Merge pull request #2049 from wazuh/merge-4.14.1-into-main

Merge 4.14.1 into main

.github/workflows/push.yml

@@ -192,7 +192,7 @@ jobs:
       run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
 
     - name: Start Wazuh agent
-      run: docker-compose -f wazuh-agent/docker-compose.yml up -d
+      run: docker compose -f wazuh-agent/docker-compose.yml up -d
 
     - name: Check Wazuh agent enrollment
       run: |
@@ -355,7 +355,7 @@ jobs:
       run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
 
     - name: Start Wazuh agent
-      run: docker-compose -f wazuh-agent/docker-compose.yml up -d
+      run: docker compose -f wazuh-agent/docker-compose.yml up -d
 
     - name: Check Wazuh agent enrollment
       run: |

CHANGELOG.md

@@ -9,8 +9,27 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Wazuh server clean-up ([#2030](https://github.com/wazuh/wazuh-puppet/issues/2030))
+- Fix OpenSearch deprecated settings ([#1366](https://github.com/wazuh/wazuh-puppet/issues/1366))
+
+### Fixed
+
 - None
 
+### Deleted
+
+- None
+
+## [4.14.1]
+
+### Added
+
+- None
+
+### Changed
+
+- Wazuh cert tool generator improvements ([#2027](https://github.com/wazuh/wazuh-docker/pull/2027))
+
 ### Fixed
 
 - None
@@ -27,11 +46,19 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Change filebeat install method ([#2020](https://github.com/wazuh/wazuh-docker/pull/2020))
+- Remove dashboard chat setting ([#2021](https://github.com/wazuh/wazuh-docker/pull/2021))
+- Rollback data source setting ([#1999](https://github.com/wazuh/wazuh-docker/pull/1999))
+- Dashboard settings added ([#1998](https://github.com/wazuh/wazuh-docker/pull/1998))
+- Add filebeat config file in the PERMANENT_DATA_EXCP list ([#1898](https://github.com/wazuh/wazuh-docker/pull/1898))
 - Change validation of existing certs tool in S3 buckets ([#1880](https://github.com/wazuh/wazuh-docker/pull/1880))
 
 ### Fixed
 
-- None
+- Change Wazuh indexer directory owner ([#2029](https://github.com/wazuh/wazuh-docker/pull/2029))
+- Double the amount of space consumed in Wazuh Indexer ([#1953](https://github.com/wazuh/wazuh-docker/pull/1953))
+- Fix config directory for opensearch_security plugin work ([#1951](https://github.com/wazuh/wazuh-docker/pull/1951))
+- Update Dockerfile to copy opensearch-security files ([#1928](https://github.com/wazuh/wazuh-docker/pull/1928))
 
 ### Deleted
 
@@ -59,6 +86,9 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
+- Add opensearch_dashboard.yml parameters. ([#1985](https://github.com/wazuh/wazuh-docker/pull/1985))
+- Set right ownership for malicious-ioc files on container start ([#1926](https://github.com/wazuh/wazuh-docker/pull/1926))
+- Delete services statement in wazuh agent deployment. ([#1925](https://github.com/wazuh/wazuh-docker/pull/1925))
 - Add permanent_data exceptions. ([#1890](https://github.com/wazuh/wazuh-docker/pull/1890))
 - Integrate bumper script via GitHub action. ([#1863](https://github.com/wazuh/wazuh-docker/pull/1863))
 - Add missing malicious-ioc ruleset lists ([#1870](https://github.com/wazuh/wazuh-docker/pull/1870))
@@ -70,11 +100,12 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Syscollector configuration change ([#1994](https://github.com/wazuh/wazuh-docker/pull/1994))
 - Modify wazuh-keystore use ([#1750](https://github.com/wazuh/wazuh-docker/pull/1750)) \- (wazuh-keystore)
 
 ### Fixed
 
-- None
+- Add wazuh-template.json into permanent data exception ([#1968](https://github.com/wazuh/wazuh-docker/pull/1968))
 
 ### Deleted
 

build-docker-images/build-images.sh

@@ -76,7 +76,7 @@ help() {
     echo
     echo "Usage: $0 [OPTIONS]"
     echo
-    echo "    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default."
+    echo "    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc2 or beta1, not used by default."
     echo "    -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default ${FILEBEAT_MODULE_VERSION}."
     echo "    -r, --revision <rev>         [Optional] Package revision. By default ${WAZUH_TAG_REVISION}"
     echo "    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, ${WAZUH_IMAGE_VERSION}."

