Compare commits
581 Commits
3.7.1_6.5.
...
v4.1.0
Author | SHA1 | Date | |
---|---|---|---|
|
b36f24a128 | ||
|
5da9c5dd1f | ||
|
4eb80c83b0 | ||
|
68c41bd64c | ||
|
41f2397725 | ||
|
5673a9115c | ||
|
f019658c86 | ||
|
eb944445be | ||
|
fe3b9335c1 | ||
|
771e4e3988 | ||
|
6f60a87b46 | ||
|
201e750f2c | ||
|
7e75b29a0f | ||
|
1c512ae437 | ||
|
7cc89ffdb1 | ||
|
e3d1aa16d0 | ||
|
b7afcf7646 | ||
|
b290efb376 | ||
|
8dd9bc0421 | ||
|
64db5f9067 | ||
|
5313c60a06 | ||
|
ca11769d4f | ||
|
1cc88b3097 | ||
|
e20fb6e728 | ||
|
d84631761a | ||
|
08ac53fee9 | ||
|
f4c484e887 | ||
|
7a99967144 | ||
|
cd7d882261 | ||
|
217be9a075 | ||
|
e683a68cb4 | ||
|
59b55c6d5c | ||
|
0d5d167a5d | ||
|
13ad837787 | ||
|
0ce9aa9991 | ||
|
d2c91ff90a | ||
|
c3943a1523 | ||
|
6c9506aa9a | ||
|
68256252c7 | ||
|
c8184b9145 | ||
|
e2e96c5ba1 | ||
|
3a5500e3ff | ||
|
8dea8fb25b | ||
|
cfb11720ea | ||
|
f41d0f876f | ||
|
56d8c4eaf3 | ||
|
9dc8e256c6 | ||
|
3a028ae547 | ||
|
309fa27bc2 | ||
|
a0e7553aa5 | ||
|
5e5f13c1ff | ||
|
4955c0d5bc | ||
|
0ed25bab2d | ||
|
dfa19bc348 | ||
|
3f53a0c174 | ||
|
a8c7fcc67f | ||
|
b41c1cf290 | ||
|
68719ac891 | ||
|
5d32069193 | ||
|
325b588cbb | ||
|
c6f0c888bb | ||
|
a3945b5491 | ||
|
db0adb9ee1 | ||
|
900bd57219 | ||
|
1138b3a7f4 | ||
|
752b139329 | ||
|
fa4815e51a | ||
|
6e0b3703d6 | ||
|
47e69367e9 | ||
|
1d34d7db27 | ||
|
f6c0432bc9 | ||
|
353c64ba24 | ||
|
a680c955bc | ||
|
1b4818c078 | ||
|
3552e995c8 | ||
|
ddedb606f2 | ||
|
6c6c13b123 | ||
|
b76a033a97 | ||
|
581871d5bc | ||
|
ef5dc54e78 | ||
|
0618f45fcf | ||
|
82beddbeee | ||
|
9489d6b86f | ||
|
f56657cdb0 | ||
|
b874eac3af | ||
|
7175e51012 | ||
|
d4eec39c90 | ||
|
f35927b536 | ||
|
52f48c10a3 | ||
|
a776bdb006 | ||
|
8b39d84207 | ||
|
2d77c33f1b | ||
|
fb53624ed8 | ||
|
ff0c29bbfd | ||
|
1cea49b83f | ||
|
d6cb34517b | ||
|
36c75a1f5d | ||
|
d69f02d469 | ||
|
ed4a967839 | ||
|
1de9dc2c2f | ||
|
3a3b574454 | ||
|
b821942010 | ||
|
ed805ee1c1 | ||
|
1aa36c15d6 | ||
|
1a19c72393 | ||
|
fe1b3d147e | ||
|
3086096c19 | ||
|
1f1a5dd009 | ||
|
2ed39e43fb | ||
|
cbcaa2ff05 | ||
|
c44b154578 | ||
|
925aa43915 | ||
|
d5fb09f8e0 | ||
|
49a16c0ff1 | ||
|
5de7952153 | ||
|
a99d0c2988 | ||
|
edaaf3de7e | ||
|
6f9c7ed082 | ||
|
7f8d0ccb8e | ||
|
22da062a2b | ||
|
ee59bf6f38 | ||
|
47ee64b13f | ||
|
8d5e090a03 | ||
|
eb59ed2e39 | ||
|
c3d89f89dd | ||
|
e6b821c672 | ||
|
c78520b135 | ||
|
bed34c33ca | ||
|
974c359b54 | ||
|
0f8c17c980 | ||
|
baf2d0f536 | ||
|
da68eaf83e | ||
|
cc20d98ae5 | ||
|
3e63de99a8 | ||
|
9c94c43d65 | ||
|
4cb18cc189 | ||
|
37d96b5214 | ||
|
9069d993f1 | ||
|
83941c143a | ||
|
545725bbfc | ||
|
84d1044e70 | ||
|
e2f8f6d164 | ||
|
0fed6d6e8b | ||
|
9a58958bcb | ||
|
960105b776 | ||
|
ee26db692b | ||
|
8c9945c111 | ||
|
925521d352 | ||
|
2028d866a1 | ||
|
4e098924e0 | ||
|
7f98075326 | ||
|
a2e7805251 | ||
|
ac0c85bb64 | ||
|
3d7807d27b | ||
|
37ba48d56d | ||
|
e9fec0e497 | ||
|
e598cc7712 | ||
|
b6cc7d20bb | ||
|
32cd19f344 | ||
|
7042854bfa | ||
|
b63c294288 | ||
|
9df61de961 | ||
|
86ff04c0b3 | ||
|
0992111200 | ||
|
a1a27922de | ||
|
eba6bc6752 | ||
|
e45c0f3c4d | ||
|
8657266ffd | ||
|
8fb7110af5 | ||
|
98273c1e27 | ||
|
68a02f1f38 | ||
|
6ebc52467b | ||
|
a24fd2fbce | ||
|
3deb80d6a0 | ||
|
a9ee1f7e29 | ||
|
0336001012 | ||
|
cfd1d9725d | ||
|
274342e24d | ||
|
bbabf9bb3b | ||
|
1608474bdf | ||
|
7badd1bdec | ||
|
248b769688 | ||
|
d7133df0f3 | ||
|
325c191b68 | ||
|
eb089e8011 | ||
|
5bb1127cf2 | ||
|
139ac79463 | ||
|
da14494144 | ||
|
e7acb70b6f | ||
|
4de5401144 | ||
|
65327f8032 | ||
|
3f0e908a2b | ||
|
2df878f040 | ||
|
131115c238 | ||
|
81aeac1570 | ||
|
e93e67ed6e | ||
|
0c61146986 | ||
|
6e82f67a9d | ||
|
b1e0f9b35e | ||
|
8af39e3a56 | ||
|
c1bcdaf5fb | ||
|
727560b2d1 | ||
|
9dc2c0f82a | ||
|
5079a68fb0 | ||
|
9547305061 | ||
|
746cffc549 | ||
|
09a6e9bc1d | ||
|
9e87c1b597 | ||
|
d8b186aa52 | ||
|
67e259a681 | ||
|
6f039f1de9 | ||
|
ebd416615e | ||
|
a00d16afcd | ||
|
6f2bf0cb3f | ||
|
6419f35716 | ||
|
79c4734801 | ||
|
4acc3b402b | ||
|
eba4fdf8eb | ||
|
1f825c13be | ||
|
3cfa63fc2e | ||
|
77b163bf10 | ||
|
2921d67de1 | ||
|
b886fd6c4d | ||
|
b90fc8053e | ||
|
d2b0656808 | ||
|
edb1c69294 | ||
|
9536ff5963 | ||
|
c8c0e84ed8 | ||
|
feb12837e8 | ||
|
68c1fb171f | ||
|
701386d5a3 | ||
|
5a0865da0b | ||
|
8ebd2b2609 | ||
|
f3bcb7f6e1 | ||
|
18f5f02153 | ||
|
be81cf9593 | ||
|
e0c402600a | ||
|
35f958a25c | ||
|
146dbff787 | ||
|
489bd01f36 | ||
|
54c5c643da | ||
|
63880eab51 | ||
|
fa55036943 | ||
|
6dab191255 | ||
|
7e9abfab60 | ||
|
183519e2d5 | ||
|
618169bffb | ||
|
8f660d06e0 | ||
|
a580c0f05b | ||
|
49cb294933 | ||
|
3a27f55cba | ||
|
75e7f3df62 | ||
|
99ddc15cf6 | ||
|
c0a503bc81 | ||
|
966a3dcef7 | ||
|
9fc689206d | ||
|
9b329b095e | ||
|
f0ba8c3e63 | ||
|
d9264606ef | ||
|
b4e82984b4 | ||
|
9564adf54a | ||
|
edae7d3c6a | ||
|
af5db1efac | ||
|
14f0d6d622 | ||
|
cb60fc8b77 | ||
|
4f612e5426 | ||
|
90074777da | ||
|
320061f022 | ||
|
125f83e6df | ||
|
707fe87804 | ||
|
c9a43bd5ff | ||
|
26679d46f6 | ||
|
627e9517d8 | ||
|
ced83faef0 | ||
|
3b1814ec7b | ||
|
1eb4a53c53 | ||
|
10225496e1 | ||
|
d74b6984d3 | ||
|
2e08f91f62 | ||
|
26d381b403 | ||
|
79f402ca2f | ||
|
d0ba0465fe | ||
|
5dbfa958b7 | ||
|
c13680e084 | ||
|
3a2568879a | ||
|
e2559957da | ||
|
358c8750a4 | ||
|
6afb9d0779 | ||
|
6412cb90f9 | ||
|
159aaf43ac | ||
|
82bb977b9c | ||
|
bde4351a2a | ||
|
03f4e39978 | ||
|
effa446872 | ||
|
c32e306a37 | ||
|
4f7ae19d81 | ||
|
d1f1e401b1 | ||
|
ea27c239b2 | ||
|
e437c1a4ec | ||
|
1f57ad6619 | ||
|
eefaed3ede | ||
|
5db55032b7 | ||
|
0b6d5c99b1 | ||
|
2e228eada4 | ||
|
61a1385462 | ||
|
427b87d6e1 | ||
|
8615cd4d21 | ||
|
a4a64e66f4 | ||
|
a561deeaec | ||
|
9f710f90c3 | ||
|
dcc0634b95 | ||
|
7f7fbd39e1 | ||
|
a34dbb04b7 | ||
|
a41da9d6ea | ||
|
4b054e88ca | ||
|
d903f01e17 | ||
|
e1d3458846 | ||
|
31ba5923fb | ||
|
88b1ace9bd | ||
|
43da69277f | ||
|
3318f4d7f6 | ||
|
72d74ad013 | ||
|
3e6d311721 | ||
|
9d23180b6a | ||
|
bfba87a4b0 | ||
|
5001a7d220 | ||
|
53f905937e | ||
|
6038525d4b | ||
|
17865358d8 | ||
|
95cb2fa3aa | ||
|
bba5b90716 | ||
|
afb1c1fba3 | ||
|
95b6b70a70 | ||
|
44a7a9b16f | ||
|
49f1b476b5 | ||
|
e83a092449 | ||
|
380ba92708 | ||
|
7e8e11bfd6 | ||
|
3c7d0f441d | ||
|
23fffddf95 | ||
|
88ec0fc043 | ||
|
774d14ee18 | ||
|
66f50039b0 | ||
|
370c59dbe7 | ||
|
99361ee0e4 | ||
|
89eda06a27 | ||
|
6c0af46903 | ||
|
846ff81102 | ||
|
35914c35e1 | ||
|
237f55d7e2 | ||
|
8cdfca24cf | ||
|
60f04d3987 | ||
|
2c31757953 | ||
|
505767ef31 | ||
|
6c9fce8964 | ||
|
1f7e3a4498 | ||
|
6d44063077 | ||
|
8fc6512164 | ||
|
aaed0058ce | ||
|
57e71d5545 | ||
|
6d393f976a | ||
|
f7eaf56691 | ||
|
2c9c0f6cea | ||
|
c2f43d0d29 | ||
|
a2dd5867a1 | ||
|
adc4efb694 | ||
|
62e39920cd | ||
|
2a77c6a6e6 | ||
|
1562808cf6 | ||
|
b0782505e1 | ||
|
507d27a448 | ||
|
40bb635036 | ||
|
61b1f45bc4 | ||
|
881a0abfa5 | ||
|
d8c14e108c | ||
|
60b32d0d21 | ||
|
a481d9c376 | ||
|
9740ddcf3e | ||
|
5db7509b52 | ||
|
e00cd1081a | ||
|
7a6c3f5f5e | ||
|
3aff6de0d0 | ||
|
8a6225856d | ||
|
e6cddf8e1d | ||
|
ad4084a8da | ||
|
11b926ffa3 | ||
|
d81ab1e304 | ||
|
a6b453b9df | ||
|
ee0303fd36 | ||
|
286714606b | ||
|
0af05f88fa | ||
|
4a01fcc01f | ||
|
e6da7606b9 | ||
|
5d1432b729 | ||
|
22ad4360f5 | ||
|
6a82b98fcf | ||
|
1922ae145a | ||
|
7944897a0d | ||
|
771396ae9e | ||
|
09164c4285 | ||
|
948aaf289c | ||
|
d96e94f4fa | ||
|
8077b9b084 | ||
|
f66f986abb | ||
|
569d3ee931 | ||
|
2e4f1ffe45 | ||
|
f60195a075 | ||
|
2c67ad822e | ||
|
01e8e18f61 | ||
|
447c15c823 | ||
|
780dfe1a51 | ||
|
eadc765860 | ||
|
ae3734db18 | ||
|
91d4ec5c4b | ||
|
d6074f5f7e | ||
|
6ff836e9fc | ||
|
5799998308 | ||
|
4adb9741e4 | ||
|
1d4161cc02 | ||
|
f462dd5846 | ||
|
20d2891e23 | ||
|
e954a6486a | ||
|
7c49e389a8 | ||
|
f63d9fa387 | ||
|
0cef2a5974 | ||
|
72725daa75 | ||
|
eab0541d0a | ||
|
25cb3a82ea | ||
|
b43b1b4299 | ||
|
7bf7f532e0 | ||
|
dc70fb864d | ||
|
efab5fe0bd | ||
|
9db7bbd160 | ||
|
baa0ac6c22 | ||
|
99008b5e69 | ||
|
2eeb44f902 | ||
|
66adf7fd6f | ||
|
3f75dbdd39 | ||
|
3d8d612298 | ||
|
49ace342a0 | ||
|
5f2859d95e | ||
|
bf52145e7a | ||
|
f44ba2a745 | ||
|
03f87a0927 | ||
|
61d3f460be | ||
|
97b018b86a | ||
|
dab0f53634 | ||
|
c01c17623a | ||
|
9ed503b6e8 | ||
|
582e93b955 | ||
|
274d6248d3 | ||
|
b47f723285 | ||
|
b99d54eb25 | ||
|
2b0f2955d0 | ||
|
38644d380c | ||
|
86bc43a494 | ||
|
8e5ad87619 | ||
|
2bd0138d6f | ||
|
92b2814fb1 | ||
|
91e70da2b8 | ||
|
260762968d | ||
|
beb9bee27b | ||
|
49f6f673c6 | ||
|
1bc6ecca67 | ||
|
ebca6b3696 | ||
|
b15d61cda7 | ||
|
7aeb6b2050 | ||
|
11108631c0 | ||
|
62af977067 | ||
|
be9c278a18 | ||
|
92d957730c | ||
|
8823405dd9 | ||
|
73e5b99983 | ||
|
e563df4093 | ||
|
f3674ff9d9 | ||
|
12b40b48ee | ||
|
715fb4fdec | ||
|
fdca63f592 | ||
|
6a82a36711 | ||
|
18e955090a | ||
|
fc97c3623b | ||
|
283ca42d57 | ||
|
c6793657e7 | ||
|
b3114e7293 | ||
|
727858f74c | ||
|
48e0c75a26 | ||
|
ee7a16eb1a | ||
|
580251104c | ||
|
3fdba44bfa | ||
|
6ce25e00c9 | ||
|
699f2bb82e | ||
|
b7537453e3 | ||
|
9b0602766f | ||
|
e6062f28f3 | ||
|
e182e0d4f8 | ||
|
666708c47f | ||
|
d0df9a06e1 | ||
|
c1a33b7185 | ||
|
b06e4c4a5e | ||
|
7e2549a85a | ||
|
f8dada12b1 | ||
|
532b691172 | ||
|
3b7705e868 | ||
|
3dce66e869 | ||
|
90738fb148 | ||
|
3ef08ccf66 | ||
|
10ae694a92 | ||
|
bc18ef46e6 | ||
|
d149327275 | ||
|
fdd2c9d2bf | ||
|
89e6af0d9a | ||
|
9a841fdbd3 | ||
|
db93ca7b05 | ||
|
649489297b | ||
|
22eeee3592 | ||
|
15f35ca6a8 | ||
|
159b3c02f0 | ||
|
cb10fd20ba | ||
|
c79a81f601 | ||
|
4687360677 | ||
|
a6b7d6ea02 | ||
|
2e3b49dcad | ||
|
02895ec707 | ||
|
302286a29e | ||
|
024d25236a | ||
|
a334450470 | ||
|
a10fa157aa | ||
|
ffe3dde43a | ||
|
f3cc91fdf6 | ||
|
cb2e49eb54 | ||
|
046b2f049b | ||
|
a654c97b47 | ||
|
d1c8d72bc3 | ||
|
c195f38458 | ||
|
01296a6c9e | ||
|
596788ff09 | ||
|
dcf644e37a | ||
|
4db1c4e073 | ||
|
2f74ec6fdb | ||
|
e85c9419b7 | ||
|
e184e7c692 | ||
|
72acec2ddc | ||
|
eed4b0b9dc | ||
|
986635c366 | ||
|
0ab0db67ba | ||
|
8913df6284 | ||
|
b8294dba69 | ||
|
a2c0053ce8 | ||
|
5123f92551 | ||
|
ed913c1e71 | ||
|
81035c39db | ||
|
70e491fa6f | ||
|
57fd4d8859 | ||
|
7c9ee9b256 | ||
|
f3655b1360 | ||
|
0cc8be2142 | ||
|
dff13dfc7a | ||
|
ab90a9a95b | ||
|
7a9b32fbd9 | ||
|
ef5fbe15a5 | ||
|
a8e1661aa6 | ||
|
c7abb4239f | ||
|
68b4703f7a | ||
|
2e66d5f3ee | ||
|
020047aa8f | ||
|
e275dc9446 | ||
|
2a03d08a5b | ||
|
40a74df00d | ||
|
05fa996ffd | ||
|
edd2e250e8 | ||
|
5e3b25aa95 | ||
|
49663b71bb | ||
|
77f123460e | ||
|
458bfcde09 | ||
|
12bb0cba4a | ||
|
608b25df4c | ||
|
7cce0d9c9e | ||
|
cd0d180c93 | ||
|
7e83951672 | ||
|
31b43aa2f1 | ||
|
6b3018a56b |
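--- /dev/null
+++ b/.github/workflows/push.yml
@@ -0,0 +1,36 @@
+name: Wazuh Docker pipeline
+
+on: [push]
+
+jobs:
+  build-stack:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build the docker-compose stack
+        run: docker-compose -f build-from-sources.yml up -d --build
+
+      - name: Check running containers
+        run: docker ps -a
+
+      - name: Shutdown the stack
+        run: docker-compose -f build-from-sources.yml kill
+
+      - name: Install Goss
+        uses: e1himself/goss-installation-action@v1.0.3
+        with:
+          version: v0.3.16
+
+      - name: Execute Goss tests (wazuh-odfe)
+        run: dgoss run wazuh/wazuh-odfe:dev-version
+        env:
+          GOSS_SLEEP: 30
+          GOSS_FILE: .goss.yaml
+
+      - name: Execute Goss tests (wazuh-kibana-odfe)
+        run: dgoss run wazuh/wazuh-kibana-odfe:dev-version
+        env:
+          GOSS_FILE: .goss.kibana.yaml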
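Review bot: The third-party action at `uses: e1himself/goss-installation-action@v1.0.3` (and `actions/checkout@v2`) is referenced by a mutable tag, so whatever the tag resolves to at run time executes inside the job with the repository's token; pinning to the release's full commit SHA, `uses: e1himself/goss-installation-action@<commit-sha> # v1.0.3`, makes the dependency reproducible and reviewable. The `Check running containers` step only prints `docker ps -a` and can never fail, so a container that exited during `up -d --build` is not caught before the stack is killed; the later Goss runs would presumably surface that indirectly, but a `docker ps` filter with an explicit non-zero exit on a missing container would make the step an actual check. `GOSS_SLEEP: 30` is an unquoted integer that dgoss reads back from the environment as text; `GOSS_SLEEP: "30"` states the intent.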
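--- /dev/null
+++ b/.goss.kibana.yaml
@@ -0,0 +1,53 @@
+file:
+  /usr/share/kibana/config/kibana.yml:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/data/wazuh/config/wazuh.yml:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: kibana
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+user:
+  kibana:
+    exists: true
+    groups:
+      - kibana
+    home: /usr/share/kibana
+    shell: /bin/bash
+group:
+  kibana:
+    exists: true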
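Review bot: The expected `mode: "0664"` on `/usr/share/kibana/config/kibana.yml` locks in a world-readable, group-writable configuration file; kibana.yml typically carries the Elasticsearch credentials, so if the image can be tightened, the test should pin `mode: "0640"` rather than codify the looser permission. Unlike `.goss.yaml`, this file has no `process:` or `port:` section, so a kibana image whose server never starts still passes as long as the listed files and the `kibana` user exist; a `process:` entry for the Kibana server process and a `port:` check for the port the container listens on would make the test cover what the workflow is presumably after. The `contains: []` entries are no-ops and can be dropped.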
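--- /dev/null
+++ b/.goss.yaml
@@ -0,0 +1,115 @@
+file:
+  /etc/filebeat/filebeat.yml:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/bin/ossec-control:
+    exists: true
+    mode: "0750"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/etc/lists/audit-keys:
+    exists: true
+    mode: "0660"
+    owner: ossec
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/ossec.conf:
+    exists: true
+    mode: "0660"
+    owner: root
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/rules/local_rules.xml:
+    exists: true
+    mode: "0660"
+    owner: ossec
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/sslmanager.cert:
+    exists: true
+    mode: "0640"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/etc/sslmanager.key:
+    exists: true
+    mode: "0640"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  filebeat:
+    installed: true
+    versions:
+      - 7.10.0
+  wazuh-manager:
+    installed: true
+    versions:
+      - 4.1.0
+port:
+  tcp:1514:
+    listening: true
+    ip:
+      - 0.0.0.0
+  tcp:1515:
+    listening: true
+    ip:
+      - 0.0.0.0
+  tcp:55000:
+    listening: true
+    ip:
+      - 0.0.0.0
+user:
+  ossec:
+    exists: true
+    groups:
+      - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+  ossecm:
+    exists: true
+    groups:
+      - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+  ossecr:
+    exists: true
+    groups:
+      - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+group:
+  ossec:
+    exists: true
+process:
+  filebeat:
+    running: true
+  ossec-analysisd:
+    running: true
+  ossec-authd:
+    running: true
+  ossec-execd:
+    running: true
+  ossec-monitord:
+    running: true
+  ossec-remoted:
+    running: true
+  ossec-syscheckd:
+    running: true
+  s6-supervise:
+    running: true
+  wazuh-db:
+    running: true
+  wazuh-modulesd:
+    running: true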
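Review bot: The package pins under `versions:` are plain scalars (`- 7.10.0`, `- 4.1.0`); these two happen to parse as strings because of the second dot, but a future two-component value such as `7.10` would be read as the float 7.1 and the comparison would silently change, so quote them (`- "7.10.0"`, `- "4.1.0"`) the same way the `mode:` values already are. The `contains: []` line under every `file:` entry is a no-op and can be dropped, here and in `.goss.kibana.yaml`. The file checks assert ownership and mode but no content, so a `contains:` pattern on `/var/ossec/etc/ossec.conf` (for example a setting the entrypoint is expected to render) would catch a broken configuration step that the mode check cannot.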
331
CHANGELOG.md
331
CHANGELOG.md
@@ -1,5 +1,336 @@
|
|||||||
# Change Log
|
# Change Log
|
||||||
All notable changes to this project will be documented in this file.
|
All notable changes to this project will be documented in this file.
|
||||||
|
## Wazuh Docker v4.1.0
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
|
||||||
|
- Update ODFE compatibility to version 1.12.0
|
||||||
|
- Add support for Elasticsearch (xpack) images once again (7.10.2) ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
|
||||||
|
- Re-enable entrypoint scripts ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
|
||||||
|
- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
|
||||||
|
- Update s6-overlay to latest version
|
||||||
|
|
||||||
|
## Wazuh Docker v4.0.4_1.11.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v4.0.3_1.11.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 4.0.3
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v4.0.2_1.11.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 4.0.2
|
||||||
|
|
||||||
|
## Wazuh Docker v4.0.1_1.11.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 4.0.1
|
||||||
|
- Opendistro 1.11.0 compatiblity
|
||||||
|
- Re-enabled dumping ossec.log to stdout
|
||||||
|
|
||||||
|
## Wazuh Docker v4.0.0_1.10.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 4.0.0
|
||||||
|
- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393)
|
||||||
|
- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
|
||||||
|
- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
|
||||||
|
- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
|
||||||
|
- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
|
||||||
|
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Removal of Elastic images
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.13.2_7.9.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.13.2_7.9.1
|
||||||
|
- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
|
||||||
|
- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.13.1_7.8.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.13.1_7.8.0
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.13.0_7.7.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.13.3_7.7.1
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
|
||||||
|
- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.12.3_7.6.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.12.3_7.6.2
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.12.2_7.6.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.12.2_7.6.2
|
||||||
|
|
||||||
|
## Wazuh Docker v3.12.1_7.6.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.12.1_7.6.2
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.12.0_7.6.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.12.0_7.6.1
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.11.4_7.6.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.11.4_7.6.1
|
||||||
|
|
||||||
|
- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.11.3_7.5.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.11.3_7.5.2
|
||||||
|
|
||||||
|
## Wazuh Docker v3.11.2_7.5.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.11.1_7.5.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.11.1_7.5.1
|
||||||
|
- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
|
||||||
|
- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.11.0_7.5.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.11.0_7.5.1
|
||||||
|
|
||||||
|
## Wazuh Docker v3.10.2_7.5.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.10.2_7.5.0
|
||||||
|
|
||||||
|
## Wazuh Docker v3.10.2_7.3.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.10.2_7.3.2
|
||||||
|
|
||||||
|
## Wazuh Docker v3.10.0_7.3.2
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.10.0_7.3.2
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.5_7.2.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.9.5_7.2.1
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.4_7.2.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.9.4_7.2.0
|
||||||
|
- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.3_7.2.0
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.2_7.1.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.9.2_7.1.1
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.2_6.8.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.9.2_6.8.0
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.1_7.1.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Support for Elastic v7.1.0
|
||||||
|
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.1_6.8.0
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.0_6.7.2
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update Elastic Stack version to 6.7.2.
|
||||||
|
|
||||||
|
## Wazuh Docker v3.9.0_6.7.1
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
|
||||||
|
- Add Elasticsearch cluster configuration ([@SitoRBJ](https://github.com/SitoRBJ)). ([#146](https://github.com/wazuh/wazuh-docker/pull/146))
|
||||||
|
- Add Elasticsearch cluster configuration ([@Phandora](https://github.com/Phandora)) ([#140](https://github.com/wazuh/wazuh-docker/pull/140))
|
||||||
|
- Setting Nginx to support several user/passwords in Kibana ([@toniMR](https://github.com/toniMR)) ([#136](https://github.com/wazuh/wazuh-docker/pull/136))
|
||||||
|
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Use LS_JAVA_OPTS instead of old LS_HEAP_SIZE ([@ruffy91](https://github.com/ruffy91)) ([#139](https://github.com/wazuh/wazuh-docker/pull/139))
|
||||||
|
- Changing the original Wazuh docker image to allow adding code in the entrypoint ([@Phandora](https://github.com/phandora)) ([#151](https://github.com/wazuh/wazuh-docker/pull/151))
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
- Removing files from Wazuh image ([@Phandora](https://github.com/phandora)) ([#153](https://github.com/wazuh/wazuh-docker/pull/153))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.2_6.7.0
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update Elastic Stack version to 6.7.0. ([#144](https://github.com/wazuh/wazuh-docker/pull/144))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.2_6.6.2
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update Elastic Stack version to 6.6.2. ([#130](https://github.com/wazuh/wazuh-docker/pull/130))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.2_6.6.1
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update Elastic Stack version to 6.6.1. ([#129](https://github.com/wazuh/wazuh-docker/pull/129))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.2_6.5.4
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Add Wazuh-Elasticsearch. ([#106](https://github.com/wazuh/wazuh-docker/pull/106))
|
||||||
|
- Store Filebeat _/var/lib/filebeat/registry._ ([#109](https://github.com/wazuh/wazuh-docker/pull/109))
|
||||||
|
- Adding the option to disable some xpack features. ([#111](https://github.com/wazuh/wazuh-docker/pull/111))
|
||||||
|
- Wazuh-Kibana customizable at plugin level. ([#117](https://github.com/wazuh/wazuh-docker/pull/117))
|
||||||
|
- Adding env variables for alerts data flow. ([#118](https://github.com/wazuh/wazuh-docker/pull/118))
|
||||||
|
- New Logstash entrypoint added. ([#135](https://github.com/wazuh/wazuh-docker/pull/135/files))
|
||||||
|
- Welcome screen management. ([#133](https://github.com/wazuh/wazuh-docker/pull/133))
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update to Wazuh version 3.8.2. ([#105](https://github.com/wazuh/wazuh-docker/pull/105))
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
- Remove alerts created in build time. ([#137](https://github.com/wazuh/wazuh-docker/pull/137))
|
||||||
|
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.1_6.5.4
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
- Update to Wazuh version 3.8.1. ([#102](https://github.com/wazuh/wazuh-docker/pull/102))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.8.0_6.5.4
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Upgrade version 3.8.0_6.5.4. ([#97](https://github.com/wazuh/wazuh-docker/pull/97))
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
|
||||||
|
- Remove cluster.py work around. ([#99](https://github.com/wazuh/wazuh-docker/pull/99))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.7.2_6.5.4
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- Improvements to Kibana settings added. ([#91](https://github.com/wazuh/wazuh-docker/pull/91))
|
||||||
|
- Add Kibana environmental variables for Wazuh APP config.yml. ([#89](https://github.com/wazuh/wazuh-docker/pull/89))
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Update Elastic Stack version to 6.5.4. ([#82](https://github.com/wazuh/wazuh-docker/pull/82))
|
||||||
|
- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
|
||||||
|
- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
|
||||||
|
|
||||||
|
## Wazuh Docker v3.7.2_6.5.3
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Erasing temporary fix for AWS integration. ([#81](https://github.com/wazuh/wazuh-docker/pull/81))
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
|
||||||
|
- Upgrading errors due to wrong files. ([#80](https://github.com/wazuh/wazuh-docker/pull/80))
|
||||||
|
|
||||||
|
|
||||||
## Wazuh Docker v3.7.0_6.5.0
|
## Wazuh Docker v3.7.0_6.5.0
|
||||||
|
|
||||||
|
2
LICENSE
2
LICENSE
@@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
Portions Copyright (C) 2018 Wazuh, Inc.
|
Portions Copyright (C) 2021 Wazuh, Inc.
|
||||||
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
|
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
|
||||||
|
|
||||||
This program is a free software; you can redistribute it and/or modify
|
This program is a free software; you can redistribute it and/or modify
|
||||||
|
187
README.md
187
README.md
@@ -1,18 +1,19 @@
|
|||||||
# Wazuh containers for Docker
|
# Wazuh containers for Docker
|
||||||
|
|
||||||
[](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
|
[](https://wazuh.com/community/join-us-on-slack/)
|
||||||
[](https://groups.google.com/forum/#!forum/wazuh)
|
[](https://groups.google.com/forum/#!forum/wazuh)
|
||||||
[](https://documentation.wazuh.com)
|
[](https://documentation.wazuh.com)
|
||||||
[](https://wazuh.com)
|
[](https://wazuh.com)
|
||||||
|
|
||||||
In this repository you will find the containers to run:
|
In this repository you will find the containers to run:
|
||||||
|
|
||||||
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
|
* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
|
||||||
* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
|
* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
|
||||||
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
|
* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
|
||||||
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
|
|
||||||
|
|
||||||
In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
|
In addition, a docker-compose file is provided to launch the containers mentioned above.
|
||||||
|
|
||||||
|
* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
|
||||||
|
|
||||||
## Documentation
|
## Documentation
|
||||||
|
|
||||||
@@ -20,51 +21,151 @@ In addition, a docker-compose file is provided to launch the containers mentione
|
|||||||
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
|
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
|
||||||
* [Docker hub](https://hub.docker.com/u/wazuh)
|
* [Docker hub](https://hub.docker.com/u/wazuh)
|
||||||
|
|
||||||
## Current release
|
|
||||||
|
|
||||||
Containers are currently tested on Wazuh version 3.7.1 and Elastic Stack version 6.5.3. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
|
### Setup SSL certificate and Basic Authentication
|
||||||
|
|
||||||
|
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
|
||||||
|
|
||||||
|
Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
|
||||||
|
|
||||||
|
|
||||||
|
## Environment Variables
|
||||||
|
|
||||||
|
Default values are included when available.
|
||||||
|
|
||||||
|
### Wazuh
|
||||||
|
```
|
||||||
|
API_USERNAME="wazuh" # Wazuh API username
|
||||||
|
API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements
|
||||||
|
# (8+ length, uppercase, lowercase, specials chars)
|
||||||
|
|
||||||
|
ELASTICSEARCH_URL=https://elasticsearch:9200 # Elasticsearch URL
|
||||||
|
ELASTIC_USERNAME=admin # Elasticsearch Username
|
||||||
|
ELASTIC_PASSWORD=admin # Elasticsearch Password
|
||||||
|
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
|
||||||
|
SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA
|
||||||
|
SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate
|
||||||
|
SSL_KEY="" # Path of Filebeat SSL Key
|
||||||
|
```
|
||||||
|
|
||||||
|
### Kibana
|
||||||
|
```
|
||||||
|
PATTERN="wazuh-alerts-*" # Default index pattern to use
|
||||||
|
|
||||||
|
CHECKS_PATTERN=true # Defines which checks must to be consider by the healthcheck
|
||||||
|
CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must to be true or false
|
||||||
|
CHECKS_API=true
|
||||||
|
CHECKS_SETUP=true
|
||||||
|
|
||||||
|
EXTENSIONS_PCI=true # Enable PCI Extension
|
||||||
|
EXTENSIONS_GDPR=true # Enable GDPR Extension
|
||||||
|
EXTENSIONS_HIPAA=true # Enable HIPAA Extension
|
||||||
|
EXTENSIONS_NIST=true # Enable NIST Extension
|
||||||
|
EXTENSIONS_TSC=true # Enable TSC Extension
|
||||||
|
EXTENSIONS_AUDIT=true # Enable Audit Extension
|
||||||
|
EXTENSIONS_OSCAP=false # Enable OpenSCAP Extension
|
||||||
|
EXTENSIONS_CISCAT=false # Enable CISCAT Extension
|
||||||
|
EXTENSIONS_AWS=false # Enable AWS Extension
|
||||||
|
EXTENSIONS_GCP=false # Enable GCP Extension
|
||||||
|
EXTENSIONS_VIRUSTOTAL=false # Enable Virustotal Extension
|
||||||
|
EXTENSIONS_OSQUERY=false # Enable OSQuery Extension
|
||||||
|
EXTENSIONS_DOCKER=false # Enable Docker Extension
|
||||||
|
|
||||||
|
APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests
|
||||||
|
|
||||||
|
API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
|
||||||
|
IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
|
||||||
|
IP_IGNORE="[]" # List of index patterns to be ignored
|
||||||
|
|
||||||
|
WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices
|
||||||
|
WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task
|
||||||
|
WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas
|
||||||
|
WAZUH_MONITORING_REPLICAS=0 #
|
||||||
|
|
||||||
|
ADMIN_PRIVILEGES=true # App privileges
|
||||||
|
```
|
||||||
|
|
||||||
## Directory structure
|
## Directory structure
|
||||||
|
|
||||||
wazuh-docker
|
├── CHANGELOG.md
|
||||||
├── docker-compose.yml
|
├── docker-compose.yml
|
||||||
├── kibana
|
├── generate-opendistro-certs.yml
|
||||||
│ ├── config
|
├── kibana-odfe
|
||||||
│ │ ├── entrypoint.sh
|
│ ├── config
|
||||||
│ │ └── kibana.yml
|
│ │ ├── custom_welcome
|
||||||
│ └── Dockerfile
|
│ │ │ ├── light_theme.style.css
|
||||||
├── LICENSE
|
│ │ │ ├── template.js.hbs
|
||||||
├── logstash
|
│ │ │ ├── wazuh_logo_circle.svg
|
||||||
│ ├── config
|
│ │ │ └── wazuh_wazuh_bg.svg
|
||||||
│ │ ├── 01-wazuh.conf
|
│ │ ├── entrypoint.sh
|
||||||
│ │ └── run.sh
|
│ │ ├── kibana_settings.sh
|
||||||
│ └── Dockerfile
|
│ │ ├── wazuh_app_config.sh
|
||||||
├── nginx
|
│ │ ├── wazuh.yml
|
||||||
│ ├── config
|
│ │ └── welcome_wazuh.sh
|
||||||
│ │ └── entrypoint.sh
|
│ └── Dockerfile
|
||||||
│ └── Dockerfile
|
├── LICENSE
|
||||||
├── README.md
|
├── production_cluster
|
||||||
├── CHANGELOG.md
|
│ ├── elastic_opendistro
|
||||||
├── VERSION
|
│ │ ├── elasticsearch-node1.yml
|
||||||
├── test.txt
|
│ │ ├── elasticsearch-node2.yml
|
||||||
└── wazuh
|
│ │ ├── elasticsearch-node3.yml
|
||||||
├── config
|
│ │ └── internal_users.yml
|
||||||
│ ├── data_dirs.env
|
│ ├── kibana_ssl
|
||||||
│ ├── entrypoint.sh
|
│ │ └── generate-self-signed-cert.sh
|
||||||
│ ├── filebeat.runit.service
|
│ ├── nginx
|
||||||
│ ├── filebeat.yml
|
│ │ ├── nginx.conf
|
||||||
│ ├── init.bash
|
│ │ └── ssl
|
||||||
│ ├── postfix.runit.service
|
│ │ └── generate-self-signed-cert.sh
|
||||||
│ ├── wazuh-api.runit.service
|
│ ├── ssl_certs
|
||||||
│ └── wazuh.runit.service
|
│ │ └── certs.yml
|
||||||
└── Dockerfile
|
│ └── wazuh_cluster
|
||||||
|
│ ├── wazuh_manager.conf
|
||||||
|
│ └── wazuh_worker.conf
|
||||||
|
├── production-cluster.yml
|
||||||
|
├── README.md
|
||||||
|
├── VERSION
|
||||||
|
└── wazuh-odfe
|
||||||
|
├── config
|
||||||
|
│ ├── create_user.py
|
||||||
|
│ ├── etc
|
||||||
|
│ │ ├── cont-init.d
|
||||||
|
│ │ │ ├── 0-wazuh-init
|
||||||
|
│ │ │ ├── 1-config-filebeat
|
||||||
|
│ │ │ └── 2-manager
|
||||||
|
│ │ └── services.d
|
||||||
|
│ │ └── filebeat
|
||||||
|
│ │ ├── finish
|
||||||
|
│ │ └── run
|
||||||
|
│ ├── filebeat.yml
|
||||||
|
│ ├── permanent_data.env
|
||||||
|
│ ├── permanent_data.sh
|
||||||
|
│ └── wazuh.repo
|
||||||
|
└── Dockerfile
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Branches
|
## Branches
|
||||||
|
|
||||||
* `stable` branch on correspond to the last Wazuh-Docker stable version.
|
* `4.0` branch on correspond to the latest Wazuh-Docker stable version.
|
||||||
* `master` branch contains the latest code, be aware of possible bugs on this branch.
|
* `master` branch contains the latest code, be aware of possible bugs on this branch.
|
||||||
* `Wazuh.Version_ElsaticStack.Version` (for example 3.7.0_6.4.3) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
|
* `Wazuh.Version` (for example 3.13.1_7.8.0 or 4.1.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
|
||||||
|
|
||||||
|
|
||||||
|
## Compatibility Matrix
|
||||||
|
|
||||||
|
| Wazuh version | ODFE | XPACK |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.1.0 | 1.12.0 | 7.10.2 |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.0.4 | 1.11.0 | |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.0.3 | 1.11.0 | |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.0.2 | 1.11.0 | |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.0.1 | 1.11.0 | |
|
||||||
|
|---------------|---------|--------|
|
||||||
|
| v4.0.0 | 1.10.1 | |
|
||||||
|
|
||||||
## Credits and Thank you
|
## Credits and Thank you
|
||||||
|
|
||||||
@@ -77,7 +178,7 @@ We thank you them and everyone else who has contributed to this project.
|
|||||||
|
|
||||||
## License and copyright
|
## License and copyright
|
||||||
|
|
||||||
Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
|
||||||
## Web references
|
## Web references
|
||||||
|
|
||||||
|
4
VERSION
4
VERSION
@@ -1,2 +1,2 @@
|
|||||||
WAZUH-DOCKER_VERSION="3.7.1_6.5.3"
|
WAZUH-DOCKER_VERSION="4.1.0"
|
||||||
REVISION="3726"
|
REVISION="41000"
|
||||||
|
84
build-from-sources.yml
Normal file
84
build-from-sources.yml
Normal file
@@ -0,0 +1,84 @@
|
|||||||
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
version: '3.7'
|
||||||
|
|
||||||
|
services:
|
||||||
|
wazuh:
|
||||||
|
build: wazuh-odfe/
|
||||||
|
image: wazuh/wazuh-odfe:dev-version
|
||||||
|
hostname: wazuh-manager
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "1514:1514"
|
||||||
|
- "1515:1515"
|
||||||
|
- "514:514/udp"
|
||||||
|
- "55000:55000"
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=admin
|
||||||
|
- ELASTIC_PASSWORD=admin
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=none
|
||||||
|
volumes:
|
||||||
|
- ossec_api_configuration:/var/ossec/api/configuration
|
||||||
|
- ossec_etc:/var/ossec/etc
|
||||||
|
- ossec_logs:/var/ossec/logs
|
||||||
|
- ossec_queue:/var/ossec/queue
|
||||||
|
- ossec_var_multigroups:/var/ossec/var/multigroups
|
||||||
|
- ossec_integrations:/var/ossec/integrations
|
||||||
|
- ossec_active_response:/var/ossec/active-response/bin
|
||||||
|
- ossec_agentless:/var/ossec/agentless
|
||||||
|
- ossec_wodles:/var/ossec/wodles
|
||||||
|
- filebeat_etc:/etc/filebeat
|
||||||
|
- filebeat_var:/var/lib/filebeat
|
||||||
|
|
||||||
|
elasticsearch:
|
||||||
|
image: amazon/opendistro-for-elasticsearch:1.12.0
|
||||||
|
hostname: elasticsearch
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "9200:9200"
|
||||||
|
environment:
|
||||||
|
- discovery.type=single-node
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- network.host=0.0.0.0
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
build: kibana-odfe/
|
||||||
|
image: wazuh/wazuh-kibana-odfe:dev-version
|
||||||
|
hostname: kibana
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 443:5601
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_USERNAME=admin
|
||||||
|
- ELASTICSEARCH_PASSWORD=admin
|
||||||
|
- SERVER_SSL_ENABLED=true
|
||||||
|
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
|
||||||
|
- SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- elasticsearch
|
||||||
|
links:
|
||||||
|
- elasticsearch:elasticsearch
|
||||||
|
- wazuh:wazuh
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
ossec_api_configuration:
|
||||||
|
ossec_etc:
|
||||||
|
ossec_logs:
|
||||||
|
ossec_queue:
|
||||||
|
ossec_var_multigroups:
|
||||||
|
ossec_integrations:
|
||||||
|
ossec_active_response:
|
||||||
|
ossec_agentless:
|
||||||
|
ossec_wodles:
|
||||||
|
filebeat_etc:
|
||||||
|
filebeat_var:
|
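Review bot: The wazuh and kibana services are wired to the ODFE demo credentials (`ELASTIC_PASSWORD=admin`, `ELASTICSEARCH_PASSWORD=admin`) and Filebeat is started with `FILEBEAT_SSL_VERIFICATION_MODE=none`, with nothing in the file marking these as development-only defaults; the following `@@ -1,101 +1,82 @@` hunk (the compose file moved to `wazuh/wazuh-odfe:4.1.0`) carries the same values. A header comment above `services:` such as `# Development defaults: demo credentials, Filebeat certificate verification disabled - change the passwords and set FILEBEAT_SSL_VERIFICATION_MODE=full before exposing the stack` would make that explicit, especially since the README in this same commit lists `full` as the Filebeat default. Minor: `- 443:5601` is the only unquoted port mapping in the file; `- "443:5601"` keeps it consistent with the others.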
@@ -1,101 +1,82 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
version: '2'
|
version: '3.7'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
wazuh:
|
wazuh:
|
||||||
image: wazuh/wazuh:3.7.1_6.5.3
|
image: wazuh/wazuh-odfe:4.1.0
|
||||||
hostname: wazuh-manager
|
hostname: wazuh-manager
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- "1514:1514/udp"
|
- "1514:1514"
|
||||||
- "1515:1515"
|
- "1515:1515"
|
||||||
- "514:514/udp"
|
- "514:514/udp"
|
||||||
- "55000:55000"
|
- "55000:55000"
|
||||||
# - "1516:1516"
|
|
||||||
networks:
|
|
||||||
- docker_elk
|
|
||||||
# volumes:
|
|
||||||
# - my-path:/var/ossec/data:Z
|
|
||||||
# - my-path:/etc/postfix:Z
|
|
||||||
# - my-path:/etc/filebeat
|
|
||||||
# - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
|
|
||||||
# command: ["echo 'hello world'"]
|
|
||||||
depends_on:
|
|
||||||
- logstash
|
|
||||||
logstash:
|
|
||||||
image: wazuh/wazuh-logstash:3.7.1_6.5.3
|
|
||||||
hostname: logstash
|
|
||||||
restart: always
|
|
||||||
# volumes:
|
|
||||||
# - my-path:/etc/logstash/conf.d:Z
|
|
||||||
links:
|
|
||||||
- elasticsearch:elasticsearch
|
|
||||||
ports:
|
|
||||||
- "5000:5000"
|
|
||||||
networks:
|
|
||||||
- docker_elk
|
|
||||||
depends_on:
|
|
||||||
- elasticsearch
|
|
||||||
environment:
|
environment:
|
||||||
- LS_HEAP_SIZE=2048m
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=admin
|
||||||
|
- ELASTIC_PASSWORD=admin
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=none
|
||||||
|
volumes:
|
||||||
|
- ossec_api_configuration:/var/ossec/api/configuration
|
||||||
|
- ossec_etc:/var/ossec/etc
|
||||||
|
- ossec_logs:/var/ossec/logs
|
||||||
|
- ossec_queue:/var/ossec/queue
|
||||||
|
- ossec_var_multigroups:/var/ossec/var/multigroups
|
||||||
|
- ossec_integrations:/var/ossec/integrations
|
||||||
|
- ossec_active_response:/var/ossec/active-response/bin
|
||||||
|
- ossec_agentless:/var/ossec/agentless
|
||||||
|
- ossec_wodles:/var/ossec/wodles
|
||||||
|
- filebeat_etc:/etc/filebeat
|
||||||
|
- filebeat_var:/var/lib/filebeat
|
||||||
|
|
||||||
elasticsearch:
|
elasticsearch:
|
||||||
image: docker.elastic.co/elasticsearch/elasticsearch:6.5.3
|
image: amazon/opendistro-for-elasticsearch:1.12.0
|
||||||
hostname: elasticsearch
|
hostname: elasticsearch
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- "9200:9200"
|
- "9200:9200"
|
||||||
# - "9300:9300"
|
|
||||||
environment:
|
environment:
|
||||||
- node.name=node-1
|
- discovery.type=single-node
|
||||||
- cluster.name=wazuh
|
- cluster.name=wazuh-cluster
|
||||||
- network.host=0.0.0.0
|
- network.host=0.0.0.0
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
- bootstrap.memory_lock=true
|
- bootstrap.memory_lock=true
|
||||||
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
|
|
||||||
ulimits:
|
ulimits:
|
||||||
memlock:
|
memlock:
|
||||||
soft: -1
|
soft: -1
|
||||||
hard: -1
|
hard: -1
|
||||||
mem_limit: 2g
|
nofile:
|
||||||
# volumes:
|
soft: 65536
|
||||||
# - my-path:/usr/share/elasticsearch/data:Z
|
hard: 65536
|
||||||
networks:
|
|
||||||
- docker_elk
|
|
||||||
kibana:
|
kibana:
|
||||||
image: wazuh/wazuh-kibana:3.7.1_6.5.3
|
image: wazuh/wazuh-kibana-odfe:4.1.0
|
||||||
hostname: kibana
|
hostname: kibana
|
||||||
restart: always
|
restart: always
|
||||||
# ports:
|
ports:
|
||||||
# - "5601:5601"
|
- 443:5601
|
||||||
# environment:
|
environment:
|
||||||
# - ELASTICSEARCH_URL=http://elasticsearch:9200
|
- ELASTICSEARCH_USERNAME=admin
|
||||||
networks:
|
- ELASTICSEARCH_PASSWORD=admin
|
||||||
- docker_elk
|
- SERVER_SSL_ENABLED=true
|
||||||
|
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
|
||||||
|
- SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
|
||||||
|
|
||||||
depends_on:
|
depends_on:
|
||||||
- elasticsearch
|
- elasticsearch
|
||||||
links:
|
links:
|
||||||
- elasticsearch:elasticsearch
|
- elasticsearch:elasticsearch
|
||||||
- wazuh:wazuh
|
- wazuh:wazuh
|
||||||
nginx:
|
|
||||||
image: wazuh/wazuh-nginx:3.7.1_6.5.3
|
|
||||||
hostname: nginx
|
|
||||||
restart: always
|
|
||||||
environment:
|
|
||||||
- NGINX_PORT=443
|
|
||||||
ports:
|
|
||||||
- "80:80"
|
|
||||||
- "443:443"
|
|
||||||
# volumes:
|
|
||||||
# - my-path:/etc/nginx/conf.d:Z
|
|
||||||
networks:
|
|
||||||
- docker_elk
|
|
||||||
depends_on:
|
|
||||||
- kibana
|
|
||||||
links:
|
|
||||||
- kibana:kibana
|
|
||||||
|
|
||||||
networks:
|
volumes:
|
||||||
docker_elk:
|
ossec_api_configuration:
|
||||||
driver: bridge
|
ossec_etc:
|
||||||
ipam:
|
ossec_logs:
|
||||||
config:
|
ossec_queue:
|
||||||
- subnet: 172.25.0.0/24
|
ossec_var_multigroups:
|
||||||
|
ossec_integrations:
|
||||||
|
ossec_active_response:
|
||||||
|
ossec_agentless:
|
||||||
|
ossec_wodles:
|
||||||
|
filebeat_etc:
|
||||||
|
filebeat_var:
|
||||||
|
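Review bot: The kibana service now publishes port 443 directly with `SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert` and the matching `.key`, which by its name looks like the demo certificate shipped inside the ODFE Kibana image, while the removed nginx service was where the site certificate used to be configured; build-from-sources.yml above uses the same paths. A comment next to those two lines, e.g. `# demo certificate from the base image - mount your own certificate and key over these paths for any real deployment`, would tell operators what has to be replaced. The removed `mem_limit: 2g` on elasticsearch has no counterpart in the new file, so the node runs without a container memory ceiling; presumably intended alongside the smaller `-Xms512m -Xmx512m` heap, but a one-line comment would confirm it.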
17
generate-elasticsearch-certs.yml
Normal file
17
generate-elasticsearch-certs.yml
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
version: '2.2'
|
||||||
|
|
||||||
|
services:
|
||||||
|
generator:
|
||||||
|
container_name: generator
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
command: >
|
||||||
|
bash -c '
|
||||||
|
if [[ ! -f config/certificates/bundle.zip ]]; then
|
||||||
|
bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip;
|
||||||
|
unzip config/certificates/bundle.zip -d config/certificates/;
|
||||||
|
fi;
|
||||||
|
chown -R 1000:0 /certs
|
||||||
|
'
|
||||||
|
user: "0"
|
||||||
|
working_dir: /usr/share/elasticsearch
|
||||||
|
volumes: ['./xpack:/usr/share/elasticsearch/config/certificates']
|
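Review bot: `chown -R 1000:0 /certs` at the end of the generator command targets a path that nothing in this file mounts; the bundle is unzipped under `config/certificates/` (the `./xpack` bind mount), and because the container runs with `user: "0"` those files are left root-owned on the host. Either the chown should point at the directory the script actually wrote to, `chown -R 1000:0 config/certificates`, or a comment should say what `/certs` is expected to be. The folded `command: >` also collapses the bash script onto one line at parse time; a `|` block scalar would keep it readable in the file and is safer if a line without a trailing `;` is ever added.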
10
generate-opendistro-certs.yml
Normal file
10
generate-opendistro-certs.yml
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
generator:
|
||||||
|
image: wazuh/opendistro-certs-generator:0.1
|
||||||
|
hostname: opendistro-certs-generator
|
||||||
|
volumes:
|
||||||
|
- ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
|
||||||
|
- ./production_cluster/ssl_certs/:/usr/src/certs/out/
|
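Review bot: The generator writes its output, including private keys, into `./production_cluster/ssl_certs/`, a directory inside the repository checkout, and nothing in the file says so; a comment above the second volume line such as `# output directory - holds generated private keys, keep it out of version control` would make the handling of that material explicit (whether the path is git-ignored is not visible on this page). Minor: `version: '3'` differs from the `'3.7'` used by the other compose files in this commit.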
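--- /dev/null
+++ b/kibana-odfe/Dockerfile
@@ -0,0 +1,59 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM amazon/opendistro-for-elasticsearch-kibana:1.12.0
+USER kibana
+ARG ELASTIC_VERSION=7.10.0
+ARG WAZUH_VERSION=4.1.0
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
+
+WORKDIR /
+USER root
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+ENV PATTERN="" \
+CHECKS_PATTERN="" \
+CHECKS_TEMPLATE="" \
+CHECKS_API="" \
+CHECKS_SETUP="" \
+EXTENSIONS_PCI="" \
+EXTENSIONS_GDPR="" \
+EXTENSIONS_HIPAA="" \
+EXTENSIONS_NIST="" \
+EXTENSIONS_TSC="" \
+EXTENSIONS_AUDIT="" \
+EXTENSIONS_OSCAP="" \
+EXTENSIONS_CISCAT="" \
+EXTENSIONS_AWS="" \
+EXTENSIONS_GCP="" \
+EXTENSIONS_VIRUSTOTAL="" \
+EXTENSIONS_OSQUERY="" \
+EXTENSIONS_DOCKER="" \
+APP_TIMEOUT="" \
+API_SELECTOR="" \
+IP_SELECTOR="" \
+IP_IGNORE="" \
+WAZUH_MONITORING_ENABLED="" \
+WAZUH_MONITORING_FREQUENCY="" \
+WAZUH_MONITORING_SHARDS="" \
+WAZUH_MONITORING_REPLICAS="" \
+ADMIN_PRIVILEGES=""
+
+USER kibana
+
+COPY ./config/custom_welcome /tmp/custom_welcome
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+RUN chmod +x ./welcome_wazuh.sh
+ARG CHANGE_WELCOME="true"
+RUN ./welcome_wazuh.sh
+
+COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+RUN chmod +x ./kibana_settings.sh
+
+ENTRYPOINT ./entrypoint.sh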
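Review bot: `ENTRYPOINT ./entrypoint.sh` on the last line is the shell form, so the container's PID 1 is `/bin/sh -c` and stop signals reach that shell rather than the script; the exec form `ENTRYPOINT ["./entrypoint.sh"]` removes the extra shell. The Wazuh plugin is fetched at build time by `RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip` with no integrity check beyond TLS; a comment recording where the published checksum for that zip lives, or a verification step if one is available, would document that build input. `ARG CHANGE_WELCOME="true"` would also be clearer with a comment saying what `welcome_wazuh.sh` does with it, since that script is not on this page.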
4349
kibana-odfe/config/custom_welcome/light_theme.style.css
Normal file
4349
kibana-odfe/config/custom_welcome/light_theme.style.css
Normal file
112
kibana-odfe/config/custom_welcome/template.js.hbs
Normal file
112
kibana-odfe/config/custom_welcome/template.js.hbs
Normal file
@@ -0,0 +1,112 @@
|
|||||||
|
var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
|
||||||
|
window.__kbnStrictCsp__ = kbnCsp.strictCsp;
|
||||||
|
window.__kbnThemeTag__ = "{{themeTag}}";
|
||||||
|
window.__kbnPublicPath__ = {{publicPathMap}};
|
||||||
|
window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
|
||||||
|
|
||||||
|
if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
|
||||||
|
var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
|
||||||
|
legacyBrowserError.style.display = 'flex';
|
||||||
|
} else {
|
||||||
|
if (!window.__kbnCspNotEnforced__ && window.console) {
|
||||||
|
window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
|
||||||
|
}
|
||||||
|
var loadingMessage = document.getElementById('kbn_loading_message');
|
||||||
|
loadingMessage.style.display = 'flex';
|
||||||
|
|
||||||
|
window.onload = function () {
|
||||||
|
//WAZUH
|
||||||
|
var interval = setInterval(() => {
|
||||||
|
var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
|
||||||
|
if (!!title) {
|
||||||
|
clearInterval(interval);
|
||||||
|
var content = document.querySelector("#kibana-body > div");
|
||||||
|
content.classList.add("wz-login")
|
||||||
|
title.textContent = "Welcome to Wazuh";
|
||||||
|
var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
|
||||||
|
subtitle.textContent = "The Open Source Security Platform";
|
||||||
|
var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
|
||||||
|
logo.remove();
|
||||||
|
var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
|
||||||
|
$(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
|
||||||
|
}
|
||||||
|
})
|
||||||
|
//
|
||||||
|
|
||||||
|
function failure() {
|
||||||
|
// make subsequent calls to failure() noop
|
||||||
|
failure = function () {};
|
||||||
|
|
||||||
|
var err = document.createElement('h1');
|
||||||
|
err.style['color'] = 'white';
|
||||||
|
err.style['font-family'] = 'monospace';
|
||||||
|
err.style['text-align'] = 'center';
|
||||||
|
err.style['background'] = '#F44336';
|
||||||
|
err.style['padding'] = '25px';
|
||||||
|
err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
|
||||||
|
|
||||||
|
document.body.innerHTML = err.outerHTML;
|
||||||
|
}
|
||||||
|
|
||||||
|
var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
|
||||||
|
function loadStyleSheet(url, cb) {
|
||||||
|
var dom = document.createElement('link');
|
||||||
|
dom.rel = 'stylesheet';
|
||||||
|
dom.type = 'text/css';
|
||||||
|
dom.href = url;
|
||||||
|
dom.addEventListener('error', failure);
|
||||||
|
dom.addEventListener('load', cb);
|
||||||
|
document.head.insertBefore(dom, stylesheetTarget);
|
||||||
|
}
|
||||||
|
|
||||||
|
var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
|
||||||
|
function loadScript(url, cb) {
|
||||||
|
var dom = document.createElement('script');
|
||||||
|
{{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
|
||||||
|
dom.async = false;
|
||||||
|
dom.src = url;
|
||||||
|
dom.addEventListener('error', failure);
|
||||||
|
dom.addEventListener('load', cb);
|
||||||
|
document.head.insertBefore(dom, scriptsTarget);
|
||||||
|
}
|
||||||
|
|
||||||
|
function load(urls, cb) {
|
||||||
|
var pending = urls.length;
|
||||||
|
urls.forEach(function (url) {
|
||||||
|
var innerCb = function () {
|
||||||
|
pending = pending - 1;
|
||||||
|
if (pending === 0 && typeof cb === 'function') {
|
||||||
|
cb();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (typeof url !== 'string') {
|
||||||
|
load(url, innerCb);
|
||||||
|
} else if (url.slice(-4) === '.css') {
|
||||||
|
loadStyleSheet(url, innerCb);
|
||||||
|
} else {
|
||||||
|
loadScript(url, innerCb);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
load([
|
||||||
|
{{#each jsDependencyPaths}}
|
||||||
|
'{{this}}',
|
||||||
|
{{/each}}
|
||||||
|
], function () {
|
||||||
|
{{#unless legacyBundlePath}}
|
||||||
|
__kbnBundles__.get('entry/core/public').__kbnBootstrap__();
|
||||||
|
{{/unless}}
|
||||||
|
|
||||||
|
load([
|
||||||
|
{{#if legacyBundlePath}}
|
||||||
|
'{{legacyBundlePath}}',
|
||||||
|
{{/if}}
|
||||||
|
{{#each styleSheetPaths}}
|
||||||
|
'{{this}}',
|
||||||
|
{{/each}}
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
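Review bot: The Wazuh branding block inside `window.onload` calls `setInterval(() => { ... })` with no delay argument and clears the timer only once the login-title selector matches, so on any page where that element never appears the callback keeps running at the browser's minimum timer interval for the life of the page. Passing a delay and giving up after a bounded number of attempts fixes both: `var attempts = 0;` before the timer, a second argument such as `250` on `setInterval`, and `if (!title && ++attempts > 40) { clearInterval(interval); return; }` as the first statement of the callback. Inside the matched branch, `subtitle.textContent = ...` and `logo.remove()` also assume their own selectors matched, and `$(logoContainer).prepend(...)` assumes a global jQuery `$` is available by the time `onload` fires; both look like assumptions worth a comment. The `//WAZUH` / `//` markers delimit the custom part of an otherwise stock Kibana bootstrap template, but a one-line comment saying why the login markup is patched at runtime would help whoever next rebases this file.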
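--- /dev/null
+++ b/kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>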
1
kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg
Normal file
1
kibana-odfe/config/custom_welcome/wazuh_wazuh_bg.svg
Normal file
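--- /dev/null
+++ b/kibana-odfe/config/entrypoint.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
+if [[ ${ENABLED_SECURITY} == "false" ]]; then
+export el_url="http://elasticsearch:9200"
+else
+export el_url="https://elasticsearch:9200"
+fi
+else
+export el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
+auth=""
+# remove security plugin from kibana if elasticsearch is not using it either
+/usr/share/kibana/bin/kibana-plugin remove opendistro_security
+else
+export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+fi
+
+until curl -XGET $el_url ${auth}; do
+>&2 echo "Elastic is unavailable - sleeping"
+sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+strlen=${#template}
+>&2 echo "Wazuh alerts template not loaded - sleeping."
+sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+sleep 2
+
+/usr/local/bin/kibana-docker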
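Review bot: `/usr/share/kibana/bin/kibana-plugin remove opendistro_security` runs unconditionally in the no-security branch under `set -e`; on a container restart (the compose files in this commit use `restart: always`) the plugin is already gone, and if kibana-plugin reports a missing plugin as a failure the entrypoint exits before Kibana starts. Guarding it with `if /usr/share/kibana/bin/kibana-plugin list | grep -q opendistro_security; then` keeps the first-start behaviour and makes restarts safe. The credentials in `export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"` are placed on every curl command line, so they are readable in the container's process list while the wait loops run; a curl config file (`-K`) or `--netrc-file` keeps them off the command line. The template wait loop also treats any non-empty body from `_cat/templates/wazuh` as "loaded", so an error response (for example a rejected login) ends the wait early; checking the HTTP status as well would be stricter. Finally, `/usr/local/bin/kibana-docker` is not `exec`'d, so bash stays the parent of the Kibana process; `exec /usr/local/bin/kibana-docker` is the usual form.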
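--- /dev/null
+++ b/kibana-odfe/config/kibana_settings.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=4
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
+# disable multitenancy
+sed -i "s|opendistro_security.multitenancy.enabled:.*|opendistro_security.multitenancy.enabled: false|g" /usr/share/kibana/config/kibana.yml
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+fi
+echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+while [[ "$(curl -XGET -I -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
+echo "Waiting for Kibana API. Sleeping 5 seconds"
+sleep 5
+done
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+"changes": {
+"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+}
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
+
+echo "End settings"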
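Review bot: The header comment lists three actions - default index, a 24-hour Discover interval, and suppressing the usage-statistics prompt - but the script only sets the default index and a time picker of `now-12h`; nothing here touches telemetry. The comment should match what runs, e.g. `# Set the Discover time range to the last 12 hours.` and drop the usage-statistics line, or the missing setting should be added. The readiness loop polls `https://127.0.0.1:5601/app/login`, which depends on the security plugin being installed; entrypoint.sh in this commit removes `opendistro_security` when `ENABLED_SECURITY` is false, and if the login route then stops answering 200 the loop never exits and neither setting is applied (the route's behaviour without the plugin is not visible here, so this is inferred). The script also relies on `el_url` and `auth` being exported by entrypoint.sh; a comment at the top naming that contract would help anyone running it by hand.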
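--- a/kibana-odfe/config/wazuh.yml
+++ b/kibana-odfe/config/wazuh.yml
@@ -0,0 +1,162 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2021 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api : true
+#checks.setup : true
+#checks.metaFields: true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci : true
+#extensions.gdpr : true
+#extensions.hipaa : true
+#extensions.nist : true
+#extensions.tsc : true
+#extensions.audit : true
+#extensions.oscap : false
+#extensions.ciscat : false
+#extensions.aws : false
+#extensions.gcp : false
+#extensions.virustotal: false
+#extensions.osquery : false
+#extensions.docker : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# -------------------------------- API selector --------------------------------
+#
+# Defines if the user is allowed to change the selected
+# API directly from the Wazuh app top menu.
+# Default: true
+#api.selector: true
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-*
+#
+# --------------------------------- wazuh-cron ----------------------------------
+#
+# Customize the index prefix of predefined jobs
+# This change is not retroactive, if you change it new indexes will be created
+# cron.prefix: test
+#
+# ------------------------------ wazuh-statistics -------------------------------
+#
+# Custom setting to enable/disable statistics tasks.
+#cron.statistics.status: true
+#
+# Enter the ID of the APIs you want to save data from, leave this empty to run
+# the task on all configured APIs
+#cron.statistics.apis: []
+#
+# Define the frequency of task execution using cron schedule expressions
+#cron.statistics.interval: 0 0 * * * *
+#
+# Define the name of the index in which the documents are to be saved.
+#cron.statistics.index.name: statistics
+#
+# Define the interval in which the index will be created
+#cron.statistics.index.creation: w
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ---------------------------- Hide manager alerts ------------------------------
+# Hide the alerts of the manager in all dashboards and discover
+#hideManagerAlerts: false
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+# -------------------------------- Enrollment DNS -------------------------------
+# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
+# Default value: ''
+#enrollment.dns: ''
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+# - <id>:
+# url: http(s)://<url>
+# port: <port>
+# username: <username>
+# password: <password>
+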
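--- a/kibana-odfe/config/wazuh_app_config.sh
+++ b/kibana-odfe/config/wazuh_app_config.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
+
+declare -A CONFIG_MAP=(
+[pattern]=$PATTERN
+[checks.pattern]=$CHECKS_PATTERN
+[checks.template]=$CHECKS_TEMPLATE
+[checks.api]=$CHECKS_API
+[checks.setup]=$CHECKS_SETUP
+[extensions.pci]=$EXTENSIONS_PCI
+[extensions.gdpr]=$EXTENSIONS_GDPR
+[extensions.hipaa]=$EXTENSIONS_HIPAA
+[extensions.nist]=$EXTENSIONS_NIST
+[extensions.tsc]=$EXTENSIONS_TSC
+[extensions.audit]=$EXTENSIONS_AUDIT
+[extensions.oscap]=$EXTENSIONS_OSCAP
+[extensions.ciscat]=$EXTENSIONS_CISCAT
+[extensions.aws]=$EXTENSIONS_AWS
+[extensions.gcp]=$EXTENSIONS_GCP
+[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+[extensions.osquery]=$EXTENSIONS_OSQUERY
+[extensions.docker]=$EXTENSIONS_DOCKER
+[timeout]=$APP_TIMEOUT
+[api.selector]=$API_SELECTOR
+[ip.selector]=$IP_SELECTOR
+[ip.ignore]=$IP_IGNORE
+[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+[admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+if [ "${CONFIG_MAP[$i]}" != "" ]; then
+sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+fi
+done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file
+hosts:
+- 1513629884013:
+url: $wazuh_url
+port: $wazuh_port
+username: $api_username
+password: $api_password
+EOF
+else
+echo "Wazuh APP already configured"
+fi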
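Review bot: The `sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file` line splices each environment value into the sed replacement unescaped, so a value containing `/`, `&` or `\` (plausible for PATTERN or IP_IGNORE) either aborts sed or is rewritten, and since this script runs without `set -e` the failure is silent. Escape the value first, `safe=$(printf '%s' "${CONFIG_MAP[$i]}" | sed 's/[\/&\\]/\\&/g')`, then substitute with `sed -i 's/.*#'"$i"'.*/'"$i"': '"$safe"'/' "$kibana_config_file"`. The `hosts:` block written by the heredoc stores the API password in clear text in wazuh.yml and falls back to the published `wazuh-wui` credential when API_PASSWORD is unset, so a comment above `api_password=` should state that operators are expected to override it and that the file must stay readable only by the kibana user. `$auth` and `$el_url` are never set here and presumably arrive from the exporting entrypoint; a one-line comment naming that dependency would save the next reader a search. kibana/config/wazuh_app_config.sh appears to be the same script and would need the same changes.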
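--- a/kibana-odfe/config/welcome_wazuh.sh
+++ b/kibana-odfe/config/welcome_wazuh.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+echo "Set Wazuh app as the default landing page"
+echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+
+echo "Set custom welcome styles"
+cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
+cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css
+cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/
+fi
+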
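Review bot: `echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml` appends the key unconditionally, so if kibana.yml survives a container restart (a persisted config volume, for instance) the file accumulates duplicate `server.defaultRoute` keys and the parser's last-wins behaviour decides which one applies. The kibana_settings.sh scripts in this same change guard their appends with a `grep -q` check, and this script should follow that pattern: `grep -q 'server.defaultRoute' /usr/share/kibana/config/kibana.yml || echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml`. The three `cp -f` lines run without `set -e`, so a missing asset under /tmp/custom_welcome is only reported on stderr while the script still exits 0; a comment should say whether that best-effort behaviour is intended.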
@@ -1,19 +1,64 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
FROM docker.elastic.co/kibana/kibana:6.5.3
|
FROM docker.elastic.co/kibana/kibana:7.10.2
|
||||||
ARG WAZUH_APP_VERSION=3.7.1_6.5.3
|
USER kibana
|
||||||
USER root
|
ARG ELASTIC_VERSION=7.10.2
|
||||||
|
ARG WAZUH_VERSION=4.1.0
|
||||||
|
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
|
||||||
|
|
||||||
ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
|
WORKDIR /usr/share/kibana
|
||||||
|
RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
|
||||||
|
|
||||||
ADD https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
|
ENV PATTERN="" \
|
||||||
|
CHECKS_PATTERN="" \
|
||||||
RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
|
CHECKS_TEMPLATE="" \
|
||||||
chown -R kibana:kibana /usr/share/kibana &&\
|
CHECKS_API="" \
|
||||||
rm -rf /tmp/*
|
CHECKS_SETUP="" \
|
||||||
|
EXTENSIONS_PCI="" \
|
||||||
COPY config/entrypoint.sh /entrypoint.sh
|
EXTENSIONS_GDPR="" \
|
||||||
RUN chmod 755 /entrypoint.sh
|
EXTENSIONS_HIPAA="" \
|
||||||
|
EXTENSIONS_NIST="" \
|
||||||
|
EXTENSIONS_TSC="" \
|
||||||
|
EXTENSIONS_AUDIT="" \
|
||||||
|
EXTENSIONS_OSCAP="" \
|
||||||
|
EXTENSIONS_CISCAT="" \
|
||||||
|
EXTENSIONS_AWS="" \
|
||||||
|
EXTENSIONS_GCP="" \
|
||||||
|
EXTENSIONS_VIRUSTOTAL="" \
|
||||||
|
EXTENSIONS_OSQUERY="" \
|
||||||
|
EXTENSIONS_DOCKER="" \
|
||||||
|
APP_TIMEOUT="" \
|
||||||
|
API_SELECTOR="" \
|
||||||
|
IP_SELECTOR="" \
|
||||||
|
IP_IGNORE="" \
|
||||||
|
WAZUH_MONITORING_ENABLED="" \
|
||||||
|
WAZUH_MONITORING_FREQUENCY="" \
|
||||||
|
WAZUH_MONITORING_SHARDS="" \
|
||||||
|
WAZUH_MONITORING_REPLICAS="" \
|
||||||
|
ADMIN_PRIVILEGES="" \
|
||||||
|
XPACK_CANVAS="true" \
|
||||||
|
XPACK_LOGS="true" \
|
||||||
|
XPACK_INFRA="true" \
|
||||||
|
XPACK_ML="true" \
|
||||||
|
XPACK_DEVTOOLS="true" \
|
||||||
|
XPACK_MONITORING="true" \
|
||||||
|
XPACK_APM="true"
|
||||||
|
|
||||||
|
WORKDIR /
|
||||||
USER kibana
|
USER kibana
|
||||||
|
|
||||||
ENTRYPOINT /entrypoint.sh
|
COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh
|
||||||
|
RUN chmod 755 ./entrypoint.sh
|
||||||
|
|
||||||
|
RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml
|
||||||
|
|
||||||
|
COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
|
||||||
|
COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
|
||||||
|
RUN chmod +x ./wazuh_app_config.sh
|
||||||
|
|
||||||
|
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
|
||||||
|
RUN chmod +x ./kibana_settings.sh
|
||||||
|
|
||||||
|
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
|
||||||
|
RUN chmod +x ./xpack_config.sh
|
||||||
|
|
||||||
|
ENTRYPOINT ./entrypoint.sh
|
||||||
|
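Review bot: `RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip` installs the plugin straight from a download with no integrity check, so the image content depends on whatever that server returns at build time; the previous ADD-then-install had the same gap, but the rebuild is the moment to pin a digest. Fetch the archive to /tmp, verify it against a build argument with sha256sum, and install from the local file, as sketched below (this assumes curl and sha256sum exist in the base image; the config scripts in this change already call curl from inside it). `COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml` keeps the build-context mode on a file that wazuh_app_config.sh later fills with API credentials, so a `RUN chmod 600 /usr/share/kibana/data/wazuh/config/wazuh.yml` after the COPY would keep it readable by the kibana user only. The file header for this section is not shown in this view; the hunk reads as the kibana Dockerfile.
```dockerfile
ARG WAZUH_APP_SHA256=<PINNED_SHA256_PLACEHOLDER>
RUN curl -fsSL -o /tmp/wazuh_kibana.zip \
      "https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip" && \
    echo "${WAZUH_APP_SHA256}  /tmp/wazuh_kibana.zip" | sha256sum -c - && \
    ./bin/kibana-plugin install "file:///tmp/wazuh_kibana.zip" && \
    rm -f /tmp/wazuh_kibana.zip
# … unchanged: ENV block, USER kibana, COPY/chmod of the config scripts, ENTRYPOINT …
```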
@@ -1,56 +1,60 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# Waiting for elasticsearch
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
|
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
|
||||||
el_url="http://elasticsearch:9200"
|
export el_url="http://elasticsearch:9200"
|
||||||
else
|
else
|
||||||
el_url="${ELASTICSEARCH_URL}"
|
export el_url="${ELASTICSEARCH_URL}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
until curl -XGET $el_url; do
|
if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
|
||||||
|
export auth=""
|
||||||
|
else
|
||||||
|
export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
|
||||||
|
fi
|
||||||
|
|
||||||
|
until curl -XGET $el_url ${auth}; do
|
||||||
>&2 echo "Elastic is unavailable - sleeping"
|
>&2 echo "Elastic is unavailable - sleeping"
|
||||||
sleep 5
|
sleep 5
|
||||||
done
|
done
|
||||||
|
|
||||||
>&2 echo "Elastic is up - executing command"
|
sleep 2
|
||||||
|
|
||||||
#Insert default templates
|
>&2 echo "Elasticsearch is up."
|
||||||
cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
|
|
||||||
sleep 5
|
|
||||||
|
|
||||||
echo "Setting API credentials into Wazuh APP"
|
|
||||||
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
|
##############################################################################
|
||||||
if [ "x$CONFIG_CODE" = "x404" ]; then
|
# Waiting for wazuh alerts template
|
||||||
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
|
##############################################################################
|
||||||
{
|
|
||||||
"api_user": "foo",
|
strlen=0
|
||||||
"api_password": "YmFy",
|
|
||||||
"url": "https://wazuh",
|
while [[ $strlen -eq 0 ]]
|
||||||
"api_port": "55000",
|
do
|
||||||
"insecure": "true",
|
template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
|
||||||
"component": "API",
|
strlen=${#template}
|
||||||
"cluster_info": {
|
>&2 echo "Wazuh alerts template not loaded - sleeping."
|
||||||
"manager": "wazuh-manager",
|
sleep 2
|
||||||
"cluster": "Disabled",
|
done
|
||||||
"status": "disabled"
|
|
||||||
},
|
sleep 2
|
||||||
"extensions": {
|
|
||||||
"oscap": true,
|
>&2 echo "Wazuh alerts template is loaded."
|
||||||
"audit": true,
|
|
||||||
"pci": true,
|
./xpack_config.sh
|
||||||
"aws": true,
|
|
||||||
"virustotal": true,
|
./wazuh_app_config.sh
|
||||||
"gdpr": true,
|
|
||||||
"ciscat": true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
' > /dev/null
|
|
||||||
else
|
|
||||||
echo "Wazuh APP already configured"
|
|
||||||
fi
|
|
||||||
|
|
||||||
sleep 5
|
sleep 5
|
||||||
|
|
||||||
|
./kibana_settings.sh &
|
||||||
|
|
||||||
|
sleep 2
|
||||||
|
|
||||||
/usr/local/bin/kibana-docker
|
/usr/local/bin/kibana-docker
|
||||||
|
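Review bot: `export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"` puts the Elasticsearch password on the command line of every curl invocation that expands `${auth}`, here and in the child scripts this entrypoint launches (`./wazuh_app_config.sh`, `./kibana_settings.sh &`), where it is readable in the process list by any other process in the container and would be echoed into the logs if `set -x` is ever enabled. Write the credential to a curl config file instead and pass that: `printf 'user = "%s:%s"\n' "${ELASTICSEARCH_USERNAME}" "${ELASTICSEARCH_PASSWORD}" > /tmp/es_auth.curlrc && chmod 600 /tmp/es_auth.curlrc` followed by `export auth="-K /tmp/es_auth.curlrc -k"`. The `-k` bundled into the same variable disables certificate verification for every authenticated call; if a CA bundle is available in the image, `--cacert` belongs there instead, and if not, a comment above the export should state that TLS to Elasticsearch is deliberately unverified. The `until curl -XGET $el_url ${auth}; do` loop also treats any HTTP response, including 401, as "up", so a wrong credential is not noticed until the template wait below; a comment on that loop should say it only checks reachability.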
@@ -1,92 +0,0 @@
|
|||||||
# Kibana is served by a back end server. This setting specifies the port to use.
|
|
||||||
server.port: 5601
|
|
||||||
|
|
||||||
# This setting specifies the IP address of the back end server.
|
|
||||||
server.host: "0.0.0.0"
|
|
||||||
|
|
||||||
# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This setting
|
|
||||||
# cannot end in a slash.
|
|
||||||
# server.basePath: ""
|
|
||||||
|
|
||||||
# The maximum payload size in bytes for incoming server requests.
|
|
||||||
# server.maxPayloadBytes: 1048576
|
|
||||||
|
|
||||||
# The Kibana server's name. This is used for display purposes.
|
|
||||||
# server.name: "your-hostname"
|
|
||||||
|
|
||||||
# The URL of the Elasticsearch instance to use for all your queries.
|
|
||||||
elasticsearch.url: "http://elasticsearch:9200"
|
|
||||||
|
|
||||||
# When this setting’s value is true Kibana uses the hostname specified in the server.host
|
|
||||||
# setting. When the value of this setting is false, Kibana uses the hostname of the host
|
|
||||||
# that connects to this Kibana instance.
|
|
||||||
# elasticsearch.preserveHost: true
|
|
||||||
|
|
||||||
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
|
|
||||||
# dashboards. Kibana creates a new index if the index doesn’t already exist.
|
|
||||||
# kibana.index: ".kibana"
|
|
||||||
|
|
||||||
# The default application to load.
|
|
||||||
# kibana.defaultAppId: "discover"
|
|
||||||
|
|
||||||
# If your Elasticsearch is protected with basic authentication, these settings provide
|
|
||||||
# the username and password that the Kibana server uses to perform maintenance on the Kibana
|
|
||||||
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
|
|
||||||
# is proxied through the Kibana server.
|
|
||||||
# elasticsearch.username: "user"
|
|
||||||
# elasticsearch.password: "pass"
|
|
||||||
|
|
||||||
# Paths to the PEM-format SSL certificate and SSL key files, respectively. These
|
|
||||||
# files enable SSL for outgoing requests from the Kibana server to the browser.
|
|
||||||
# server.ssl.cert: /path/to/your/server.crt
|
|
||||||
# server.ssl.key: /path/to/your/server.key
|
|
||||||
|
|
||||||
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
|
|
||||||
# These files validate that your Elasticsearch backend uses the same key files.
|
|
||||||
# elasticsearch.ssl.cert: /path/to/your/client.crt
|
|
||||||
# elasticsearch.ssl.key: /path/to/your/client.key
|
|
||||||
|
|
||||||
# Optional setting that enables you to specify a path to the PEM file for the certificate
|
|
||||||
# authority for your Elasticsearch instance.
|
|
||||||
# elasticsearch.ssl.ca: /path/to/your/CA.pem
|
|
||||||
|
|
||||||
# To disregard the validity of SSL certificates, change this setting’s value to false.
|
|
||||||
# elasticsearch.ssl.verify: true
|
|
||||||
|
|
||||||
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
|
|
||||||
# the elasticsearch.requestTimeout setting.
|
|
||||||
# elasticsearch.pingTimeout: 1500
|
|
||||||
|
|
||||||
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
|
|
||||||
# must be a positive integer.
|
|
||||||
# elasticsearch.requestTimeout: 30000
|
|
||||||
|
|
||||||
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
|
|
||||||
# headers, set this value to [] (an empty list).
|
|
||||||
# elasticsearch.requestHeadersWhitelist: [ authorization ]
|
|
||||||
|
|
||||||
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
|
|
||||||
# elasticsearch.shardTimeout: 0
|
|
||||||
|
|
||||||
# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
|
|
||||||
# elasticsearch.startupTimeout: 5000
|
|
||||||
|
|
||||||
# Specifies the path where Kibana creates the process ID file.
|
|
||||||
# pid.file: /var/run/kibana.pid
|
|
||||||
|
|
||||||
# Enables you specify a file where Kibana stores log output.
|
|
||||||
# logging.dest: stdout
|
|
||||||
|
|
||||||
# Set the value of this setting to true to suppress all logging output.
|
|
||||||
# logging.silent: false
|
|
||||||
|
|
||||||
# Set the value of this setting to true to suppress all logging output other than error messages.
|
|
||||||
logging.quiet: true
|
|
||||||
|
|
||||||
# Set the value of this setting to true to log all events, including system usage information
|
|
||||||
# and all requests.
|
|
||||||
# logging.verbose: false
|
|
||||||
|
|
||||||
# Set the interval in milliseconds to sample system and process performance
|
|
||||||
# metrics. Minimum is 100ms. Defaults to 10000.
|
|
||||||
# ops.interval: 10000
|
|
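--- a/kibana/config/kibana_settings.sh
+++ b/kibana/config/kibana_settings.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=4
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+fi
+echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+kibana_proto="http"
+
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+kibana_proto="https"
+if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+fi
+echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
+
+while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do
+echo "Waiting for Kibana API. Sleeping 5 seconds"
+sleep 5
+done
+
+
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+"changes": {
+"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+}
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-12h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+echo "End settings"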
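Review bot: `if [ "$XPACK_SECURITY_ENABLED" != "" ]; then` switches `kibana_proto` to https whenever the variable is set at all, so `XPACK_SECURITY_ENABLED=false` (which the following lines faithfully write into kibana.yml) makes the readiness loop poll https against an http listener and never see a 200; test the value instead, `if [ "$XPACK_SECURITY_ENABLED" = "true" ]; then kibana_proto="https"; fi`, and keep the write-through block keyed on non-empty (this presumes Kibana TLS goes together with the security flag in this image, which the script implies but does not document). The readiness loop authenticates with `$curl_auth` built from ELASTICSEARCH_USERNAME/PASSWORD, while the three settings POSTs use `${auth}`, which this script never sets and presumably inherits from entrypoint.sh; settling on one variable and commenting where it comes from would remove the ambiguity. In `-w ''%{http_code}''` the doubled quotes are empty strings that contribute nothing, `-w '%{http_code}'` reads as intended. The header comment promises "Set the Discover time interval to 24 hours instead of 15 minutes" but the payload sets `"from": "now-12h"`; update the comment to match the code.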
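--- a/kibana/config/wazuh.yml
+++ b/kibana/config/wazuh.yml
@@ -0,0 +1,162 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2021 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api : true
+#checks.setup : true
+#checks.metaFields: true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci : true
+#extensions.gdpr : true
+#extensions.hipaa : true
+#extensions.nist : true
+#extensions.tsc : true
+#extensions.audit : true
+#extensions.oscap : false
+#extensions.ciscat : false
+#extensions.aws : false
+#extensions.gcp : false
+#extensions.virustotal: false
+#extensions.osquery : false
+#extensions.docker : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# -------------------------------- API selector --------------------------------
+#
+# Defines if the user is allowed to change the selected
+# API directly from the Wazuh app top menu.
+# Default: true
+#api.selector: true
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-*
+#
+# --------------------------------- wazuh-cron ----------------------------------
+#
+# Customize the index prefix of predefined jobs
+# This change is not retroactive, if you change it new indexes will be created
+# cron.prefix: test
+#
+# ------------------------------ wazuh-statistics -------------------------------
+#
+# Custom setting to enable/disable statistics tasks.
+#cron.statistics.status: true
+#
+# Enter the ID of the APIs you want to save data from, leave this empty to run
+# the task on all configured APIs
+#cron.statistics.apis: []
+#
+# Define the frequency of task execution using cron schedule expressions
+#cron.statistics.interval: 0 0 * * * *
+#
+# Define the name of the index in which the documents are to be saved.
+#cron.statistics.index.name: statistics
+#
+# Define the interval in which the index will be created
+#cron.statistics.index.creation: w
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ---------------------------- Hide manager alerts ------------------------------
+# Hide the alerts of the manager in all dashboards and discover
+#hideManagerAlerts: false
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+# -------------------------------- Enrollment DNS -------------------------------
+# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
+# Default value: ''
+#enrollment.dns: ''
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+# - <id>:
+# url: http(s)://<url>
+# port: <port>
+# username: <username>
+# password: <password>
+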
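--- a/kibana/config/wazuh_app_config.sh
+++ b/kibana/config/wazuh_app_config.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
+
+declare -A CONFIG_MAP=(
+[pattern]=$PATTERN
+[checks.pattern]=$CHECKS_PATTERN
+[checks.template]=$CHECKS_TEMPLATE
+[checks.api]=$CHECKS_API
+[checks.setup]=$CHECKS_SETUP
+[extensions.pci]=$EXTENSIONS_PCI
+[extensions.gdpr]=$EXTENSIONS_GDPR
+[extensions.hipaa]=$EXTENSIONS_HIPAA
+[extensions.nist]=$EXTENSIONS_NIST
+[extensions.tsc]=$EXTENSIONS_TSC
+[extensions.audit]=$EXTENSIONS_AUDIT
+[extensions.oscap]=$EXTENSIONS_OSCAP
+[extensions.ciscat]=$EXTENSIONS_CISCAT
+[extensions.aws]=$EXTENSIONS_AWS
+[extensions.gcp]=$EXTENSIONS_GCP
+[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+[extensions.osquery]=$EXTENSIONS_OSQUERY
+[extensions.docker]=$EXTENSIONS_DOCKER
+[timeout]=$APP_TIMEOUT
+[api.selector]=$API_SELECTOR
+[ip.selector]=$IP_SELECTOR
+[ip.ignore]=$IP_IGNORE
+[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+[admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+if [ "${CONFIG_MAP[$i]}" != "" ]; then
+sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+fi
+done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file
+hosts:
+- 1513629884013:
+url: $wazuh_url
+port: $wazuh_port
+username: $api_username
+password: $api_password
+EOF
+else
+echo "Wazuh APP already configured"
+fi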
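Review bot: `auth` and `el_url` are used on the `CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)` line but are never assigned anywhere in this script, so as far as this file shows the request is issued against a host-less path, `CONFIG_CODE` cannot be `200`, and whether the `hosts:` block is appended is decided by the `grep` alone. Either assign both (taking them from the environment like `WAZUH_API_URL` and `API_PORT`) or drop the curl check and keep only the grep, so the intent is visible. Separately, `sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/'` splices each environment value into the sed program unescaped, so a value containing `/` or `&` breaks or alters the substitution; escaping first with `val=$(printf '%s' "${CONFIG_MAP[$i]}" | sed 's/[&/\]/\\&/g')` keeps the rewrite literal. The `wazuh-wui` fallbacks for `API_USERNAME` and `API_PASSWORD` end up written into `wazuh.yml` whenever nothing overrides them, which deserves a comment on those two lines.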
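--- a/kibana/config/xpack_config.sh
+++ b/kibana/config/xpack_config.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq "#xpack features" "$kibana_config_file";
+then
+declare -A CONFIG_MAP=(
+[xpack.apm.ui.enabled]=$XPACK_APM
+[xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+[xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+[xpack.ml.enabled]=$XPACK_ML
+[xpack.canvas.enabled]=$XPACK_CANVAS
+[xpack.infra.enabled]=$XPACK_INFRA
+[xpack.monitoring.enabled]=$XPACK_MONITORING
+[console.enabled]=$XPACK_DEVTOOLS
+)
+for i in "${!CONFIG_MAP[@]}"
+do
+if [ "${CONFIG_MAP[$i]}" != "" ]; then
+sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+fi
+done
+else
+echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi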
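Review bot: The `else` branch's `echo "..." >> $kibana_config_file` writes every `xpack.*.enabled: $VAR` line even when the variable is unset, leaving entries such as `xpack.ml.enabled: ` with a null value in kibana.yml, whereas the `if` branch above only rewrites keys whose value is non-empty. Give each variable a default (`${XPACK_ML:-true}` style) or build the appended text from the same `CONFIG_MAP` loop so both branches agree. The update pattern `sed -i 's/.'"$i"'.*/...'` begins with a bare `.`, which requires one arbitrary character before the key; if the echoed lines really start at column 0 as rendered here, that substitution never matches them, and the unescaped `.` inside the key names matches any character as well — anchoring as `'s/^'"$i"':.*/'"$i"': '"${CONFIG_MAP[$i]}"'/'` is more precise.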
@@ -1,6 +0,0 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
FROM docker.elastic.co/logstash/logstash:6.5.3
|
|
||||||
|
|
||||||
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
|
|
||||||
|
|
||||||
COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
|
|
@@ -1,45 +0,0 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
# Wazuh - Logstash configuration file
|
|
||||||
## Remote Wazuh Manager - Filebeat input
|
|
||||||
input {
|
|
||||||
beats {
|
|
||||||
port => 5000
|
|
||||||
codec => "json_lines"
|
|
||||||
# ssl => true
|
|
||||||
# ssl_certificate => "/etc/logstash/logstash.crt"
|
|
||||||
# ssl_key => "/etc/logstash/logstash.key"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
filter {
|
|
||||||
if [data][srcip] {
|
|
||||||
mutate {
|
|
||||||
add_field => [ "@src_ip", "%{[data][srcip]}" ]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if [data][aws][sourceIPAddress] {
|
|
||||||
mutate {
|
|
||||||
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
filter {
|
|
||||||
geoip {
|
|
||||||
source => "@src_ip"
|
|
||||||
target => "GeoLocation"
|
|
||||||
fields => ["city_name", "country_name", "region_name", "location"]
|
|
||||||
}
|
|
||||||
date {
|
|
||||||
match => ["timestamp", "ISO8601"]
|
|
||||||
target => "@timestamp"
|
|
||||||
}
|
|
||||||
mutate {
|
|
||||||
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
output {
|
|
||||||
elasticsearch {
|
|
||||||
hosts => ["elasticsearch:9200"]
|
|
||||||
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
|
|
||||||
document_type => "wazuh"
|
|
||||||
}
|
|
||||||
}
|
|
@@ -1,31 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
#
|
|
||||||
# OSSEC container bootstrap. See the README for information of the environment
|
|
||||||
# variables expected by this script.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Apply Templates
|
|
||||||
#
|
|
||||||
|
|
||||||
set -e
|
|
||||||
host="elasticsearch"
|
|
||||||
until curl -XGET $host:9200; do
|
|
||||||
>&2 echo "Elastic is unavailable - sleeping"
|
|
||||||
sleep 1
|
|
||||||
done
|
|
||||||
|
|
||||||
# Add logstash as command if needed
|
|
||||||
if [ "${1:0:1}" = '-' ]; then
|
|
||||||
set -- logstash "$@"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Run as user "logstash" if the command is "logstash"
|
|
||||||
if [ "$1" = 'logstash' ]; then
|
|
||||||
set -- gosu logstash "$@"
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec "$@"
|
|
@@ -1,16 +0,0 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
FROM nginx:latest
|
|
||||||
|
|
||||||
ENV DEBIAN_FRONTEND noninteractive
|
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y openssl apache2-utils
|
|
||||||
|
|
||||||
COPY config/entrypoint.sh /entrypoint.sh
|
|
||||||
|
|
||||||
RUN chmod 755 /entrypoint.sh
|
|
||||||
|
|
||||||
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
|
|
||||||
|
|
||||||
VOLUME ["/etc/nginx/conf.d"]
|
|
||||||
|
|
||||||
ENTRYPOINT /entrypoint.sh
|
|
@@ -1,57 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
# Generating certificates.
|
|
||||||
if [ ! -d /etc/nginx/conf.d/ssl ]; then
|
|
||||||
echo "Generating SSL certificates"
|
|
||||||
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
|
|
||||||
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
|
|
||||||
else
|
|
||||||
echo "SSL certificates already present"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Configuring default credentiales.
|
|
||||||
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
|
|
||||||
echo "Setting Nginx credentials"
|
|
||||||
echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
|
|
||||||
else
|
|
||||||
echo "Kibana credentials already configured"
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
if [ "x${NGINX_PORT}" = "x" ]; then
|
|
||||||
NGINX_PORT=443
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "x${KIBANA_HOST}" = "x" ]; then
|
|
||||||
KIBANA_HOST="kibana:5601"
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Configuring NGINX"
|
|
||||||
cat > /etc/nginx/conf.d/default.conf <<EOF
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
return 301 https://\$host:${NGINX_PORT}\$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen ${NGINX_PORT} default_server;
|
|
||||||
listen [::]:${NGINX_PORT};
|
|
||||||
ssl on;
|
|
||||||
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
|
|
||||||
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
|
|
||||||
location / {
|
|
||||||
auth_basic "Restricted";
|
|
||||||
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
|
|
||||||
proxy_pass http://${KIBANA_HOST}/;
|
|
||||||
proxy_buffer_size 128k;
|
|
||||||
proxy_buffers 4 256k;
|
|
||||||
proxy_busy_buffers_size 256k;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
nginx -g 'daemon off;'
|
|
204
production-cluster.yml
Normal file
204
production-cluster.yml
Normal file
@@ -0,0 +1,204 @@
|
|||||||
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
version: '3.7'
|
||||||
|
|
||||||
|
services:
|
||||||
|
wazuh-master:
|
||||||
|
image: wazuh/wazuh-odfe:4.1.0
|
||||||
|
hostname: wazuh-master
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "1515:1515"
|
||||||
|
- "514:514/udp"
|
||||||
|
- "55000:55000"
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=admin
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=full
|
||||||
|
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
|
||||||
|
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
|
||||||
|
- SSL_KEY=/etc/ssl/filebeat.key
|
||||||
|
- API_USERNAME=acme-user
|
||||||
|
- API_PASSWORD=MyS3cr37P450r.*-
|
||||||
|
volumes:
|
||||||
|
- ossec-api-configuration:/var/ossec/api/configuration
|
||||||
|
- ossec-etc:/var/ossec/etc
|
||||||
|
- ossec-logs:/var/ossec/logs
|
||||||
|
- ossec-queue:/var/ossec/queue
|
||||||
|
- ossec-var-multigroups:/var/ossec/var/multigroups
|
||||||
|
- ossec-integrations:/var/ossec/integrations
|
||||||
|
- ossec-active-response:/var/ossec/active-response/bin
|
||||||
|
- ossec-agentless:/var/ossec/agentless
|
||||||
|
- ossec-wodles:/var/ossec/wodles
|
||||||
|
- filebeat-etc:/etc/filebeat
|
||||||
|
- filebeat-var:/var/lib/filebeat
|
||||||
|
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
|
||||||
|
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
|
||||||
|
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
|
||||||
|
- ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
|
||||||
|
|
||||||
|
wazuh-worker:
|
||||||
|
image: wazuh/wazuh-odfe:4.1.0
|
||||||
|
hostname: wazuh-worker
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=admin
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=full
|
||||||
|
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
|
||||||
|
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
|
||||||
|
- SSL_KEY=/etc/ssl/filebeat.key
|
||||||
|
volumes:
|
||||||
|
- worker-ossec-api-configuration:/var/ossec/api/configuration
|
||||||
|
- worker-ossec-etc:/var/ossec/etc
|
||||||
|
- worker-ossec-logs:/var/ossec/logs
|
||||||
|
- worker-ossec-queue:/var/ossec/queue
|
||||||
|
- worker-ossec-var-multigroups:/var/ossec/var/multigroups
|
||||||
|
- worker-ossec-integrations:/var/ossec/integrations
|
||||||
|
- worker-ossec-active-response:/var/ossec/active-response/bin
|
||||||
|
- worker-ossec-agentless:/var/ossec/agentless
|
||||||
|
- worker-ossec-wodles:/var/ossec/wodles
|
||||||
|
- worker-filebeat-etc:/etc/filebeat
|
||||||
|
- worker-filebeat-var:/var/lib/filebeat
|
||||||
|
- ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
|
||||||
|
- ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
|
||||||
|
- ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
|
||||||
|
- ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
|
||||||
|
|
||||||
|
elasticsearch:
|
||||||
|
image: amazon/opendistro-for-elasticsearch:1.12.0
|
||||||
|
hostname: elasticsearch
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "9200:9200"
|
||||||
|
environment:
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- elastic-data-1:/usr/share/elasticsearch/data
|
||||||
|
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
|
||||||
|
- ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
|
||||||
|
- ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
|
||||||
|
- ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
|
||||||
|
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
|
||||||
|
|
||||||
|
elasticsearch-2:
|
||||||
|
image: amazon/opendistro-for-elasticsearch:1.12.0
|
||||||
|
hostname: elasticsearch-2
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- elastic-data-2:/usr/share/elasticsearch/data
|
||||||
|
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
|
||||||
|
- ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
|
||||||
|
- ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
|
||||||
|
- ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
|
||||||
|
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
|
||||||
|
|
||||||
|
elasticsearch-3:
|
||||||
|
image: amazon/opendistro-for-elasticsearch:1.12.0
|
||||||
|
hostname: elasticsearch-3
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- elastic-data-3:/usr/share/elasticsearch/data
|
||||||
|
- ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
|
||||||
|
- ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
|
||||||
|
- ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
|
||||||
|
- ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
|
||||||
|
- ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
image: wazuh/wazuh-kibana-odfe:4.1.0
|
||||||
|
hostname: kibana
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 5601:5601
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_USERNAME=admin
|
||||||
|
- ELASTICSEARCH_PASSWORD=SecretPassword
|
||||||
|
- SERVER_SSL_ENABLED=true
|
||||||
|
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
|
||||||
|
- SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
|
||||||
|
- WAZUH_API_URL="https://wazuh-master"
|
||||||
|
- API_USERNAME=acme-user
|
||||||
|
- API_PASSWORD=MyS3cr37P450r.*-
|
||||||
|
volumes:
|
||||||
|
- ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
|
||||||
|
- ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
|
||||||
|
|
||||||
|
depends_on:
|
||||||
|
- elasticsearch
|
||||||
|
links:
|
||||||
|
- elasticsearch:elasticsearch
|
||||||
|
- wazuh-master:wazuh-master
|
||||||
|
|
||||||
|
nginx:
|
||||||
|
image: nginx:stable
|
||||||
|
hostname: nginx
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "80:80"
|
||||||
|
- "443:443"
|
||||||
|
- "1514:1514"
|
||||||
|
depends_on:
|
||||||
|
- wazuh-master
|
||||||
|
- wazuh-worker
|
||||||
|
- kibana
|
||||||
|
links:
|
||||||
|
- wazuh-master:wazuh-master
|
||||||
|
- wazuh-worker:wazuh-worker
|
||||||
|
- kibana:kibana
|
||||||
|
volumes:
|
||||||
|
- ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
|
||||||
|
- ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
ossec-api-configuration:
|
||||||
|
ossec-etc:
|
||||||
|
ossec-logs:
|
||||||
|
ossec-queue:
|
||||||
|
ossec-var-multigroups:
|
||||||
|
ossec-integrations:
|
||||||
|
ossec-active-response:
|
||||||
|
ossec-agentless:
|
||||||
|
ossec-wodles:
|
||||||
|
filebeat-etc:
|
||||||
|
filebeat-var:
|
||||||
|
worker-ossec-api-configuration:
|
||||||
|
worker-ossec-etc:
|
||||||
|
worker-ossec-logs:
|
||||||
|
worker-ossec-queue:
|
||||||
|
worker-ossec-var-multigroups:
|
||||||
|
worker-ossec-integrations:
|
||||||
|
worker-ossec-active-response:
|
||||||
|
worker-ossec-agentless:
|
||||||
|
worker-ossec-wodles:
|
||||||
|
worker-filebeat-etc:
|
||||||
|
worker-filebeat-var:
|
||||||
|
elastic-data-1:
|
||||||
|
elastic-data-2:
|
||||||
|
elastic-data-3:
|
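Review bot: The `environment:` lists of `wazuh-master`, `wazuh-worker` and `kibana` commit cleartext credentials — `ELASTIC_PASSWORD=SecretPassword`, `ELASTICSEARCH_PASSWORD=SecretPassword`, `API_PASSWORD=MyS3cr37P450r.*-` — into a file whose name presents it as the production deployment, and `ports:` publishes `"9200:9200"`, `"55000:55000"` and `5601:5601` on the host in addition to the nginx front end. Move the secrets to an `.env` file or Docker secrets referenced through `${VARIABLE}` substitution, and add a header comment such as `# Replace every password below and regenerate internal_users.yml before deploying` so the sample values are not rolled out unchanged. `5601:5601` is also the only unquoted port mapping in the file; `"5601:5601"` keeps it consistent with the rest.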
@@ -0,0 +1,31 @@
|
|||||||
|
network.host: 0.0.0.0
|
||||||
|
cluster.name: wazuh-cluster
|
||||||
|
node.name: elasticsearch
|
||||||
|
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
bootstrap.memory_lock: true
|
||||||
|
|
||||||
|
opendistro_security.ssl.transport.pemcert_filepath: node1.pem
|
||||||
|
opendistro_security.ssl.transport.pemkey_filepath: node1.key
|
||||||
|
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.ssl.transport.enforce_hostname_verification: false
|
||||||
|
opendistro_security.ssl.transport.resolve_hostname: false
|
||||||
|
opendistro_security.ssl.http.enabled: true
|
||||||
|
opendistro_security.ssl.http.pemcert_filepath: node1.pem
|
||||||
|
opendistro_security.ssl.http.pemkey_filepath: node1.key
|
||||||
|
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.allow_default_init_securityindex: true
|
||||||
|
opendistro_security.nodes_dn:
|
||||||
|
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
opendistro_security.authcz.admin_dn: []
|
||||||
|
opendistro_security.audit.type: internal_elasticsearch
|
||||||
|
opendistro_security.enable_snapshot_restore_privilege: true
|
||||||
|
opendistro_security.check_snapshot_restore_write_privileges: true
|
||||||
|
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
|
||||||
|
cluster.routing.allocation.disk.threshold_enabled: false
|
||||||
|
#opendistro_security.audit.config.disabled_rest_categories: NONE
|
||||||
|
#opendistro_security.audit.config.disabled_transport_categories: NONE
|
||||||
|
opendistro_security.audit.log_request_body: false
|
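Review bot: `opendistro_security.authcz.admin_dn: []` leaves the cluster without any admin certificate DN, so once `opendistro_security.allow_default_init_securityindex: true` seeds the security index from `internal_users.yml` on first start there is no identity that can run securityadmin.sh to rotate users or roles afterwards; the same empty list appears in the `elasticsearch-2` and `elasticsearch-3` hunks below. Issue an admin certificate (the `certs.yml` in this compare defines only node and filebeat certificates) and list its DN here, e.g. `- 'CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com'` (constructed example). `opendistro_security.ssl.transport.enforce_hostname_verification: false` together with `resolve_hostname: false` also means node certificates are accepted on the transport layer without being matched to the peer hostname; since the compose hostnames match the `dns:` entries generated for each node, enabling verification appears feasible and is worth a comment if it is left off deliberately.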
@@ -0,0 +1,31 @@
|
|||||||
|
network.host: 0.0.0.0
|
||||||
|
cluster.name: wazuh-cluster
|
||||||
|
node.name: elasticsearch-2
|
||||||
|
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
bootstrap.memory_lock: true
|
||||||
|
|
||||||
|
opendistro_security.ssl.transport.pemcert_filepath: node2.pem
|
||||||
|
opendistro_security.ssl.transport.pemkey_filepath: node2.key
|
||||||
|
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.ssl.transport.enforce_hostname_verification: false
|
||||||
|
opendistro_security.ssl.transport.resolve_hostname: false
|
||||||
|
opendistro_security.ssl.http.enabled: true
|
||||||
|
opendistro_security.ssl.http.pemcert_filepath: node2.pem
|
||||||
|
opendistro_security.ssl.http.pemkey_filepath: node2.key
|
||||||
|
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.allow_default_init_securityindex: true
|
||||||
|
opendistro_security.nodes_dn:
|
||||||
|
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
opendistro_security.authcz.admin_dn: []
|
||||||
|
opendistro_security.audit.type: internal_elasticsearch
|
||||||
|
opendistro_security.enable_snapshot_restore_privilege: true
|
||||||
|
opendistro_security.check_snapshot_restore_write_privileges: true
|
||||||
|
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
|
||||||
|
cluster.routing.allocation.disk.threshold_enabled: false
|
||||||
|
#opendistro_security.audit.config.disabled_rest_categories: NONE
|
||||||
|
#opendistro_security.audit.config.disabled_transport_categories: NONE
|
||||||
|
opendistro_security.audit.log_request_body: false
|
@@ -0,0 +1,31 @@
|
|||||||
|
network.host: 0.0.0.0
|
||||||
|
cluster.name: wazuh-cluster
|
||||||
|
node.name: elasticsearch-3
|
||||||
|
discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
|
||||||
|
bootstrap.memory_lock: true
|
||||||
|
|
||||||
|
opendistro_security.ssl.transport.pemcert_filepath: node3.pem
|
||||||
|
opendistro_security.ssl.transport.pemkey_filepath: node3.key
|
||||||
|
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.ssl.transport.enforce_hostname_verification: false
|
||||||
|
opendistro_security.ssl.transport.resolve_hostname: false
|
||||||
|
opendistro_security.ssl.http.enabled: true
|
||||||
|
opendistro_security.ssl.http.pemcert_filepath: node3.pem
|
||||||
|
opendistro_security.ssl.http.pemkey_filepath: node3.key
|
||||||
|
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
|
||||||
|
opendistro_security.allow_default_init_securityindex: true
|
||||||
|
opendistro_security.nodes_dn:
|
||||||
|
- 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
- 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
|
||||||
|
opendistro_security.authcz.admin_dn: []
|
||||||
|
opendistro_security.audit.type: internal_elasticsearch
|
||||||
|
opendistro_security.enable_snapshot_restore_privilege: true
|
||||||
|
opendistro_security.check_snapshot_restore_write_privileges: true
|
||||||
|
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
|
||||||
|
cluster.routing.allocation.disk.threshold_enabled: false
|
||||||
|
#opendistro_security.audit.config.disabled_rest_categories: NONE
|
||||||
|
#opendistro_security.audit.config.disabled_transport_categories: NONE
|
||||||
|
opendistro_security.audit.log_request_body: false
|
56
production_cluster/elastic_opendistro/internal_users.yml
Normal file
56
production_cluster/elastic_opendistro/internal_users.yml
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
---
|
||||||
|
# This is the internal user database
|
||||||
|
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
|
||||||
|
|
||||||
|
_meta:
|
||||||
|
type: "internalusers"
|
||||||
|
config_version: 2
|
||||||
|
|
||||||
|
# Define your internal users here
|
||||||
|
|
||||||
|
## Demo users
|
||||||
|
|
||||||
|
admin:
|
||||||
|
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
|
||||||
|
reserved: true
|
||||||
|
backend_roles:
|
||||||
|
- "admin"
|
||||||
|
description: "Demo admin user"
|
||||||
|
|
||||||
|
kibanaserver:
|
||||||
|
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
|
||||||
|
reserved: true
|
||||||
|
description: "Demo kibanaserver user"
|
||||||
|
|
||||||
|
kibanaro:
|
||||||
|
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
|
||||||
|
reserved: false
|
||||||
|
backend_roles:
|
||||||
|
- "kibanauser"
|
||||||
|
- "readall"
|
||||||
|
attributes:
|
||||||
|
attribute1: "value1"
|
||||||
|
attribute2: "value2"
|
||||||
|
attribute3: "value3"
|
||||||
|
description: "Demo kibanaro user"
|
||||||
|
|
||||||
|
logstash:
|
||||||
|
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
|
||||||
|
reserved: false
|
||||||
|
backend_roles:
|
||||||
|
- "logstash"
|
||||||
|
description: "Demo logstash user"
|
||||||
|
|
||||||
|
readall:
|
||||||
|
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
|
||||||
|
reserved: false
|
||||||
|
backend_roles:
|
||||||
|
- "readall"
|
||||||
|
description: "Demo readall user"
|
||||||
|
|
||||||
|
snapshotrestore:
|
||||||
|
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
|
||||||
|
reserved: false
|
||||||
|
backend_roles:
|
||||||
|
- "snapshotrestore"
|
||||||
|
description: "Demo snapshotrestore user"
|
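Review bot: Every account here carries a `description: "Demo ... user"` and the header states hashes are produced with `plugin/tools/hash.sh`; if these `hash:` values are the stock demo hashes, the matching passwords are publicly documented and `admin` (with `backend_roles: - "admin"`) would be reachable with them in a layout labelled production. Regenerate the `hash:` values for `admin` and `kibanaserver` before deployment (keeping them in step with `ELASTIC_PASSWORD`/`ELASTICSEARCH_PASSWORD` in the compose file), and drop the unused demo accounts `kibanaro`, `logstash`, `readall` and `snapshotrestore` together with the `attribute1`..`attribute3` placeholders rather than shipping them. A comment such as `# Demo hashes - regenerate with plugin/tools/hash.sh before deploying` at the top makes the requirement explicit.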
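--- a/production_cluster/kibana_ssl/generate-self-signed-cert.sh
+++ b/production_cluster/kibana_ssl/generate-self-signed-cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+echo "Certificate already exists"
+exit
+else
+openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi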
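Review bot: `openssl req ... -keyout key.pem` writes the private key with the caller's umask, so under a common `022` umask `key.pem` is world-readable inside the checkout; the identical script under `production_cluster/nginx/ssl/` in the hunk below has the same issue. Add `umask 077` before the `openssl` line and quote the directory change as `cd "$DIR"`, since `DIR` is derived from `BASH_SOURCE` and may contain spaces. With `-batch` and no `-subj` or SAN, the certificate most likely carries only the tool's default subject, which is why the nginx side has to disable upstream verification; a `-subj "/CN=kibana"`-style value (constructed example) or a SAN extension would let the proxy verify the certificate.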
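--- a/production_cluster/nginx/nginx.conf
+++ b/production_cluster/nginx/nginx.conf
@@ -0,0 +1,67 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+
+sendfile on;
+tcp_nopush on;
+
+keepalive_timeout 65;
+
+server_tokens off;
+gzip on;
+
+# kibana UI
+server {
+listen 80;
+listen [::]:80;
+return 301 https://$host:443$request_uri;
+}
+
+server {
+listen 443 default_server ssl http2;
+listen [::]:443 ssl http2;
+ssl_certificate /etc/nginx/ssl/cert.pem;
+ssl_certificate_key /etc/nginx/ssl/key.pem;
+location / {
+proxy_pass https://kibana:5601/;
+proxy_ssl_verify off;
+proxy_buffer_size 128k;
+proxy_buffers 4 256k;
+proxy_busy_buffers_size 256k;
+}
+}
+
+}
+
+
+
+# load balancer for Wazuh cluster
+stream {
+upstream mycluster {
+hash $remote_addr consistent;
+server wazuh-master:1514;
+server wazuh-worker:1514;
+}
+server {
+listen 1514;
+proxy_pass mycluster;
+}
+}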
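Review bot: `proxy_ssl_verify off;` in the `location /` block makes nginx accept any certificate from `https://kibana:5601/`, so whatever answers to that name on the compose network is trusted as Kibana; because the Kibana certificate is generated locally in this same compare, it can be mounted read-only and pinned with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <PATH_TO_KIBANA_CERT_PEM>;` and `proxy_ssl_name kibana;` (placeholder path). The TLS `server` block sets no `ssl_protocols` or `ssl_ciphers`, so it inherits the image defaults; spelling out `ssl_protocols TLSv1.2 TLSv1.3;` makes the policy reviewable. The removed nginx entrypoint earlier in this compare fronted Kibana with `auth_basic`; the new config relies on Kibana's own login instead, which is worth stating in the `# kibana UI` comment so the change is not mistaken for an omission.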
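--- a/production_cluster/nginx/ssl/generate-self-signed-cert.sh
+++ b/production_cluster/nginx/ssl/generate-self-signed-cert.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+echo "Certificate already exists"
+exit
+else
+openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi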
30
production_cluster/ssl_certs/certs.yml
Normal file
30
production_cluster/ssl_certs/certs.yml
Normal file
@@ -0,0 +1,30 @@
|
|||||||
|
ca:
|
||||||
|
root:
|
||||||
|
dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
pkPassword: none
|
||||||
|
keysize: 2048
|
||||||
|
file: root-ca.pem
|
||||||
|
intermediate:
|
||||||
|
dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
keysize: 2048
|
||||||
|
validityDays: 3650
|
||||||
|
pkPassword: intermediate-ca-password
|
||||||
|
file: intermediate-ca.pem
|
||||||
|
|
||||||
|
nodes:
|
||||||
|
- name: node1
|
||||||
|
dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
dns:
|
||||||
|
- elasticsearch
|
||||||
|
- name: node2
|
||||||
|
dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
dns:
|
||||||
|
- elasticsearch-2
|
||||||
|
- name: node3
|
||||||
|
dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
dns:
|
||||||
|
- elasticsearch-3
|
||||||
|
- name: filebeat
|
||||||
|
dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
|
||||||
|
dns:
|
||||||
|
- wazuh
|
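Review bot: `pkPassword: intermediate-ca-password` commits the intermediate CA key passphrase to version control beside the configuration, and `pkPassword: none` on `root:` leaves the root CA key unencrypted, so anyone who can read the generated `ssl_certs/` output can issue node or client certificates the cluster trusts through `nodes_dn`. Replace the literal with a value supplied at generation time, keeping an obvious placeholder such as `<SET_BEFORE_RUNNING>` in the committed file, and protect the root key the same way. The `filebeat` entry lists `dns: - wazuh` while the compose services are `wazuh-master` and `wazuh-worker`; that appears not to affect acceptance, since the nodes match client certificates by DN via `nodes_dn`, but a one-line comment explaining the differing SAN would save the next reader the check.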
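--- a/production_cluster/wazuh_cluster/wazuh_manager.conf
+++ b/production_cluster/wazuh_cluster/wazuh_manager.conf
@@ -0,0 +1,349 @@
+<ossec_config>
+<global>
+<jsonout_output>yes</jsonout_output>
+<alerts_log>yes</alerts_log>
+<logall>no</logall>
+<logall_json>no</logall_json>
+<email_notification>no</email_notification>
+<smtp_server>smtp.example.wazuh.com</smtp_server>
+<email_from>ossecm@example.wazuh.com</email_from>
+<email_to>recipient@example.wazuh.com</email_to>
+<email_maxperhour>12</email_maxperhour>
+<email_log_source>alerts.log</email_log_source>
+</global>
+
+<alerts>
+<log_alert_level>3</log_alert_level>
+<email_alert_level>12</email_alert_level>
+</alerts>
+
+<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+<logging>
+<log_format>plain</log_format>
+</logging>
+
+<remote>
+<connection>secure</connection>
+<port>1514</port>
+<protocol>tcp</protocol>
+<queue_size>131072</queue_size>
+</remote>
+
+<!-- Policy monitoring -->
+<rootcheck>
+<disabled>no</disabled>
+<check_files>yes</check_files>
+<check_trojans>yes</check_trojans>
+<check_dev>yes</check_dev>
+<check_sys>yes</check_sys>
+<check_pids>yes</check_pids>
+<check_ports>yes</check_ports>
+<check_if>yes</check_if>
+
+<!-- Frequency that rootcheck is executed - every 12 hours -->
+<frequency>43200</frequency>
+
+<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+<skip_nfs>yes</skip_nfs>
+</rootcheck>
+
+<wodle name="cis-cat">
+<disabled>yes</disabled>
+<timeout>1800</timeout>
+<interval>1d</interval>
+<scan-on-start>yes</scan-on-start>
+
+<java_path>wodles/java</java_path>
+<ciscat_path>wodles/ciscat</ciscat_path>
+</wodle>
+
+<!-- Osquery integration -->
+<wodle name="osquery">
+<disabled>yes</disabled>
+<run_daemon>yes</run_daemon>
+<log_path>/var/log/osquery/osqueryd.results.log</log_path>
+<config_path>/etc/osquery/osquery.conf</config_path>
+<add_labels>yes</add_labels>
+</wodle>
+
+<!-- System inventory -->
+<wodle name="syscollector">
+<disabled>no</disabled>
+<interval>1h</interval>
+<scan_on_start>yes</scan_on_start>
+<hardware>yes</hardware>
+<os>yes</os>
+<network>yes</network>
+<packages>yes</packages>
+<ports all="no">yes</ports>
+<processes>yes</processes>
+</wodle>
+
+<sca>
+<enabled>yes</enabled>
+<scan_on_start>yes</scan_on_start>
+<interval>12h</interval>
+<skip_nfs>yes</skip_nfs>
+</sca>
+
+<vulnerability-detector>
+<enabled>no</enabled>
+<interval>5m</interval>
+<ignore_time>6h</ignore_time>
+<run_on_start>yes</run_on_start>
+
+<!-- Ubuntu OS vulnerabilities -->
+<provider name="canonical">
+<enabled>no</enabled>
+<os>trusty</os>
+<os>xenial</os>
+<os>bionic</os>
+<os>focal</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Debian OS vulnerabilities -->
+<provider name="debian">
+<enabled>no</enabled>
+<os>stretch</os>
+<os>buster</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- RedHat OS vulnerabilities -->
+<provider name="redhat">
+<enabled>no</enabled>
+<os>5</os>
+<os>6</os>
+<os>7</os>
+<os>8</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Windows OS vulnerabilities -->
+<provider name="msu">
+<enabled>yes</enabled>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Aggregate vulnerabilities -->
+<provider name="nvd">
+<enabled>yes</enabled>
+<update_from_year>2010</update_from_year>
+<update_interval>1h</update_interval>
+</provider>
+
+</vulnerability-detector>
+
+<!-- File integrity monitoring -->
+<syscheck>
+<disabled>no</disabled>
+
+<!-- Frequency that syscheck is executed default every 12 hours -->
+<frequency>43200</frequency>
+
+<scan_on_start>yes</scan_on_start>
+
+<!-- Generate alert when new file detected -->
+<alert_new_files>yes</alert_new_files>
+
+<!-- Don't ignore files that change more than 'frequency' times -->
+<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+<!-- Directories to check (perform all possible verifications) -->
+<directories>/etc,/usr/bin,/usr/sbin</directories>
+<directories>/bin,/sbin,/boot</directories>
+
+<!-- Files/directories to ignore -->
+<ignore>/etc/mtab</ignore>
+<ignore>/etc/hosts.deny</ignore>
+<ignore>/etc/mail/statistics</ignore>
+<ignore>/etc/random-seed</ignore>
+<ignore>/etc/random.seed</ignore>
+<ignore>/etc/adjtime</ignore>
+<ignore>/etc/httpd/logs</ignore>
+<ignore>/etc/utmpx</ignore>
+<ignore>/etc/wtmpx</ignore>
+<ignore>/etc/cups/certs</ignore>
+<ignore>/etc/dumpdates</ignore>
+<ignore>/etc/svc/volatile</ignore>
+
+<!-- File types to ignore -->
+<ignore type="sregex">.log$|.swp$</ignore>
+
+<!-- Check the file, but never compute the diff -->
+<nodiff>/etc/ssl/private.key</nodiff>
+
+<skip_nfs>yes</skip_nfs>
+<skip_dev>yes</skip_dev>
+<skip_proc>yes</skip_proc>
+<skip_sys>yes</skip_sys>
+
+<!-- Nice value for Syscheck process -->
+<process_priority>10</process_priority>
+
+<!-- Maximum output throughput -->
+<max_eps>100</max_eps>
+
+<!-- Database synchronization settings -->
+<synchronization>
+<enabled>yes</enabled>
+<interval>5m</interval>
+<max_interval>1h</max_interval>
+<max_eps>10</max_eps>
+</synchronization>
+</syscheck>
+
+<!-- Active response -->
+<global>
+<white_list>127.0.0.1</white_list>
+<white_list>^localhost.localdomain$</white_list>
+<white_list>4.2.2.1</white_list>
+<white_list>4.2.2.2</white_list>
+<white_list>208.67.220.220</white_list>
+</global>
+
+<command>
+<name>disable-account</name>
+<executable>disable-account.sh</executable>
+<expect>user</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>restart-ossec</name>
+<executable>restart-ossec.sh</executable>
+<expect></expect>
+</command>
+
+<command>
+<name>firewall-drop</name>
+<executable>firewall-drop.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>host-deny</name>
+<executable>host-deny.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>route-null</name>
+<executable>route-null.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>win_route-null</name>
+<executable>route-null.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>win_route-null-2012</name>
+<executable>route-null-2012.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>netsh</name>
+<executable>netsh.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>netsh-win-2016</name>
+<executable>netsh-win-2016.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<!--
+<active-response>
+active-response options here
+</active-response>
+-->
+
+<!-- Log analysis -->
+<localfile>
+<log_format>command</log_format>
+<command>df -P</command>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+<alias>netstat listening ports</alias>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>last -n 20</command>
+<frequency>360</frequency>
+</localfile>
+
+<ruleset>
+<!-- Default ruleset -->
+<decoder_dir>ruleset/decoders</decoder_dir>
+<rule_dir>ruleset/rules</rule_dir>
+<rule_exclude>0215-policy_rules.xml</rule_exclude>
+<list>etc/lists/audit-keys</list>
+<list>etc/lists/amazon/aws-eventnames</list>
+<list>etc/lists/security-eventchannel</list>
+
+<!-- User-defined ruleset -->
+<decoder_dir>etc/decoders</decoder_dir>
+<rule_dir>etc/rules</rule_dir>
+</ruleset>
+
+<!-- Configuration for ossec-authd -->
+<auth>
+<disabled>no</disabled>
+<port>1515</port>
+<use_source_ip>no</use_source_ip>
+<force_insert>yes</force_insert>
+<force_time>0</force_time>
+<purge>yes</purge>
+<use_password>no</use_password>
+<limit_maxagents>yes</limit_maxagents>
+<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+<!-- <ssl_agent_ca></ssl_agent_ca> -->
+<ssl_verify_host>no</ssl_verify_host>
+<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+<ssl_auto_negotiate>no</ssl_auto_negotiate>
+</auth>
+
+<cluster>
+<name>wazuh</name>
+<node_name>manager</node_name>
+<node_type>master</node_type>
+<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+<port>1516</port>
+<bind_addr>0.0.0.0</bind_addr>
+<nodes>
+<node>wazuh-master</node>
+</nodes>
+<hidden>no</hidden>
+<disabled>no</disabled>
+</cluster>
+
+</ossec_config>
+
+<ossec_config>
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/ossec/logs/active-responses.log</location>
+</localfile>
+</ossec_config>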
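Review bot: The cluster `<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>` is a fixed literal committed to the repository and is repeated verbatim in production_cluster/wazuh_cluster/wazuh_worker.conf, so every cluster deployed from these files without editing it shares the same secret for the manager/worker traffic on port 1516. A comment such as `<!-- CHANGEME: generate a unique 32-character key per deployment; the same value must be set on every node -->` above the `<key>` line would make the placeholder status explicit, and injecting the value from an environment variable in the init script would avoid shipping it inside the image. In `<auth>`, `<use_password>no</use_password>` together with `<ssl_verify_host>no</ssl_verify_host>` means agent enrollment on port 1515 accepts any client that can reach it; that is a common default for an example cluster, but since the directory is named production_cluster a comment stating that this is deliberate would help.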
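--- a/production_cluster/wazuh_cluster/wazuh_worker.conf
+++ b/production_cluster/wazuh_cluster/wazuh_worker.conf
@@ -0,0 +1,349 @@
+<ossec_config>
+<global>
+<jsonout_output>yes</jsonout_output>
+<alerts_log>yes</alerts_log>
+<logall>no</logall>
+<logall_json>no</logall_json>
+<email_notification>no</email_notification>
+<smtp_server>smtp.example.wazuh.com</smtp_server>
+<email_from>ossecm@example.wazuh.com</email_from>
+<email_to>recipient@example.wazuh.com</email_to>
+<email_maxperhour>12</email_maxperhour>
+<email_log_source>alerts.log</email_log_source>
+</global>
+
+<alerts>
+<log_alert_level>3</log_alert_level>
+<email_alert_level>12</email_alert_level>
+</alerts>
+
+<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+<logging>
+<log_format>plain</log_format>
+</logging>
+
+<remote>
+<connection>secure</connection>
+<port>1514</port>
+<protocol>tcp</protocol>
+<queue_size>131072</queue_size>
+</remote>
+
+<!-- Policy monitoring -->
+<rootcheck>
+<disabled>no</disabled>
+<check_files>yes</check_files>
+<check_trojans>yes</check_trojans>
+<check_dev>yes</check_dev>
+<check_sys>yes</check_sys>
+<check_pids>yes</check_pids>
+<check_ports>yes</check_ports>
+<check_if>yes</check_if>
+
+<!-- Frequency that rootcheck is executed - every 12 hours -->
+<frequency>43200</frequency>
+
+<rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+<rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+<skip_nfs>yes</skip_nfs>
+</rootcheck>
+
+<wodle name="cis-cat">
+<disabled>yes</disabled>
+<timeout>1800</timeout>
+<interval>1d</interval>
+<scan-on-start>yes</scan-on-start>
+
+<java_path>wodles/java</java_path>
+<ciscat_path>wodles/ciscat</ciscat_path>
+</wodle>
+
+<!-- Osquery integration -->
+<wodle name="osquery">
+<disabled>yes</disabled>
+<run_daemon>yes</run_daemon>
+<log_path>/var/log/osquery/osqueryd.results.log</log_path>
+<config_path>/etc/osquery/osquery.conf</config_path>
+<add_labels>yes</add_labels>
+</wodle>
+
+<!-- System inventory -->
+<wodle name="syscollector">
+<disabled>no</disabled>
+<interval>1h</interval>
+<scan_on_start>yes</scan_on_start>
+<hardware>yes</hardware>
+<os>yes</os>
+<network>yes</network>
+<packages>yes</packages>
+<ports all="no">yes</ports>
+<processes>yes</processes>
+</wodle>
+
+<sca>
+<enabled>yes</enabled>
+<scan_on_start>yes</scan_on_start>
+<interval>12h</interval>
+<skip_nfs>yes</skip_nfs>
+</sca>
+
+<vulnerability-detector>
+<enabled>no</enabled>
+<interval>5m</interval>
+<ignore_time>6h</ignore_time>
+<run_on_start>yes</run_on_start>
+
+<!-- Ubuntu OS vulnerabilities -->
+<provider name="canonical">
+<enabled>no</enabled>
+<os>trusty</os>
+<os>xenial</os>
+<os>bionic</os>
+<os>focal</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Debian OS vulnerabilities -->
+<provider name="debian">
+<enabled>no</enabled>
+<os>stretch</os>
+<os>buster</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- RedHat OS vulnerabilities -->
+<provider name="redhat">
+<enabled>no</enabled>
+<os>5</os>
+<os>6</os>
+<os>7</os>
+<os>8</os>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Windows OS vulnerabilities -->
+<provider name="msu">
+<enabled>yes</enabled>
+<update_interval>1h</update_interval>
+</provider>
+
+<!-- Aggregate vulnerabilities -->
+<provider name="nvd">
+<enabled>yes</enabled>
+<update_from_year>2010</update_from_year>
+<update_interval>1h</update_interval>
+</provider>
+
+</vulnerability-detector>
+
+<!-- File integrity monitoring -->
+<syscheck>
+<disabled>no</disabled>
+
+<!-- Frequency that syscheck is executed default every 12 hours -->
+<frequency>43200</frequency>
+
+<scan_on_start>yes</scan_on_start>
+
+<!-- Generate alert when new file detected -->
+<alert_new_files>yes</alert_new_files>
+
+<!-- Don't ignore files that change more than 'frequency' times -->
+<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+<!-- Directories to check (perform all possible verifications) -->
+<directories>/etc,/usr/bin,/usr/sbin</directories>
+<directories>/bin,/sbin,/boot</directories>
+
+<!-- Files/directories to ignore -->
+<ignore>/etc/mtab</ignore>
+<ignore>/etc/hosts.deny</ignore>
+<ignore>/etc/mail/statistics</ignore>
+<ignore>/etc/random-seed</ignore>
+<ignore>/etc/random.seed</ignore>
+<ignore>/etc/adjtime</ignore>
+<ignore>/etc/httpd/logs</ignore>
+<ignore>/etc/utmpx</ignore>
+<ignore>/etc/wtmpx</ignore>
+<ignore>/etc/cups/certs</ignore>
+<ignore>/etc/dumpdates</ignore>
+<ignore>/etc/svc/volatile</ignore>
+
+<!-- File types to ignore -->
+<ignore type="sregex">.log$|.swp$</ignore>
+
+<!-- Check the file, but never compute the diff -->
+<nodiff>/etc/ssl/private.key</nodiff>
+
+<skip_nfs>yes</skip_nfs>
+<skip_dev>yes</skip_dev>
+<skip_proc>yes</skip_proc>
+<skip_sys>yes</skip_sys>
+
+<!-- Nice value for Syscheck process -->
+<process_priority>10</process_priority>
+
+<!-- Maximum output throughput -->
+<max_eps>100</max_eps>
+
+<!-- Database synchronization settings -->
+<synchronization>
+<enabled>yes</enabled>
+<interval>5m</interval>
+<max_interval>1h</max_interval>
+<max_eps>10</max_eps>
+</synchronization>
+</syscheck>
+
+<!-- Active response -->
+<global>
+<white_list>127.0.0.1</white_list>
+<white_list>^localhost.localdomain$</white_list>
+<white_list>4.2.2.1</white_list>
+<white_list>4.2.2.2</white_list>
+<white_list>208.67.220.220</white_list>
+</global>
+
+<command>
+<name>disable-account</name>
+<executable>disable-account.sh</executable>
+<expect>user</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>restart-ossec</name>
+<executable>restart-ossec.sh</executable>
+<expect></expect>
+</command>
+
+<command>
+<name>firewall-drop</name>
+<executable>firewall-drop.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>host-deny</name>
+<executable>host-deny.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>route-null</name>
+<executable>route-null.sh</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>win_route-null</name>
+<executable>route-null.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>win_route-null-2012</name>
+<executable>route-null-2012.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>netsh</name>
+<executable>netsh.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<command>
+<name>netsh-win-2016</name>
+<executable>netsh-win-2016.cmd</executable>
+<expect>srcip</expect>
+<timeout_allowed>yes</timeout_allowed>
+</command>
+
+<!--
+<active-response>
+active-response options here
+</active-response>
+-->
+
+<!-- Log analysis -->
+<localfile>
+<log_format>command</log_format>
+<command>df -P</command>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+<alias>netstat listening ports</alias>
+<frequency>360</frequency>
+</localfile>
+
+<localfile>
+<log_format>full_command</log_format>
+<command>last -n 20</command>
+<frequency>360</frequency>
+</localfile>
+
+<ruleset>
+<!-- Default ruleset -->
+<decoder_dir>ruleset/decoders</decoder_dir>
+<rule_dir>ruleset/rules</rule_dir>
+<rule_exclude>0215-policy_rules.xml</rule_exclude>
+<list>etc/lists/audit-keys</list>
+<list>etc/lists/amazon/aws-eventnames</list>
+<list>etc/lists/security-eventchannel</list>
+
+<!-- User-defined ruleset -->
+<decoder_dir>etc/decoders</decoder_dir>
+<rule_dir>etc/rules</rule_dir>
+</ruleset>
+
+<!-- Configuration for ossec-authd -->
+<auth>
+<disabled>no</disabled>
+<port>1515</port>
+<use_source_ip>no</use_source_ip>
+<force_insert>yes</force_insert>
+<force_time>0</force_time>
+<purge>yes</purge>
+<use_password>no</use_password>
+<limit_maxagents>yes</limit_maxagents>
+<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+<!-- <ssl_agent_ca></ssl_agent_ca> -->
+<ssl_verify_host>no</ssl_verify_host>
+<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+<ssl_auto_negotiate>no</ssl_auto_negotiate>
+</auth>
+
+<cluster>
+<name>wazuh</name>
+<node_name>worker01</node_name>
+<node_type>worker</node_type>
+<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+<port>1516</port>
+<bind_addr>0.0.0.0</bind_addr>
+<nodes>
+<node>wazuh-master</node>
+</nodes>
+<hidden>no</hidden>
+<disabled>no</disabled>
+</cluster>
+
+</ossec_config>
+
+<ossec_config>
+<localfile>
+<log_format>syslog</log_format>
+<location>/var/ossec/logs/active-responses.log</location>
+</localfile>
+</ossec_config>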
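--- a/wazuh-odfe/Dockerfile
+++ b/wazuh-odfe/Dockerfile
@@ -0,0 +1,54 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM centos:7
+
+ARG FILEBEAT_CHANNEL=filebeat-oss
+ARG FILEBEAT_VERSION=7.10.0
+ARG WAZUH_VERSION=4.1.0-1
+ARG TEMPLATE_VERSION="master"
+ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
+
+# Set repositories.
+RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
+
+COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
+
+RUN yum --enablerepo=updates clean metadata && \
+yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
+sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
+yum clean all && rm -rf /var/cache/yum
+
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
+rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
+
+RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
+
+RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
+
+ARG S6_VERSION="v2.2.0.3"
+RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
+-o /tmp/s6-overlay-amd64.tar.gz && \
+tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
+tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
+rm /tmp/s6-overlay-amd64.tar.gz
+
+COPY config/filebeat.yml /etc/filebeat/
+
+RUN chmod go-w /etc/filebeat/filebeat.yml
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+RUN chmod go-w /etc/filebeat/wazuh-template.json
+
+COPY config/etc/ /etc/
+COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
+
+# Prepare permanent data
+# Sync calls are due to https://github.com/docker/docker/issues/9547
+COPY config/permanent_data.env config/permanent_data.sh /
+RUN chmod 755 /permanent_data.sh && \
+sync && /permanent_data.sh && \
+sync && rm /permanent_data.sh
+
+# Services ports
+EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
+
+ENTRYPOINT [ "/init" ]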
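Review bot: The goss download at `RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 ...` fetches whichever release is current at build time, and nothing in the file verifies a checksum for it, for the filebeat RPM, or for the `${WAZUH_FILEBEAT_MODULE}` tarball, so two builds of the same Dockerfile can yield different images and a replaced artifact would be installed without notice. Pinning goss through an `ARG GOSS_VERSION` in the style of the existing `S6_VERSION`, and checking each downloaded file against a known digest (`echo "<expected-sha256>  goss-linux-amd64" | sha256sum -c`), would make the build reproducible and verifiable. The filebeat-module line `curl -s ... | tar -xvz` also lacks `--fail`, so an HTTP error body is piped into tar and the failure is reported by tar rather than by curl; `curl -fsSL` is the usual form, as already done with `--fail --silent` on the s6 line. The `ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/...` line defaults to `master`, which carries the same moving-target concern.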
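--- a/wazuh-odfe/config/create_user.py
+++ b/wazuh-odfe/config/create_user.py
@@ -0,0 +1,97 @@
+import logging
+import sys
+import json
+import random
+import string
+import os
+
+# Set framework path
+sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
+
+USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
+SPECIAL_CHARS = "@$!%*?&-_"
+
+
+try:
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+
+def read_user_file(path=USER_FILE_PATH):
+    with open(path) as user_file:
+        data = json.load(user_file)
+    return data["username"], data["password"]
+
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+
+def db_roles():
+    roles_result = get_roles()
+    return {role["name"]: role["id"] for role in roles_result.affected_items}
+
+def disable_user(uid):
+    random_pass = "".join(
+        random.choices(
+            string.ascii_uppercase
+            + string.ascii_lowercase
+            + string.digits
+            + SPECIAL_CHARS,
+            k=8,
+        )
+    )
+    # assure there must be at least one character from each group
+    random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
+    random_pass = ''.join(random.sample(random_pass,len(random_pass)))
+    update_user(
+        user_id=[
+            str(uid),
+        ],
+        password=random_pass,
+    )
+
+
+if __name__ == "__main__":
+    if not os.path.exists(USER_FILE_PATH):
+        # abort if no user file detected
+        sys.exit(0)
+    username, password = read_user_file()
+    initial_users = db_users()
+    if username not in initial_users:
+        # create a new user
+        create_user(username=username, password=password)
+        users = db_users()
+        uid = users[username]
+        roles = db_roles()
+        rid = roles["administrator"]
+        set_user_role(
+            user_id=[
+                str(uid),
+            ],
+            role_ids=[
+                str(rid),
+            ],
+        )
+    else:
+        # modify an existing user ("wazuh" or "wazuh-wui")
+        uid = initial_users[username]
+        update_user(
+            user_id=[
+                str(uid),
+            ],
+            password=password,
+        )
+    # disable unused default users
+    for def_user in ['wazuh', 'wazuh-wui']:
+        if def_user != username:
+            disable_user(initial_users[def_user])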
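Review bot: `disable_user` builds the replacement password with the `random` module (`random.choices`, `random.choice`, `random.sample`), which is a non-cryptographic PRNG; since that password is what locks the unused default API account, it should come from `secrets` — add `import secrets`, start the function with `rng = secrets.SystemRandom()`, and use `rng.choices`, `rng.choice` and `rng.sample` in place of the three `random.` calls. The final loop `disable_user(initial_users[def_user])` raises KeyError when either default user is missing from the database, which aborts the init step on a manager whose defaults were already removed; `uid = initial_users.get(def_user)` with a skip when it is None would be the safe form. The `except Exception as e:` never uses `e`, and a module docstring stating that the script reads `/var/ossec/api/configuration/admin.json` to create or update the API admin user and then disables the other default accounts would orient readers.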
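--- /dev/null
+++ b/wazuh-odfe/config/etc/cont-init.d/0-wazuh-init
@@ -0,0 +1,187 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+
+
+##############################################################################
+# Aux functions
+##############################################################################
+print() {
+  echo -e $1
+}
+
+error_and_exit() {
+  echo "Error executing command: '$1'."
+  echo 'Exiting.'
+  exit 1
+}
+
+exec_cmd() {
+  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+  eval $1 2>&1 || error_and_exit "$1"
+}
+
+
+##############################################################################
+# This function will attempt to mount every directory in PERMANENT_DATA
+# into the respective path.
+# If the path is empty means permanent data volume is also empty, so a backup
+# will be copied into it. Otherwise it will not be copied because there is
+# already data inside the volume for the specified path.
+##############################################################################
+
+mount_permanent_data() {
+  for permanent_dir in "${PERMANENT_DATA[@]}"; do
+    # Check if the path is not empty
+    if find ${permanent_dir} -mindepth 1 | read; then
+      print "The path ${permanent_dir} is already mounted"
+    else
+      print "Installing ${permanent_dir}"
+      exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will replace from the permanent data volume every file
+# contained in PERMANENT_DATA_EXCP
+# Some files as 'internal_options.conf' are saved as permanent data, but
+# they must be updated to work properly if wazuh version is changed.
+##############################################################################
+
+apply_exclusion_data() {
+  for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+    if [ -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ]
+    then
+      DIR=$(dirname "${exclusion_file}")
+      if [ ! -e ${DIR} ]
+      then
+        mkdir -p ${DIR}
+      fi
+
+      print "Updating ${exclusion_file}"
+      exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will delete from the permanent data volume every file
+# contained in PERMANENT_DATA_DEL
+##############################################################################
+
+remove_data_files() {
+  for del_file in "${PERMANENT_DATA_DEL[@]}"; do
+    if [ -e ${del_file} ]
+    then
+      print "Removing ${del_file}"
+      exec_cmd "rm ${del_file}"
+    fi
+  done
+}
+
+##############################################################################
+# Create certificates: Manager
+##############################################################################
+
+create_ossec_key_cert() {
+  print "Creating ossec-authd key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+}
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+
+mount_files() {
+  if [ -e "$WAZUH_CONFIG_MOUNT" ]
+  then
+    print "Identified Wazuh configuration files to mount..."
+    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
+  else
+    print "No Wazuh configuration files to mount..."
+  fi
+}
+
+
+##############################################################################
+# Allow users to set the container hostname as <node_name> dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+
+set_custom_hostname() {
+  sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+}
+
+##############################################################################
+# Allow users to set the container cluster key dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+
+set_custom_cluster_key() {
+  sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+}
+
+##############################################################################
+# Main function
+##############################################################################
+
+main() {
+  # Mount permanent data (i.e. ossec.conf)
+  mount_permanent_data
+
+  # Restore files stored in permanent data that are not permanent (i.e. internal_options.conf)
+  apply_exclusion_data
+
+  # Remove some files in permanent_data (i.e. .template.db)
+  remove_data_files
+
+  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
+    then
+      create_ossec_key_cert
+    fi
+  fi
+
+  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
+  mount_files
+
+  # Allow setting custom hostname
+  set_custom_hostname
+
+  # Allow setting custom cluster key
+  set_custom_cluster_key
+
+  # Delete temporary data folder
+  rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
+
+}
+
+main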
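Review bot: `create_ossec_key_cert` never sets a mode on sslmanager.key, so its permissions are whatever `openssl genrsa -out` and the umask produce (as far as I recall, OpenSSL 1.0.x builds simply use the umask, typically giving 0644), while the migration path in 2-manager pins the same file to root:root 0640; the two paths should agree on the private key's protection. Add `exec_cmd "chmod 640 ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert"` after the `openssl req` line, or run the function under `umask 077`, assuming wazuh-authd reads the key as root as the migration ownership suggests. Separately, `set_custom_cluster_key` splices `${WAZUH_CLUSTER_KEY}` into a `/`-delimited sed expression, so a key containing `/` or `&` corrupts the substitution or ossec.conf; using another delimiter such as `s#...#...#g` and escaping `&` in the value avoids that.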
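--- /dev/null
+++ b/wazuh-odfe/config/etc/cont-init.d/1-config-filebeat
@@ -0,0 +1,45 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "$ELASTICSEARCH_URL" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP"
+  sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
+fi
+
+# Configure filebeat.yml security settings
+
+if [ "$ELASTIC_USERNAME" != "" ]; then
+  >&2 echo "Configuring username."
+  sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$ELASTIC_PASSWORD" != "" ]; then
+  >&2 echo "Configuring password."
+  sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
+  >&2 echo "Configuring SSL verification mode."
+  sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
+  >&2 echo "Configuring Certificate Authorities."
+  sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_CERTIFICATE" != "" ]; then
+  >&2 echo "Configuring SSL Certificate."
+  sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_KEY" != "" ]; then
+  >&2 echo "Configuring SSL Key."
+  sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
+fi
+
+
+chmod go-w /etc/filebeat/filebeat.yml || true
+chown root: /etc/filebeat/filebeat.yml || true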
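Review bot: After the `#password:` substitution, /etc/filebeat/filebeat.yml holds the Elasticsearch password in clear text, and since `/etc/filebeat` is listed in PERMANENT_DATA in permanent_data.env that copy is persisted on the data volume across container recreations; the closing `chmod go-w` only strips write, so the file stays readable by every uid in the container. Tighten the last lines to `chmod 600 /etc/filebeat/filebeat.yml || true`, which still satisfies the not-writable-by-others check that presumably motivated `go-w`, provided Filebeat runs as root as the s6 run script suggests. The same `sed` calls interpolate raw values into a `|`-delimited expression, so a password containing `|`, `'` or `&` either breaks the substitution or yields invalid YAML; a secret reference such as `password: '${ES_PASSWORD}'` resolved from the Filebeat keystore or the environment avoids both the quoting and the on-disk copy.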
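--- /dev/null
+++ b/wazuh-odfe/config/etc/cont-init.d/2-manager
@@ -0,0 +1,126 @@
+#!/usr/bin/with-contenv bash
+
+##############################################################################
+# Migration sequence
+# Detect if there is a mounted volume on /wazuh-migration and copy the data
+# to /var/ossec, finally it will create a flag ".migration-completed" inside
+# the mounted volume
+##############################################################################
+
+function __colortext()
+{
+  echo -e " \e[1;$2m$1\e[0m"
+}
+
+function echogreen()
+{
+  echo $(__colortext "$1" "32")
+}
+
+function echoyellow()
+{
+  echo $(__colortext "$1" "33")
+}
+
+function echored()
+{
+  echo $(__colortext "$1" "31")
+}
+
+function_wazuh_migration(){
+  if [ -d "/wazuh-migration" ]; then
+    if [ ! -e /wazuh-migration/.migration-completed ]; then
+      if [ ! -e /wazuh-migration/global.db ]; then
+        echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
+        return
+      fi
+
+      \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
+      chown root:ossec /var/ossec/etc/ossec.conf
+      chmod 640 /var/ossec/etc/ossec.conf
+
+      \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
+      chown ossec:ossec /var/ossec/etc/client.keys
+      chmod 640 /var/ossec/etc/client.keys
+
+      \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
+      \cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
+      chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
+      chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
+
+      \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
+      chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
+      chmod 660 /var/ossec/etc/shared/default/agent.conf
+
+      \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
+      chown ossec:ossec /var/ossec/etc/decoders/*
+      chmod 660 /var/ossec/etc/decoders/*
+
+      \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
+      chown ossec:ossec /var/ossec/etc/rules/*
+      chmod 660 /var/ossec/etc/rules/*
+
+      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
+        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
+        chown root:ossec /var/ossec/agentless/.passlist
+        chmod 640 /var/ossec/agentless/.passlist
+      fi
+
+      \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
+      chown ossec:ossec /var/ossec/queue/db/global.db
+      chmod 640 /var/ossec/queue/db/global.db
+
+      # mark volume as migrated
+      touch /wazuh-migration/.migration-completed
+
+      echogreen "Migration completed succesfully"
+    else
+      echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
+    fi
+  fi
+}
+
+function_create_custom_user() {
+  if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
+    cat << EOF > /var/ossec/api/configuration/admin.json
+{
+  "username": "$API_USERNAME",
+  "password": "$API_PASSWORD"
+}
+EOF
+
+    # create or customize API user
+    if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then
+      # remove json if exit code is 0
+      rm /var/ossec/api/configuration/admin.json
+    else
+      echored "There was an error configuring the API user"
+      # terminate container to avoid unpredictable behavior
+      exec s6-svscanctl -t /var/run/s6/services
+      exit 1
+    fi
+  fi
+}
+
+function_entrypoint_scripts() {
+  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+  if [ -d "/entrypoint-scripts/" ]
+  then
+    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+      bash "$script"
+    done
+  fi
+}
+
+
+# Migrate data from /wazuh-migration volume
+function_wazuh_migration
+
+# create API custom user
+function_create_custom_user
+
+# run entrypoint scripts
+function_entrypoint_scripts
+
+# Start Wazuh
+/var/ossec/bin/ossec-control start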
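Review bot: In `function_create_custom_user` the API credentials are written to /var/ossec/api/configuration/admin.json under the default umask, and on the failure branch the file is never removed before `exec s6-svscanctl -t`; `/var/ossec/api/configuration` is persisted per permanent_data.env, so one bad start leaves a clear-text admin password on the volume indefinitely. Add `rm -f /var/ossec/api/configuration/admin.json` before the `exec` in the else branch, and create the file under `( umask 077; cat << EOF > /var/ossec/api/configuration/admin.json ... EOF )` or `chmod 600` it right after the heredoc. Note that `$API_USERNAME`/`$API_PASSWORD` are spliced into the JSON unescaped, so a password containing `"` or `\` produces an invalid file and, presumably via create_user.py's parse failure, takes exactly that leaky path; the `exit 1` after `exec` is unreachable and deserves a one-line comment saying it is only a fallback if the exec fails.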
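--- /dev/null
+++ b/wazuh-odfe/config/etc/services.d/filebeat/finish
@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+echo >&2 "Filebeat exited. code=${1}"
+
+# terminate other services to exit from the container
+exec s6-svscanctl -t /var/run/s6/services
+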
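--- /dev/null
+++ b/wazuh-odfe/config/etc/services.d/filebeat/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+echo >&2 "starting Filebeat"
+
+exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat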
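--- /dev/null
+++ b/wazuh-odfe/config/etc/services.d/ossec-logs/run
@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+# dumping ossec.log to standard output
+exec tail -f /var/ossec/logs/ossec.log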
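Review bot: `tail -f` follows the open descriptor, so if ossec.log is rotated by renaming (the manager's own log rotation does this daily, as far as I recall) the container's stdout goes silent after the first rotation and whatever collects container logs loses the manager log without any error. `exec tail -F /var/ossec/logs/ossec.log` follows the name and reopens the new file; both GNU and busybox tail accept `-F`, which matters because the shebang is `sh` rather than bash.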
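--- /dev/null
+++ b/wazuh-odfe/config/filebeat.yml
@@ -0,0 +1,22 @@
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+  hosts: ['https://elasticsearch:9200']
+  #username:
+  #password:
+  #ssl.verification_mode:
+  #ssl.certificate_authorities:
+  #ssl.certificate:
+  #ssl.key: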
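Review bot: The commented `#username:`, `#password:` and `#ssl.*` keys are not illustrative defaults but anchors: cont-init.d/1-config-filebeat rewrites each of them in place with `sed` from ELASTIC_USERNAME, ELASTIC_PASSWORD, FILEBEAT_SSL_VERIFICATION_MODE, SSL_CERTIFICATE_AUTHORITIES, SSL_CERTIFICATE and SSL_KEY, and `hosts:` from ELASTICSEARCH_URL, so renaming or deleting one silently breaks that wiring. A header comment should say so, e.g. `# The '#username:', '#password:' and '#ssl.*' lines below are placeholders rewritten by cont-init.d/1-config-filebeat from the container environment; keep their names.` It is also worth noting next to `#ssl.verification_mode:` that leaving it commented keeps Filebeat's default (full certificate verification, as far as I know) and that `FILEBEAT_SSL_VERIFICATION_MODE=none` disables it, since this file is where an operator will look for the TLS posture.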
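--- /dev/null
+++ b/wazuh-odfe/config/permanent_data.env
@@ -0,0 +1,67 @@
+# Permanent data mounted in volumes
+i=0
+PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
+PERMANENT_DATA[((i++))]="/var/ossec/etc"
+PERMANENT_DATA[((i++))]="/var/ossec/logs"
+PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/agentless"
+PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
+PERMANENT_DATA[((i++))]="/var/ossec/integrations"
+PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
+PERMANENT_DATA[((i++))]="/var/ossec/wodles"
+PERMANENT_DATA[((i++))]="/etc/filebeat"
+export PERMANENT_DATA
+
+# Files mounted in a volume that should not be permanent
+i=0
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+export PERMANENT_DATA_EXCP
+
+# Files mounted in a volume that should be deleted
+i=0
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
+export PERMANENT_DATA_DEL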
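Review bot: `/etc/filebeat` is made permanent here but nothing under it appears in PERMANENT_DATA_EXCP, so once the volume is populated `/etc/filebeat/wazuh-template.json`, which filebeat.yml loads with `setup.template.overwrite: true`, is the copy frozen at first start and is never refreshed by a newer image; an upgraded template shipped with a later release would not reach Elasticsearch, which is exactly the "must be updated when the wazuh version changes" case this list exists for. If the image installs the template at that path (the Dockerfile is not in this chunk), add `PERMANENT_DATA_EXCP[((i++))]="/etc/filebeat/wazuh-template.json"` alongside the other exclusions. Consider documenting in the header comment that anything listed in PERMANENT_DATA without a matching exclusion is effectively pinned forever, since that is the non-obvious consequence of adding a directory here.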
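--- /dev/null
+++ b/wazuh-odfe/config/permanent_data.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp
+mkdir ${DATA_TMP_PATH}
+
+# Move exclusion files to EXCLUSION_PATH
+EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion
+mkdir ${EXCLUSION_PATH}
+
+for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+  # Create the directory for the exclusion file if it does not exist
+  DIR=$(dirname "${exclusion_file}")
+  if [ ! -e ${EXCLUSION_PATH}/${DIR} ]
+  then
+    mkdir -p ${EXCLUSION_PATH}/${DIR}
+  fi
+
+  mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file}
+done
+
+# Move permanent files to PERMANENT_PATH
+PERMANENT_PATH=${DATA_TMP_PATH}/permanent
+mkdir ${PERMANENT_PATH}
+
+for permanent_dir in "${PERMANENT_DATA[@]}"; do
+  # Create the directory for the permanent file if it does not exist
+  DIR=$(dirname "${permanent_dir}")
+  if [ ! -e ${PERMANENT_PATH}${DIR} ]
+  then
+    mkdir -p ${PERMANENT_PATH}${DIR}
+  fi
+
+  mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
+
+done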
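Review bot: The script runs without `set -e`, so when a path listed in PERMANENT_DATA_EXCP or PERMANENT_DATA is absent from the image (easy after a Wazuh version bump renames an integration or wodle) the `mv` fails, the image build still succeeds, and the gap only surfaces at container start, where 0-wazuh-init's `-e` test on the exclusion copy is false and the stale file on the volume is kept silently. Add `set -e` after the copyright line, or guard each move with `[ -e "${exclusion_file}" ] || { echo "missing ${exclusion_file}" >&2; exit 1; }` so the build fails loudly. Quoting `"${exclusion_file}"` and `"${permanent_dir}"` in the `mv` and `mkdir` lines would also keep a future path with spaces from splitting, although none of the current entries has one.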
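--- /dev/null
+++ b/wazuh-odfe/config/wazuh.repo
@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/4.x/yum/
+protect=1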
@@ -1,86 +0,0 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
FROM phusion/baseimage:latest
|
|
||||||
ARG FILEBEAT_VERSION=6.5.3
|
|
||||||
ARG WAZUH_VERSION=3.7.1-1
|
|
||||||
|
|
||||||
# Updating image
|
|
||||||
RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
|
|
||||||
|
|
||||||
# Set Wazuh repository.
|
|
||||||
RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
|
|
||||||
RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
|
|
||||||
|
|
||||||
# Set nodejs repository.
|
|
||||||
RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
|
|
||||||
|
|
||||||
# Creating ossec user as uid:gid 1000:1000
|
|
||||||
RUN groupadd -g 1000 ossec
|
|
||||||
RUN useradd -u 1000 -g 1000 -d /var/ossec ossec
|
|
||||||
|
|
||||||
# Configure postfix
|
|
||||||
RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
|
|
||||||
RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
|
|
||||||
|
|
||||||
# Add universe repository
|
|
||||||
RUN add-apt-repository universe
|
|
||||||
|
|
||||||
# Install packages
|
|
||||||
RUN apt-get update && apt-get -y install openssl postfix bsd-mailx python-boto python-pip \
|
|
||||||
apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
|
|
||||||
wazuh-api=${WAZUH_VERSION} mailutils libsasl2-modules
|
|
||||||
|
|
||||||
# Adding first run script.
|
|
||||||
ADD config/data_dirs.env /data_dirs.env
|
|
||||||
ADD config/init.bash /init.bash
|
|
||||||
|
|
||||||
# Sync calls are due to https://github.com/docker/docker/issues/9547
|
|
||||||
RUN chmod 755 /init.bash &&\
|
|
||||||
sync && /init.bash &&\
|
|
||||||
sync && rm /init.bash
|
|
||||||
|
|
||||||
# Installing and configuring fiebeat
|
|
||||||
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
|
|
||||||
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
|
|
||||||
COPY config/filebeat.yml /etc/filebeat/
|
|
||||||
RUN chmod go-w /etc/filebeat/filebeat.yml
|
|
||||||
|
|
||||||
# Adding entrypoint
|
|
||||||
ADD config/entrypoint.sh /entrypoint.sh
|
|
||||||
RUN chmod 755 /entrypoint.sh
|
|
||||||
|
|
||||||
# Setting volumes
|
|
||||||
VOLUME ["/var/ossec/data"]
|
|
||||||
VOLUME ["/etc/filebeat"]
|
|
||||||
VOLUME ["/etc/postfix"]
|
|
||||||
|
|
||||||
# Services ports
|
|
||||||
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
|
|
||||||
|
|
||||||
# Clean up
|
|
||||||
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
|
|
||||||
|
|
||||||
# Adding services
|
|
||||||
RUN mkdir /etc/service/wazuh
|
|
||||||
COPY config/wazuh.runit.service /etc/service/wazuh/run
|
|
||||||
RUN chmod +x /etc/service/wazuh/run
|
|
||||||
|
|
||||||
RUN mkdir /etc/service/wazuh-api
|
|
||||||
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
|
|
||||||
RUN chmod +x /etc/service/wazuh-api/run
|
|
||||||
|
|
||||||
RUN mkdir /etc/service/postfix
|
|
||||||
COPY config/postfix.runit.service /etc/service/postfix/run
|
|
||||||
RUN chmod +x /etc/service/postfix/run
|
|
||||||
|
|
||||||
RUN mkdir /etc/service/filebeat
|
|
||||||
COPY config/filebeat.runit.service /etc/service/filebeat/run
|
|
||||||
RUN chmod +x /etc/service/filebeat/run
|
|
||||||
|
|
||||||
# Temporary fix for AWS integration
|
|
||||||
RUN sed -i 's/.*with open*/#wiht open/' /var/ossec/wodles/aws/aws-s3
|
|
||||||
RUN sed -i 's/.*max_queue_buffer = int(kernel_param.read().strip())*/#max_queue_buffer/' /var/ossec/wodles/aws/aws-s3
|
|
||||||
RUN sed -i '784imax_queue_buffer = 0' /var/ossec/wodles/aws/aws-s3
|
|
||||||
RUN sed -i '784s/^/ /' /var/ossec/wodles/aws/aws-s3
|
|
||||||
|
|
||||||
# Run all services
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
|
@@ -1,15 +0,0 @@
|
|||||||
i=0
|
|
||||||
DATA_DIRS[((i++))]="api/configuration"
|
|
||||||
DATA_DIRS[((i++))]="etc"
|
|
||||||
DATA_DIRS[((i++))]="logs"
|
|
||||||
DATA_DIRS[((i++))]="queue/db"
|
|
||||||
DATA_DIRS[((i++))]="queue/rootcheck"
|
|
||||||
DATA_DIRS[((i++))]="queue/agent-groups"
|
|
||||||
DATA_DIRS[((i++))]="queue/agent-info"
|
|
||||||
DATA_DIRS[((i++))]="queue/agents-timestamp"
|
|
||||||
DATA_DIRS[((i++))]="queue/agentless"
|
|
||||||
DATA_DIRS[((i++))]="queue/cluster"
|
|
||||||
DATA_DIRS[((i++))]="queue/rids"
|
|
||||||
DATA_DIRS[((i++))]="queue/fts"
|
|
||||||
DATA_DIRS[((i++))]="var/multigroups"
|
|
||||||
export DATA_DIRS
|
|
@@ -1,129 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
|
|
||||||
#
|
|
||||||
# OSSEC container bootstrap. See the README for information of the environment
|
|
||||||
# variables expected by this script.
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Startup the services
|
|
||||||
#
|
|
||||||
|
|
||||||
source /data_dirs.env
|
|
||||||
|
|
||||||
FIRST_TIME_INSTALLATION=false
|
|
||||||
|
|
||||||
WAZUH_INSTALL_PATH=/var/ossec
|
|
||||||
DATA_PATH=${WAZUH_INSTALL_PATH}/data
|
|
||||||
|
|
||||||
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
|
|
||||||
|
|
||||||
print() {
|
|
||||||
echo -e $1
|
|
||||||
}
|
|
||||||
|
|
||||||
error_and_exit() {
|
|
||||||
echo "Error executing command: '$1'."
|
|
||||||
echo 'Exiting.'
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
exec_cmd() {
|
|
||||||
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
exec_cmd_stdout() {
|
|
||||||
eval $1 2>&1 || error_and_exit "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
edit_configuration() { # $1 -> setting, $2 -> value
|
|
||||||
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
|
|
||||||
}
|
|
||||||
|
|
||||||
for ossecdir in "${DATA_DIRS[@]}"; do
|
|
||||||
if [ ! -e "${DATA_PATH}/${ossecdir}" ]
|
|
||||||
then
|
|
||||||
print "Installing ${ossecdir}"
|
|
||||||
exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
|
|
||||||
exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
|
|
||||||
FIRST_TIME_INSTALLATION=true
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
touch ${DATA_PATH}/process_list
|
|
||||||
chgrp ossec ${DATA_PATH}/process_list
|
|
||||||
chmod g+rw ${DATA_PATH}/process_list
|
|
||||||
|
|
||||||
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
|
|
||||||
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
|
|
||||||
|
|
||||||
if [ $FIRST_TIME_INSTALLATION == true ]
|
|
||||||
then
|
|
||||||
if [ $AUTO_ENROLLMENT_ENABLED == true ]
|
|
||||||
then
|
|
||||||
if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
|
|
||||||
then
|
|
||||||
print "Creating ossec-authd key and cert"
|
|
||||||
exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
|
|
||||||
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ $API_GENERATE_CERTS == true ]
|
|
||||||
then
|
|
||||||
if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
|
|
||||||
then
|
|
||||||
print "Enabling Wazuh API HTTPS"
|
|
||||||
edit_configuration "https" "yes"
|
|
||||||
print "Create Wazuh API key and cert"
|
|
||||||
exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
|
|
||||||
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
##############################################################################
|
|
||||||
# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
|
|
||||||
# destination files permissions
|
|
||||||
#
|
|
||||||
# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
|
|
||||||
# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
|
|
||||||
# replace the ossec.conf file in /var/ossec/data/etc with yours.
|
|
||||||
##############################################################################
|
|
||||||
if [ -e "$WAZUH_CONFIG_MOUNT" ]
|
|
||||||
then
|
|
||||||
print "Identified Wazuh configuration files to mount..."
|
|
||||||
|
|
||||||
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
|
|
||||||
else
|
|
||||||
print "No Wazuh configuration files to mount..."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Enabling ossec-authd.
|
|
||||||
exec_cmd "/var/ossec/bin/ossec-control enable auth"
|
|
||||||
|
|
||||||
function ossec_shutdown(){
|
|
||||||
${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Trap exit signals and do a proper shutdown
|
|
||||||
trap "ossec_shutdown; exit" SIGINT SIGTERM
|
|
||||||
|
|
||||||
chmod -R g+rw ${DATA_PATH}
|
|
||||||
|
|
||||||
##############################################################################
|
|
||||||
# Interpret any passed arguments (via docker command to this entrypoint) as
|
|
||||||
# paths or commands, and execute them.
|
|
||||||
#
|
|
||||||
# This can be useful for actions that need to be run before the services are
|
|
||||||
# started, such as "/var/ossec/bin/ossec-control enable agentless".
|
|
||||||
##############################################################################
|
|
||||||
for CUSTOM_COMMAND in "$@"
|
|
||||||
do
|
|
||||||
echo "Executing command \`${CUSTOM_COMMAND}\`"
|
|
||||||
exec_cmd_stdout "${CUSTOM_COMMAND}"
|
|
||||||
done
|
|
||||||
|
|
||||||
/sbin/my_init
|
|
@@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
service filebeat start
|
|
||||||
tail -f /var/log/filebeat/filebeat
|
|
@@ -1,18 +0,0 @@
|
|||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
filebeat:
|
|
||||||
inputs:
|
|
||||||
- type: log
|
|
||||||
paths:
|
|
||||||
- "/var/ossec/data/logs/alerts/alerts.json"
|
|
||||||
fields:
|
|
||||||
document_type: wazuh-alerts
|
|
||||||
json.message_key: log
|
|
||||||
json.keys_under_root: true
|
|
||||||
json.overwrite_keys: true
|
|
||||||
|
|
||||||
output:
|
|
||||||
logstash:
|
|
||||||
# The Logstash hosts
|
|
||||||
hosts: ["logstash:5000"]
|
|
||||||
# ssl:
|
|
||||||
# certificate_authorities: ["/etc/filebeat/logstash.crt"]
|
|
@@ -1,13 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
|
|
||||||
|
|
||||||
#
|
|
||||||
# Initialize the custom data directory layout
|
|
||||||
#
|
|
||||||
source /data_dirs.env
|
|
||||||
|
|
||||||
cd /var/ossec
|
|
||||||
for ossecdir in "${DATA_DIRS[@]}"; do
|
|
||||||
mv ${ossecdir} ${ossecdir}-template
|
|
||||||
ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
|
|
||||||
done
|
|
@@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
service postfix start
|
|
||||||
tail -f /var/log/mail.log
|
|
@@ -1,4 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
service wazuh-api start
|
|
||||||
tail -f /var/ossec/data/logs/api.log
|
|
||||||
|
|
@@ -1,4 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
service wazuh-manager start
|
|
||||||
tail -f /var/ossec/data/logs/ossec.log
|
|
||||||
|
|
186
xpack-compose.yml
Normal file
186
xpack-compose.yml
Normal file
@@ -0,0 +1,186 @@
|
|||||||
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
version: '3.7'
|
||||||
|
|
||||||
|
services:
|
||||||
|
wazuh:
|
||||||
|
image: wazuh/wazuh:4.1.0
|
||||||
|
hostname: wazuh-manager
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "1514:1514"
|
||||||
|
- "1515:1515"
|
||||||
|
- "514:514/udp"
|
||||||
|
- "55000:55000"
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=elastic
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=none
|
||||||
|
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
|
||||||
|
- SSL_CERTIFICATE=/etc/ssl/wazuh.crt
|
||||||
|
- SSL_KEY=/etc/ssl/wazuh.key
|
||||||
|
volumes:
|
||||||
|
- ossec_api_configuration:/var/ossec/api/configuration
|
||||||
|
- ossec_etc:/var/ossec/etc
|
||||||
|
- ossec_logs:/var/ossec/logs
|
||||||
|
- ossec_queue:/var/ossec/queue
|
||||||
|
- ossec_var_multigroups:/var/ossec/var/multigroups
|
||||||
|
- ossec_integrations:/var/ossec/integrations
|
||||||
|
- ossec_active_response:/var/ossec/active-response/bin
|
||||||
|
- ossec_agentless:/var/ossec/agentless
|
||||||
|
- ossec_wodles:/var/ossec/wodles
|
||||||
|
- filebeat_etc:/etc/filebeat
|
||||||
|
- filebeat_var:/var/lib/filebeat
|
||||||
|
- ./xpack/ca/ca.crt:/etc/ssl/ca.crt
|
||||||
|
- ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
|
||||||
|
- ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
|
||||||
|
|
||||||
|
|
||||||
|
elasticsearch:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "9200:9200"
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
elasticsearch2:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch2
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch2
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
elasticsearch3:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch3
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch3
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
image: wazuh/wazuh-kibana:4.1.0
|
||||||
|
hostname: kibana
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 443:5601
|
||||||
|
environment:
|
||||||
|
- SERVERNAME=localhost
|
||||||
|
- ELASTICSEARCH_USERNAME=elastic
|
||||||
|
- ELASTICSEARCH_PASSWORD=SecretPassword
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTICSEARCH_HOSTS=https://elasticsearch:9200
|
||||||
|
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
|
||||||
|
- SERVER_SSL_ENABLED=true
|
||||||
|
- XPACK_SECURITY_ENABLED=true
|
||||||
|
- SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
|
||||||
|
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
|
||||||
|
- ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
|
||||||
|
- ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
|
||||||
|
depends_on:
|
||||||
|
- elasticsearch
|
||||||
|
links:
|
||||||
|
- elasticsearch:elasticsearch
|
||||||
|
- wazuh:wazuh
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
ossec_api_configuration:
|
||||||
|
ossec_etc:
|
||||||
|
ossec_logs:
|
||||||
|
ossec_queue:
|
||||||
|
ossec_var_multigroups:
|
||||||
|
ossec_integrations:
|
||||||
|
ossec_active_response:
|
||||||
|
ossec_agentless:
|
||||||
|
ossec_wodles:
|
||||||
|
filebeat_etc:
|
||||||
|
filebeat_var:
|
192
xpack-from-sources.yml
Normal file
192
xpack-from-sources.yml
Normal file
@@ -0,0 +1,192 @@
|
|||||||
|
# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
|
||||||
|
version: '3.7'
|
||||||
|
|
||||||
|
services:
|
||||||
|
wazuh:
|
||||||
|
build:
|
||||||
|
context: wazuh-odfe/
|
||||||
|
args:
|
||||||
|
- FILEBEAT_CHANNEL=filebeat
|
||||||
|
- FILEBEAT_VERSION=7.10.2
|
||||||
|
image: wazuh/wazuh:4.1.0
|
||||||
|
hostname: wazuh-manager
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "1514:1514"
|
||||||
|
- "1515:1515"
|
||||||
|
- "514:514/udp"
|
||||||
|
- "55000:55000"
|
||||||
|
environment:
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTIC_USERNAME=elastic
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- FILEBEAT_SSL_VERIFICATION_MODE=none
|
||||||
|
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
|
||||||
|
- SSL_CERTIFICATE=/etc/ssl/wazuh.crt
|
||||||
|
- SSL_KEY=/etc/ssl/wazuh.key
|
||||||
|
volumes:
|
||||||
|
- ossec_api_configuration:/var/ossec/api/configuration
|
||||||
|
- ossec_etc:/var/ossec/etc
|
||||||
|
- ossec_logs:/var/ossec/logs
|
||||||
|
- ossec_queue:/var/ossec/queue
|
||||||
|
- ossec_var_multigroups:/var/ossec/var/multigroups
|
||||||
|
- ossec_integrations:/var/ossec/integrations
|
||||||
|
- ossec_active_response:/var/ossec/active-response/bin
|
||||||
|
- ossec_agentless:/var/ossec/agentless
|
||||||
|
- ossec_wodles:/var/ossec/wodles
|
||||||
|
- filebeat_etc:/etc/filebeat
|
||||||
|
- filebeat_var:/var/lib/filebeat
|
||||||
|
- ./xpack/ca/ca.crt:/etc/ssl/ca.crt
|
||||||
|
- ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
|
||||||
|
- ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
|
||||||
|
|
||||||
|
|
||||||
|
elasticsearch:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "9200:9200"
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
elasticsearch2:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch2
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch2
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
elasticsearch3:
|
||||||
|
image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
|
||||||
|
hostname: elasticsearch3
|
||||||
|
restart: always
|
||||||
|
environment:
|
||||||
|
- cluster.name=wazuh-cluster
|
||||||
|
- node.name=elasticsearch3
|
||||||
|
- discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
|
||||||
|
- ELASTIC_PASSWORD=SecretPassword
|
||||||
|
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
||||||
|
- bootstrap.memory_lock=true
|
||||||
|
- xpack.license.self_generated.type=basic
|
||||||
|
- xpack.security.enabled=true
|
||||||
|
- xpack.security.http.ssl.enabled=true
|
||||||
|
- xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
- xpack.security.transport.ssl.enabled=true
|
||||||
|
- xpack.security.transport.ssl.verification_mode=certificate
|
||||||
|
- xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
ulimits:
|
||||||
|
memlock:
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
nofile:
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
|
||||||
|
- ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
|
||||||
|
- ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
build: kibana/
|
||||||
|
image: wazuh/wazuh-kibana:4.1.0
|
||||||
|
hostname: kibana
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 443:5601
|
||||||
|
environment:
|
||||||
|
- SERVERNAME=localhost
|
||||||
|
- ELASTICSEARCH_USERNAME=elastic
|
||||||
|
- ELASTICSEARCH_PASSWORD=SecretPassword
|
||||||
|
- ELASTICSEARCH_URL=https://elasticsearch:9200
|
||||||
|
- ELASTICSEARCH_HOSTS=https://elasticsearch:9200
|
||||||
|
- ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
|
||||||
|
- SERVER_SSL_ENABLED=true
|
||||||
|
- XPACK_SECURITY_ENABLED=true
|
||||||
|
- SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
|
||||||
|
- SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
|
||||||
|
volumes:
|
||||||
|
- ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
|
||||||
|
- ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
|
||||||
|
- ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
|
||||||
|
depends_on:
|
||||||
|
- elasticsearch
|
||||||
|
links:
|
||||||
|
- elasticsearch:elasticsearch
|
||||||
|
- wazuh:wazuh
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
ossec_api_configuration:
|
||||||
|
ossec_etc:
|
||||||
|
ossec_logs:
|
||||||
|
ossec_queue:
|
||||||
|
ossec_var_multigroups:
|
||||||
|
ossec_integrations:
|
||||||
|
ossec_active_response:
|
||||||
|
ossec_agentless:
|
||||||
|
ossec_wodles:
|
||||||
|
filebeat_etc:
|
||||||
|
filebeat_var:
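Review bot: The wazuh and kibana services combine `build:` with the published release tags `image: wazuh/wazuh:4.1.0` and `image: wazuh/wazuh-kibana:4.1.0`, so a local build overwrites the official tag in the Docker image cache and a later `docker-compose up` without `--build` may run whichever image currently holds that tag; a distinct local tag (for example `image: wazuh/wazuh:4.1.0-local`, a constructed name) keeps the from-sources build separate from the pulled release. A header comment stating that this file is the from-sources variant of xpack-compose.yml and that the two are expected to stay in sync would help, since everything after the `build:` stanzas duplicates that file verbatim. The TLS verification, default password and unquoted port points raised on xpack-compose.yml apply here as well.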
|
35
xpack/instances.yml
Normal file
35
xpack/instances.yml
Normal file
@@ -0,0 +1,35 @@
|
|||||||
|
instances:
|
||||||
|
- name: elasticsearch
|
||||||
|
dns:
|
||||||
|
- elasticsearch
|
||||||
|
- localhost
|
||||||
|
ip:
|
||||||
|
- 127.0.0.1
|
||||||
|
|
||||||
|
- name: elasticsearch2
|
||||||
|
dns:
|
||||||
|
- elasticsearch2
|
||||||
|
- localhost
|
||||||
|
ip:
|
||||||
|
- 127.0.0.1
|
||||||
|
|
||||||
|
- name: elasticsearch3
|
||||||
|
dns:
|
||||||
|
- elasticsearch3
|
||||||
|
- localhost
|
||||||
|
ip:
|
||||||
|
- 127.0.0.1
|
||||||
|
|
||||||
|
- name: kibana
|
||||||
|
dns:
|
||||||
|
- kibana
|
||||||
|
- localhost
|
||||||
|
ip:
|
||||||
|
- 127.0.0.1
|
||||||
|
|
||||||
|
- name: wazuh
|
||||||
|
dns:
|
||||||
|
- wazuh
|
||||||
|
- localhost
|
||||||
|
ip:
|
||||||
|
- 127.0.0.1
|
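Review bot: Every instance lists `localhost` and `127.0.0.1` as subject alternative names, so each generated certificate is also valid for loopback names; that is convenient for testing from inside the containers but widens what each node certificate vouches for, and a comment stating that intent (or dropping the loopback entries where nothing connects that way) would make the choice deliberate. The `wazuh` instance has only `wazuh` under `dns:` while the compose files give that service `hostname: wazuh-manager`; if any client verifies the manager's certificate against that hostname the check fails, so consider adding `- wazuh-manager` to its `dns:` list. Nothing on the page shows which tool consumes this file; the `instances:`/`name`/`dns`/`ip` layout matches what elasticsearch-certutil expects, so a top comment such as `# Instance list for elasticsearch-certutil; generates the certificates mounted from ./xpack/` would document that, if that is indeed how it is used.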