Update README

fix: missing directory for tasks manager db

.github/workflows/push.yml

@@ -0,0 +1,36 @@
+name: Wazuh Docker pipeline
+
+on: [push]
+
+jobs:
+  build-stack:
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v2
+
+    - name: Build the docker-compose stack
+      run: docker-compose -f build-from-sources.yml up -d --build
+
+    - name: Check running containers
+      run: docker ps -a
+
+    - name: Shutdown the stack
+      run: docker-compose -f build-from-sources.yml kill
+
+    - name: Install Goss
+      uses: e1himself/goss-installation-action@v1.0.3
+      with:
+        version: v0.3.16
+
+    - name: Execute Goss tests (wazuh-odfe)
+      run: dgoss run wazuh/wazuh-odfe:dev-version
+      env:
+        GOSS_SLEEP: 30
+        GOSS_FILE: .goss.yaml
+
+    - name: Execute Goss tests (wazuh-kibana-odfe)
+      run: dgoss run wazuh/wazuh-kibana-odfe:dev-version
+      env:
+        GOSS_FILE: .goss.kibana.yaml

.goss.kibana.yaml

@@ -0,0 +1,53 @@
+file:
+  /usr/share/kibana/config/kibana.yml:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+  /usr/share/kibana/data/wazuh/config/wazuh.yml:
+    exists: true
+    mode: "0644"
+    owner: kibana
+    group: kibana
+    filetype: file
+    contains: []
+  /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs:
+    exists: true
+    mode: "0664"
+    owner: kibana
+    group: root
+    filetype: file
+    contains: []
+user:
+  kibana:
+    exists: true
+    groups:
+    - kibana
+    home: /usr/share/kibana
+    shell: /bin/bash
+group:
+  kibana:
+    exists: true

.goss.yaml

@@ -0,0 +1,115 @@
+file:
+  /etc/filebeat/filebeat.yml:
+    exists: true
+    mode: "0644"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/bin/ossec-control:
+    exists: true
+    mode: "0750"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/etc/lists/audit-keys:
+    exists: true
+    mode: "0660"
+    owner: ossec
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/ossec.conf:
+    exists: true
+    mode: "0660"
+    owner: root
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/rules/local_rules.xml:
+    exists: true
+    mode: "0660"
+    owner: ossec
+    group: ossec
+    filetype: file
+    contains: []
+  /var/ossec/etc/sslmanager.cert:
+    exists: true
+    mode: "0640"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+  /var/ossec/etc/sslmanager.key:
+    exists: true
+    mode: "0640"
+    owner: root
+    group: root
+    filetype: file
+    contains: []
+package:
+  filebeat:
+    installed: true
+    versions:
+    - 7.10.2
+  wazuh-manager:
+    installed: true
+    versions:
+    - 4.1.5
+port:
+  tcp:1514:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:1515:
+    listening: true
+    ip:
+    - 0.0.0.0
+  tcp:55000:
+    listening: true
+    ip:
+    - 0.0.0.0
+user:
+  ossec:
+    exists: true
+    groups:
+    - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+  ossecm:
+    exists: true
+    groups:
+    - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+  ossecr:
+    exists: true
+    groups:
+    - ossec
+    home: /var/ossec
+    shell: /sbin/nologin
+group:
+  ossec:
+    exists: true
+process:
+  filebeat:
+    running: true
+  ossec-analysisd:
+    running: true
+  ossec-authd:
+    running: true
+  ossec-execd:
+    running: true
+  ossec-monitord:
+    running: true
+  ossec-remoted:
+    running: true
+  ossec-syscheckd:
+    running: true
+  s6-supervise:
+    running: true
+  wazuh-db:
+    running: true
+  wazuh-modulesd:
+    running: true

CHANGELOG.md

@@ -1,17 +1,233 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v3.9.4_6.8.1
+## Wazuh Docker v4.1.5
+### Added
 
-## Wazuh Docker v3.9.3_6.8.1
+- Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
+- Update ODFE compatibility to version 1.13.2
+
+## Wazuh Docker v4.1.4
+### Added
+
+- Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
+
+## Wazuh Docker v4.1.3
+### Added
+
+- Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
+
+## Wazuh Docker v4.1.2
+### Added
+
+- Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
+
+## Wazuh Docker v4.1.1
+### Added
+
+- Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
+
+## Wazuh Docker v4.1.0
+### Added
+
+- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
+- Update ODFE compatibility to version 1.12.0
+- Add support for Elasticsearch (xpack) images once again (7.10.2)  ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
+- Re-enable entrypoint scripts  ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
+- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
+- Update s6-overlay to latest version
+
+## Wazuh Docker v4.0.4_1.11.0
 
