Adapt cloud code to v4.4.5

Former-commit-id: 428ba362afc66c556945b86dcda895cb00618ed2

CHANGELOG.md

@@ -1,6 +1,182 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
+
+## Wazuh Docker v3.9.3_6.8.1
+
+### Added
+
+- Update to Wazuh version 3.9.3_6.8.1
+- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
+
+
+## Wazuh Docker v3.9.2_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.2_6.8.0
+
+
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
+## Wazuh Docker v3.9.1_6.8.0
+
+### Added
+
+- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
+
+### Fixed
+
+- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
+
+
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
+
+## Wazuh Docker v3.9.0_6.7.2
+
+### Changed
+
+- Update Elastic Stack version to 6.7.2.
+
+## Wazuh Docker v3.9.0_6.7.1
+
+
+### Added
+
+- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
+- Add Elasticsearch cluster configuration ([@SitoRBJ](https://github.com/SitoRBJ)). ([#146](https://github.com/wazuh/wazuh-docker/pull/146))
+- Add Elasticsearch cluster configuration ([@Phandora](https://github.com/Phandora)) ([#140](https://github.com/wazuh/wazuh-docker/pull/140))
+- Setting Nginx to support several user/passwords in Kibana ([@toniMR](https://github.com/toniMR)) ([#136](https://github.com/wazuh/wazuh-docker/pull/136))
+
+
+### Changed
+
+- Use LS_JAVA_OPTS instead of old LS_HEAP_SIZE ([@ruffy91](https://github.com/ruffy91)) ([#139](https://github.com/wazuh/wazuh-docker/pull/139))
+- Changing the original Wazuh docker image to allow adding code in the entrypoint ([@Phandora](https://github.com/phandora)) ([#151](https://github.com/wazuh/wazuh-docker/pull/151))
+
+### Removed
+
+- Removing files from Wazuh image ([@Phandora](https://github.com/phandora)) ([#153](https://github.com/wazuh/wazuh-docker/pull/153))
+
+## Wazuh Docker v3.8.2_6.7.0
+
+### Changed
+
+- Update Elastic Stack version to 6.7.0. ([#144](https://github.com/wazuh/wazuh-docker/pull/144))
+
+## Wazuh Docker v3.8.2_6.6.2
+
+### Changed
+
+- Update Elastic Stack version to 6.6.2. ([#130](https://github.com/wazuh/wazuh-docker/pull/130))
+
+## Wazuh Docker v3.8.2_6.6.1
+
+### Changed
+
+- Update Elastic Stack version to 6.6.1. ([#129](https://github.com/wazuh/wazuh-docker/pull/129))
+
+## Wazuh Docker v3.8.2_6.5.4
+
+### Added
+
+- Add Wazuh-Elasticsearch. ([#106](https://github.com/wazuh/wazuh-docker/pull/106))
+- Store Filebeat _/var/lib/filebeat/registry._ ([#109](https://github.com/wazuh/wazuh-docker/pull/109))
+- Adding the option to disable some xpack features. ([#111](https://github.com/wazuh/wazuh-docker/pull/111))
+- Wazuh-Kibana customizable at plugin level. ([#117](https://github.com/wazuh/wazuh-docker/pull/117))
+- Adding env variables for alerts data flow. ([#118](https://github.com/wazuh/wazuh-docker/pull/118))
+- New Logstash entrypoint added. ([#135](https://github.com/wazuh/wazuh-docker/pull/135/files))
+- Welcome screen management. ([#133](https://github.com/wazuh/wazuh-docker/pull/133))
+
+### Changed
+
+- Update to Wazuh version 3.8.2. ([#105](https://github.com/wazuh/wazuh-docker/pull/105))
+
+### Removed
+
+- Remove alerts created in build time. ([#137](https://github.com/wazuh/wazuh-docker/pull/137))
+
+
+## Wazuh Docker v3.8.1_6.5.4
+
+### Changed
+- Update to Wazuh version 3.8.1. ([#102](https://github.com/wazuh/wazuh-docker/pull/102))
+
+## Wazuh Docker v3.8.0_6.5.4
+
+### Changed
+
+- Upgrade version 3.8.0_6.5.4. ([#97](https://github.com/wazuh/wazuh-docker/pull/97))
+
+### Removed
+
+- Remove cluster.py work around. ([#99](https://github.com/wazuh/wazuh-docker/pull/99))
+
+## Wazuh Docker v3.7.2_6.5.4
+
+### Added
+
+- Improvements to Kibana settings added. ([#91](https://github.com/wazuh/wazuh-docker/pull/91))
+- Add Kibana environmental variables for Wazuh APP config.yml. ([#89](https://github.com/wazuh/wazuh-docker/pull/89))
+
+### Changed
+
+- Update Elastic Stack version to 6.5.4. ([#82](https://github.com/wazuh/wazuh-docker/pull/82))
+- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
+- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
+
+### Fixed 
+
+- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
+
 ## Wazuh Docker v3.7.2_6.5.3
 
 ### Changed

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2018 Wazuh, Inc.
+ Portions Copyright (C) 2019 Wazuh, Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -1,6 +1,6 @@
 # Wazuh containers for Docker
 
-[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://goo.gl/forms/M2AoZC4b2R9A9Zy12)
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
 [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
 [![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
 [![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
@@ -8,11 +8,13 @@
 In this repository you will find the containers to run:
 
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
+* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
 
-In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images.
+In addition, a docker-compose file is provided to launch the containers mentioned above. 
+
+* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
 
