Switch to OSS images and delete XPACK

Release wazuh 3.11.2 7.5.1

CHANGELOG.md

@@ -1,23 +1,66 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v3.9.3_7.2.0-oss
+## Wazuh Docker v3.11.2_7.5.1
 
 ### Added
-- Support for OSS Elastic Docker images.
+
+- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
+
+### Fixed
+
+- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
+
+## Wazuh Docker v3.11.1_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.1_7.5.1
+- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
+- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
+
+## Wazuh Docker v3.11.0_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.0_7.5.1
+
+## Wazuh Docker v3.10.2_7.5.0
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.5.0
+
+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
 
 ## Wazuh Docker v3.9.3_7.2.0
 
 ### Fixed
 - Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
 
-
-## Wazuh Docker v3.9.3_7.1.1-opendistro
-
-### Added
-- Support for Amazon Open Distro Docker images.
-
-
 ## Wazuh Docker v3.9.2_7.1.1
 
 ### Added

README.md

@@ -57,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_7.1.1-opendistro) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.5.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.3_7.1.1"
+WAZUH-DOCKER_VERSION="3.11.2_7.5.1"
-REVISION="3930"
+REVISION="31120"

admin-key.pem

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDGREC7Nwg9esab
-VrKmRL8nlVjrDL38YOfUt+G1sZ+ebmHmLynUMqQ3PHYDUqJoZQW5Jpmlh+V7GSfW
-erKC1C75J1991U/3DsM6aZ+QZXoTwM4XwwRUOU3K/kaanCr8sOEY+NQILxNmeCdc
-XOOCD9nsItkzgK01cTuWpObABVRSwu3hKEIwuGyCkPnfCDM3f/gDSvQtP9+Z6Kf0
-OEF3Le1vO47RrISSOKB3163j3zVFWC0XAmlpEBFfPB8UIi733hPOr+kRl4M/mE2k
-CL1MkJYjj258sjZhuvkCAupImtuWGMuo5ieNkuUFHWACg4gImoaRy4JOP8ye2VDZ
-KKxbTevzAgMBAAECggEBAIV0EaIyk8BWMPMEc3HJWmW5eEWWqRcE32dmcm4LZmaM
-5Ca9Xklv4OsxLjpkV98vCKAs5ETwaT3nm9IZeqjnS8r3fqZDe/TPIgfiar4WIArF
-v7Ns2DAc9kkJyNpu/dxi7tERRB9SGJvjipL4D0dPhh8VAeBR38TWOAbZblyX+b9O
-OOdMNCoCUyBqQ3PTlmK43Np2AeegSkVIUzQmiJfqBGGlchnZbfqJ7ZgkKPtTBGbA
-2RMMLON6OtNQ8pFuOn6qVROTsZgai0a4JfZrzVCFjdAO1ywPk2x4HUuRFKxFF4xv
-zZ7xqLRfVCV/rgpJBPKZr86GUODnUmCjrQNAwL9sB5ECgYEA4ckbqjemdYpEss8k
-3YupgXcZkwgp7WXT3BOmiDyzfhgQ0sBysQhkudHnvWTwXjcd0lDAmdeZ8k553WxJ
-imTsLnTkp8MBWj9YziJQhWAVSSsiqp0DtbcxHbwhtkcfG6enoNs03dhmWkZ5GHRA
-Tx/2n5ljxiiKGDeMkJWomalK1ukCgYEA4MxonRElJ8bo6KjcuTaL11gsUR/HyEh1
-eec1r18ypwfcPyxY6lzkvEonb3r4Jm2n1ZzvsGInA94+GtpNF4UoRixVGXCL6kiN
-7mR3dhG13weRUBZbFV59PdfvNfuQvz5Z5U4NuX2CPeSUKSKYEhfD1dZ7/eoh1eZ3
-e4qq0G09GnsCgYEAsdQ0Xtdf2pmhS/fMQFW8loRYdy5p31lhCKfNdOXiNQD9VxBO
-BNLoilYhoFC85GeirD//wetGi8p1PwkHzuF4B4r3gI4dJZhY+Fmcc7/eY/d+YUQz
-ZM6494NyRd80SBK++vlLZSMIUjfJLpJ5CBjTpJYqOCs7wKEXq9TDqurkT+kCgYEA
-n2u3IPSAwhXJJP5kEiGByMUqIJoGJ55jWYFDzEwZ8uSbKF397K7WNEXuc5vkkfQg
-G1iBjzf8bTzWFFsOYwi2yBU2gKUVRKARr6emJKBot3N5dS91htEMxqf1Z/Yw7797
-JyhUiWBd1iDdhdKXv/UEmAjUw/yf5D7eK0nq24cs1zMCgYEA3GCRpCIyZaG1CXPn
-F9hrYctTQKXm4GUVFSQuyq+cWbM1yyR3Q3dFmekT3HcSzBpLZpye7YNDCTzSLv+y
-refufQFAWK0JaHVRbE8D5/ggCDlo1f4xnJf6C4dM/FZkVyAzYcBfHQe4zYSMzB9D
-Mq1NaY1E8hefYIqKZnNhjI6iWDE=
------END PRIVATE KEY-----