build-docker-images/build-images.yml

@@ -27,9 +27,7 @@ services:
       - wazuh_logs:/var/ossec/logs
       - wazuh_queue:/var/ossec/queue
       - wazuh_var_multigroups:/var/ossec/var/multigroups
-      - wazuh_integrations:/var/ossec/integrations
       - wazuh_active_response:/var/ossec/active-response/bin
-      - wazuh_agentless:/var/ossec/agentless
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
@@ -94,9 +92,7 @@ volumes:
   wazuh_logs:
   wazuh_queue:
   wazuh_var_multigroups:
-  wazuh_integrations:
   wazuh_active_response:
-  wazuh_agentless:
   wazuh_wodles:
   filebeat_etc:
   filebeat_var:

build-docker-images/wazuh-indexer/Dockerfile

@@ -62,25 +62,26 @@ COPY config/entrypoint.sh /
 
 COPY config/securityadmin.sh /
 
-RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
+RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh && \
-
+    mkdir -p /usr/share/wazuh-indexer && \
-RUN chown 1000:1000 /*.sh
+    chown 1000:1000 /usr/share/wazuh-indexer && \
+    chown 1000:1000 /*.sh
 
 COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer
-COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer/config
+COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
 
-RUN chown -R 1000:1000 /usr/share/wazuh-indexer
-
 RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
     mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
     mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
     mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
     chmod 700 /usr/share/wazuh-indexer && \
-    chmod 600 /usr/share/wazuh-indexer/jvm.options && \
+    chmod 700 /usr/share/wazuh-indexer/config && \
-    chmod 600 /usr/share/wazuh-indexer/opensearch.yml
+    chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \
+    chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml
 
 USER wazuh-indexer
 

build-docker-images/wazuh-indexer/config/config.sh

@@ -13,7 +13,7 @@ export LOG_DIR=/var/log/${NAME}
 export LIB_DIR=/var/lib/${NAME}
 export PID_DIR=/run/${NAME}
 export INSTALLATION_DIR=/usr/share/${NAME}
-export CONFIG_DIR=${INSTALLATION_DIR}
+export CONFIG_DIR=${INSTALLATION_DIR}/config
 export BASE_DIR=${NAME}-*
 export INDEXER_FILE=wazuh-indexer-base.tar.xz
 export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -6,7 +6,7 @@ umask 0002
 
 export USER=wazuh-indexer
 export INSTALLATION_DIR=/usr/share/wazuh-indexer
-export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}
+export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
 export JAVA_HOME=${INSTALLATION_DIR}/jdk
 export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
 export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)

build-docker-images/wazuh-indexer/config/opensearch.yml

@@ -1,9 +1,9 @@
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
+cluster.name: "wazuh-cluster"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
-compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem

build-docker-images/wazuh-manager/Dockerfile

@@ -8,6 +8,7 @@ ARG WAZUH_TAG_REVISION
 ARG FILEBEAT_TEMPLATE_BRANCH
 ARG FILEBEAT_CHANNEL=filebeat-oss
 ARG FILEBEAT_VERSION=7.10.2
+ARG FILEBEAT_REVISION=2
 ARG WAZUH_FILEBEAT_MODULE
 ARG S6_VERSION="v2.2.0.3"
 
@@ -50,9 +51,6 @@ RUN chmod go-w /etc/filebeat/wazuh-template.json
 RUN mkdir -p /var/ossec/var/multigroups && \
     chown root:wazuh /var/ossec/var/multigroups && \
     chmod 770 /var/ossec/var/multigroups && \
-    mkdir -p /var/ossec/agentless && \
-    chown root:wazuh /var/ossec/agentless && \
-    chmod 770 /var/ossec/agentless && \
     mkdir -p /var/ossec/active-response/bin && \
     chown root:wazuh /var/ossec/active-response/bin && \
     chmod 770 /var/ossec/active-response/bin && \

build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init

@@ -167,16 +167,17 @@ set_custom_cluster_key() {
 }
 
 ##############################################################################
-# Modify /var/ossec/queue/rids directory owner on
+# Set correct ownership for Wazuh related directories
-# container start.
+# on container start.
 ##############################################################################
 
-set_rids_owner() {
+configure_permissions() {
   chown -R wazuh:wazuh /var/ossec/queue/rids
+  chown -R wazuh:wazuh /var/ossec/etc/lists
 }
 