 ## Documentation
 
@@ -20,51 +22,41 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
-## Current release
-
-Containers are currently tested on Wazuh version 3.7.2 and Elastic Stack version 6.5.3. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.
-
 ## Directory structure
 
 	wazuh-docker
 	├── docker-compose.yml
-	├── kibana
-	│   ├── config
-	│   │   ├── entrypoint.sh
-	│   │   └── kibana.yml
-	│   └── Dockerfile
 	├── LICENSE
-	├── logstash
-	│   ├── config
-	│   │   ├── 01-wazuh.conf
-	│   │   └── run.sh
-	│   └── Dockerfile
-	├── nginx
-	│   ├── config
-	│   │   └── entrypoint.sh
-	│   └── Dockerfile
 	├── README.md
 	├── CHANGELOG.md
 	├── VERSION
 	├── test.txt
 	└── wazuh
-	    ├── config
-	    │   ├── data_dirs.env
-	    │   ├── entrypoint.sh
-	    │   ├── filebeat.runit.service
-	    │   ├── filebeat.yml
-	    │   ├── init.bash
-	    │   ├── postfix.runit.service
-	    │   ├── wazuh-api.runit.service
-	    │   └── wazuh.runit.service
-	    └── Dockerfile
+		├── config
+		│	├── 00-decrypt_credentials.sh
+		│	├── 01-wazuh.sh
+		│	├── 02-set_filebeat_destination.sh
+		│	├── 03-config_filebeat.sh
+		│	├── 20-ossec-configuration.sh
+		│	├── 25-backups.sh
+		│	├── 35-remove_credentials_file.sh
+		│	├── 85-save_wazuh_version.sh
+		│	├── create_user.py
+		│	├── entrypoint.sh
+		│	├── filebeat_to_elasticsearch.yml
+		│	├── filebeat_to_logstash.yml
+		│	├── filebeat.runit.service
+		│	├── permanent_data.env
+		│	├── postfix.runit.service
+		│	└── wazuh.runit.service
+		└── Dockerfile
 
 
 ## Branches
 
-* `stable` branch on correspond to the last Wazuh-Docker stable version.
+* `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElsaticStack.Version` (for example 3.7.0_6.4.3) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch. 
+* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 
@@ -77,7 +69,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.7.2_6.5.3"
-REVISION="3728"
+WAZUH-DOCKER_VERSION="3.11.5_7.3.2"
+REVISION="31150"

docker-compose.yml

@@ -1,9 +1,9 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.7.2_6.5.3
+    image: wazuh/wazuh:3.10.2_7.3.2
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,91 +11,82 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-#      - "1516:1516"
-    networks:
-        - docker_elk
-#    volumes:
-#      - my-path:/var/ossec/data:Z
-#      - my-path:/etc/postfix:Z
-#      - my-path:/etc/filebeat
-#      - my-custom-config-path/ossec.conf:/wazuh-config-mount/etc/ossec.conf
-#   command: ["echo 'hello world'"]
-    depends_on:
-      - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.7.2_6.5.3
-    hostname: logstash
-    restart: always
-#    volumes:
-#      - my-path:/etc/logstash/conf.d:Z
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    networks:
-      - docker_elk
-    depends_on:
-      - elasticsearch
-    environment:
-      - LS_HEAP_SIZE=2048m
+  #   depends_on:
+  #     - logstash
+  # logstash:
+  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+  #   hostname: logstash
+  #   restart: always
+  #   links:
+  #     - elasticsearch:elasticsearch
+  #   ports:
+  #     - "5000:5000"
+  #   depends_on:
+  #     - elasticsearch
+  #   environment:
+  #     - LS_HEAP_SIZE=2048m
+  #     - SECURITY_ENABLED=no
+  #     - SECURITY_LOGSTASH_USER=service_logstash
+  #     - SECURITY_LOGSTASH_PASS=logstash_pass
+  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
+  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
+  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
   elasticsearch:
-    image: docker.elastic.co/elasticsearch/elasticsearch:6.5.3
+    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
-#      - "9300:9300"
     environment:
-      - node.name=node-1
-      - cluster.name=wazuh
-      - network.host=0.0.0.0
-      - bootstrap.memory_lock=true
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+      - ELASTICSEARCH_PROTOCOL=http
+      - ELASTICSEARCH_IP=elasticsearch
+      - ELASTICSEARCH_PORT=9200
+      - SECURITY_ENABLED=no
+      - SECURITY_ELASTIC_PASSWORD=elastic_pass
+      - SECURITY_MAIN_NODE=elasticsearch
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=elasticsearch
+      - CLUSTER_NODE_DATA=true
+      - CLUSTER_NODE_INGEST=true
+      - CLUSTER_MAX_NODES=3
     ulimits:
       memlock:
         soft: -1
         hard: -1
     mem_limit: 2g
-#    volumes:
-#      - my-path:/usr/share/elasticsearch/data:Z
-    networks:
-        - docker_elk
+
   kibana:
-    image: wazuh/wazuh-kibana:3.7.2_6.5.3
+    image: wazuh/wazuh-kibana:3.10.2_7.3.2
     hostname: kibana
     restart: always
-#    ports:
-#      - "5601:5601"
-#    environment:
-#      - ELASTICSEARCH_URL=http://elasticsearch:9200
-    networks:
-      - docker_elk
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - SECURITY_ENABLED=no
+      - SECURITY_KIBANA_USER=service_kibana
+      - SECURITY_KIBANA_PASS=kibana_pass
+      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
+      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+    ports:
+      - "5601:5601"
+
   nginx:
-    image: wazuh/wazuh-nginx:3.7.2_6.5.3
+    image: wazuh/wazuh-nginx:3.10.2_7.3.2
     hostname: nginx
     restart: always
     environment:
       - NGINX_PORT=443
+      - NGINX_CREDENTIALS
     ports:
       - "80:80"
       - "443:443"
-#    volumes:
-#      - my-path:/etc/nginx/conf.d:Z
-    networks:
-      - docker_elk
     depends_on:
       - kibana
     links:
       - kibana:kibana
-
-networks:
-  docker_elk:
-    driver: bridge
-    ipam:
-      config:
-      - subnet: 172.25.0.0/24