 ### Added
 
-- Update to Wazuh version 3.9.3_6.8.1
+- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
+
+
+## Wazuh Docker v4.0.3_1.11.0
 
 ### Added
 
-- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
+- Update to Wazuh version 4.0.3
+
+
+## Wazuh Docker v4.0.2_1.11.0
+
+### Added
+
+- Update to Wazuh version 4.0.2
+
+## Wazuh Docker v4.0.1_1.11.0
+
+### Added
+
+- Update to Wazuh version 4.0.1
+- Opendistro 1.11.0 compatiblity
+- Re-enabled dumping ossec.log to stdout
+
+## Wazuh Docker v4.0.0_1.10.1
+
+### Added
+
+- Update to Wazuh version 4.0.0
+- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame))  [#393](https://github.com/wazuh/wazuh-docker/pull/393)
+- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
+- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
+- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
+- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
+
+
+### Changed
+
+- Removal of Elastic images
+
+
+## Wazuh Docker v3.13.2_7.9.1
+
+### Added
+
+- Update to Wazuh version 3.13.2_7.9.1
+- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
+
+### Fixed
+
+- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
+- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
+
+
+## Wazuh Docker v3.13.1_7.8.0
+
+### Added
+
+- Update to Wazuh version 3.13.1_7.8.0
+
+
+## Wazuh Docker v3.13.0_7.7.1
+
+### Added
+
+- Update to Wazuh version 3.13.3_7.7.1
+
+### Fixed
+
+- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
+- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
+
+## Wazuh Docker v3.12.3_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.3_7.6.2
+
+
+## Wazuh Docker v3.12.2_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.2_7.6.2
+
+## Wazuh Docker v3.12.1_7.6.2
+
+### Added
+
+- Update to Wazuh version 3.12.1_7.6.2
+
+### Fixed
+
+- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
+
+
+## Wazuh Docker v3.12.0_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.12.0_7.6.1
+
+
+## Wazuh Docker v3.11.4_7.6.1
+
+### Added
+
+- Update to Wazuh version 3.11.4_7.6.1
+
+- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
+
+### Fixed
+
+- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
+
+
+## Wazuh Docker v3.11.3_7.5.2
+
+### Added
+
+- Update to Wazuh version 3.11.3_7.5.2
+
+## Wazuh Docker v3.11.2_7.5.1
+
+### Added
+
+- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
+
+### Fixed
+
+- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
+
+## Wazuh Docker v3.11.1_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.1_7.5.1
+- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
+- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
+
+## Wazuh Docker v3.11.0_7.5.1
+
+### Added
+
+- Update to Wazuh version 3.11.0_7.5.1
+
+## Wazuh Docker v3.10.2_7.5.0
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.5.0
+
+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
+## Wazuh Docker v3.9.5_7.2.1
+
+### Added
+
+- Update to Wazuh version 3.9.5_7.2.1
+
+## Wazuh Docker v3.9.4_7.2.0
+
+### Added
+
+- Update to Wazuh version 3.9.4_7.2.0
+- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
+
+## Wazuh Docker v3.9.3_7.2.0
+
+### Fixed
+- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
+
+## Wazuh Docker v3.9.2_7.1.1
+
+### Added
+
+- Update to Wazuh version 3.9.2_7.1.1
 
 ## Wazuh Docker v3.9.2_6.8.0
 
@@ -19,13 +235,18 @@ All notable changes to this project will be documented in this file.
 
 - Update to Wazuh version 3.9.2_6.8.0
 
+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
 
 ## Wazuh Docker v3.9.1_6.8.0
 
 ### Added
 
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
-- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 
 ### Fixed
 
@@ -39,7 +260,6 @@ All notable changes to this project will be documented in this file.
 
 ## Wazuh Docker v3.9.0_6.7.1
 
-
 ### Added
 
 - Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2019 Wazuh, Inc.
+ Portions Copyright (C) 2021 Wazuh, Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -7,11 +7,9 @@
 
 In this repository you will find the containers to run:
 
-* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
-* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
-* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
-* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
-* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
+* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
+* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
+* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
 
 In addition, a docker-compose file is provided to launch the containers mentioned above.
 