 ##############################################################################
-# Change any ossec user/group to wazuh user/group 
+# Change any ossec user/group to wazuh user/group
 ##############################################################################
 
 set_correct_permOwner() {
@@ -226,8 +227,8 @@ main() {
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
-  # Set rids directory owner
+  # Set correct ownership for Wazuh related directories
-  set_rids_owner
+  configure_permissions
 }
 
 main

build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager

@@ -60,12 +60,6 @@ function_wazuh_migration(){
       chown wazuh:wazuh /var/ossec/etc/rules/*
       chmod 660 /var/ossec/etc/rules/*
 
-      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
-        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
-        chown root:wazuh /var/ossec/agentless/.passlist
-        chmod 640 /var/ossec/agentless/.passlist
-      fi
-
       \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
       chown wazuh:wazuh /var/ossec/queue/db/global.db
       chmod 640 /var/ossec/queue/db/global.db

build-docker-images/wazuh-manager/config/filebeat_module.sh

@@ -7,6 +7,5 @@ if [[ -n "${WAZUH_TAG}" ]]; then
   REPOSITORY="packages.wazuh.com/5.x"
 fi
 
-curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
+yum install filebeat-${FILEBEAT_VERSION}-${FILEBEAT_REVISION} -y && \
-yum install -y ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \
 curl -s https://${REPOSITORY}/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module

build-docker-images/wazuh-manager/config/permanent_data.env

@@ -4,9 +4,7 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
-PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
@@ -16,16 +14,6 @@ export PERMANENT_DATA
 # Files mounted in a volume that should not be permanent
 i=0
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
@@ -41,18 +29,6 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
@@ -100,6 +76,8 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malicious-ip"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malicious-domains"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malware-hashes"
+PERMANENT_DATA_EXCP[((i++))]="/etc/filebeat/wazuh-template.json"
+PERMANENT_DATA_EXCP[((i++))]="/etc/filebeat/filebeat.yml"
 export PERMANENT_DATA_EXCP
 
 # Files mounted in a volume that should be deleted

docs/dev/build-image.md

@@ -23,7 +23,7 @@ $ build-docker-images/build-images.sh -h
 
 Usage: build-docker-images/build-images.sh [OPTIONS]
 
-    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
+    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc2 or beta1, not used by default.
     -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.4.
     -r, --revision <rev>         [Optional] Package revision. By default 1
     -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 5.0.0.

docs/ref/configuration/configuration-files.md

@@ -2,7 +2,7 @@
 
 ### 1. Wazuh Manager Configuration
 
-* **`ossec.conf`**: The main configuration file for the Wazuh manager. It controls rules, decoders, agent enrollment, active responses, integrations, clustering, and more.
+* **`ossec.conf`**: The main configuration file for the Wazuh manager. It controls rules, decoders, agent enrollment, active responses, clustering, and more.
     * **Customization**: Mount a custom `ossec.conf` or specific configuration snippets (e.g., local rules in `local_rules.xml`) into the manager container at `/wazuh-mount-point/`, which will be copied to the path `/var/ossec` (e.g., the file `/var/ossec/etc/ossec.conf` must be mounted at `/wazuh-mount-point/etc/ossec.conf`) .
 
 ### 2. Wazuh Indexer Configuration

docs/ref/getting-started/deployment/multi-node.md

@@ -17,18 +17,18 @@ This deployment utilizes the `multi-node/docker-compose.yml` file, which defines
 
 3.  Run the script to generate the necessary certificates for the Wazuh Stack. This ensures secure communication between the nodes:
     ```bash
-    docker-compose -f generate-indexer-certs.yml run --rm generator
+    docker compose -f generate-indexer-certs.yml run --rm generator
     ```
 
-4.  Start the Wazuh environment using `docker-compose`:
+4.  Start the Wazuh environment using `docker compose`:
 
     * To run in the foreground (logs will be displayed in your current terminal; press `Ctrl+C` to stop):
         ```bash
-        docker-compose up
+        docker compose up
         ```
     * To run in the background (detached mode, allowing the containers to run independently of your terminal):
         ```bash
-        docker-compose up -d
+        docker compose up -d
         ```
 
 Please allow some time for the environment to initialize, especially on the first run. A multi-node setup can take a few minutes (depending on your host resources and network) as the Wazuh Indexer cluster forms, and the necessary indexes and index patterns are generated.

docs/ref/getting-started/deployment/single-node.md

@@ -17,18 +17,18 @@ This deployment uses the `single-node/docker-compose.yml` file, which defines a
 