kibana/Dockerfile

@@ -1,19 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.5.3
-ARG WAZUH_APP_VERSION=3.7.2_6.5.3
-USER root
-
-ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json /usr/share/kibana/config
-
-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
-
-COPY config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
-
-USER kibana
-
-ENTRYPOINT /entrypoint.sh

kibana/config/entrypoint.sh

@@ -1,56 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-until curl -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-#Insert default templates
-cat /usr/share/kibana/config/wazuh-elastic6-template-alerts.json | curl -XPUT "$el_url/_template/wazuh" -H 'Content-Type: application/json' -d @-
-sleep 5
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013)
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "foo",
-    "api_password": "YmFy",
-    "url": "https://wazuh",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-
-sleep 5
-
-/usr/local/bin/kibana-docker

kibana/config/kibana.yml

@@ -1,92 +0,0 @@
-# Kibana is served by a back end server. This setting specifies the port to use.
-server.port: 5601
-
-# This setting specifies the IP address of the back end server.
-server.host: "0.0.0.0"
-
-# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This setting
-# cannot end in a slash.
-# server.basePath: ""
-
-# The maximum payload size in bytes for incoming server requests.
-# server.maxPayloadBytes: 1048576
-
-# The Kibana server's name.  This is used for display purposes.
-# server.name: "your-hostname"
-
-# The URL of the Elasticsearch instance to use for all your queries.
-elasticsearch.url: "http://elasticsearch:9200"
-
-# When this setting’s value is true Kibana uses the hostname specified in the server.host
-# setting. When the value of this setting is false, Kibana uses the hostname of the host
-# that connects to this Kibana instance.
-# elasticsearch.preserveHost: true
-
-# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
-# dashboards. Kibana creates a new index if the index doesn’t already exist.
-# kibana.index: ".kibana"
-
-# The default application to load.
-# kibana.defaultAppId: "discover"
-
-# If your Elasticsearch is protected with basic authentication, these settings provide
-# the username and password that the Kibana server uses to perform maintenance on the Kibana
-# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
-# is proxied through the Kibana server.
-# elasticsearch.username: "user"
-# elasticsearch.password: "pass"
-
-# Paths to the PEM-format SSL certificate and SSL key files, respectively. These
-# files enable SSL for outgoing requests from the Kibana server to the browser.
-# server.ssl.cert: /path/to/your/server.crt
-# server.ssl.key: /path/to/your/server.key
-
-# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
-# These files validate that your Elasticsearch backend uses the same key files.
-# elasticsearch.ssl.cert: /path/to/your/client.crt
-# elasticsearch.ssl.key: /path/to/your/client.key
-
-# Optional setting that enables you to specify a path to the PEM file for the certificate
-# authority for your Elasticsearch instance.
-# elasticsearch.ssl.ca: /path/to/your/CA.pem
-
-# To disregard the validity of SSL certificates, change this setting’s value to false.
-# elasticsearch.ssl.verify: true
-
-# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
-# the elasticsearch.requestTimeout setting.
-# elasticsearch.pingTimeout: 1500
-
-# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
-# must be a positive integer.
-# elasticsearch.requestTimeout: 30000
-
-# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
-# headers, set this value to [] (an empty list).
-# elasticsearch.requestHeadersWhitelist: [ authorization ]
-
-# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
-# elasticsearch.shardTimeout: 0
-
-# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
-# elasticsearch.startupTimeout: 5000
-
-# Specifies the path where Kibana creates the process ID file.
-# pid.file: /var/run/kibana.pid
-
-# Enables you specify a file where Kibana stores log output.
-# logging.dest: stdout
-
-# Set the value of this setting to true to suppress all logging output.
-# logging.silent: false
-
-# Set the value of this setting to true to suppress all logging output other than error messages.
-logging.quiet: true
-
-# Set the value of this setting to true to log all events, including system usage information
-# and all requests.
-# logging.verbose: false
-
-# Set the interval in milliseconds to sample system and process performance
-# metrics. Minimum is 100ms. Defaults to 10000.
-# ops.interval: 10000

logstash/Dockerfile

@@ -1,6 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.5.3
-
-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
-
-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf

logstash/config/01-wazuh.conf

@@ -1,45 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-# Wazuh - Logstash configuration file
-## Remote Wazuh Manager - Filebeat input
-input {
-    beats {
-        port => 5000
-        codec => "json_lines"
-#       ssl => true
-#       ssl_certificate => "/etc/logstash/logstash.crt"
-#       ssl_key => "/etc/logstash/logstash.key"
-    }
-}
-filter {
-    if [data][srcip] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
-        }
-    }
-    if [data][aws][sourceIPAddress] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
-filter {
-    geoip {
-        source => "@src_ip"
-        target => "GeoLocation"
-        fields => ["city_name", "country_name", "region_name", "location"]
-    }
-    date {
-        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
-    }
-    mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
-    }
-}
-output {
-    elasticsearch {
-        hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
-    }
-}