@@ -23,47 +21,160 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
+
+### Setup SSL certificate and Basic Authentication
+
+Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
+
+Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
+
+
+## Environment Variables
+
+Default values are included when available.
+
+### Wazuh
+```
+API_USERNAME="wazuh"                                # Wazuh API username
+API_PASSWORD="wazuh"                                # Wazuh API password - Must comply with requirements
+                                                    # (8+ length, uppercase, lowercase, specials chars)
+
+ELASTICSEARCH_URL=https://elasticsearch:9200        # Elasticsearch URL
+ELASTIC_USERNAME=admin                              # Elasticsearch Username
+ELASTIC_PASSWORD=admin                              # Elasticsearch Password
+FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification mode (full or none)
+SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
+SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
+SSL_KEY=""                                          # Path of Filebeat SSL Key
+```
+
+### Kibana
+```
+PATTERN="wazuh-alerts-*"        # Default index pattern to use
+
+CHECKS_PATTERN=true             # Defines which checks must to be consider by the healthcheck
+CHECKS_TEMPLATE=true            # step once the Wazuh app starts. Values must to be true or false
+CHECKS_API=true
+CHECKS_SETUP=true
+
+EXTENSIONS_PCI=true             # Enable PCI Extension
+EXTENSIONS_GDPR=true            # Enable GDPR Extension
+EXTENSIONS_HIPAA=true           # Enable HIPAA Extension
+EXTENSIONS_NIST=true            # Enable NIST Extension
+EXTENSIONS_TSC=true             # Enable TSC Extension
+EXTENSIONS_AUDIT=true           # Enable Audit Extension
+EXTENSIONS_OSCAP=false          # Enable OpenSCAP Extension
+EXTENSIONS_CISCAT=false         # Enable CISCAT Extension
+EXTENSIONS_AWS=false            # Enable AWS Extension
+EXTENSIONS_GCP=false            # Enable GCP Extension
+EXTENSIONS_VIRUSTOTAL=false     # Enable Virustotal Extension
+EXTENSIONS_OSQUERY=false        # Enable OSQuery Extension
+EXTENSIONS_DOCKER=false         # Enable Docker Extension
+
+APP_TIMEOUT=20000               # Defines maximum timeout to be used on the Wazuh app requests
+
+API_SELECTOR=true               Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
+IP_SELECTOR=true                # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
+IP_IGNORE="[]"                  # List of index patterns to be ignored
+
+WAZUH_MONITORING_ENABLED=true       # Custom settings to enable/disable wazuh-monitoring indices
+WAZUH_MONITORING_FREQUENCY=900      # Custom setting to set the frequency for wazuh-monitoring indices cron task
+WAZUH_MONITORING_SHARDS=2           # Configure wazuh-monitoring-* indices shards and replicas
+WAZUH_MONITORING_REPLICAS=0         #
+
+ADMIN_PRIVILEGES=true               # App privileges
+```
+
 ## Directory structure
 
-	wazuh-docker
+    ├── CHANGELOG.md
     ├── docker-compose.yml
-	├── kibana
+    ├── generate-opendistro-certs.yml
+    ├── kibana-odfe
     │   ├── config
+    │   │   ├── custom_welcome
+    │   │   │   ├── light_theme.style.css
+    │   │   │   ├── template.js.hbs
+    │   │   │   ├── wazuh_logo_circle.svg
+    │   │   │   └── wazuh_wazuh_bg.svg
     │   │   ├── entrypoint.sh
-	│   │   └── kibana.yml
+    │   │   ├── kibana_settings.sh
+    │   │   ├── wazuh_app_config.sh
+    │   │   ├── wazuh.yml
+    │   │   └── welcome_wazuh.sh
     │   └── Dockerfile
     ├── LICENSE
-	├── logstash
-	│   ├── config
-	│   │   ├── 01-wazuh.conf
-	│   │   └── run.sh
-	│   └── Dockerfile
-	├── nginx
-	│   ├── config
-	│   │   └── entrypoint.sh
-	│   └── Dockerfile
+    ├── production_cluster
+    │   ├── elastic_opendistro
+    │   │   ├── elasticsearch-node1.yml
+    │   │   ├── elasticsearch-node2.yml
+    │   │   ├── elasticsearch-node3.yml
+    │   │   └── internal_users.yml
+    │   ├── kibana_ssl
+    │   │   └── generate-self-signed-cert.sh
+    │   ├── nginx
+    │   │   ├── nginx.conf
+    │   │   └── ssl
+    │   │       └── generate-self-signed-cert.sh
+    │   ├── ssl_certs
+    │   │   └── certs.yml
+    │   └── wazuh_cluster
+    │       ├── wazuh_manager.conf
+    │       └── wazuh_worker.conf
+    ├── production-cluster.yml
     ├── README.md
-	├── CHANGELOG.md
     ├── VERSION
-	├── test.txt
-	└── wazuh
+    └── wazuh-odfe
         ├── config
-	    │   ├── data_dirs.env
-	    │   ├── entrypoint.sh
-	    │   ├── filebeat.runit.service
+        │   ├── create_user.py
+        │   ├── etc
+        │   │   ├── cont-init.d
+        │   │   │   ├── 0-wazuh-init
+        │   │   │   ├── 1-config-filebeat
+        │   │   │   └── 2-manager
+        │   │   └── services.d
+        │   │       └── filebeat
+        │   │           ├── finish
+        │   │           └── run
         │   ├── filebeat.yml
-	    │   ├── init.bash
-	    │   ├── postfix.runit.service
-	    │   ├── wazuh-api.runit.service
-	    │   └── wazuh.runit.service
+        │   ├── permanent_data.env
+        │   ├── permanent_data.sh
+        │   └── wazuh.repo
         └── Dockerfile
 