admin.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfkCFA5ijfMasAZU95n3dLpkNLnqVfVMMA0GCSqGSIb3DQEBCwUAMEUx
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTkwODA2MTQxMzEzWhcNMTkwOTA1MTQx
-MzEzWjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAxkRAuzcIPXrGm1aypkS/J5VY6wy9/GDn1LfhtbGfnm5h5i8p
-1DKkNzx2A1KiaGUFuSaZpYflexkn1nqygtQu+SdffdVP9w7DOmmfkGV6E8DOF8ME
-VDlNyv5Gmpwq/LDhGPjUCC8TZngnXFzjgg/Z7CLZM4CtNXE7lqTmwAVUUsLt4ShC
-MLhsgpD53wgzN3/4A0r0LT/fmein9DhBdy3tbzuO0ayEkjigd9et4981RVgtFwJp
-aRARXzwfFCIu994Tzq/pEZeDP5hNpAi9TJCWI49ufLI2Ybr5AgLqSJrblhjLqOYn
-jZLlBR1gAoOICJqGkcuCTj/MntlQ2SisW03r8wIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQCOEDExFNDWXU3uLUuAFEy1GBA93KCl4pqPg16DA7mWN6++ovpwfH0eQSRB
-yQAPwjWApJc0KvvZv3m4FJlPGS7JAmL9TnTaPNRALa6i+t60mdM9myetKHrwfyj2
-HFRNoOE5xAAiBlKD4FE8Vu0WVbaThCquGIVp5ecysNhi5pbMwt7WgXDwr9hvwj9b
-f0FxZVKvTsh31Vu6E/H7MTkKPFxDi2W8FXjk9XipE2FE5fhbq6hjzI501gYytTA6
-JNYbG/XwnKxNMtokJEQDCaUQ1Lsixug+iKKQLJ5w1pHXvyV8qjSG1PUMxGIX68of
-bIlC8XXPq48Fp4RKHapLNoSE6gNN
------END CERTIFICATE-----

custom-elasticsearch.yml

@@ -1,23 +0,0 @@
-network.host: 0.0.0.0
-opendistro_security.ssl.transport.pemcert_filepath: node.pem
-opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node.pem
-opendistro_security.ssl.http.pemkey_filepath: node-key.pem
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.authcz.admin_dn:
-  - CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
-opendistro_security.nodes_dn:
-  - 'CN=N,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-node.max_local_storage_nodes: 3
-opendistro_security.audit.config.disabled_rest_categories: NONE
-opendistro_security.audit.config.disabled_transport_categories: NONE
-discovery.type: single-node