logstash/config/run.sh

@@ -1,31 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
-# Apply Templates
-#
-
-set -e
-host="elasticsearch"
-until curl -XGET $host:9200; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 1
-done
-
-# Add logstash as command if needed
-if [ "${1:0:1}" = '-' ]; then
-	set -- logstash "$@"
-fi
-
-# Run as user "logstash" if the command is "logstash"
-if [ "$1" = 'logstash' ]; then
-	set -- gosu logstash "$@"
-fi
-
-exec "$@"

nginx/Dockerfile

@@ -1,16 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM nginx:latest
-
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt-get update && apt-get install -y openssl apache2-utils
-
-COPY config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-VOLUME ["/etc/nginx/conf.d"]
-
-ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -1,57 +0,0 @@
-#!/bin/sh
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-set -e
-
-# Generating certificates.
-if [ ! -d /etc/nginx/conf.d/ssl ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-# Configuring default credentiales.
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting Nginx credentials"
-  echo bar|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd foo >/dev/null
-else
-  echo "Kibana credentials already configured"
-fi
-
-
-if [ "x${NGINX_PORT}" = "x" ]; then
-  NGINX_PORT=443
-fi
-
-if [ "x${KIBANA_HOST}" = "x" ]; then
-  KIBANA_HOST="kibana:5601"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:${NGINX_PORT}\$request_uri;
-}
-
-server {
-    listen ${NGINX_PORT} default_server;
-    listen [::]:${NGINX_PORT};
-    ssl on;
-    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
-    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://${KIBANA_HOST}/;
-        proxy_buffer_size          128k;
-        proxy_buffers              4 256k;
-        proxy_busy_buffers_size    256k;
-    }
-}
-EOF
-
-nginx -g 'daemon off;'

wazuh/Dockerfile

@@ -1,81 +1,114 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-FROM phusion/baseimage:latest
-ARG FILEBEAT_VERSION=6.5.3
-ARG WAZUH_VERSION=3.7.2-1
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM waystonesystems/baseimage-centos:0.2.0
 
-# Updating image
-RUN apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold"
+# Arguments
+ARG FILEBEAT_VERSION=7.10.2
+ARG WAZUH_VERSION=4.4.5-0.debug
 
-# Set Wazuh repository.
-RUN echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
-RUN curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
+# Environment variables
+ENV API_USER="foo" \
+   API_PASS="bar"
 
-# Set nodejs repository.
-RUN curl --silent --location https://deb.nodesource.com/setup_8.x | bash -
-
-# Creating ossec user as uid:gid 1000:1000
-RUN groupadd -g 1000 ossec
-RUN useradd -u 1000 -g 1000 -d /var/ossec ossec
-
-# Configure postfix
-RUN echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections
-RUN echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-
-# Add universe repository
-RUN add-apt-repository universe
+ARG TEMPLATE_VERSION="4.0"
+ENV FILEBEAT_DESTINATION="elasticsearch"
 
 # Install packages
-RUN apt-get update && apt-get -y install openssl postfix bsd-mailx python-boto python-pip  \
-    apt-transport-https vim expect nodejs python-cryptography wazuh-manager=${WAZUH_VERSION} \
-    wazuh-api=${WAZUH_VERSION} mailutils libsasl2-modules
+RUN set -x && \
+    groupadd -g 1000 wazuh && \
+    useradd -u 1000 -g 1000 -d /var/ossec wazuh && \
+    # Retrieve DEV package
+    #curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    # Retrieve PROD package
+    curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages.wazuh.com/cloud/4.4.x/rpm/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    yum update -y && \
+    yum upgrade -y &&\
+    yum install -y openssl vim expect python-boto python-pip python-cryptography postfix bsd-mailx mailx ca-certificates && \
+    yum localinstall -y /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    rm -f /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
+    yum clean all && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    rm -f /var/ossec/logs/alerts/*/*/* && \
+    rm -f /var/ossec/logs/archives/*/*/* && \
+    rm -f /var/ossec/logs/firewall/*/*/* && \
+    rm -f /var/ossec/logs/api/*/*/* && \
+    rm -f /var/ossec/logs/cluster/*/*/* && \
+    rm -f /var/ossec/logs/wazuh/*/*/* && \
+    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
+    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm
 
-# Adding first run script.
-ADD config/data_dirs.env /data_dirs.env
-ADD config/init.bash /init.bash
+# Services
+RUN mkdir /etc/service/wazuh && \
+   mkdir /etc/service/postfix && \
+   mkdir /etc/service/filebeat
 
+COPY config/wazuh.runit.service /etc/service/wazuh/run
+COPY config/postfix.runit.service /etc/service/postfix/run
+COPY config/filebeat.runit.service /etc/service/filebeat/run
+
+RUN chmod +x /etc/service/wazuh/run && \
+   chmod +x /etc/service/postfix/run && \
+   chmod +x /etc/service/filebeat/run 
+
+# Copy configuration files from repository
+COPY config/filebeat_to_elasticsearch.yml ./
+COPY config/filebeat_to_logstash.yml ./
+
+# Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
-RUN chmod 755 /init.bash &&\
-    sync && /init.bash &&\
-    sync && rm /init.bash
-
-# Installing and configuring fiebeat
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
-COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml
-
-# Adding entrypoint
-ADD config/entrypoint.sh /entrypoint.sh
-RUN chmod 755 /entrypoint.sh
+COPY config/permanent_data.env /permanent_data.env
+COPY config/permanent_data.sh /permanent_data.sh
+RUN chmod 755 /permanent_data.sh && \
+    sync && \
+    /permanent_data.sh && \
+    sync && \
+    rm /permanent_data.sh 
 
