Updated Changelog

Release 3.13.2 7.9.1

CHANGELOG.md

@@ -1,6 +1,123 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v3.13.3_7.9.2
+
+### Added
+
+- Update to Wazuh version 3.13.3_7.9.2
+
+## Wazuh Docker v3.13.2_7.9.1
+
+### Added
+
+- Update to Wazuh version 3.13.2_7.9.1
+- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
+
+### Fixed
+
+- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
+- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
+
+
+## Wazuh Docker v3.13.1_7.8.0
+
+### Added
+
+- Update to Wazuh version 3.13.1_7.8.0
+
+
+## Wazuh Docker v3.13.0_7.7.1
+
+### Added
+
+- Update to Wazuh version 3.13.3_7.7.1
+
+### Fixed
+
+- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
+- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
+
+## Wazuh Docker v3.12.3_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.3_7.6.2
+
+
+## Wazuh Docker v3.12.2_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.2_7.6.2
+
+## Wazuh Docker v3.12.1_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.1_7.6.2
+
+### Fixed
+
+- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
+
+
+## Wazuh Docker v3.12.0_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.12.0_7.6.1
+
+
+## Wazuh Docker v3.11.4_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.11.4_7.6.1
+
+- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
+
+### Fixed
+
+- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
+
+
+## Wazuh Docker v3.11.3_7.5.2
+
+### Added
+
+- Update to Wazuh version 3.11.3_7.5.2
+
+## Wazuh Docker v3.11.2_7.5.1
+
+### Added
+
+- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
+
+### Fixed
+
+- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
+
+## Wazuh Docker v3.11.1_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.1_7.5.1
+- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
+- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
+
+## Wazuh Docker v3.11.0_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.0_7.5.1
+
+## Wazuh Docker v3.10.2_7.5.0
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.5.0
+
 ## Wazuh Docker v3.10.2_7.3.2
 
 ### Added
@@ -26,7 +143,6 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.4_7.2.0
 - Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
 
-
 ## Wazuh Docker v3.9.3_7.2.0
 
 ### Fixed
@@ -38,21 +154,12 @@ All notable changes to this project will be documented in this file.
 
 - Update to Wazuh version 3.9.2_7.1.1
 
-## Wazuh Docker v3.9.3_6.8.1
-
-### Added
-
-- Update to Wazuh version 3.9.3_6.8.1
-- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
-
-
 ## Wazuh Docker v3.9.2_6.8.0
 
 ### Added
 
 - Update to Wazuh version 3.9.2_6.8.0
 
-
 ## Wazuh Docker v3.9.1_7.1.0
 
 ### Added
@@ -65,21 +172,11 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
-- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 
 ### Fixed
 
 - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
 
-
-## Wazuh Docker v3.9.1_7.1.0
-
-### Added
-
-- Support for Elastic v7.1.0
-- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
-
-
 ## Wazuh Docker v3.9.0_6.7.2
 
 ### Changed
@@ -88,7 +185,6 @@ All notable changes to this project will be documented in this file.
 
 ## Wazuh Docker v3.9.0_6.7.1
 
-
 ### Added
 
 - Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
@@ -173,7 +269,7 @@ All notable changes to this project will be documented in this file.
 - Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
 - Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
 
-### Fixed 
+### Fixed
 
 - Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
 

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2019 Wazuh, Inc.
+ Portions Copyright (C) 2020 Wazuh, Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -10,9 +10,9 @@ In this repository you will find the containers to run:
 * wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
 * wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
 * wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
-* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
+* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
 
-In addition, a docker-compose file is provided to launch the containers mentioned above. 
+In addition, a docker-compose file is provided to launch the containers mentioned above.
 
 * Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
 
@@ -57,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 
@@ -70,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
-REVISION="31020"
+WAZUH-DOCKER_VERSION="3.13.3_7.9.2"
+REVISION="31320"

docker-compose.yml

@@ -1,9 +1,9 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.10.2_7.3.2
+    image: wazuh/wazuh:3.13.3_7.9.2
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,46 +11,18 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-  #   depends_on:
-  #     - logstash
-  # logstash:
-  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
-  #   hostname: logstash
-  #   restart: always
-  #   links:
-  #     - elasticsearch:elasticsearch
-  #   ports:
-  #     - "5000:5000"
-  #   depends_on:
-  #     - elasticsearch
-  #   environment:
-  #     - LS_HEAP_SIZE=2048m
-  #     - SECURITY_ENABLED=no
-  #     - SECURITY_LOGSTASH_USER=service_logstash
-  #     - SECURITY_LOGSTASH_PASS=logstash_pass
-  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
-  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
-  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+    image: wazuh/wazuh-elasticsearch:3.13.3_7.9.2
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - ELASTICSEARCH_PROTOCOL=http
-      - ELASTICSEARCH_IP=elasticsearch
-      - ELASTICSEARCH_PORT=9200
-      - SECURITY_ENABLED=no
-      - SECURITY_ELASTIC_PASSWORD=elastic_pass
-      - SECURITY_MAIN_NODE=elasticsearch
       - ELASTIC_CLUSTER=true
       - CLUSTER_NODE_MASTER=true
-      - CLUSTER_MASTER_NODE_NAME=elasticsearch
-      - CLUSTER_NODE_DATA=true
-      - CLUSTER_NODE_INGEST=true
-      - CLUSTER_MAX_NODES=3
+      - CLUSTER_MASTER_NODE_NAME=es01
     ulimits:
       memlock:
         soft: -1
@@ -58,7 +30,7 @@ services:
     mem_limit: 2g
 
   kibana:
-    image: wazuh/wazuh-kibana:3.10.2_7.3.2
+    image: wazuh/wazuh-kibana:3.13.3_7.9.2
     hostname: kibana
     restart: always
     depends_on:
@@ -66,18 +38,9 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=no
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-    ports:
-      - "5601:5601"
 
   nginx:
-    image: wazuh/wazuh-nginx:3.10.2_7.3.2
+    image: wazuh/wazuh-nginx:3.13.3_7.9.2
     hostname: nginx
     restart: always
     environment:

elasticsearch/Dockerfile

@@ -1,96 +1,56 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-ARG ELASTIC_VERSION=7.3.2
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.9.2
 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
-ARG TEMPLATE_VERSION=v3.10.2
+ARG ELASTIC_VERSION
+ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip"
 
 ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
 ENV API_USER="foo" \
     API_PASS="bar"
 
-ENV XPACK_ML="true" 
+ENV XPACK_ML="true"
 
 ENV ENABLE_CONFIGURE_S3="false"
 
-ENV WAZUH_ALERTS_SHARDS="1" \
-    WAZUH_ALERTS_REPLICAS="0"
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
-
-RUN yum install epel-release -y && \
-    yum install jq -y
-
-# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
-# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
-# Example:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
-# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
-# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_KEY_LOCATION=""
-ARG SECURITY_OPENSSL_CONF_LOCATION=""
-ARG SECURITY_CA_TRUST_LOCATION=""
+ARG TEMPLATE_VERSION=v3.13.3
 
 # Elasticearch cluster configuration environment variables
 # If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
 # CLUSTER_INITIAL_MASTER_NODES set to own node by default.
 ENV ELASTIC_CLUSTER="false" \
     CLUSTER_NAME="wazuh" \
+    CLUSTER_NETWORK_HOST="0.0.0.0" \
     CLUSTER_NODE_MASTER="false" \
     CLUSTER_NODE_DATA="true" \
     CLUSTER_NODE_INGEST="true" \
+    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+    CLUSTER_MASTER_NODE_NAME="master-node" \
     CLUSTER_MEMORY_LOCK="true" \
     CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
     CLUSTER_NUMBER_OF_MASTERS="2" \
     CLUSTER_MAX_NODES="1" \
     CLUSTER_DELAYED_TIMEOUT="1m" \
-    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
-    CLUSTER_DISCOVERY_SEED="elasticsearch"
-
-# CA cert for Transport SSL
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
-ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
-
-RUN mkdir /entrypoint-scripts
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
 
 COPY config/entrypoint.sh /entrypoint.sh
 
 RUN chmod 755 /entrypoint.sh
 
-RUN bin/elasticsearch-plugin install repository-s3 -b
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
 
-COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
-COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
-COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
-COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
-COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
-COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
-COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
-COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
-COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
-COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
-COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
-COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
-COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
-COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
-    chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
-    chmod +x /entrypoint-scripts/20-security_instances.sh && \
-    chmod +x /entrypoint-scripts/22-security_certs.sh && \
-    chmod +x /entrypoint-scripts/24-security_configuration.sh && \
-    chmod +x /entrypoint-scripts/26-security_keystore.sh && \
-    chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
-    chmod +x /entrypoint-scripts/35-entrypoint.sh && \
-    chmod +x ./35-entrypoint_load_settings.sh && \
-    chmod 755 ./config/35-load_settings_configure_s3.sh && \
-    chmod +x ./35-load_settings_users_management.sh && \
-    chmod +x ./35-load_settings_policies.sh && \
-    chmod +x ./35-load_settings_templates.sh && \
-    chmod +x ./35-load_settings_aliases.sh
+RUN chmod +x ./load_settings.sh
+
+RUN bin/elasticsearch-plugin install --batch $S3_PLUGIN_URL
+
+COPY config/configure_s3.sh ./config/configure_s3.sh
+RUN chmod 755 ./config/configure_s3.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["elasticsearch"]

elasticsearch/config/10-config_cluster.sh

@@ -1,93 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
-ELASTIC_HOSTAME=`hostname`
-
-echo "CLUSTER: - Prepare Configuration"
-echo "CLUSTER: - Hostname"
-echo $ELASTIC_HOSTAME
-echo "CLUSTER: - Security main node"
-echo $SECURITY_MAIN_NODE
-echo "CLUSTER: - Discovery seed"
-echo $CLUSTER_DISCOVERY_SEED
-echo "CLUSTER: - Elastic cluster flag"
-echo $ELASTIC_CLUSTER
-echo "CLUSTER: - Node Master"
-echo $CLUSTER_NODE_MASTER
-echo "CLUSTER: - Node Data"
-echo $CLUSTER_NODE_DATA
-echo "CLUSTER: - Node Ingest"
-echo $CLUSTER_NODE_INGEST
-
-cp $elastic_config_file $original_file 
-
-remove_single_node_conf(){
-  if grep -Fq "discovery.type" $1; then
-    sed -i '/discovery.type\: /d' $1 
-  fi
-}
-
-remove_cluster_config(){
-  sed -i '/# cluster node/,/# end cluster config/d' $1
-}
-
-# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
-if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
-  # Remove the old configuration
-  remove_single_node_conf $elastic_config_file
-  remove_cluster_config $elastic_config_file
-  echo "CLUSTER: - Remove old configuration"
-
-if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
-# Add the master configuration
-# cluster.initial_master_nodes for bootstrap the cluster
-echo "CLUSTER: - Add the master configuration"
-
-cat > $elastic_config_file << EOF
-# cluster node
-cluster.name: $CLUSTER_NAME
-bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
-network.host: 0.0.0.0
-node.name: $ELASTIC_HOSTAME
-node.master: $CLUSTER_NODE_MASTER
-node.data: $CLUSTER_NODE_DATA
-node.ingest: $CLUSTER_NODE_INGEST
-node.max_local_storage_nodes: $CLUSTER_MAX_NODES
-cluster.initial_master_nodes: 
-  - $ELASTIC_HOSTAME
-# end cluster config" 
-EOF
-
-elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
-# Remove the old configuration
-remove_single_node_conf $elastic_config_file
-remove_cluster_config $elastic_config_file
-echo "CLUSTER: - Add standard cluster configuration."
-
-cat > $elastic_config_file << EOF
-# cluster node
-cluster.name: $CLUSTER_NAME
-bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
-network.host: 0.0.0.0
-node.name: $ELASTIC_HOSTAME
-node.master: $CLUSTER_NODE_MASTER
-node.data: $CLUSTER_NODE_DATA
-node.ingest: $CLUSTER_NODE_INGEST
-node.max_local_storage_nodes: $CLUSTER_MAX_NODES
-discovery.seed_hosts: 
-  - $CLUSTER_DISCOVERY_SEED
-# end cluster config" 
-EOF
-fi
-# If the cluster is disabled, then set a single-node configuration
-else
-  # Remove the old configuration
-  remove_single_node_conf $elastic_config_file
-  remove_cluster_config $elastic_config_file
-  echo "discovery.type: single-node" >> $elastic_config_file
-  echo "CLUSTER: - Discovery type: single-node"
-fi
-
-echo "CLUSTER: - Configured"

elasticsearch/config/15-get_CA_key.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the CA key is encrypted, it must be decrypted for later use. 
-##############################################################################
-
-echo "TO DO"
-
-# TO DO

elasticsearch/config/20-security_instances.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# instances.yml
-# This file is necessary for the creation of the Elasticsaerch certificate.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-    echo "SECURITY - Setting Elasticserach security."
-
-    # instance.yml to be added by the user. 
-    # Example:
-    #       echo "
-    # instances:
-    # - name: \"elasticsearch\"
-    #   dns:
-    #     - \"elasticsearch\"
-    # " > /user/share/elasticsearch/instances.yml
-
-fi

elasticsearch/config/22-security_certs.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Creation and management of certificates. 
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-    echo "SECURITY - Elasticserach security certificates."
-    
-    # Creation of the certificate for Elasticsearch.
-    # After the execution of this script will have generated 
-    # the Elasticsearch certificate and related keys and passphrase. 
-    # Example: TO DO
-
-fi

elasticsearch/config/24-security_configuration.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Adapt elasticsearch.yml configuration file 
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-    echo "SECURITY - Elasticserach security configuration."
-
-    echo "SECURITY - Setting configuration options."
-
-    # Settings for elasticsearch.yml to be added by the user. 
-    # Example: 
-    #     echo "
-    # # Required to set the passwords and TLS options
-    # xpack.security.enabled: true
-    # xpack.security.transport.ssl.enabled: true
-    # xpack.security.transport.ssl.verification_mode: certificate
-    # xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-    # xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-    # xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
-
-    # # HTTP layer
-    # xpack.security.http.ssl.enabled: true
-    # xpack.security.http.ssl.verification_mode: certificate
-    # xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-    # xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-    # xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
-    # " >> /usr/share/elasticsearch/config/elasticsearch.yml
-
-fi

elasticsearch/config/26-security_keystore.sh

@@ -1,21 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Adapt elasticsearch.yml keystore management
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-    echo "SECURITY - Elasticserach keystore management."
-
-    # Create keystore
-    # /usr/share/elasticsearch/bin/elasticsearch-keystore create
-
-    # Add keys to keystore by the user. 
-    # Example
-    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
-    # echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
-
-else
-    echo "SECURITY - Elasticsearch security not established."
-fi

elasticsearch/config/30-decrypt_credentials.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the credentials of the users to be created are encrypted,
-# they must be decrypted for later use. 
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "Security credentials file not used. Nothing to do."
-else
-    echo "TO DO"
-fi
-# TO DO

elasticsearch/config/35-entrypoint.sh

@@ -1,70 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
-
-set -e
-
-# Files created by Elasticsearch should always be group writable too
-umask 0002
-
-run_as_other_user_if_needed() {
-  if [[ "$(id -u)" == "0" ]]; then
-    # If running as root, drop to specified UID and run command
-    exec chroot --userspec=1000 / "${@}"
-  else
-    # Either we are running in Openshift with random uid and are a member of the root group
-    # or with a custom --user
-    exec "${@}"
-  fi
-}
-
-
-#Disabling xpack features
-
-elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
-then 
-  declare -A CONFIG_MAP=(
-  [xpack.ml.enabled]=$XPACK_ML
-  )
-  for i in "${!CONFIG_MAP[@]}"
-  do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
-    fi
-  done
-else
-  echo "
-#xpack features
-xpack.ml.enabled: $XPACK_ML
- " >> $elasticsearch_config_file
-fi
-
-# Run load settings script.
-
-bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
-
-# Execute elasticsearch
-
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  echo "Change Elastic password"
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    ELASTIC_PASSWORD_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-        arrIN=(${line//:/ })
-        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
-  fi
-  echo "Elastic password changed"
-fi
-
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/35-entrypoint_load_settings.sh