 3.  Run the script to generate the necessary certificates for the Wazuh Stack. This ensures secure communication between the nodes:
     ```bash
-    docker-compose -f generate-indexer-certs.yml run --rm generator
+    docker compose -f generate-indexer-certs.yml run --rm generator
     ```
 
-4.  Start the Wazuh environment using `docker-compose`:
+4.  Start the Wazuh environment using `docker compose`:
 
     * To run in the foreground (logs will be displayed in your current terminal; press `Ctrl+C` to stop):
         ```bash
-        docker-compose up
+        docker compose up
         ```
     * To run in the background (detached mode, allowing the containers to run independently of your terminal):
         ```bash
-        docker-compose up -d
+        docker compose up -d
         ```
 
 Please allow some time for the environment to initialize, especially on the first run. It can take approximately a minute or two (depending on your host's resources) as the Wazuh Indexer starts up and generates the necessary indexes and index patterns.

docs/ref/getting-started/deployment/wazuh-agent.md

@@ -23,14 +23,14 @@ Follow these steps to deploy the Wazuh agent using Docker.
     ```
     **Note:** Replace `<YOUR_WAZUH_MANAGER_IP_OR_HOSTNAME>` with the actual IP address or hostname of your Wazuh manager.
 
-3.  Start the environment using `docker-compose`:
+3.  Start the environment using `docker compose`:
 
     * To run in the foreground (logs will be displayed in your current terminal, and you can stop it with `Ctrl+C`):
         ```bash
-        docker-compose up
+        docker compose up
         ```
 
     * To run in the background (detached mode, allowing the container to run independently of your terminal):
         ```bash
-        docker-compose up -d
+        docker compose up -d
         ```

indexer-certs-creator/Dockerfile

@@ -1,7 +1,7 @@
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-FROM ubuntu:focal
+FROM amazonlinux:2023
 
-RUN apt-get update && apt-get install openssl curl -y
+RUN yum update -y && yum install openssl curl-minimal -y
 
 WORKDIR /
 

indexer-certs-creator/README.md

@@ -5,5 +5,5 @@ The dockerfile hosted in this directory is used to build the image used to boot
 To create the image, the following command must be executed:
 
 ```
-$ docker build -t wazuh/wazuh-certs-generator:0.0.2 .
+$ docker build -t wazuh/wazuh-certs-generator:0.0.3 .
 ```

indexer-certs-creator/config/entrypoint.sh

@@ -8,29 +8,35 @@
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/5.0/
+PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
 
-## Check if the cert tool exists in S3 buckets
+OUTPUT_FILE="/$CERT_TOOL"
-CERT_TOOL_PACKAGES=$(curl --silent --head --location --output /dev/null --write-out "%{http_code}" "$PACKAGES_URL$CERT_TOOL")
-CERT_TOOL_PACKAGES_DEV=$(curl --silent --head --location --output /dev/null --write-out "%{http_code}" "$PACKAGES_DEV_URL$CERT_TOOL")
 
-## If cert tool exists in some bucket, download it, if not exit 1
+download_package() {
-if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
+    local url=$1
-  curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL -s
+    echo "Checking $url$CERT_TOOL ..."
-  echo "The tool to create the certificates exists in the in Packages bucket"
+    if curl -fsL "$url$CERT_TOOL" -o "$OUTPUT_FILE"; then
-elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
+        echo "Downloaded $CERT_TOOL from $url"
-  curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL -s
+        return 0
-  echo "The tool to create the certificates exists in Packages-dev bucket"
+    else
+        return 1
+    fi
+}
+
+# Try first the prod URL, if it fails try the dev URL
+if download_package "$PACKAGES_URL"; then
+    :
+elif download_package "$PACKAGES_DEV_URL"; then
+    :
 else
-  echo "The tool to create the certificates does not exist in any bucket"
+    echo "The tool to create the certificates does not exist in any bucket"
-  echo "ERROR: certificates were not created"
+    echo "ERROR: certificates were not created"
-  exit 1
+    exit 1
 fi
 
 cp /config/certs.yml /config.yml
-
+chmod 700 "$OUTPUT_FILE"
-chmod 700 /$CERT_TOOL
 