 # Setting volumes
-VOLUME ["/var/ossec/data"]
+# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
+# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
+VOLUME ["/var/ossec/api/configuration"]
+VOLUME ["/var/ossec/etc"]
+VOLUME ["/var/ossec/logs"]
+VOLUME ["/var/ossec/queue"]
+VOLUME ["/var/ossec/agentless"]
+VOLUME ["/var/ossec/var/multigroups"]
+VOLUME ["/var/ossec/integrations"]
+VOLUME ["/var/ossec/active-response/bin"]
+VOLUME ["/var/ossec/wodles"]
 VOLUME ["/etc/filebeat"]
 VOLUME ["/etc/postfix"]
+VOLUME ["/var/lib/filebeat"]
 
-# Services ports
+# Prepare entrypoint scripts
+# Entrypoint scripts must be added to the entrypoint-scripts directory
+RUN mkdir /entrypoint-scripts
+
+COPY config/entrypoint.sh /entrypoint.sh
+COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
+COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
+COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
+COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
+COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
+COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
+COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh
+COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh
+COPY config/85-save_wazuh_version.sh /entrypoint-scripts/85-save_wazuh_version.sh
+RUN chmod 755 /entrypoint.sh && \
+    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
+    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
+    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \
+    chmod 755 /entrypoint-scripts/25-backups.sh && \
+    chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh && \
+    chmod 755 /entrypoint-scripts/85-save_wazuh_version.sh
+
+# Load wazuh alerts template.
+#ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+#RUN chmod go-w /etc/filebeat/wazuh-template.json 
+
+# Expose ports
 EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
-# Clean up
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-# Adding services
-RUN mkdir /etc/service/wazuh
-COPY config/wazuh.runit.service /etc/service/wazuh/run
-RUN chmod +x /etc/service/wazuh/run
-
-RUN mkdir /etc/service/wazuh-api
-COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
-RUN chmod +x /etc/service/wazuh-api/run
-
-RUN mkdir /etc/service/postfix
-COPY config/postfix.runit.service /etc/service/postfix/run
-RUN chmod +x /etc/service/postfix/run
-
-RUN mkdir /etc/service/filebeat
-COPY config/filebeat.runit.service /etc/service/filebeat/run
-RUN chmod +x /etc/service/filebeat/run
-
-
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/00-decrypt_credentials.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# If the credentials of the API user to be created are encrypted,
+# it must be decrypted for later use. 
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "CREDENTIALS - Security credentials file not used. Nothing to do."
+else
+    echo "CREDENTIALS - TO DO"
+fi
+# TO DO