@@ -1,265 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Set Elasticsearch API url and Wazuh API url.
-##############################################################################
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-if [[ "x${WAZUH_API_URL}" = "x" ]]; then
-  wazuh_url="https://wazuh"
-else
-  wazuh_url="${WAZUH_API_URL}"
-fi
-
-echo "LOAD SETTINGS - Elasticsearch url: $el_url"
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the elastic user password and
-# WAZUH API credentials.
-##############################################################################
-
-ELASTIC_PASS=""
-WAZH_API_USER=""
-WAZH_API_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-  WAZH_API_USER=${API_USER}
-  WAZH_API_PASS=${API_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_USER"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_USER=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-##############################################################################
-# Set authentication for curl if Elasticsearch security is enabled.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-  echo "LOAD SETTINGS - authentication for curl established."
-elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  auth=""
-  echo "LOAD SETTINGS - authentication for curl not established."
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-  echo "LOAD SETTINGS - authentication for curl established."
-fi
-
-
-##############################################################################
-# Wait until Elasticsearch is active. 
-##############################################################################
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "LOAD SETTINGS - Elastic is up - executing command"
-
-
-##############################################################################
-# Configure S3 repository for Elasticsearch snapshots. 
-##############################################################################
-
-if [ $ENABLE_CONFIGURE_S3 ]; then
-  #Wait for Elasticsearch to be ready to create the repository
-  sleep 10
-  >&2 echo "S3 - Configure S3"
-  if [ "x$S3_PATH" != "x" ]; then
-    >&2 echo "S3 - Path: $S3_PATH"
-    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
-      >&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
-      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
-      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
-    else
-      >&2 echo "S3 - Elasticserach major version not given."
-      echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
-      bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
-    fi
-
-  fi
-
-fi
-
-
-##############################################################################
-# Load custom policies.
-##############################################################################
-
-echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
-bash /usr/share/elasticsearch/35-load_settings_policies.sh
-
-
-##############################################################################
-# Modify wazuh-alerts template shards and replicas
-##############################################################################
-
-echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
-sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
-sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
-
-
-##############################################################################
-# Load default templates
-##############################################################################
-
-echo "LOAD SETTINGS - Loading wazuh-alerts template"
-bash /usr/share/elasticsearch/35-load_settings_templates.sh
-
-
-##############################################################################
-# Load custom aliases.
-##############################################################################
-
-echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
-bash /usr/share/elasticsearch/35-load_settings_aliases.sh
-
-
-##############################################################################
-# Elastic Stack users creation. 
-# Only security main node can manage users. 
-##############################################################################
-
-echo "LOAD SETTINGS - Run users_management.sh."
-MY_HOSTNAME=`hostname`
-echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
-if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
-  bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
-fi
-
-
-##############################################################################
-# Prepare Wazuh API credentials
-##############################################################################
-
-API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
-
-if [ "x$CONFIG_CODE" != "x200" ]; then
-  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "'"$API_USER_Q"'",
-    "api_password": "'"$API_PASSWORD"'",
-    "url": "'"$wazuh_url"'",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "LOAD SETTINGS - Wazuh APP already configured"
-  echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
-  wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
-  full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
-  elasticsearch_request=`curl -s $auth "$el_url"`
-  full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
-  type=`echo "$full_type" | tr -d '"'`
-  elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
-  elasticsearch_major="${elasticsearch_version:0:1}"
-
-  if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
-    echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
-    echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
-    
-    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
-    {
-      "source": {
-        "index": ".wazuh"
-      },
-      "dest": {
-        "index": ".wazuh-backup"
-      }
-    }
-    '
-    echo "LOAD SETTINGS - Remove .wazuh index."
-    curl -s  ${auth} -XDELETE "$el_url/.wazuh"
-
-    echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
-    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
-    {
-      "source": {
-        "index": ".wazuh-backup"
-      },
-      "dest": {
-        "index": ".wazuh"
-      }
-    }
-    '
-    curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
-    {
-        "index" : {
-            "number_of_replicas" : 0
-        }
-    }
-    '
-
-  fi
-
-fi
-sleep 5
-
-curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "persistent": {
-    "xpack.monitoring.collection.enabled": true
-  }
-}
-'
-
-##############################################################################
-# Set cluster delayed timeout when node falls
-##############################################################################
-
-curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "settings": {
-    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
-  }
-}
-'
-echo "LOAD SETTINGS - cluster delayed timeout changed."
-
-echo "LOAD SETTINGS - Elasticsearch is ready."

elasticsearch/config/35-load_settings_aliases.sh

@@ -1,86 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-
-##############################################################################
-# Set Elasticsearch API url
-##############################################################################
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-echo "ALIASES - Elasticsearch url: $el_url"
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the elastic user password.
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the users credentials.
-##############################################################################
-
-# The user must get the credentials of the users.
-# TO DO. 
-
-##############################################################################
-# Set authentication for curl if Elasticsearch security is enabled.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-  echo "ALIASES - authentication for curl established."
-elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  auth=""
-  echo "ALIASES - authentication for curl not established."
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-  echo "ALIASES - authentication for curl established."
-fi
-
-
-##############################################################################
-# Wait until Elasticsearch is active. 
-##############################################################################
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "ALIASES - Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "ALIASES - Elastic is up - executing command"
-
-
-##############################################################################
-# Add custom aliases.
-##############################################################################
-
-# The user must add the credentials of the users.
-# TO DO.
-# Example 
-# echo "ALIASES - Add custom_user password and role:"
-# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
-# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
-

elasticsearch/config/35-load_settings_policies.sh

@@ -1,86 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-
-##############################################################################
-# Set Elasticsearch API url
-##############################################################################
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-echo "POLICIES - Elasticsearch url: $el_url"
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the elastic user password.
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the users credentials.
-##############################################################################
-
-# The user must get the credentials of the users.
-# TO DO. 
-
-##############################################################################
-# Set authentication for curl if Elasticsearch security is enabled.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-  echo "POLICIES - authentication for curl established."
-elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  auth=""
-  echo "POLICIES - authentication for curl not established."
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-  echo "POLICIES - authentication for curl established."
-fi
-
-
-##############################################################################
-# Wait until Elasticsearch is active. 
-##############################################################################
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "POLICIES - Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "POLICIES - Elastic is up - executing command"
-
-
-##############################################################################
-# Add custom policies.
-##############################################################################
-
-# The user must add the credentials of the users.
-# TO DO.
-# Example 
-# echo "POLICIES - Add custom_user password and role:"
-# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
-# {  "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'
-

elasticsearch/config/35-load_settings_templates.sh

@@ -1,81 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-
-##############################################################################
-# Set Elasticsearch API url
-##############################################################################
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-echo "TEMPLATES - Elasticsearch url: $el_url"
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the elastic user password.
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the users credentials.
-##############################################################################
-
-# The user must get the credentials of the users.
-# TO DO. 
-
-##############################################################################
-# Set authentication for curl if Elasticsearch security is enabled.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-  echo "TEMPLATES - authentication for curl established."
-elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  auth=""
-  echo "TEMPLATES - authentication for curl not established."
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-  echo "TEMPLATES - authentication for curl established."
-fi
-
-
-##############################################################################
-# Wait until Elasticsearch is active. 
-##############################################################################
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "TEMPLATES - Elastic is up - executing command"
-
-
-##############################################################################
-# Add wazuh-alerts templates.
-##############################################################################
-
-echo "TEMPLATES - Loading default wazuh-alerts template."
-cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

elasticsearch/config/35-load_settings_users_management.sh

@@ -1,100 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-
-##############################################################################
-# Set Elasticsearch API url
-##############################################################################
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-echo "USERS - Elasticsearch url: $el_url"
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the elastic user password.
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-##############################################################################
-# If Elasticsearch security is enabled get the users credentials.
-##############################################################################
-
-# The user must get the credentials of the users.
-# TO DO. 
-
-##############################################################################
-# Set authentication for curl if Elasticsearch security is enabled.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-  echo "USERS - authentication for curl established."
-elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
-  auth=""
-  echo "USERS - authentication for curl not established."
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-  echo "USERS - authentication for curl established."
-fi
-
-
-##############################################################################
-# Wait until Elasticsearch is active. 
-##############################################################################
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "USERS - Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "USERS - Elastic is up - executing command"
-
-
-##############################################################################
-# Setup passwords for Elastic Stack users.
-##############################################################################
-
-# The user must add the credentials of the users.
-# TO DO.
-# Example 
-# echo "USERS - Add custom_user password and role:"
-# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
-# { "indices": [ { "names": [ ".kibana*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"],  "privileges": ["all"] }] }'
-# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user'  -d '
-# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"],  "full_name" : "Custom User" }'
-
-
-##############################################################################
-# Remove credentials file.
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "USERS - Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-  echo "USERS - Security credentials file removed."
-fi
-