 
+
 ## Branches
 
-* `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `stable` branch on correspond to the last Wazuh stable version.
+
+
+## Compatibility Matrix
+
+| Wazuh version | ODFE    | XPACK  |
+|---------------|---------|--------|
+| v4.1.5        | 1.13.2  | 7.10.2 |
+|---------------|---------|--------|
+| v4.1.4        | 1.12.0  | 7.10.2 |
+|---------------|---------|--------|
+| v4.1.3        | 1.12.0  | 7.10.2 |
+|---------------|---------|--------|
+| v4.1.2        | 1.12.0  | 7.10.2 |
+|---------------|---------|--------|
+| v4.1.1        | 1.12.0  | 7.10.2 |
+|---------------|---------|--------|
+| v4.1.0        | 1.12.0  | 7.10.2 |
+|---------------|---------|--------|
+| v4.0.4        | 1.11.0  |        |
+|---------------|---------|--------|
+| v4.0.3        | 1.11.0  |        |
+|---------------|---------|--------|
+| v4.0.2        | 1.11.0  |        |
+|---------------|---------|--------|
+| v4.0.1        | 1.11.0  |        |
+|---------------|---------|--------|
+| v4.0.0        | 1.10.1  |        |
 
 ## Credits and Thank you
 
@@ -76,7 +187,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
-REVISION="3942"
+WAZUH-DOCKER_VERSION="4.1.5"
+REVISION="40114"

build-from-sources.yml

@@ -0,0 +1,84 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    build:  wazuh-odfe/
+    image: wazuh/wazuh-odfe:dev-version
+    hostname: wazuh-manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=admin
+      - ELASTIC_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+
+  elasticsearch:
+    image: amazon/opendistro-for-elasticsearch:1.13.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - discovery.type=single-node
+      - cluster.name=wazuh-cluster
+      - network.host=0.0.0.0
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+
+  kibana:
+    build: kibana-odfe/
+    image: wazuh/wazuh-kibana-odfe:dev-version
+    hostname: kibana
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - ELASTICSEARCH_USERNAME=admin
+      - ELASTICSEARCH_PASSWORD=admin
+      - SERVER_SSL_ENABLED=true
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
+      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
+
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh:wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