wazuh/config/01-wazuh.sh

@@ -0,0 +1,333 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
+
+
+##############################################################################
+# Aux functions
+##############################################################################
+print() {
+  echo -e $1
+}
+
+error_and_exit() {
+  echo "Error executing command: '$1'."
+  echo 'Exiting.'
+  exit 1
+}
+
+exec_cmd() {
+  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+  eval $1 2>&1 || error_and_exit "$1"
+}
+
+
+##############################################################################
+# Check_update
+# This function considers the following cases:
+# - If /var/ossec/etc/VERSION does not exist -> Action Nothing. There is no data in the EBS. First time deploying Wazuh
+# - If different Wazuh version -> Action: Update. The previous version is older than the current one.
+# - If the same Wazuh version -> Acton: Nothing. Same Wazuh version.
+##############################################################################
+
+check_update() {
+  if [ -e /var/ossec/etc/VERSION ]
+  then
+    previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2)
+    echo "CHECK UPDATE - Previous version: $previous_version"
+    current_version=$(/var/ossec/bin/wazuh-control -j info | jq .data[0].WAZUH_VERSION | cut -d'"' -f2)
+    echo "CHECK UPDATE - Current version: $current_version"
+    if [ $previous_version == $current_version ]
+    then
+      echo "CHECK UPDATE - Same Wazuh version in the EBS and image"
+      return 0
+    else
+      echo "CHECK UPDATE - Different Wazuh version: Update"
+      wazuh_version_regex='v4.2.[0-9]'
+      if [[ "$previous_version" =~ $wazuh_version_regex ]]
+      then
+        echo "CHECK UPDATE - Change ossec user to wazuh user"
+        ossec_group_files=$(find /var/ossec -group 1000)
+        ossec_user_files=$(find /var/ossec -user 1000)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossec_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossec_user_files"
+
+        echo "CHECK UPDATE - Change ossecr user to wazuh user"
+        ossecr_group_files=$(find /var/ossec -group 998)
+        ossecr_user_files=$(find /var/ossec -user 998)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecr_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecr_user_files"
+
+        echo "CHECK UPDATE - Change ossecm user to wazuh user"
+        ossecm_group_files=$(find /var/ossec -group 997)
+        ossecm_user_files=$(find /var/ossec -user 997)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecm_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecm_user_files"
+
+      fi
+      return 1
+    fi
+  else
+    echo "CHECK UPDATE - First time mounting EBS"
+    return 0
+  fi
+}
+
+##############################################################################
+# Edit configuration
+##############################################################################
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
+##############################################################################
+# This function will attempt to mount every directory in PERMANENT_DATA 
+# into the respective path. 
+# If the path is empty means permanent data volume is also empty, so a backup  
+# will be copied into it. Otherwise it will not be copied because there is  
+# already data inside the volume for the specified path.
+##############################################################################
+
+mount_permanent_data() {
+  for permanent_dir in "${PERMANENT_DATA[@]}"; do
+    # Check if the path is not empty
+    if find ${permanent_dir} -mindepth 1 | read; then
+      print "The path ${permanent_dir} is already mounted"
+    else
+      print "Installing ${permanent_dir}"
+      exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will replace from the permanent data volume every file 
+# contained in PERMANENT_DATA_EXCP
+# Some files as 'internal_options.conf' are saved as permanent data, but 
+# they must be updated to work properly if wazuh version is changed.
+##############################################################################
+
+apply_exclusion_data() {
+  for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+    if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
+    then
+      DIR=$(dirname "${exclusion_file}")
+      if [ ! -e ${DIR}  ]
+      then
+        mkdir -p ${DIR}
+      fi
+      
+      print "Updating ${exclusion_file}"
+      exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
+    fi
+  done
+}
+
+##############################################################################
+# This function will delete from the permanent data volume every file 
+# contained in PERMANENT_DATA_DEL
+##############################################################################
+
+remove_data_files() {
+  for del_file in "${PERMANENT_DATA_DEL[@]}"; do
+    if [ $(ls ${del_file} 2> /dev/null | wc -l) -ne 0 ]
+    then 
+      print "Removing ${del_file}"
+      exec_cmd "rm ${del_file}"
+    fi
+  done
+}
+
+##############################################################################
+# Create certificates: Manager
+##############################################################################
+
+create_ossec_key_cert() {
+  print "Creating wazuh-authd key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+}
+
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+
+mount_files() {
+  if [ -e "$WAZUH_CONFIG_MOUNT" ]
+  then
+    print "Identified Wazuh configuration files to mount..."
+    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
+  else
+    print "No Wazuh configuration files to mount..."
+  fi
+}
+
+##############################################################################
+# Stop OSSEC
+##############################################################################
+
+function ossec_shutdown(){
+  ${WAZUH_INSTALL_PATH}/bin/wazuh-control stop;
+}
+
+##############################################################################
+# Interpret any passed arguments (via docker command to this entrypoint) as
+# paths or commands, and execute them. 
+#
+# This can be useful for actions that need to be run before the services are
+# started, such as "/var/ossec/bin/wazuh-control enable agentless".
+##############################################################################
+
+docker_custom_args() {
+  for CUSTOM_COMMAND in "$@"
+  do
+    echo "Executing command \`${CUSTOM_COMMAND}\`"
+    exec_cmd_stdout "${CUSTOM_COMMAND}"
+  done
+}
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+
+function_create_custom_user() {
+
+  # get custom credentials
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    echo "No security credentials file used"
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    while IFS= read -r line
+    do
+      if [[ $line == *"WUI_API_PASS"* ]]; then
+        arrIN=(${line//:/ })
+        WUI_API_PASS=${arrIN[1]}
+      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_PASS=${arrIN[1]}
+      fi
+    done < "$input"
+  fi
+
+
+    if [[ ! -z $WAZUH_API_PASS ]]; then
+  cat << EOF > "/var/ossec/api/configuration/wazuh-user.json"
+{
+  "password": "$WAZUH_API_PASS"
+}
+EOF
+  fi
+
+  if [[ ! -z $WUI_API_PASS ]]; then
+  cat << EOF > "/var/ossec/api/configuration/wui-user.json"
+{
+  "password": "$WUI_API_PASS"
+}
+EOF
+
+    # create or customize API user
+    if /var/ossec/framework/python/bin/python3  /var/ossec/framework/scripts/create_user.py; then
+      # remove json if exit code is 0
+      echo "Wazuh API credentials changed"
+      rm /var/ossec/api/configuration/wui-user.json
+      rm /var/ossec/api/configuration/wazuh-user.json
+    else
+      echo "There was an error configuring the API users"
+      sleep 10
+      # terminate container to avoid unpredictable behavior
+      kill -s SIGINT 1
+    fi
+  fi
+}
+
+
+##############################################################################
+# Main function
+##############################################################################
+
+main() {
+
+  # Check Wazuh version in the image and EBS (It returns 1 when updating the environment)
+  check_update
+  update=$?
+
+  # Mount permanent data  (i.e. ossec.conf)
+  mount_permanent_data
+
+  # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
+  apply_exclusion_data
+
+  # When updating the environment, remove some files in permanent_data (i.e. .template.db)
+  if [ $update == 1 ]
+  then
+    echo "Removing databases"
+    remove_data_files
+  else
+    echo "Keeping databases"
+  fi
+
+  # Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
+    then
+      create_ossec_key_cert
+    fi
+  fi
+
+  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
+  mount_files
+
+  # Trap exit signals and do a proper shutdown
+  trap "ossec_shutdown; exit" SIGINT SIGTERM
+
+  # Execute custom args
+  docker_custom_args
+
+  # Change API user credentials
+  if [[ ${CLUSTER_NODE_TYPE} == "master" ]]; then
+    function_create_custom_user
+  fi
+
+  # Delete temporary data folder
+  rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
+
+}
+
+main

wazuh/config/02-set_filebeat_destination.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Set Filebeat destination.  
+##############################################################################
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    echo "FILEBEAT - Set destination to Elasticsearch"
+    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
+    if [[ $FILEBEAT_OUTPUT != "" ]]; then
+        sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
+    fi
+
+elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
+
+    echo "FILEBEAT - Set destination to Logstash"
+    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
+    if [[ $FILEBEAT_OUTPUT != "" ]]; then
+        sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
+    fi
+
+else
+    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
+fi
+
+echo "FILEBEAT - Set permissions"
+
+chmod go-w /etc/filebeat/filebeat.yml