docker-compose.yml

@@ -1,34 +1,9 @@
-version: '3'
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+version: '2'
+
 services:
-
-
-  elasticsearch:
-    build: elasticsearch
-    container_name: elasticsearch
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536 # maximum number of open files for the Elasticsearch user, set to at least 65536 on modern systems
-        hard: 65536
-    volumes:
-      - odfe-data1:/usr/share/elasticsearch/data
-      - ./root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./node.pem:/usr/share/elasticsearch/config/node.pem
-      - ./node-key.pem:/usr/share/elasticsearch/config/node-key.pem
-      - ./admin.pem:/usr/share/elasticsearch/config/admin.pem
-      - ./admin-key.pem:/usr/share/elasticsearch/config/admin-key.pem
-      - ./custom-elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-    ports:
-      - 9200:9200
-      - 9600:9600 # required for Performance Analyzer
-    networks:
-      - odfe-net
-
-
   wazuh:
-    image: wazuh/wazuh:3.9.3_7.1.1-opendistro
+    image: wazuh/wazuh:3.11.2_7.5.1-oss
     hostname: wazuh-manager
     restart: always
     ports:
@@ -36,11 +11,26 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-    networks:
+
-      - odfe-net
+  elasticsearch:
+    image: wazuh/wazuh-elasticsearch:3.11.2_7.5.1-oss
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=es01
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    mem_limit: 2g
 
   kibana:
-    build: kibana
+    image: wazuh/wazuh-kibana:3.11.2_7.5.1-oss
     hostname: kibana
     restart: always
     depends_on:
@@ -48,11 +38,17 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-    networks:
+  nginx:
-      - odfe-net
+    image: wazuh/wazuh-nginx:3.11.2_7.5.1
-
+    hostname: nginx
-volumes:
+    restart: always
-  odfe-data1:
+    environment:
-
+      - NGINX_PORT=443
-networks:
+      - NGINX_CREDENTIALS
-  odfe-net:
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana

elasticsearch/Dockerfile

@@ -1,16 +1,21 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-ARG ELASTIC_VERSION=7.1.1
+ARG ELASTIC_VERSION=7.5.1
-FROM amazon/opendistro-for-elasticsearch:1.1.0
+FROM docker.elastic.co/elasticsearch/elasticsearch-oss:${ELASTIC_VERSION}
+ARG ELASTIC_VERSION
 ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip"
 
 ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
 ENV API_USER="foo" \
     API_PASS="bar"
 
-
 ENV ENABLE_CONFIGURE_S3="false"
 
+ARG TEMPLATE_VERSION=v3.11.2
+
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
 # CLUSTER_INITIAL_MASTER_NODES set to own node by default.
@@ -36,10 +41,13 @@ COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
 
 RUN chmod +x ./load_settings.sh
 
-RUN ${bin/elasticsearch-plugin install --batch S3_PLUGIN_URL}
+RUN bin/elasticsearch-plugin install --batch $S3_PLUGIN_URL
 
 COPY config/configure_s3.sh ./config/configure_s3.sh
 RUN chmod 755 ./config/configure_s3.sh
 
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
+
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/config_cluster.sh

@@ -3,8 +3,6 @@
 
 elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
 
-# Disable the Open distro security plugin
-
 remove_single_node_conf(){
   if grep -Fq "discovery.type" $1; then
     sed -i '/discovery.type\: /d' $1 
@@ -56,4 +54,4 @@ else
   remove_single_node_conf $elastic_config_file
   remove_cluster_config $elastic_config_file
   echo "discovery.type: single-node" >> $elastic_config_file
-fi
+fi

elasticsearch/config/entrypoint.sh

@@ -19,8 +19,11 @@ run_as_other_user_if_needed() {
   fi
 }
 
+
 # Run load settings script.
 