docker-compose.yml

@@ -1,90 +1,82 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-version: '2'
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.9.3_6.8.1
+    image: wazuh/wazuh-odfe:4.1.5
     hostname: wazuh-manager
     restart: always
     ports:
-      - "1514:1514/udp"
+      - "1514:1514"
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-    depends_on:
-      - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.9.3_6.8.1
-    hostname: logstash
-    restart: always
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    depends_on:
-      - elasticsearch
     environment:
-      - LS_HEAP_SIZE=2048m
-      - SECURITY_ENABLED=yes
-      - SECURITY_LOGSTASH_USER=service_logstash
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - LOGSTASH_OUTPUT=https://elasticsearch:9200
       - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+      - ELASTIC_USERNAME=admin
+      - ELASTIC_PASSWORD=admin
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
-      - node.name=node-1
-      - cluster.name=wazuh
+      - discovery.type=single-node
+      - cluster.name=wazuh-cluster
       - network.host=0.0.0.0
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
       - bootstrap.memory_lock=true
-      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - ELASTICSEARCH_PROTOCOL=https
-      - ELASTICSEARCH_IP=elasticsearch
-      - ELASTICSEARCH_PORT=9200
-      - SECURITY_ENABLED=yes
-      - SECURITY_ADMIN_USER=wazuh_admin
-      - SECURITY_ADMIN_PASS=admin_pass
-      - SECURITY_ELASTIC_PASSWORD=elastic_pass
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_LOGSTASH_USER=service_logstash 
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - SECURITY_CA_PASSPHRASE=ca_pass
-      - SECURITY_CERTIFICATE_DNS=elasticsearch
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-      - SECURITY_CA_KEY=server.TEST-CA.key
-      - SECURITY_CA_TRUST=server.TEST-CA-signed.pem
-      - SECURITY_MAIN_NODE=elasticsearch
-      - SECURITY_OPENSSL_CONF=TEST_openssl.cnf
-      - SECURITY_MONITORING_USER=service_monitoring
-      - SECURITY_MONITORING_PASS=monitoring_pass
     ulimits:
       memlock:
         soft: -1
         hard: -1
-    mem_limit: 2g
+      nofile:
+        soft: 65536
+        hard: 65536
+
   kibana:
-    image: wazuh/wazuh-kibana:3.9.3_6.8.1
+    image: wazuh/wazuh-kibana-odfe:4.1.5
     hostname: kibana
     restart: always
+    ports:
+      - 443:5601
+    environment:
+      - ELASTICSEARCH_USERNAME=admin
+      - ELASTICSEARCH_PASSWORD=admin
+      - SERVER_SSL_ENABLED=true
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
+      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
+
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=yes
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
-      - SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
-      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-    ports:
-      - "5601:5601"
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

elasticsearch/Dockerfile

@@ -1,79 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
-
-ENV ALERTS_SHARDS="1" \
-    ALERTS_REPLICAS="0"
-
-ENV API_USER="foo" \
-    API_PASS="bar"
-
-ENV XPACK_ML="true" 
-
-ENV ENABLE_CONFIGURE_S3="false"
-
-ENV TEMPLATE_VERSION=v3.9.4
-
-
-# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
-# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
-# Example:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
-# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
-# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_KEY_LOCATION=""
-ARG SECURITY_OPENSSL_CONF_LOCATION=""
-ARG SECURITY_CA_TRUST_LOCATION=""
-
-# Elasticearch cluster configuration environment variables
-# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
-ENV ELASTIC_CLUSTER="false" \
-    CLUSTER_NAME="wazuh" \
-    CLUSTER_NODE_MASTER="true" \
-    CLUSTER_NODE_DATA="true" \
-    CLUSTER_NODE_INGEST="true" \
-    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
-    CLUSTER_MEMORY_LOCK="true" \
-    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
-    CLUSTER_NUMBER_OF_MASTERS="2" \
-    CLUSTER_MAX_NODES="1" \
-    CLUSTER_DELAYED_TIMEOUT="1m"
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
-
-# CA cert for Transport SSL
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
-ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config 
-ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config 
-
-RUN yum install openssl -y
-
-RUN mkdir /entrypoint-scripts
-
-COPY config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
-
-RUN chmod +x ./load_settings.sh
-
-RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
-
-COPY config/configure_s3.sh ./config/configure_s3.sh
-RUN chmod 755 ./config/configure_s3.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
-RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
-
-COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-CMD ["elasticsearch"]

elasticsearch/config/10-config_cluster.sh

@@ -1,36 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
-
-cp $elastic_config_file $original_file 
-
-# If Elasticsearch cluster is enable
-if [[ $ELASTIC_CLUSTER == "true" ]]
-then
-  
-  # Set the cluster.name and discovery.zen.minimun_master_nodes variables
-  sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
-
-  # Add the cluster configuration
-  echo "
-#cluster node
-node:
-  master: ${CLUSTER_NODE_MASTER}
-  data: ${CLUSTER_NODE_DATA}
-  ingest: ${CLUSTER_NODE_INGEST}
-  name: ${CLUSTER_NODE_NAME}
-  max_local_storage_nodes: ${CLUSTER_MAX_NODES}
-
-bootstrap:
-  memory_lock: ${CLUSTER_MEMORY_LOCK}
-
-discovery:
-  zen:
-    ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
-    minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
-  
-" >> $elastic_config_file
-fi