elasticsearch/config/TEST_openssl.cnf

@@ -1,132 +0,0 @@
-# OpenSSL intermediate CA configuration file.
-# Copy to `/root/ca/intermediate/openssl.cnf`.
-
-[ ca ]
-# `man ca`
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir               = /root/ca/intermediate
-certs             = $dir/certs
-crl_dir           = $dir/crl
-new_certs_dir     = $dir/newcerts
-database          = $dir/index.txt
-serial            = $dir/serial
-RANDFILE          = $dir/private/.rand
-
-# The root key and root certificate.
-private_key       = $dir/private/intermediate.key.pem
-certificate       = $dir/certs/intermediate.cert.pem
-
-# For certificate revocation lists.
-crlnumber         = $dir/crlnumber
-crl               = $dir/crl/intermediate.crl.pem
-crl_extensions    = crl_ext
-default_crl_days  = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md        = sha256
-
-name_opt          = ca_default
-cert_opt          = ca_default
-default_days      = 375
-preserve          = no
-policy            = policy_loose
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of `man ca`.
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the `ca` man page.
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-# Options for the `req` tool (`man req`).
-default_bits        = 2048
-distinguished_name  = req_distinguished_name
-string_mask         = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md          = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions     = v3_ca
-
-[ req_distinguished_name ]
-# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
-countryName                     = Country Name (2 letter code)
-stateOrProvinceName             = State or Province Name
-localityName                    = Locality Name
-0.organizationName              = Organization Name
-organizationalUnitName          = Organizational Unit Name
-commonName                      = Common Name
-emailAddress                    = Email Address
-
-# Optionally, specify some defaults.
-countryName_default             = GB
-stateOrProvinceName_default     = England
-localityName_default            =
-0.organizationName_default      = Alice Ltd
-organizationalUnitName_default  =
-emailAddress_default            =
-
-[ v3_ca ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning

elasticsearch/config/config_cluster.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1
+  fi
+}
+
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+
+if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: $CLUSTER_NETWORK_HOST
+node.name: $CLUSTER_MASTER_NODE_NAME
+node.master: $CLUSTER_NODE_MASTER
+cluster.initial_master_nodes:
+  - $CLUSTER_MASTER_NODE_NAME
+# end cluster config"
+EOF
+
+elif [[ $CLUSTER_NODE_NAME != "" ]];then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: $CLUSTER_NETWORK_HOST
+node.name: $CLUSTER_NODE_NAME
+node.master: false
+discovery.seed_hosts:
+  - $CLUSTER_MASTER_NODE_NAME
+  - $CLUSTER_NODE_NAME
+# end cluster config"
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+fi

elasticsearch/config/configure_s3.sh

@@ -1,38 +1,8 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 set -e
 
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials for 
-# monitoring
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u elastic:${ELASTIC_PASS} -k"
-else
-  auth=""
-fi
-
 # Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
 # param 1: number of arguments passed to configure_s3.sh
 
@@ -40,7 +10,7 @@ function CheckArgs()
 {
     if [ $1 != 4 ] && [ $1 != 5 ];then
         echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
-        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
+        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>"
         exit 1
 
     fi
@@ -66,7 +36,7 @@ function CreateRepo()
     if [ $1 == 5 ];then
         version="$6"
     else
-        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+        version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
     fi
 
     if ! [[ "$version" =~ ^[0-9]+$ ]];then
@@ -77,15 +47,15 @@ function CreateRepo()
     repository="$repository_name-$version"
     s3_path="$path/$version"
 
-    >&2 echo "Create S3 repository"
-
-    until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
-      >&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
-      sleep 5
-    done
-
-    >&2 echo "S3 repository created"
-
+    curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+        {
+            "type": "s3",
+            "settings": {
+            "bucket": "'$bucket_name'",
+            "base_path": "'$s3_path'"
+        }
+    }
+    '
 
 }
 

elasticsearch/config/entrypoint.sh

@@ -1,8 +1,52 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
 
-done
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file";
+then
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+./config_cluster.sh
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch

elasticsearch/config/load_settings.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+el_url=${ELASTICSEARCH_URL}
+
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+  #Wait for Elasticsearch to be ready to create the repository
+  sleep 10
+  IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+
+  if [ "x$S3_PATH" != "x" ]; then
+
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
+
+    else
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
+
+    fi
+
+  fi
+
+fi
+
+if [ ${ENABLED_XPACK} = "true" ]; then
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+fi
+
+# Set cluster delayed timeout when node falls
+curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
+{
+  "settings": {
+    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+  }
+}
+'
+
+
+echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -1,26 +1,17 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:7.3.2
-ARG ELASTIC_VERSION=7.3.2
-ARG WAZUH_VERSION=3.10.2
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.9.2
+USER kibana
+ARG ELASTIC_VERSION=7.9.2
+ARG WAZUH_VERSION=3.13.3
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
-USER root
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
 
-# App: 3.10.2 - 7.3.2 with this fix: https://github.com/wazuh/wazuh-kibana-app/issues/1815
-#ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-USER kibana
-RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+WORKDIR /
 USER root
-RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
-
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
-RUN mkdir /entrypoint-scripts
-
-USER kibana
-
-ENV CONFIGURATION_FROM_FILE="false"
 
 ENV PATTERN="" \
     CHECKS_PATTERN="" \
@@ -49,31 +40,23 @@ ENV PATTERN="" \
     WAZUH_MONITORING_REPLICAS="" \
     ADMIN_PRIVILEGES=""
 
-ARG XPACK_CANVAS="false"
-ARG XPACK_LOGS="false"
-ARG XPACK_INFRA="false"
-ARG XPACK_ML="false"
-ARG XPACK_DEVTOOLS="false"
-ARG XPACK_MONITORING="false"
-ARG XPACK_APM="false"
-ARG XPACK_MAPS="false"
-ARG XPACK_UPTIME="false"
-ARG XPACK_SIEM="false"
+ARG XPACK_CANVAS="true"
+ARG XPACK_LOGS="true"
+ARG XPACK_INFRA="true"
+ARG XPACK_ML="true"
+ARG XPACK_DEVTOOLS="true"
+ARG XPACK_MONITORING="true"
+ARG XPACK_APM="true"
 
-ARG CHANGE_WELCOME="true"
+ARG CHANGE_WELCOME="false"
 
-COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-COPY --chown=kibana:kibana ./config/12-custom_logos.sh /entrypoint-scripts/12-custom_logos.sh
-COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
-COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
-COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
-COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
-RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
-    chmod +x /entrypoint-scripts/12-custom_logos.sh && \
-    chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
-    chmod +x /entrypoint-scripts/20-entrypoint.sh && \
-    chmod +x ./20-entrypoint_kibana_settings.sh && \
-    chmod +x ./20-entrypoint_certs_management.sh
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
+RUN chmod +x ./kibana_settings.sh
 
 COPY --chown=kibana:kibana ./config/xpack_config.sh ./
 
@@ -86,16 +69,7 @@ COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
 RUN chmod +x ./welcome_wazuh.sh
 
 RUN ./welcome_wazuh.sh
-
-RUN /usr/local/bin/kibana-docker --optimize
-
-USER root
-
-RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
-    chmod 775 /usr/share/kibana/plugins/wazuh && \
-    chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
-    chown root:kibana /usr/share/kibana/plugins/wazuh
-
 USER kibana
+RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
 
 ENTRYPOINT ./entrypoint.sh

kibana/config/12-custom_logos.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Kibana logos
-##############################################################################
-
-if [[ $CUSTOM_LOGO == "true" ]]; then
-
-
-    echo "CUSTOM LOGO - Change Kibana logos."
-    # TO DO
-
-fi

kibana/config/15-decrypt_credentials.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the credentials of the users to be created are encrypted,
-# they must be decrypted for later use. 
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "Security credentials file not used. Nothing to do."
-else
-    echo "TO DO"
-fi
-# TO DO

kibana/config/20-entrypoint.sh

@@ -1,126 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Set Elasticsearch API url.
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
-
-
-##############################################################################
-# If there are credentials for Kibana they are obtained. 
-##############################################################################
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-echo "ENTRYPOINT - Kibana credentials obtained."
-
-##############################################################################
-# Establish the way to run the curl command, with or without authentication. 
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-echo "ENTRYPOINT - Kibana authentication established."
-
-##############################################################################
-# Waiting for elasticsearch.
-##############################################################################
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "ENTRYPOINT - Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template.
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
-
-
-##############################################################################
-# Create keystore if security is enabled.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  echo "ENTRYPOINT - Create Keystore."
-  /usr/share/kibana/bin/kibana-keystore create
-  # Add keys to keystore
-  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
-  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
-
-  echo "ENTRYPOINT - Keystore created."
-fi
-
-##############################################################################
-# If security is enabled set Kibana configuration.
-# Create the ssl certificate.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  bash /usr/share/kibana/20-entrypoint_certs_management.sh
-
-fi
-
-
-##############################################################################
-# Run kibana_settings.sh script.
-##############################################################################
-
-bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
-
-/usr/local/bin/kibana-docker

kibana/config/20-entrypoint_certs_management.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Kibana certs and keystore management 
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-
-    echo "CERTS_MANAGEMENT - Create certificates. TO DO."
-    # TO DO
-
-fi