+./config_cluster.sh
+
 ./load_settings.sh &
 
 # Execute elasticsearch

elasticsearch/config/load_settings.sh

@@ -5,12 +5,6 @@ set -e
 
 el_url=${ELASTICSEARCH_URL}
 
-if [ "x${WAZUH_API_URL}" = "x" ]; then
-  wazuh_url="https://wazuh"
-else
-  wazuh_url="${WAZUH_API_URL}"
-fi
-
 
 until curl -XGET $el_url; do
   >&2 echo "Elastic is unavailable - sleeping"
@@ -38,44 +32,6 @@ if [ $ENABLE_CONFIGURE_S3 ]; then
 
 fi
 
-#Insert default templates
-
-API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
-
-if [ "x$CONFIG_CODE" != "x200" ]; then
-  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "'"$API_USER_Q"'",
-    "api_password": "'"$API_PASSWORD"'",
-    "url": "'"$wazuh_url"'",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-sleep 5
 
 # Set cluster delayed timeout when node falls
 curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
@@ -86,5 +42,4 @@ curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
 }
 '
 
-
 echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,21 +1,19 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM amazon/opendistro-for-elasticsearch-kibana:1.1.0
+FROM docker.elastic.co/kibana/kibana-oss:7.5.1
-ARG ELASTIC_VERSION=7.1.1
+USER kibana
-ARG WAZUH_VERSION=3.9.3
+ARG ELASTIC_VERSION=7.5.1
+ARG WAZUH_VERSION=3.11.2
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
+#ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /usr/share/kibana/
+
+RUN /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
+# RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
 USER root
-
-ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-
-RUN /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
-RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
-
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
 
-USER kibana
-
 ENV PATTERN="" \
     CHECKS_PATTERN="" \
     CHECKS_TEMPLATE="" \
@@ -57,7 +55,7 @@ COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
 RUN chmod +x ./welcome_wazuh.sh
 
 RUN ./welcome_wazuh.sh
-
+USER kibana
 RUN /usr/local/bin/kibana-docker --optimize
 
 ENTRYPOINT ./entrypoint.sh

kibana/config/kibana_settings.sh

@@ -17,12 +17,9 @@ WAZUH_MAJOR=3
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
-sed -i 's|https://localhost:9200|http://elasticsearch:9200|g' /usr/share/kibana/config/kibana.yml
-
 if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
-  sed -i '/elasticsearch.hosts/d' /usr/share/kibana/config/kibana.yml
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
-  echo "elasticsearch.hosts: $ELASTICSEARCH_KIBANA_IP" >> /usr/share/kibana/config/kibana.yml
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
-  sed -i 's|https://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
 fi
 
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.

kibana/config/wazuh_app_config.sh

@@ -1,7 +1,12 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_user="${API_USER:-foo}"
+api_password="${API_PASS:-bar}"
+
+kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -37,3 +42,23 @@ do
         sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
     fi
 done
+
+# remove default API entry (new in 3.11.0_7.5.1)
+sed -ie '/- default:/,+4d' $kibana_config_file
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file 
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      user: $api_user
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

nginx/Dockerfile

@@ -0,0 +1,19 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM nginx:latest
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+VOLUME ["/etc/nginx/conf.d"]
+
+ENV NGINX_NAME="foo" \
+    NGINX_PWD="bar"
+
+ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Generating certificates.
+if [ ! -d /etc/nginx/conf.d/ssl ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+# Setting users credentials.
+# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
+#
+# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
+#    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
+#
+# b) Set NGINX_CREDENTIALS in docker-compose.yml:
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2
+#
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting users credentials"
+  if [ ! -z "$NGINX_CREDENTIALS" ]; then
+    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
+    for index in "${!users[@]}"
+    do
+      IFS=':' read -r -a credentials <<< "${users[index]}"
+      if [ $index -eq 0 ]; then
+        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
+      else
+        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
+      fi
+    done
+  else
+    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
+    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
+  fi
+else
+  echo "Kibana credentials already configured"
+fi
+
+if [ "x${NGINX_PORT}" = "x" ]; then
+  NGINX_PORT=443
+fi
+
+if [ "x${KIBANA_HOST}" = "x" ]; then
+  KIBANA_HOST="kibana:5601"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:${NGINX_PORT}\$request_uri;
+}
+
+server {
+    listen ${NGINX_PORT} default_server;
+    listen [::]:${NGINX_PORT};
+    ssl on;
+    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
+    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://${KIBANA_HOST}/;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+    }
+}
+EOF
+
+nginx -g 'daemon off;'