elasticsearch/config/20-config_secure.sh

@@ -1,111 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-
-##############################################################################
-# Setup bootstrap password to chagne all Elastic Stack passwords.
-# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  echo "Creating certificate."
-
-  pushd /usr/share/elasticsearch/config/
-
-  echo "Setting configuration options."
-
-  # Create instances.yml for elasticsearch .p12 certificate and key
-  echo "
-instances:
-- name: \"elasticsearch\"
-  dns: 
-    - $SECURITY_CERTIFICATE_DNS
-" > instances.yml
-
-  # Change permissions and owner of ca
-  chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
-  chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
- 
-
-  # Genereate .p12 certificate and key
-  SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  /usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
-  unzip certs.zip
-  rm certs.zip 
-
-  # Change permissions and owner of certificates
-  chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
-  chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
-  chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
-
-  # Prepare directories for openssl
-  mkdir /root/ca
-  mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
-  chmod 700 /root/ca/private
-  touch /root/ca/index.txt
-  echo 1000 > /root/ca/serial
-
-  mkdir /root/ca/intermediate
-  mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
-  chmod 700 /root/ca/intermediate/private
-  touch /root/ca/intermediate/index.txt
-  echo 1000 > /root/ca/intermediate/serial
-  echo 1000 > /root/ca/intermediate/crlnumber
-
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
-  
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    CA_PASSPHRASE_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"CA_PASSPHRASE"* ]]; then
-        arrIN=(${line//:/ })
-        CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    
-    openssl ca -batch -config $SECURITY_OPENSSL_CONF  -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM  -keyfile $SECURITY_CA_KEY  -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem 
-  
-  fi
-  
-  chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
-
-  # remove CA key
-  rm $SECURITY_CA_KEY
-
-  popd
-
-  echo "Setting configuration options."
-  
-  # Settings for elasticsearch.yml
-  echo "
-# Required to set the passwords and TLS options
-xpack.security.enabled: true
-xpack.security.transport.ssl.enabled: true
-xpack.security.transport.ssl.verification_mode: certificate
-xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-
-# HTTP layer
-xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.verification_mode: certificate
-xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
-xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
-xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
-" >> $elastic_config_file
-
-  # Create keystore
-  /usr/share/elasticsearch/bin/elasticsearch-keystore create
-
-  # Add keys to keystore
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
-  echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
-
-fi
-

elasticsearch/config/30-entrypoint.sh

@@ -1,70 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
-
-set -e
-
-# Files created by Elasticsearch should always be group writable too
-umask 0002
-
-run_as_other_user_if_needed() {
-  if [[ "$(id -u)" == "0" ]]; then
-    # If running as root, drop to specified UID and run command
-    exec chroot --userspec=1000 / "${@}"
-  else
-    # Either we are running in Openshift with random uid and are a member of the root group
-    # or with a custom --user
-    exec "${@}"
-  fi
-}
-
-
-#Disabling xpack features
-
-elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
-if grep -Fq  "#xpack features" "$elasticsearch_config_file" ;
-then 
-  declare -A CONFIG_MAP=(
-  [xpack.ml.enabled]=$XPACK_ML
-  )
-  for i in "${!CONFIG_MAP[@]}"
-  do
-    if [ "${CONFIG_MAP[$i]}" != "" ]; then
-      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
-    fi
-  done
-else
-  echo "
-#xpack features
-xpack.ml.enabled: $XPACK_ML
- " >> $elasticsearch_config_file
-fi
-
-# Run load settings script.
-
-bash /usr/share/elasticsearch/load_settings.sh &
-
-# Execute elasticsearch
-
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  echo "Change Elastic password"
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    ELASTIC_PASSWORD_FROM_FILE=""
-    while IFS= read -r line
-    do
-      if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-        arrIN=(${line//:/ })
-        ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
-      fi
-    done < "$input"
-    run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
-  fi
-  echo "Elastic password changed"
-fi
-
-run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/TEST_openssl.cnf