kibana/config/20-entrypoint_kibana_settings.sh

@@ -1,183 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-WAZUH_MAJOR=3
-
-##############################################################################
-# Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
-# The following actions are performed:
-#
-# Add the wazuh alerts index as default.
-# Set the Discover time interval to 24 hours instead of 15 minutes.
-# Do not ask user to help providing usage statistics to Elastic.
-##############################################################################
-
-##############################################################################
-# Customize elasticsearch ip
-##############################################################################
-if [[ "$ELASTICSEARCH_KIBANA_IP" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
-  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
-  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
-fi
-
-echo "SETTINGS - Update Elasticsearch host."
-
-# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
-if [[ "$KIBANA_INDEX" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
-  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
-    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
-  fi
-    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
-fi
-
-# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
-if [[ "$XPACK_SECURITY_ENABLED" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
-  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
-    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
-  fi
-    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
-fi
-
-##############################################################################
-# Get Kibana credentials
-##############################################################################
-
-if [ "$KIBANA_IP" != "" ]; then
-  kibana_ip="$KIBANA_IP"
-else
-  kibana_ip="kibana"
-fi
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-echo "SETTINGS - Kibana credentials obtained."
-
-
-##############################################################################
-# Set url authentication.
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
-  kibana_secure_ip="https://$kibana_ip"
-else
-  auth=""
-  kibana_secure_ip="http://$kibana_ip"
-fi
-
-echo "SETTINGS - Kibana authentication established."
-
-
-##############################################################################
-# Waiting for Kibana.
-##############################################################################
-
-while [[ "$(curl $auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
-  echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
-  sleep 5
-done
-
-echo "SETTINGS - Kibana API is running"
-
-
-##############################################################################
-# Prepare index selection.
-##############################################################################
-
-echo "SETTINGS - Prepare index selection."
-
-default_index="/tmp/default_index.json"
-
-if [[ $PATTERN == "" ]]; then
-
-  cat > ${default_index} << EOF
-{
-  "changes": {
-    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
-  }
-}
-EOF
-
-else
-
-  cat > ${default_index} << EOF
-{
-  "changes": {
-    "defaultIndex": "$PATTERN"
-  }
-}
-EOF
-
-fi
-
-
-sleep 5
-
-
-##############################################################################
-# Add the wazuh alerts index as default.
-##############################################################################
-
-echo "SETTINGS - Add the wazuh alerts index as default."
-
-curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
-rm -f ${default_index}
-
-sleep 5
-
-
-##############################################################################
-# Configuring Kibana TimePicker.
-##############################################################################
-
-echo "SETTINGS - Configuring Kibana TimePicker."
-
-curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
-
-sleep 5
-
-
-##############################################################################
-# Do not ask user to help providing usage statistics to Elastic.
-##############################################################################
-
-echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
-
-curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
-
-
-##############################################################################
-# Remove credentials file.
-##############################################################################
-
-echo "SETTINGS - Remove credentials file."
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-echo "End settings"

kibana/config/entrypoint.sh

@@ -1,8 +1,57 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
+set -e
 
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
 done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=3
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+if [ "$KIBANA_IP" != "" ]; then
+  kibana_ip="$KIBANA_IP"
+else
+  kibana_ip="kibana"
+fi
+
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+    curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
+
+while [[ "$(curl $curl_auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
+  echo "Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+echo "End settings"

kibana/config/wazuh_app_config.sh

@@ -1,7 +1,14 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
-kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_user="${API_USER:-foo}"
+api_password="${API_PASS:-bar}"
+
+kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
+mkdir -p /usr/share/kibana/optimize/wazuh/config/
+touch $kibana_config_file
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -38,3 +45,24 @@ do
         sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
     fi
 done
+
+# remove default API entry (new in 3.11.0_7.5.1)
+sed -ie '/- default:/,+4d' $kibana_config_file
+
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF > $kibana_config_file
+hosts:
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      user: $api_user
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

kibana/config/wazuhapp-3.10.2_7.3.2.zip.REMOVED.git-id

@@ -1 +0,0 @@
-1bda3f0db629fab2a64f859fe0769afc8a359fc7

kibana/config/welcome_wazuh.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 if [[ $CHANGE_WELCOME == "true" ]]
 then
@@ -9,22 +9,15 @@ then
     kibana_path="/usr/share/kibana"
     # Set Wazuh app as the default landing page
     echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
+    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
 
     # Redirect Kibana welcome screen to Discover
     echo "Redirect Kibana welcome screen to Discover"
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
 
-    # Hide management undesired links
-    echo "Hide management undesired links"
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_management/public/register_management_section.js
+    # Redirect Kibana welcome screen to Discover
+    echo "Hide undesired links"
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
 fi
-

kibana/config/xpack_config.sh

@@ -1,21 +1,17 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
-then 
+then
   declare -A CONFIG_MAP=(
     [xpack.apm.ui.enabled]=$XPACK_APM
     [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
     [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
     [xpack.ml.enabled]=$XPACK_ML
     [xpack.canvas.enabled]=$XPACK_CANVAS
-    [xpack.logstash.enabled]=$XPACK_LOGS
     [xpack.infra.enabled]=$XPACK_INFRA
-    [xpack.monitoring.enabled]=$XPACK_MONITORING
-    [xpack.maps.enabled]=$XPACK_MAPS
-    [xpack.uptime.enabled]=$XPACK_UPTIME
-    [xpack.siem.enabled]=$XPACK_SIEM
+    [monitoring.enabled]=$XPACK_MONITORING
     [console.enabled]=$XPACK_DEVTOOLS
   )
   for i in "${!CONFIG_MAP[@]}"
@@ -27,17 +23,13 @@ then
 else
   echo "
 #xpack features
-xpack.apm.ui.enabled: $XPACK_APM 
+xpack.apm.ui.enabled: $XPACK_APM
 xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
-xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
-xpack.maps.enabled: $XPACK_MAPS
-xpack.uptime.enabled: $XPACK_UPTIME
-xpack.siem.enabled: $XPACK_SIEM
 console.enabled: $XPACK_DEVTOOLS
 " >> $kibana_config_file
 fi

logstash/Dockerfile

@@ -1,46 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-ARG LOGSTASH_VERSION=7.3.2
-FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
-
-COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
-
-ENV PIPELINE_FROM_FILE="false"
-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_PEM_ARG=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
-
-# Set permissions for CA
-USER root
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-
-# Add entrypoint scripts
-RUN mkdir /entrypoint-scripts
-RUN chmod -R 774 /entrypoint-scripts
-RUN chown -R logstash:logstash /entrypoint-scripts
-
-COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
-COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
-COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
-RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
-    chmod +x /entrypoint-scripts/10-entrypoint.sh && \
-    chmod +x ./config/10-entrypoint_configuration.sh
-
-USER logstash
-
-ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -1,64 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-# Wazuh - Logstash configuration file
-## Remote Wazuh Manager - Filebeat input
-input {
-    beats {
-        port => 5000
-#       ssl => true
-#       ssl_certificate => "/etc/logstash/logstash.crt"
-#       ssl_key => "/etc/logstash/logstash.key"
-    }
-}
-filter {
-    json {
-      source => "message"
-    }
-}
-filter {
-    if [data][srcip] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
-        }
-    }
-    if [data][aws][sourceIPAddress] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
-filter {
-    geoip {
-        source => "@src_ip"
-        target => "GeoLocation"
-        fields => ["city_name", "country_name", "region_name", "location"]
-    }
-    date {
-        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
-    }
-    mutate {
-        remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
-    }
-}
-filter {
-    # Workarounds for vulnerability-detector
-    if "vulnerability-detector" in [rule][groups] {
-        # Drop vulnerability-detector events from Manager
-        if [agent][id] == "000"{
-            drop { }
-        }
-
-        # if exists, remove data.vulnerability.published field due to conflicts
-        if [data][vulnerability][published] {
-            mutate {
-                remove_field => [ "[data][vulnerability][published]" ]
-            }
-        }
-    }
-}
-output {
-    elasticsearch {
-        hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-    }
-}

logstash/config/05-decrypt_credentials.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the credentials of the users to be created are encrypted,
-# they must be decrypted for later use. 
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "Security credentials file not used. Nothing to do."
-else
-    echo "TO DO"
-fi
-# TO DO