node-key.pem

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDex0W7QYjrJzc+
-lYGO3ypsAngCFHgCjfnEhh+yNw8DdxayTyBqlvPlBk09JeVU8xF6EjqHy4broAYW
-vZ15YRdeE7aDXJ05IiqCC7XFVz/pdpxZKeovEjlZi4gXtbB+lrcmChL4tQ5I5E1f
-27KsC98fJZ6gRJz+Eede83eDi14Wt4uQJgG6JUosMGM0lBzzY/l37vRSFxeTP8cK
-ex4vwWmgsFmR6AUf/corGm+OGK6ony9SGraZU3EoVUF7zWDhSxsS/pVheFizjpiT
-2NLgbXCWVHozp4AjD3Ghzi3D5DV3Mw85ZTHTbgsxWx6fxygWH40OBOWj6o5454Ef
-GKazJjz7AgMBAAECggEAQt+8vfZxPG28Nqw4hQPWvy+KiM1OLS4jUOwWLbA7cIXa
-KVJ5X6XKtvBKVVW/3t1MXMGGEmd1K9wQl9j5oYsUsafnPM2bYKAx9HHBcei8BcAW
-NOnRI6orzwaEpuFihs2FUwTpJwFqtVTbKTBRFTZHFxl64Y9XNSl4s9cQBEvcxaJp
-/vPBhlYpkupKLSYFmey3fyuX190xYmD5hEbf+fYRCmEv9faLgyAmJCWlo6EjfZGZ
-nQd/WtnzOhshFltkzFAj2EWu+8pIwL+qGdRyc5U5vr0BTvsTOyhlidnaZuNELaPv
-DuVDH0GMGm6/5NyNQs+rWTTERJ3lC0aWsyyfA31l4QKBgQDxkNDMmtOVxqeg+n4h
-nXYAhXdLlgxu7Hg7cxO1juwJS3e/5nAvgQm8Q00PcNrAQwMlY/jcdvf1wSosbbM0
-I1Z2aQ5rriDuyYAxpdUn0PMKFwNEA7F7My2kGl/7HlIFH2twkb3nf9umnb/81VpY
-OigNwv4uLylwcE7S9YHrx/orawKBgQDsFxJDgA9hOydHaCKsJ1pPqmbOsydInCFf
-q4rneo/6rzbgzv/Wbpbd0cmUGLq41xe1rWsYjUd6/GGGbc4I/JzlaPIPNqL/bjIF
-Gz1S9rS+zWj47Ggjb5gW6vJqzNkOMtkc4YEIWFNoDR78bFLw5NenJxwJ0mRd5eIV
-6pBWpBCosQKBgDryE4FZ5neN2im19kFNoxXNe6a+HpqSqWQYWJ7dGUvLVpVFLerp
-me6Onac+6qIvt/zPwFJL1YXqdNgSjMAUP2z1hcdQ3khmcxmqVbE5k5TKuMlH/W8K
-tgBtTy5/35PQbu8xIR30XSzzIX4YscsFpfB1vICYkYwWW6Wust1OFwWxAoGBAIcA
-2mzG+gR7swZeQhV3m2ka5Bcm0zvuLBdtHM0phNOxBgyf0iRosNS/dim9ymiQdvpo
-5GjxwQJO9+XLPJpe+cklreWNNMAj326UGQksEkdZZsGRTiuVUL8qMt1nrmc0JHsj
-aInBGFDTz/hAaV1fPwJSlvH24XXgUtx9eXRR9UTBAoGBAJoCY11pJ9C1NLSflWY5
-0ig/aOCUx4vz0NX203KwmN2P7YXX4iq+qPIpnlsKRMR57hgajRm8Hs7OxvlNIUCt
-6VYr2gRGH3rN7wL60dE8fGmHF0/BjWfFvRfkFmujO+ytmlf/SwjcJKmYDIMW7ZsF
-Xvk6V/ziLkKUNL5P0xR0X6I8
------END PRIVATE KEY-----