@@ -1,132 +0,0 @@
-# OpenSSL intermediate CA configuration file.
-# Copy to `/root/ca/intermediate/openssl.cnf`.
-
-[ ca ]
-# `man ca`
-default_ca = CA_default
-
-[ CA_default ]
-# Directory and file locations.
-dir               = /root/ca/intermediate
-certs             = $dir/certs
-crl_dir           = $dir/crl
-new_certs_dir     = $dir/newcerts
-database          = $dir/index.txt
-serial            = $dir/serial
-RANDFILE          = $dir/private/.rand
-
-# The root key and root certificate.
-private_key       = $dir/private/intermediate.key.pem
-certificate       = $dir/certs/intermediate.cert.pem
-
-# For certificate revocation lists.
-crlnumber         = $dir/crlnumber
-crl               = $dir/crl/intermediate.crl.pem
-crl_extensions    = crl_ext
-default_crl_days  = 30
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md        = sha256
-
-name_opt          = ca_default
-cert_opt          = ca_default
-default_days      = 375
-preserve          = no
-policy            = policy_loose
-
-[ policy_strict ]
-# The root CA should only sign intermediate certificates that match.
-# See the POLICY FORMAT section of `man ca`.
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ policy_loose ]
-# Allow the intermediate CA to sign a more diverse range of certificates.
-# See the POLICY FORMAT section of the `ca` man page.
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-# Options for the `req` tool (`man req`).
-default_bits        = 2048
-distinguished_name  = req_distinguished_name
-string_mask         = utf8only
-
-# SHA-1 is deprecated, so use SHA-2 instead.
-default_md          = sha256
-
-# Extension to add when the -x509 option is used.
-x509_extensions     = v3_ca
-
-[ req_distinguished_name ]
-# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
-countryName                     = Country Name (2 letter code)
-stateOrProvinceName             = State or Province Name
-localityName                    = Locality Name
-0.organizationName              = Organization Name
-organizationalUnitName          = Organizational Unit Name
-commonName                      = Common Name
-emailAddress                    = Email Address
-
-# Optionally, specify some defaults.
-countryName_default             = GB
-stateOrProvinceName_default     = England
-localityName_default            =
-0.organizationName_default      = Alice Ltd
-organizationalUnitName_default  =
-emailAddress_default            =
-
-[ v3_ca ]
-# Extensions for a typical CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ usr_cert ]
-# Extensions for client certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = client, email
-nsComment = "OpenSSL Generated Client Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, emailProtection
-
-[ server_cert ]
-# Extensions for server certificates (`man x509v3_config`).
-basicConstraints = CA:FALSE
-nsCertType = server
-nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-keyUsage = critical, digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth
-
-[ crl_ext ]
-# Extension for CRLs (`man x509v3_config`).
-authorityKeyIdentifier=keyid:always
-
-[ ocsp ]
-# Extension for OCSP signing certificates (`man ocsp`).
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-keyUsage = critical, digitalSignature
-extendedKeyUsage = critical, OCSPSigning

elasticsearch/config/configure_s3.sh

@@ -1,106 +0,0 @@
-#!/bin/bash
-
-set -e
-
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials for 
-# monitoring
-##############################################################################
-
-ELASTIC_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u elastic:${ELASTIC_PASS} -k"
-else
-  auth=""
-fi
-
-# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
-# param 1: number of arguments passed to configure_s3.sh
-
-function CheckArgs()
-{
-    if [ $1 != 4 ] && [ $1 != 5 ];then
-        echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
-        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
-        exit 1
-
-    fi
-}
-
-# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
-# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
-# param 1: <Elastic_Server_IP:Port>
-# param 2: <Bucket>
-# param 3: <Path>
-# param 4: <RepositoryName>
-# param 5: Optional <Elasticsearch major version>
-# output: It will show "acknowledged" if the repository has been successfully created
-
-function CreateRepo()
-{
-
-    elastic_ip_port="$2"
-    bucket_name="$3"
-    path="$4"
-    repository_name="$5"
-
-    if [ $1 == 5 ];then
-        version="$6"
-    else
-        version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
-    fi
-
-    if ! [[ "$version" =~ ^[0-9]+$ ]];then
-        echo "Elasticsearch major version must be an integer"
-        exit 1
-    fi
-
-    repository="$repository_name-$version"
-    s3_path="$path/$version"
-
-    >&2 echo "Create S3 repository"
-
-    until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
-      >&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
-      sleep 5
-    done
-
-    >&2 echo "S3 repository created"
-
-
-}
-
-# Run functions CheckArgs and CreateRepo
-# param 1: number of arguments passed to configure_s3.sh
-# param 2: <Elastic_Server_IP:Port>
-# param 3: <Bucket>
-# param 4: <Path>
-# param 5: <RepositoryName>
-# param 6: Optional <Elasticsearch major version>
-
-function Main()
-{
-    CheckArgs $1
-
-    CreateRepo $1 $2 $3 $4 $5 $6
-}
-
-Main $# $1 $2 $3 $4 $5