logstash/config/10-entrypoint.sh

@@ -1,163 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-set -e
-
-##############################################################################
-# Set elasticsearch url.
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-echo "ENTRYPOINT - Elasticsearch url: $el_url"
-
-##############################################################################
-# Get Logstash credentials.
-##############################################################################
-
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-echo "ENTRYPOINT - Logstash credentials obtained."
-
-##############################################################################
-# Set authentication for curl command. 
-##############################################################################
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-echo "ENTRYPOINT - curl authentication established"
-
-
-##############################################################################
-# Customize logstash output ip.
-##############################################################################
-
-if [ "$LOGSTASH_OUTPUT" != "" ]; then
-  >&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
-  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
-
-  if [[ "$PIPELINE_FROM_FILE" == "false" ]]; then
-    sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
-  fi
-fi
-
-
-##############################################################################
-# Waiting for elasticsearch.
-##############################################################################
-
-until curl $auth -XGET $el_url; do
-  >&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "ENTRYPOINT - Elasticsearch is up."
-
-
-##############################################################################
-# Create keystore if security is enabled.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  echo "ENTRYPOINT - Create Keystore."
-
-  ## Create secure keystore
-  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
-  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
-
-  ## Settings for logstash.yml
-  bash /usr/share/logstash/config/10-entrypoint_configuration.sh 
-
-  ## Add keys to the keystore
-  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
-  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
-
-fi
-  
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
-
-
-##############################################################################
-# Remove credentials file
-##############################################################################
-
->&2 echo "ENTRYPOINT - Removing unnecessary files."
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
->&2 echo "ENTRYPOINT - Unnecessary files removed."
-
-##############################################################################
-# Map environment variables to entries in logstash.yml.
-# Note that this will mutate logstash.yml in place if any such settings are found.
-# This may be undesirable, especially if logstash.yml is bind-mounted from the
-# host system.
-##############################################################################
-
-env2yaml /usr/share/logstash/config/logstash.yml
-
-export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
-
-if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
-  exec logstash "$@"
-else
-  exec "$@"
-fi

logstash/config/10-entrypoint_configuration.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-set -e
-
-##############################################################################
-# Adapt logstash.yml configuration. 
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-    echo "CONFIGURATION - TO DO"
-
-    # Settings for logstash.yml
-    # Example:
-    #   echo "
-    # xpack.monitoring.enabled: true
-    # xpack.monitoring.elasticsearch.username: LOGSTASH_USER
-    # xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
-    # xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
-    # " >> /usr/share/logstash/config/logstash.yml
-
-fi

logstash/config/entrypoint.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
-
-done

nginx/Dockerfile

@@ -1,4 +1,4 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 FROM nginx:latest
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -16,4 +16,4 @@ VOLUME ["/etc/nginx/conf.d"]
 ENV NGINX_NAME="foo" \
     NGINX_PWD="bar"
 
-ENTRYPOINT /entrypoint.sh
+ENTRYPOINT [ "/entrypoint.sh" ]

nginx/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 set -e
 
@@ -30,14 +30,14 @@ if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
     do
       IFS=':' read -r -a credentials <<< "${users[index]}"
       if [ $index -eq 0 ]; then
-        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
+        htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null
       else
-        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
+        htpasswd -b /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} ${credentials[1]} >/dev/null
       fi
     done
   else
-    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
-    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
+    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile
+    htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME $NGINX_PWD >/dev/null
   fi
 else
   echo "Kibana credentials already configured"
@@ -52,17 +52,19 @@ if [ "x${KIBANA_HOST}" = "x" ]; then
 fi
 
 echo "Configuring NGINX"
+
+
+if [ "${NGINX_PORT}" = "443" ]; then
 cat > /etc/nginx/conf.d/default.conf <<EOF
 server {
     listen 80;
     listen [::]:80;
-    return 301 https://\$host:${NGINX_PORT}\$request_uri;
+    return 301 https://\$host\$request_uri;
 }
 
 server {
-    listen ${NGINX_PORT} default_server;
-    listen [::]:${NGINX_PORT};
-    ssl on;
+    listen ${NGINX_PORT} default_server ssl http2;
+    listen [::]:${NGINX_PORT} ssl http2;
     ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
     ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
     location / {
@@ -75,5 +77,21 @@ server {
     }
 }
 EOF
+else
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen ${NGINX_PORT};
+    listen [::]:${NGINX_PORT};
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://${KIBANA_HOST}/;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+    }
+}
+EOF
+fi
 
-nginx -g 'daemon off;'
+exec nginx -g 'daemon off;'

wazuh/Dockerfile

@@ -1,46 +1,62 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM phusion/baseimage:latest
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+FROM phusion/baseimage:0.10.2
 
-# Arguments
-ARG FILEBEAT_VERSION=7.3.2
-ARG WAZUH_VERSION=3.10.2-1
+ARG FILEBEAT_VERSION=7.9.2
+
+ARG WAZUH_VERSION=3.13.3-1
 
-# Environment variables
 ENV API_USER="foo" \
    API_PASS="bar"
 
-ARG TEMPLATE_VERSION="v3.10.2"
-ENV FILEBEAT_DESTINATION="elasticsearch"
+ARG TEMPLATE_VERSION="v3.13.3"
 
-# Install packages
-RUN set -x && \
-    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
-    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
-    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
-    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
-    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
-    groupadd -g 1000 ossec && \
-    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
-    add-apt-repository universe && \
-    apt-get update && \
-    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
-    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
-    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
-    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
-    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
-    rm -f /var/ossec/logs/alerts/*/*/* && \
-    rm -f /var/ossec/logs/archives/*/*/* && \
-    rm -f /var/ossec/logs/firewall/*/*/* && \
-    rm -f /var/ossec/logs/api/*/*/* && \
-    rm -f /var/ossec/logs/cluster/*/*/* && \
-    rm -f /var/ossec/logs/ossec/*/*/* && \
-    rm /var/ossec/var/run/* && \
-    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
+# Set repositories.
+RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
+   curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
+   curl --silent --location https://deb.nodesource.com/setup_10.x | bash - && \
+   echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
+   echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
+   groupadd -g 1000 ossec && useradd -u 1000 -g 1000 -d /var/ossec ossec
 
-# Services
+RUN add-apt-repository universe && apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+   apt-get --no-install-recommends --no-install-suggests -y install openssl postfix bsd-mailx python-boto python-pip  \
+   apt-transport-https vim expect nodejs python-cryptography mailutils libsasl2-modules wazuh-manager=${WAZUH_VERSION} \
+   wazuh-api=${WAZUH_VERSION} && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && rm -f \
+   /var/ossec/logs/alerts/*/*/*.log && rm -f /var/ossec/logs/alerts/*/*/*.json && rm -f \
+   /var/ossec/logs/archives/*/*/*.log && rm -f /var/ossec/logs/archives/*/*/*.json && rm -f \
+   /var/ossec/logs/firewall/*/*/*.log && rm -f /var/ossec/logs/firewall/*/*/*.json
+
+# Adding first run script and entrypoint
+COPY config/data_dirs.env /data_dirs.env
+COPY config/init.bash /init.bash
+RUN mkdir /entrypoint-scripts
+COPY config/entrypoint.sh /entrypoint.sh
+COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh
+COPY config/01-config_filebeat.sh /entrypoint-scripts/01-config_filebeat.sh
+
+# Sync calls are due to https://github.com/docker/docker/issues/9547
+RUN chmod 755 /init.bash && \
+   sync && /init.bash && \
+   sync && rm /init.bash && \
+   curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
+   dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+   chmod 755 /entrypoint.sh && \
+   chmod 755 /entrypoint-scripts/00-wazuh.sh && \
+   chmod 755 /entrypoint-scripts/01-config_filebeat.sh
+
+COPY config/filebeat.yml /etc/filebeat/
+RUN chmod go-w /etc/filebeat/filebeat.yml
+
+# Setting volumes
+VOLUME ["/var/ossec/data"]
+VOLUME ["/etc/filebeat"]
+VOLUME ["/etc/postfix"]
+VOLUME ["/var/lib/filebeat"]
+
+# Services ports
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+
+# Adding services
 RUN mkdir /etc/service/wazuh && \
    mkdir /etc/service/wazuh-api && \
    mkdir /etc/service/postfix && \
@@ -54,71 +70,14 @@ COPY config/filebeat.runit.service /etc/service/filebeat/run
 RUN chmod +x /etc/service/wazuh-api/run && \
    chmod +x /etc/service/wazuh/run && \
    chmod +x /etc/service/postfix/run && \
-   chmod +x /etc/service/filebeat/run 
+   chmod +x /etc/service/filebeat/run
 
-# Copy configuration files from repository
-COPY config/filebeat_to_elasticsearch.yml ./
-COPY config/filebeat_to_logstash.yml ./
 