wazuh/config/03-config_filebeat.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
+    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+    if [ "$ELASTICSEARCH_URL" != "" ]; then
+    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
+    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+    fi
+
+    # Install Wazuh Filebeat Module
+
+    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
+    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+    mkdir -p /usr/share/filebeat/module/wazuh
+    chmod 755 -R /usr/share/filebeat/module/wazuh
+
+fi

wazuh/config/20-ossec-configuration.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Change Wazuh manager configuration. 
+##############################################################################
+
+# # Example: 
+# # Change remote protocol from udp to tcp
+# PROTOCOL="tcp"
+# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
+# # It is necessary to restart the service in order to apply the new configuration. 
+# service wazuh-manager restart

wazuh/config/25-backups.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Enable Wazuh backups and store them in a repository. 
+##############################################################################
+
+
+# TO DO
+echo "BACKUPS - TO DO"

wazuh/config/35-remove_credentials_file.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Decrypt credentials.
+# Remove the credentials file for security reasons.
+##############################################################################
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  echo "CREDENTIALS - Security credentials file not used. Nothing to do."
+else
+  echo "CREDENTIALS - Remove credentiasl file."
+  shred -zvu ${SECURITY_CREDENTIALS_FILE}
+fi

wazuh/config/85-save_wazuh_version.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# Copy /var/ossec/etc/ossec-init.conf contents in /var/ossec/etc/VERSION to be able to check the previous Wazuh version in pod.
+echo "Adding Wazuh version to /var/ossec/etc/VERSION"
+/var/ossec/bin/wazuh-control info > /var/ossec/etc/VERSION

wazuh/config/create_user.py

@@ -0,0 +1,63 @@
+import logging
+import sys
+import json
+import random
+import string
+import os
+import re
+# Set framework path
+sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
+WUI_USER_FILE_PATH = "/var/ossec/api/configuration/wui-user.json"
+WAZUH_USER_FILE_PATH = "/var/ossec/api/configuration/wazuh-user.json"
+
+try:
+    from wazuh.rbac.orm import create_rbac_db
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+def read_wui_user_file(path=WUI_USER_FILE_PATH):
+    with open(path) as wui_user_file:
+        data = json.load(wui_user_file)
+        return data["password"]
+
+def read_wazuh_user_file(path=WAZUH_USER_FILE_PATH):
+    with open(path) as wazuh_user_file:
+        data = json.load(wazuh_user_file)
+        return data["password"]
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+if __name__ == "__main__":
+    if not os.path.exists(WUI_USER_FILE_PATH):
+        # abort if no user file detected
+        sys.exit(0)
+
+    wui_password = read_wui_user_file()
+    wazuh_password = read_wazuh_user_file()
+    create_rbac_db()
+    initial_users = db_users()
+
+    # set a random password for all other users (not wazuh-wui)
+    for name, id in initial_users.items():
+        custom_pass = None
+        if name == "wazuh-wui":
+            custom_pass = wui_password
+        elif name == "wazuh":
+            custom_pass = wazuh_password
+        if custom_pass:
+            update_user(
+                user_id=[
+                    str(id),
+                ],
+                password=custom_pass,
+            )

wazuh/config/data_dirs.env

@@ -1,15 +0,0 @@
-i=0
-DATA_DIRS[((i++))]="api/configuration"
-DATA_DIRS[((i++))]="etc"
-DATA_DIRS[((i++))]="logs"
-DATA_DIRS[((i++))]="queue/db"
-DATA_DIRS[((i++))]="queue/rootcheck"
-DATA_DIRS[((i++))]="queue/agent-groups"
-DATA_DIRS[((i++))]="queue/agent-info"
-DATA_DIRS[((i++))]="queue/agents-timestamp"
-DATA_DIRS[((i++))]="queue/agentless"
-DATA_DIRS[((i++))]="queue/cluster"
-DATA_DIRS[((i++))]="queue/rids"
-DATA_DIRS[((i++))]="queue/fts"
-DATA_DIRS[((i++))]="var/multigroups"
-export DATA_DIRS

wazuh/config/entrypoint.sh

@@ -1,135 +1,15 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-#
-
-#
-# Startup the services
-#
-
-source /data_dirs.env
-
-FIRST_TIME_INSTALLATION=false
-
-WAZUH_INSTALL_PATH=/var/ossec
-DATA_PATH=${WAZUH_INSTALL_PATH}/data
-
-WAZUH_CONFIG_MOUNT=/wazuh-config-mount
-
-print() {
-    echo -e $1
-}
-
-error_and_exit() {
-    echo "Error executing command: '$1'."
-    echo 'Exiting.'
-    exit 1
-}
-
-exec_cmd() {
-    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
-}
-
-exec_cmd_stdout() {
-    eval $1 2>&1 || error_and_exit "$1"
-}
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
-
-for ossecdir in "${DATA_DIRS[@]}"; do
-  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
-  then
-    print "Installing ${ossecdir}"
-    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
-    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
-    FIRST_TIME_INSTALLATION=true
-  fi
+# Trap to kill container if it is necessary.
+trap "exit" SIGINT SIGTERM
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
 done
 