node.pem

@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDETCCAfkCFA5ijfMasAZU95n3dLpkNLnqVfVNMA0GCSqGSIb3DQEBCwUAMEUx
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTkwODA2MTQxMzI4WhcNMTkwOTA1MTQx
-MzI4WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEA3sdFu0GI6yc3PpWBjt8qbAJ4AhR4Ao35xIYfsjcPA3cWsk8g
-apbz5QZNPSXlVPMRehI6h8uG66AGFr2deWEXXhO2g1ydOSIqggu1xVc/6XacWSnq
-LxI5WYuIF7Wwfpa3JgoS+LUOSORNX9uyrAvfHyWeoESc/hHnXvN3g4teFreLkCYB
-uiVKLDBjNJQc82P5d+70UhcXkz/HCnseL8FpoLBZkegFH/3KKxpvjhiuqJ8vUhq2
-mVNxKFVBe81g4UsbEv6VYXhYs46Yk9jS4G1wllR6M6eAIw9xoc4tw+Q1dzMPOWUx
-024LMVsen8coFh+NDgTlo+qOeOeBHximsyY8+wIDAQABMA0GCSqGSIb3DQEBCwUA
-A4IBAQCm7P73s4azGocdSG3qHYDqEpUUxRyzkz9NuGoqYkXBbnKe2z4dCIZx1URm
-muY2EKK+IHG9QCMgOIPCu8cMnwYqAcxT/Ob2EYOzOglvUhz6GR7MerfxU69hdGL7
-gVSQSsVnRnMKzgO+8n6Nawx26GNxDO/6CNu5GS+jDPhR5ABV8su4+OmKa070wfB+
-rFVfGWzYkxpgIteUKF/F59eH//DHllerHnoNvX03rpuIt6ofZoTzMJoBxAJIRiaP
-Q3+0B0v/t+kxzSpkLNHs1X4xcDulpDU64oeSGYkB2ebK/rGOCBd4C+pNMY1zNaHQ
-/7Xn7ZabuVcPtbqEcpszTfL5a/t9
------END CERTIFICATE-----