-# Prepare permanent data
-# Sync calls are due to https://github.com/docker/docker/issues/9547
-COPY config/permanent_data.env /permanent_data.env
-COPY config/permanent_data.sh /permanent_data.sh
-RUN chmod 755 /permanent_data.sh && \
-    sync && \
-    /permanent_data.sh && \
-    sync && \
-    rm /permanent_data.sh 
-
-# Expose ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
-
-# Setting volumes
-# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
-# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
-VOLUME ["/var/ossec/api/configuration"]
-VOLUME ["/var/ossec/etc"]
-VOLUME ["/var/ossec/logs"]
-VOLUME ["/var/ossec/queue"]
-VOLUME ["/var/ossec/var/multigroups"]
-VOLUME ["/var/ossec/integrations"]
-VOLUME ["/var/ossec/active-response/bin"]
-VOLUME ["/var/ossec/wodles"]
-VOLUME ["/etc/filebeat"]
-VOLUME ["/etc/postfix"]
-VOLUME ["/var/lib/filebeat"]
-
-# Prepare entrypoint scripts
-# Entrypoint scripts must be added to the entrypoint-scripts directory
-RUN mkdir /entrypoint-scripts
-
-COPY config/entrypoint.sh /entrypoint.sh
-COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
-COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
-COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
-COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
-COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
-COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
-COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
-RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
-    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
-    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
-    chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
-    chmod 755 /entrypoint-scripts/10-backups.sh && \
-    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
-
-# Workaround. 
-# Issues: Wazuh-api
-# https://github.com/wazuh/wazuh-api/issues/440  
-# https://github.com/wazuh/wazuh-api/issues/443
-COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
-RUN chmod 770 /var/ossec/api/controllers/agents.js
-
-# Load wazuh alerts template.
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
-RUN chmod go-w /etc/filebeat/wazuh-template.json 
+RUN chmod go-w /etc/filebeat/wazuh-template.json
+
+ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
+RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
 
 # Run all services
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/00-decrypt_credentials.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the credentials of the API user to be created are encrypted,
-# it must be decrypted for later use. 
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "CREDENTIALS - Security credentials file not used. Nothing to do."
-else
-    echo "CREDENTIALS - TO DO"
-fi
-# TO DO

wazuh/config/00-wazuh.sh

@@ -0,0 +1,155 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# Wazuh container bootstrap. See the README for information of the environment
+# variables expected by this script.
+
+# Startup the services
+source /data_dirs.env
+
+FIRST_TIME_INSTALLATION=false
+
+WAZUH_INSTALL_PATH=/var/ossec
+DATA_PATH=${WAZUH_INSTALL_PATH}/data
+
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+
+print() {
+    echo -e $1
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+    eval $1 2>&1 || error_and_exit "$1"
+}
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+    sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
+for ossecdir in "${DATA_DIRS[@]}"; do
+  if [ ! -e "${DATA_PATH}/${ossecdir}" ]
+  then
+    print "Installing ${ossecdir}"
+    exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
+    exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
+    FIRST_TIME_INSTALLATION=true
+  fi
+done
+
+if [  -e ${WAZUH_INSTALL_PATH}/etc-template  ]
+then
+    cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf
+fi
+
+# copy missing files from queue-template (in case this is an upgrade from previous versions)
+for filename in /var/ossec/queue-template/*; do
+  fname=$(basename $filename)
+  echo $fname
+  if test ! -e "/var/ossec/data/queue/$fname"; then
+    cp -rp "/var/ossec/queue-template/$fname" /var/ossec/data/queue/
+  fi
+done
+
+touch ${DATA_PATH}/process_list
+chgrp ossec ${DATA_PATH}/process_list
+chmod g+rw ${DATA_PATH}/process_list
+
+AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
+
+if [ $FIRST_TIME_INSTALLATION == true ]
+then
+  if [ $AUTO_ENROLLMENT_ENABLED == true ]
+  then
+    if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
+    then
+      print "Creating ossec-authd key and cert"
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
+    fi
+  fi
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
+    then
+      print "Enabling Wazuh API HTTPS"
+      edit_configuration "https" "yes"
+      print "Create Wazuh API key and cert"
+      exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
+      exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
+    fi
+  fi
+fi
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+if [ -e "$WAZUH_CONFIG_MOUNT" ]
+then
+  print "Identified Wazuh configuration files to mount..."
+
+  exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
+else
+  print "No Wazuh configuration files to mount..."
+fi
+
+function ossec_shutdown(){
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
+}
+
+##############################################################################
+# Allow users to set the container hostname as <node_name> dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+
+# Trap exit signals and do a proper shutdown
+trap "ossec_shutdown; exit" SIGINT SIGTERM
+
+chmod -R g+rw ${DATA_PATH}
+chmod 750 /var/ossec/agentless/*
+
+##############################################################################
+# Interpret any passed arguments (via docker command to this entrypoint) as
+# paths or commands, and execute them.
+#
+# This can be useful for actions that need to be run before the services are
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
+##############################################################################
+for CUSTOM_COMMAND in "$@"
+do
+  echo "Executing command \`${CUSTOM_COMMAND}\`"
+  exec_cmd_stdout "${CUSTOM_COMMAND}"
+done
+
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+pushd /var/ossec/api/configuration/auth/
+
+echo "Change Wazuh API user credentials"
+change_user="node htpasswd -b -c user $API_USER $API_PASS"
+eval $change_user
+
+popd

wazuh/config/01-config_filebeat.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+if [ "$ELASTICSEARCH_URL" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP."
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+fi

wazuh/config/01-wazuh.sh

@@ -1,249 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Variables
-source /permanent_data.env
-
-WAZUH_INSTALL_PATH=/var/ossec
-WAZUH_CONFIG_MOUNT=/wazuh-config-mount
-AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
-
-
-##############################################################################
-# Aux functions
-##############################################################################
-print() {
-  echo -e $1
-}
-
-error_and_exit() {
-  echo "Error executing command: '$1'."
-  echo 'Exiting.'
-  exit 1
-}
-
-exec_cmd() {
-  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
-}
-
-exec_cmd_stdout() {
-  eval $1 2>&1 || error_and_exit "$1"
-}
-
-
-##############################################################################
-# Edit configuration
-##############################################################################
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
-
-##############################################################################
-# This function will attempt to mount every directory in PERMANENT_DATA 
-# into the respective path. 
-# If the path is empty means permanent data volume is also empty, so a backup  
-# will be copied into it. Otherwise it will not be copied because there is  
-# already data inside the volume for the specified path.
-##############################################################################
-
-mount_permanent_data() {
-  for permanent_dir in "${PERMANENT_DATA[@]}"; do
-    # Check if the path is not empty
-    if find ${permanent_dir} -mindepth 1 | read; then
-      print "The path ${permanent_dir} is already mounted"
-    else
-      print "Installing ${permanent_dir}"
-      exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
-    fi
-  done
-}
-
-##############################################################################
-# This function will replace from the permanent data volume every file 
-# contained in PERMANENT_DATA_EXCP
-# Some files as 'internal_options.conf' are saved as permanent data, but 
-# they must be updated to work properly if wazuh version is changed.
-##############################################################################
-
-apply_exclusion_data() {
-  for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
-    if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
-    then
-      DIR=$(dirname "${exclusion_file}")
-      if [ ! -e ${DIR}  ]
-      then
-        mkdir -p ${DIR}
-      fi
-      
-      print "Updating ${exclusion_file}"
-      exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
-    fi
-  done
-}
-
-##############################################################################
-# This function will delete from the permanent data volume every file 
-# contained in PERMANENT_DATA_DEL
-##############################################################################
-
-remove_data_files() {
-  for del_file in "${PERMANENT_DATA_DEL[@]}"; do
-    if [ -e ${del_file} ]
-    then 
-      print "Removing ${del_file}"
-      exec_cmd "rm ${del_file}"
-    fi
-  done
-}
-
-##############################################################################
-# Create certificates: Manager
-##############################################################################
-
-create_ossec_key_cert() {
-  print "Creating ossec-authd key and cert"
-  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
-  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
-}
-
-##############################################################################
-# Create certificates: API
-##############################################################################
-
-create_api_key_cert() {
-  print "Enabling Wazuh API HTTPS"
-  edit_configuration "https" "yes"
-  print "Create Wazuh API key and cert"
-  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
-  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
-
-  # Granting proper permissions 
-  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
-  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
-}
-
-##############################################################################
-# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
-# destination files permissions
-#
-# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
-# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
-# replace the ossec.conf file in /var/ossec/data/etc with yours.
-##############################################################################
-
-mount_files() {
-  if [ -e "$WAZUH_CONFIG_MOUNT" ]
-  then
-    print "Identified Wazuh configuration files to mount..."
-    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
-  else
-    print "No Wazuh configuration files to mount..."
-  fi
-}
-
-##############################################################################
-# Stop OSSEC
-##############################################################################
-
-function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
-}
-
-##############################################################################
-# Interpret any passed arguments (via docker command to this entrypoint) as
-# paths or commands, and execute them. 
-#
-# This can be useful for actions that need to be run before the services are
-# started, such as "/var/ossec/bin/ossec-control enable agentless".
-##############################################################################
-
-docker_custom_args() {
-  for CUSTOM_COMMAND in "$@"
-  do
-    echo "Executing command \`${CUSTOM_COMMAND}\`"
-    exec_cmd_stdout "${CUSTOM_COMMAND}"
-  done
-}
-
-##############################################################################
-# Change Wazuh API user credentials.
-##############################################################################
-
-change_api_user_credentials() {
-  pushd /var/ossec/api/configuration/auth/
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    WAZUH_API_USER=${API_USER}
-    WAZUH_API_PASS=${API_PASS}
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    while IFS= read -r line
-    do
-      if [[ $line == *"WAZUH_API_USER"* ]]; then
-        arrIN=(${line//:/ })
-        WAZUH_API_USER=${arrIN[1]}
-      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
-        arrIN=(${line//:/ })
-        WAZUH_API_PASS=${arrIN[1]}
-      fi
-    done < "$input"
-  fi
-
-  echo "Change Wazuh API user credentials"
-  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
-  eval $change_user
-  popd
-}
-
-
-##############################################################################
-# Main function
-##############################################################################
-
-main() {
-  # Mount permanent data  (i.e. ossec.conf)
-  mount_permanent_data
-
-  # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
-  apply_exclusion_data
-
-  # Remove some files in permanent_data (i.e. .template.db)
-  remove_data_files
-
-  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
-  if [ $AUTO_ENROLLMENT_ENABLED == true ]
-  then
-    if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
-    then
-      create_ossec_key_cert
-    fi
-  fi
-
-  # Generate API certs if API_GENERATE_CERTS is true and does not exist
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
-    then
-      create_api_key_cert
-    fi
-  fi
-
-  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
-  mount_files
-
-  # Trap exit signals and do a proper shutdown
-  trap "ossec_shutdown; exit" SIGINT SIGTERM
-
-  # Execute custom args
-  docker_custom_args
-
-  # Change API user credentials
-  change_api_user_credentials
-
-  # Delete temporary data folder
-  rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
-
-}
-
-main

