3
+ARG FILEBEAT_VERSION=6.5.4
-ARG WAZUH_VERSION=3.7.1-1
+ARG WAZUH_VERSION=3.8.1-1
+
 
 # Updating image
 RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
@@ -76,11 +77,5 @@ RUN mkdir /etc/service/filebeat
 COPY config/filebeat.runit.service /etc/service/filebeat/run
 RUN chmod +x /etc/service/filebeat/run
 
-# Temporary fix for AWS integration
-RUN sed -i 's/.*with open*/#wiht open/' /var/ossec/wodles/aws/aws-s3
-RUN sed -i 's/.*max_queue_buffer = int(kernel_param.read().strip())*/#max_queue_buffer/' /var/ossec/wodles/aws/aws-s3
-RUN sed -i '784imax_queue_buffer = 0' /var/ossec/wodles/aws/aws-s3
-RUN sed -i '784s/^/    /' /var/ossec/wodles/aws/aws-s3
-
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/entrypoint.sh

@@ -53,6 +53,12 @@ for ossecdir in "${DATA_DIRS[@]}"; do
   fi
 done
 
+if [  -e ${WAZUH_INSTALL_PATH}/etc-template  ]
+then
+    cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf
+fi
+rm /var/ossec/queue/db/.template.db
+
 touch ${DATA_PATH}/process_list
 chgrp ossec ${DATA_PATH}/process_list
 chmod g+rw ${DATA_PATH}/process_list
@@ -101,9 +107,6 @@ else
   print "No Wazuh configuration files to mount..."
 fi
 
-# Enabling ossec-authd.
-exec_cmd "/var/ossec/bin/ossec-control enable auth"
-
 function ossec_shutdown(){
   ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }

wazuh/config/filebeat.yml

@@ -1,11 +1,10 @@
 # Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
 filebeat:
- inputs:
+ prospectors:
   - type: log
     paths:
-     - "/var/ossec/data/logs/alerts/alerts.json"
+     - "/var/ossec/logs/alerts/alerts.json"
-    fields:
+    document_type: json
-      document_type: wazuh-alerts
     json.message_key: log
     json.keys_under_root: true
     json.overwrite_keys: true