root-ca-key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA1vp+v6lcQ+UCMfCfvoSvffZA72Az+i0l7rmk46iZfmqhiXaV
-x9Q44C2G6V5Jey2EWUAERaNoj+IvXlOE39fzrSKRVZP3CJ3FcbXTmrhxIcNq6c64
-BG0oMExMlYzfSZbobeTkm+f4B6SNRpswz1MSnGwh5fwN6mwHq5sYJs7PcGHL1u81
-tzHjIwvOxXXufAPaw9RI6IG96bKT8/hs/5IAtH8uN8im62+7Jzd1HdM/TNgrajpn
-P7AgDwrEOo6EAZ4GxuOPsZYi33MZ+/GmhjRp3oheCx2MTyX2PWXAFDBJYdov2g/j
-rmJgQKqXBtFozOc/wGuXgcN1NrGabhfsq6bv3QIDAQABAoIBADCQdBOuGcbItD89
-4YhzhwWInNC2xectTdVpIMPBMbOqOQXJwTpcSeDyx/huMWFfPfe/i3eD27otWZAQ
-hALhUQ36siRIAdVzdsgiUEQyiHQdJkjdRxrQ4fRPODnMkiCYs7cnrzE9LP3lAXlC
-07ryRFEL6HiBAU/EydLNfZ4+uAPl2cHnJ5sddimQy/smg4wGSyz/xsbglF5wFMMy
-IT2h9xtYqRDfz8SKjBx4CCXzM6bPwjlp04fkc2s6n1slDp6FfyCGFMlxs8IbJRK2
-6nDXg9q4+t3BZkVDVsA0GMRWDO1bv/yP3Xh4c2FN8hT4/vGvDnFeIxHVUkQapFa/
-plL53cECgYEA9Wk4aqWzbAB7KCa8Ygac8X2cp5XV938acHNaOlEqeskhKf427GBR
-Jv0PnyvcSZ6HvkqfsX6/zcaDBjl6d93vqTt7Caa6+AlyLXh5wBYWfHfoWw6Cd9a9
-EHz6l8RXtjO1BDrEmp0eeaVwIi9J0gC9klIQeAyIGEckpK5rCIFrVo0CgYEA4EEe
-8rry+Gw6M5BHIub5m8TX7QN8vPC7zre13MgLRxgasZjY6BDULf063On4ULhe5gol
-D1QJmJz7IqCRSyOyR4PQUZ93vOrgRkajIEg1gDfw5BL+XfcB24F2iSdjHAj5Yel6
-HDC4QfGuE+Pf2JjXfS46rTJOpCtPvZRO/1YZEpECgYBwffffYu84zYumnwLxSCi+
-xZ5+bz9yQLAE5ctxOe1n9TQfhKj2dzwbzBpSEw/aKzH790b2XKxdDebXfpd1xKTs
-BRjkFqpTsjjFQRlGBJnwGiLHQoJpnmRx32gbE2RFX7RVKP8gBG+IwV4CPXzwJ2i+
-XqGv9caYolvYpR7o+jISrQKBgFYkzdWiOOly8ZyTJLBkl6fdorB6MXWG6C4NZf/s
-nGBwAvkL5O6oYElWSEFKY0fmuxWU+g18U79bNiFkGswJZ1ePa/uezWk1tHdqdQlW
-k66wTonePfYsh3shrT4ccjb3v4x8Gpsvn+g9BYjAdWGHvOdqVcHoXEs2FAiYKwxs
-r27xAoGBAOCRicRMDmzZEn6+H2TPLcF8I1z5Zmbfe2wxpbJTyRrlsPYRDWVD5AQq
-ot1997UYoOU3/dVh1Hboilw/FhWgWefElqZ0ZbR/c0SQ9mVIk1pdjBiIVb9wIMPb
-JUFzTOZpJLFm+3XprcolynJ5eEwNVo4qznQ6/wKIiHl3218oMlLO
------END RSA PRIVATE KEY-----

root-ca.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDazCCAlOgAwIBAgIUKv3kyQj4hZXfq9c8n2eaVyfbxgIwDQYJKoZIhvcNAQEL
-BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA4MDYxNDEzMDBaFw0xOTA5
-MDUxNDEzMDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
-HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDW+n6/qVxD5QIx8J++hK999kDvYDP6LSXuuaTjqJl+
-aqGJdpXH1DjgLYbpXkl7LYRZQARFo2iP4i9eU4Tf1/OtIpFVk/cIncVxtdOauHEh
-w2rpzrgEbSgwTEyVjN9Jluht5OSb5/gHpI1GmzDPUxKcbCHl/A3qbAermxgmzs9w
-YcvW7zW3MeMjC87Fde58A9rD1Ejogb3pspPz+Gz/kgC0fy43yKbrb7snN3Ud0z9M
-2CtqOmc/sCAPCsQ6joQBngbG44+xliLfcxn78aaGNGneiF4LHYxPJfY9ZcAUMElh
-2i/aD+OuYmBAqpcG0WjM5z/Aa5eBw3U2sZpuF+yrpu/dAgMBAAGjUzBRMB0GA1Ud
-DgQWBBSB8K9j6PWB7xsXY6FhQ5yiwyuBADAfBgNVHSMEGDAWgBSB8K9j6PWB7xsX
-Y6FhQ5yiwyuBADAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBT
-19LIJpNg/03mvmGlnI7pfKIKpJSA1GZDZ+QJ/K8uOlo6aX0r511Sc7CWHTNDwdH/
-K8lvnMTGDXNHY2iblGjJU067Z1ahwqVewix0cy36dy/k2g5BnxaH4yuHRvn5DeWx
-1GQLP6sVDpw5aTVq8KtuSvzv6Qc9I8Ra2708SxZY2KnQPKHlgVhs5tbYaFRic4xl
-Ir9unaTWyHlZ0UAE0HlJSL6Fe1OTwyyjZi9msriuIQozKuaiobzOU2P1I+2rgHic
-yzS1R9zI3YxPZsUaJiuiC6NWZ7gnrnf0qp1MGJ+qDKMeVISJFILa8PpSAuDxyr5r
-XW5PH/MBrI0VpiUi4Pi7
------END CERTIFICATE-----