wazuh/config/02-set_filebeat_destination.sh

@@ -1,30 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Set Filebeat destination.  
-##############################################################################
-
-if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
-
-    echo "FILEBEAT - Set destination to Elasticsearch"
-    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
-    if [[ $FILEBEAT_OUTPUT != "" ]]; then
-        sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
-    fi
-
-elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
-
-    echo "FILEBEAT - Set destination to Logstash"
-    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
-    if [[ $FILEBEAT_OUTPUT != "" ]]; then
-        sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
-    fi
-
-else
-    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
-fi
-
-echo "FILEBEAT - Set permissions"
-
-chmod go-w /etc/filebeat/filebeat.yml

wazuh/config/03-config_filebeat.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
-
-    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
-
-    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
-    if [ "$ELASTICSEARCH_URL" != "" ]; then
-    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
-    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
-    fi
-
-    # Install Wazuh Filebeat Module
-
-    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
-    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
-    mkdir -p /usr/share/filebeat/module/wazuh
-    chmod 755 -R /usr/share/filebeat/module/wazuh
-
-fi

wazuh/config/05-remove_credentials_file.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# Remove the credentials file for security reasons.
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "CREDENTIALS - Security credentials file not used. Nothing to do."
-else
-  echo "CREDENTIALS - Remove credentiasl file."
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi

wazuh/config/10-backups.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Enable Wazuh backups and store them in a repository. 
-##############################################################################
-
-
-# TO DO
-echo "BACKUPS - TO DO"

wazuh/config/20-ossec-configuration.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Change Wazuh manager configuration. 
-##############################################################################
-
-# # Example: 
-# # Change remote protocol from udp to tcp
-# PROTOCOL="tcp"
-# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
-# # It is necessary to restart the service in order to apply the new configuration. 
-# service wazuh-manager restart

wazuh/config/data_dirs.env

@@ -0,0 +1,8 @@
+i=0
+DATA_DIRS[((i++))]="api/configuration"
+DATA_DIRS[((i++))]="etc"
+DATA_DIRS[((i++))]="logs"
+DATA_DIRS[((i++))]="queue"
+DATA_DIRS[((i++))]="agentless"
+DATA_DIRS[((i++))]="var/multigroups"
+export DATA_DIRS

wazuh/config/entrypoint.sh

@@ -1,13 +1,14 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
   bash "$script"
+
 done
 
 ##############################################################################
 # Start Wazuh Server.
 ##############################################################################
 
-/sbin/my_init 
+/sbin/my_init

wazuh/config/filebeat.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 service filebeat start
 tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -0,0 +1,15 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+output.elasticsearch.hosts: ['http://elasticsearch:9200']

wazuh/config/filebeat_to_elasticsearch.yml

@@ -1,55 +0,0 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Wazuh - Filebeat configuration file
-filebeat.inputs:
-  - type: log
-    paths:
-      - '/var/ossec/logs/alerts/alerts.json'
-
-setup.template.json.enabled: true
-setup.template.json.path: "/etc/filebeat/wazuh-template.json"
-setup.template.json.name: "wazuh"
-setup.template.overwrite: true
-
-processors:
-  - decode_json_fields:
-      fields: ['message']
-      process_array: true
-      max_depth: 200
-      target: ''
-      overwrite_keys: true
-  - drop_fields:
-      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
-  - rename:
-      fields:
-        - from: "data.aws.sourceIPAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.srcip"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-  - rename:
-      fields:
-        - from: "data.win.eventdata.ipAddress"
-          to: "@src_ip"
-      ignore_missing: true
-      fail_on_error: false
-      when:
-        regexp:
-          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
-
-output.elasticsearch:
-  hosts: ['http://elasticsearch:9200']
-  #pipeline: geoip
-  indices:
-    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

wazuh/config/filebeat_to_logstash.yml

@@ -1,15 +0,0 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Wazuh - Filebeat configuration file
-filebeat:
- inputs:
-  - type: log
-    paths:
-     - "/var/ossec/logs/alerts/alerts.json"
-
-output:
- logstash:
-   # The Logstash hosts
-         hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/init.bash

@@ -0,0 +1,11 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+
+# Initialize the custom data directory layout
+source /data_dirs.env
+
+cd /var/ossec
+for ossecdir in "${DATA_DIRS[@]}"; do
+  mv ${ossecdir} ${ossecdir}-template
+  ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
+done

wazuh/config/permanent_data.env

@@ -1,61 +0,0 @@
-# Permanent data mounted in volumes
-i=0
-PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
-PERMANENT_DATA[((i++))]="/var/ossec/etc"
-PERMANENT_DATA[((i++))]="/var/ossec/logs"
-PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
-PERMANENT_DATA[((i++))]="/var/ossec/integrations"
-PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
-PERMANENT_DATA[((i++))]="/var/ossec/wodles"
-PERMANENT_DATA[((i++))]="/etc/filebeat"
-PERMANENT_DATA[((i++))]="/etc/postfix"
-export PERMANENT_DATA
-
-# Files mounted in a volume that should not be permanent
-i=0
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
-export PERMANENT_DATA_EXCP
-
-# Files mounted in a volume that should be deleted 
-i=0
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
-export PERMANENT_DATA_DEL

wazuh/config/permanent_data.sh

@@ -1,40 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Variables
-source /permanent_data.env
-
-WAZUH_INSTALL_PATH=/var/ossec
-DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp
-mkdir ${DATA_TMP_PATH}
-
-# Move exclusion files to EXCLUSION_PATH
-EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion
-mkdir ${EXCLUSION_PATH}
-
-for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
-  # Create the directory for the exclusion file if it does not exist
-  DIR=$(dirname "${exclusion_file}")
-  if [ ! -e ${EXCLUSION_PATH}/${DIR}  ]
-  then
-    mkdir -p ${EXCLUSION_PATH}/${DIR}
-  fi
-
-  mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file}
-done
-
-# Move permanent files to PERMANENT_PATH
-PERMANENT_PATH=${DATA_TMP_PATH}/permanent
-mkdir ${PERMANENT_PATH}
-
-for permanent_dir in "${PERMANENT_DATA[@]}"; do
-  # Create the directory for the permanent file if it does not exist
-  DIR=$(dirname "${permanent_dir}")
-  if [ ! -e ${PERMANENT_PATH}${DIR}  ]
-  then
-    mkdir -p ${PERMANENT_PATH}${DIR}
-  fi
-  
-  mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
-
-done

wazuh/config/postfix.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 service postfix start
 tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -1,5 +1,4 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 service wazuh-api start
-tail -f /var/ossec/logs/api.log
-
+tail -f /var/ossec/data/logs/api.log

wazuh/config/wazuh.runit.service

@@ -1,5 +1,4 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 service wazuh-manager start
-tail -f /var/ossec/logs/ossec.log
-
+tail -f /var/ossec/data/logs/ossec.log