 ##############################################################################
 # Creating Cluster certificates

multi-node/Migration-to-Wazuh-4.4.md

@@ -80,13 +80,6 @@ docker volume create \
            multi-node_master-wazuh-var-multigroups
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=master-wazuh-integrations \
-           multi-node_master-wazuh-integrations
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -94,13 +87,6 @@ docker volume create \
            multi-node_master-wazuh-active-response
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=master-wazuh-agentless \
-           multi-node_master-wazuh-agentless
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -157,13 +143,6 @@ docker volume create \
            multi-node_worker-wazuh-var-multigroups
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=worker-wazuh-integrations \
-           multi-node_worker-wazuh-integrations
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -171,13 +150,6 @@ docker volume create \
            multi-node_worker-wazuh-active-response
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=worker-wazuh-agentless \
-           multi-node_worker-wazuh-agentless
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -248,24 +220,12 @@ docker container run --rm -it \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_ossec-integrations:/from \
-           -v multi-node_master-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_ossec-active-response:/from \
            -v multi-node_master-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_ossec-agentless:/from \
-           -v multi-node_master-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_ossec-wodles:/from \
            -v multi-node_master-wazuh-wodles:/to \
@@ -314,24 +274,12 @@ docker container run --rm -it \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-integrations:/from \
-           -v multi-node_worker-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-active-response:/from \
            -v multi-node_worker-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-agentless:/from \
-           -v multi-node_worker-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-wodles:/from \
            -v multi-node_worker-wazuh-wodles:/to \

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
+    <agents_disconnection_time>15m</agents_disconnection_time>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -124,8 +101,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -165,13 +140,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -266,13 +240,6 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -305,9 +272,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
+    <agents_disconnection_time>15m</agents_disconnection_time>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -124,8 +101,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -165,13 +140,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -266,13 +240,6 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -305,9 +272,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

multi-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -2,7 +2,7 @@ server.host: 0.0.0.0
 server.port: 5601
 opensearch.hosts: https://wazuh1.indexer:9200
 opensearch.ssl.verificationMode: certificate
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
@@ -10,3 +10,7 @@ server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
 server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wz-home
+# Session expiration settings
+opensearch_security.cookie.ttl: 900000
+opensearch_security.session.ttl: 900000
+opensearch_security.session.keepalive: true

multi-node/config/wazuh_indexer/wazuh1.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh1.indexer
 node.name: wazuh1.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh2.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh2.indexer
 node.name: wazuh2.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh3.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh3.indexer
 node.name: wazuh3.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/docker-compose.yml

@@ -31,9 +31,7 @@ services:
       - master-wazuh-logs:/var/ossec/logs
       - master-wazuh-queue:/var/ossec/queue
       - master-wazuh-var-multigroups:/var/ossec/var/multigroups
-      - master-wazuh-integrations:/var/ossec/integrations
       - master-wazuh-active-response:/var/ossec/active-response/bin
-      - master-wazuh-agentless:/var/ossec/agentless
       - master-wazuh-wodles:/var/ossec/wodles
       - master-filebeat-etc:/etc/filebeat
       - master-filebeat-var:/var/lib/filebeat
@@ -67,9 +65,7 @@ services:
       - worker-wazuh-logs:/var/ossec/logs
       - worker-wazuh-queue:/var/ossec/queue
       - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
-      - worker-wazuh-integrations:/var/ossec/integrations
       - worker-wazuh-active-response:/var/ossec/active-response/bin
-      - worker-wazuh-agentless:/var/ossec/agentless
       - worker-wazuh-wodles:/var/ossec/wodles
       - worker-filebeat-etc:/etc/filebeat
       - worker-filebeat-var:/var/lib/filebeat
@@ -96,13 +92,13 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-1:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.pem
-      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
-      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
-      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh2.indexer:
     image: wazuh/wazuh-indexer:5.0.0
@@ -120,11 +116,11 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-2:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.pem
-      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh3.indexer:
     image: wazuh/wazuh-indexer:5.0.0
@@ -142,11 +138,11 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-3:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.pem
-      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
     image: wazuh/wazuh-dashboard:5.0.0
@@ -198,9 +194,7 @@ volumes:
   master-wazuh-logs:
   master-wazuh-queue:
   master-wazuh-var-multigroups:
-  master-wazuh-integrations:
   master-wazuh-active-response:
-  master-wazuh-agentless:
   master-wazuh-wodles:
   master-filebeat-etc:
   master-filebeat-var:
@@ -209,9 +203,7 @@ volumes:
   worker-wazuh-logs:
   worker-wazuh-queue:
   worker-wazuh-var-multigroups:
-  worker-wazuh-integrations:
   worker-wazuh-active-response:
-  worker-wazuh-agentless:
   worker-wazuh-wodles:
   worker-filebeat-etc:
   worker-filebeat-var:

multi-node/generate-indexer-certs.yml

@@ -1,8 +1,10 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 services:
   generator:
-    image: wazuh/wazuh-certs-generator:0.0.2
+    image: wazuh/wazuh-certs-generator:0.0.3
     hostname: wazuh-certs-generator
+    environment:
+      - CERT_TOOL_VERSION=4.14
     volumes:
       - ./config/wazuh_indexer_ssl_certs/:/certificates/
       - ./config/certs.yml:/config/certs.yml

multi-node/volume-migrator.sh

@@ -46,24 +46,12 @@ docker volume create \
            --label com.docker.compose.volume=master-wazuh-var-multigroups \
            $2_master-wazuh-var-multigroups
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=master-wazuh-integrations \
-           $2_master-wazuh-integrations
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
            --label com.docker.compose.volume=master-wazuh-active-response \
            $2_master-wazuh-active-response
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=master-wazuh-agentless \
-           $2_master-wazuh-agentless
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
@@ -112,24 +100,12 @@ docker volume create \
            --label com.docker.compose.volume=worker-wazuh-var-multigroups \
            $2_worker-wazuh-var-multigroups
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=worker-wazuh-integrations \
-           $2_worker-wazuh-integrations
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
            --label com.docker.compose.volume=worker-wazuh-active-response \
            $2_worker-wazuh-active-response
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=worker-wazuh-agentless \
-           $2_worker-wazuh-agentless
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
@@ -193,21 +169,11 @@ docker container run --rm -it \
            -v $2_master-wazuh-var-multigroups:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_ossec-integrations:/from \
-           -v $2_master-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_ossec-active-response:/from \
            -v $2_master-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_ossec-agentless:/from \
-           -v $2_master-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_ossec-wodles:/from \
            -v $2_master-wazuh-wodles:/to \
@@ -248,21 +214,11 @@ docker container run --rm -it \
            -v $2_worker-wazuh-var-multigroups:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-integrations:/from \
-           -v $2_worker-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-active-response:/from \
            -v $2_worker-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-agentless:/from \
-           -v $2_worker-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-wodles:/from \
            -v $2_worker-wazuh-wodles:/to \

single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
+    <agents_disconnection_time>15m</agents_disconnection_time>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -122,8 +99,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -163,13 +138,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -264,13 +238,6 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -303,9 +270,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

single-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -2,7 +2,7 @@ server.host: 0.0.0.0
 server.port: 5601
 opensearch.hosts: https://wazuh.indexer:9200
 opensearch.ssl.verificationMode: certificate
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
@@ -10,3 +10,7 @@ server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
 server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wz-home
+# Session expiration settings
+opensearch_security.cookie.ttl: 900000
+opensearch_security.session.ttl: 900000
+opensearch_security.session.keepalive: true

single-node/config/wazuh_indexer/wazuh.indexer.yml

@@ -1,11 +1,11 @@
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
+cluster.name: "wazuh-cluster"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
-compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem

single-node/docker-compose.yml

@@ -32,9 +32,7 @@ services:
       - wazuh_logs:/var/ossec/logs
       - wazuh_queue:/var/ossec/queue
       - wazuh_var_multigroups:/var/ossec/var/multigroups
-      - wazuh_integrations:/var/ossec/integrations
       - wazuh_active_response:/var/ossec/active-response/bin
-      - wazuh_agentless:/var/ossec/agentless
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
@@ -60,13 +58,13 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
-      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
-      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
-      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
     image: wazuh/wazuh-dashboard:5.0.0
@@ -102,9 +100,7 @@ volumes:
   wazuh_logs:
   wazuh_queue:
   wazuh_var_multigroups:
-  wazuh_integrations:
   wazuh_active_response:
-  wazuh_agentless:
   wazuh_wodles:
   filebeat_etc:
   filebeat_var:

single-node/generate-indexer-certs.yml

@@ -1,8 +1,10 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 services:
   generator:
-    image: wazuh/wazuh-certs-generator:0.0.2
+    image: wazuh/wazuh-certs-generator:0.0.3
     hostname: wazuh-certs-generator
+    environment:
+      - CERT_TOOL_VERSION=4.14
     volumes:
       - ./config/wazuh_indexer_ssl_certs/:/certificates/
       - ./config/certs.yml:/config/certs.yml

wazuh-agent/config/wazuh-agent-conf

@@ -83,7 +83,7 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
 
     <!-- Database synchronization settings -->

wazuh-agent/docker-compose.yml

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3.7'
-
 services:
   wazuh.agent:
     image: wazuh/wazuh-agent:5.0.0