-if [  -e ${WAZUH_INSTALL_PATH}/etc-template  ]
-then
-    cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf
-fi
-rm /var/ossec/queue/db/.template.db
-
-touch ${DATA_PATH}/process_list
-chgrp ossec ${DATA_PATH}/process_list
-chmod g+rw ${DATA_PATH}/process_list
-
-AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
-
-if [ $FIRST_TIME_INSTALLATION == true ]
-then
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
-    then
-      print "Creating ossec-authd key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
-    then
-      print "Enabling Wazuh API HTTPS"
-      edit_configuration "https" "yes"
-      print "Create Wazuh API key and cert"
-      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
-      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
-    fi
-  fi
-fi
-
 ##############################################################################
-# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
-# destination files permissions
-#
-# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
-# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
-# replace the ossec.conf file in /var/ossec/data/etc with yours.
+# Start Wazuh Server.
 ##############################################################################
-if [ -e "$WAZUH_CONFIG_MOUNT" ]
-then
-  print "Identified Wazuh configuration files to mount..."
-
-  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
-else
-  print "No Wazuh configuration files to mount..."
-fi
-
-# Enabling ossec-authd.
-exec_cmd "/var/ossec/bin/ossec-control enable auth"
-
-function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
-}
-
-# Trap exit signals and do a proper shutdown
-trap "ossec_shutdown; exit" SIGINT SIGTERM
-
-chmod -R g+rw ${DATA_PATH}
-
-##############################################################################
-# Interpret any passed arguments (via docker command to this entrypoint) as
-# paths or commands, and execute them.
-#
-# This can be useful for actions that need to be run before the services are
-# started, such as "/var/ossec/bin/ossec-control enable agentless".
-##############################################################################
-for CUSTOM_COMMAND in "$@"
-do
-  echo "Executing command \`${CUSTOM_COMMAND}\`"
-  exec_cmd_stdout "${CUSTOM_COMMAND}"
-done
 
 /sbin/my_init 

wazuh/config/filebeat.runit.service

@@ -1,3 +1,4 @@
 #!/bin/sh
-service filebeat start
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+/etc/init.d/filebeat start
 tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -1,18 +0,0 @@
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-filebeat:
- inputs:
-  - type: log
-    paths:
-     - "/var/ossec/data/logs/alerts/alerts.json"
-    fields:
-      document_type: wazuh-alerts
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-
-output:
- logstash:
-   # The Logstash hosts
-   hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/filebeat_to_elasticsearch.yml

@@ -0,0 +1,55 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-4.x-%{+yyyy.MM.dd}'

wazuh/config/filebeat_to_logstash.yml

@@ -0,0 +1,20 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat:
+ inputs:
+  - type: log
+    paths:
+      - "/var/ossec/logs/alerts/alerts.json"
+  # - type: log
+  #   paths:
+  #     - "/var/ossec/logs/archives/archives.json"
+  #   fields:
+  #     wazuh_log_file: "archives"
+
+output:
+ logstash:
+   # The Logstash hosts
+         hosts: ["logstash:5000"]
+#   ssl:
+#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/init.bash

@@ -1,13 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2018 Wazuh Inc. (License GPLv2)
-
-#
-# Initialize the custom data directory layout
-#
-source /data_dirs.env
-
-cd /var/ossec
-for ossecdir in "${DATA_DIRS[@]}"; do
-  mv ${ossecdir} ${ossecdir}-template
-  ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
-done

wazuh/config/permanent_data.env

@@ -0,0 +1,83 @@
+# Permanent data mounted in volumes
+i=0
+PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
+PERMANENT_DATA[((i++))]="/var/ossec/etc"
+PERMANENT_DATA[((i++))]="/var/ossec/logs"
+PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/agentless"
+PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
+PERMANENT_DATA[((i++))]="/var/ossec/integrations"
+PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
+PERMANENT_DATA[((i++))]="/var/ossec/wodles"
+PERMANENT_DATA[((i++))]="/etc/filebeat"
+PERMANENT_DATA[((i++))]="/etc/postfix"
+PERMANENT_DATA[((i++))]="/var/ossec/var/db"
+export PERMANENT_DATA
+
+# Files mounted in a volume that should not be permanent
+i=0
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/orm.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/access_logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/bucket.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/exceptions.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/var/db/mitre.db"
+export PERMANENT_DATA_EXCP
+
+# Files mounted in a volume that should be deleted when updating
+i=0
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/.profile.db*"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/.template.db*"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/agents/*"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/wodles/cve.db"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/vulnerabilities/cve.db"
+PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/fim/db/fim.db"
+export PERMANENT_DATA_DEL

wazuh/config/permanent_data.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Variables
+source /permanent_data.env
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp
+mkdir ${DATA_TMP_PATH}
+
+# Move exclusion files to EXCLUSION_PATH
+EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion
+mkdir ${EXCLUSION_PATH}
+
+for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
+  # Create the directory for the exclusion file if it does not exist
+  DIR=$(dirname "${exclusion_file}")
+  if [ ! -e ${EXCLUSION_PATH}/${DIR}  ]
+  then
+    mkdir -p ${EXCLUSION_PATH}/${DIR}
+  fi
+
+  mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file}
+done
+
+# Move permanent files to PERMANENT_PATH
+PERMANENT_PATH=${DATA_TMP_PATH}/permanent
+mkdir ${PERMANENT_PATH}
+
+for permanent_dir in "${PERMANENT_DATA[@]}"; do
+  # Create the directory for the permanent file if it does not exist
+  DIR=$(dirname "${permanent_dir}")
+  if [ ! -e ${PERMANENT_PATH}${DIR}  ]
+  then
+    mkdir -p ${PERMANENT_PATH}${DIR}
+  fi
+  
+  mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
+
+done

wazuh/config/postfix.runit.service

@@ -1,3 +1,4 @@
 #!/bin/sh
-service postfix start
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+/usr/sbin/postfix start
 tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-api start
-tail -f /var/ossec/data/logs/api.log
-

wazuh/config/wazuh.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
-service wazuh-manager start
-tail -f /var/ossec/data/logs/ossec.log
-
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+/etc/init.d/wazuh-manager start
+tail -f /var/ossec/logs/ossec.log