root-ca.srl

@@ -1 +0,0 @@
-0E628DF31AB00654F799F774BA6434B9EA55F54D

wazuh/Dockerfile

@@ -1,19 +1,19 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM phusion/baseimage:latest
 
-ARG FILEBEAT_VERSION=7.1.1
+ARG FILEBEAT_VERSION=7.5.1
 
-ARG WAZUH_VERSION=3.9.3-1
+ARG WAZUH_VERSION=3.11.2-1
 
 ENV API_USER="foo" \
    API_PASS="bar"
 
-ARG TEMPLATE_VERSION="v3.9.3"
+ARG TEMPLATE_VERSION="v3.11.2"
 
 # Set repositories.
 RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
-   curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
+   curl --silent --location https://deb.nodesource.com/setup_10.x | bash - && \
    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
    groupadd -g 1000 ossec && useradd -u 1000 -g 1000 -d /var/ossec ossec
@@ -74,7 +74,7 @@ RUN chmod +x /etc/service/wazuh-api/run && \
 
 
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
-RUN chmod go-w /etc/filebeat/wazuh-template.json
+RUN chmod go-w /etc/filebeat/wazuh-template.json 
 
 # Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/00-wazuh.sh

@@ -104,6 +104,17 @@ function ossec_shutdown(){
   ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 
+##############################################################################
+# Allow users to set the container hostname as <node_name> dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+
 # Trap exit signals and do a proper shutdown
 trap "ossec_shutdown; exit" SIGINT SIGTERM
 

wazuh/config/01-config_filebeat.sh

@@ -3,8 +3,17 @@
 
 set -e
 
+WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
 # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
 if [ "$ELASTICSEARCH_URL" != "" ]; then
   >&2 echo "Customize Elasticsearch ouput IP."
   sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
-fi
+fi
+
+# Install Wazuh Filebeat Module
+
+curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+mkdir -p /usr/share/filebeat/module/wazuh
+chmod 755 -R /usr/share/filebeat/module/wazuh
+

wazuh/config/filebeat.yml

@@ -1,53 +1,15 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh - Filebeat configuration file
-filebeat.inputs:
+filebeat.modules:
-  - type: log
+  - module: wazuh
-    paths:
+    alerts:
-      - '/var/ossec/logs/alerts/alerts.json'
+      enabled: true
+    archives:
+      enabled: false
 
 setup.template.json.enabled: true
-setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
-setup.template.json.name: "wazuh"
+setup.template.json.name: 'wazuh'
 setup.template.overwrite: true
+setup.ilm.enabled: false
 
-processors:
+output.elasticsearch.hosts: ['http://elasticsearch:9200']
-  - decode_json_fields:
-      fields: ['message']
-      process_array: true
-      max_depth: 200
-      target: ''
-      overwrite_keys: true
-  - drop_fields:
-      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
-  - rename:
-      fields:
-        - from: "data.aws.sourceIPAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.srcip"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.win.eventdata.ipAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-
-output.elasticsearch:
-  hosts: ['http://elasticsearch:9200']
-  #pipeline: geoip
-  indices:
-    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'