elasticsearch/config/entrypoint.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
-
-done

elasticsearch/config/load_settings.sh

@@ -1,232 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
-fi
-
-if [[ "x${WAZUH_API_URL}" = "x" ]]; then
-  wazuh_url="https://wazuh"
-else
-  wazuh_url="${WAZUH_API_URL}"
-fi
-
-ELASTIC_PASS=""
-KIBANA_USER=""
-KIBANA_PASS=""
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-ADMIN_USER=""
-ADMIN_PASS=""
-WAZH_API_USER=""
-WAZH_API_PASS=""
-MONITORING_USER=""
-MONITORING_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-  ADMIN_USER=${SECURITY_ADMIN_USER}
-  ADMIN_PASS=${SECURITY_ADMIN_PASS}
-  WAZH_API_USER=${API_USER}
-  WAZH_API_PASS=${API_PASS}
-  MONITORING_USER=${SECURITY_MONITORING_USER}
-  MONITORING_PASS=${SECURITY_MONITORING_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ELASTIC_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"ADMIN_USER"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_USER=${arrIN[1]}
-    elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      ADMIN_PASS=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_USER"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_USER=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_PASS=${arrIN[1]}
-    elif [[ $line == *"MONITORING_USER"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_USER=${arrIN[1]}
-    elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      MONITORING_PASS=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-uelastic:${ELASTIC_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl ${auth} -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
->&2 echo "Elastic is up - executing command"
-
-if [ $ENABLE_CONFIGURE_S3 ]; then
-  #Wait for Elasticsearch to be ready to create the repository
-  sleep 10
-  >&2 echo "Configure S3"
-  if [ "x$S3_PATH" != "x" ]; then
-    >&2 echo "S3_PATH"
-    >&2 echo $S3_PATH
-    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
-      >&2 echo "Elasticsearch major version:"
-      >&2 echo $S3_ELASTIC_MAJOR
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
-    else
-      >&2 echo "Elasticserach major version not given"
-      bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
-
-    fi
-
-  fi
-
-fi
-
-##############################################################################
-# Setup passwords for Elastic Stack users
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-  MY_HOSTNAME=`hostname`
-  echo "Hostname:"
-  echo $MY_HOSTNAME
-  if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
-    echo "Setting up passwords for all Elastic Stack users"
-
-    echo "Setting remote monitoring password"
-    SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
-      >&2 echo "Unavailable password seeting- sleeping"
-      sleep 2
-    done
-    echo "Setting Kibana password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ],  "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ],  "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ],  "privileges": ["read", "view_index_metadata"] }  ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER"  -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"],  "full_name" : "Service Internal Kibana User" }'
-    echo "Setting APM password"
-    SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
-    echo "Setting Beats password"
-    SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
-    curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
-    echo "Setting Logstash password"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ],  "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"],  "full_name" : "Service Internal Logstash User" }'
-    echo "Passwords established for all Elastic Stack users"
-    echo "Creating Admin user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"],  "full_name" : "Wazuh admin" }'
-    echo "Admin user created"
-    echo "Setting monitoring user"
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ],  "privileges": ["write","create_index","manage","read", "index"] } ] }'
-    sleep 5
-    curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"],  "full_name" : "Service Internal Monitoring User" }'
-  fi
-fi
-
-#Insert default templates
-
-sed -i 's|    "index.refresh_interval": "5s"|    "index.refresh_interval": "5s",    "number_of_shards" :   '"${ALERTS_SHARDS}"',    "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
-
-cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
-sleep 5
-
-
-API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
-if [ "x$CONFIG_CODE" = "x404" ]; then
-  curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "'"$API_USER_Q"'",
-    "api_password": "'"$API_PASSWORD"'",
-    "url": "'"$wazuh_url"'",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "Wazuh APP already configured"
-fi
-sleep 5
-
-curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "persistent": {
-    "xpack.monitoring.collection.enabled": true
-  }
-}
-'
-
-# Set cluster delayed timeout when node falls
-curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
-{
-  "settings": {
-    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
-  }
-}
-'
-
-# Remove credentials file.
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-echo "Elasticsearch is ready."

generate-elasticsearch-certs.yml

@@ -0,0 +1,17 @@
+version: '2.2'
+
+services:
+  generator:
+    container_name: generator
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    command: >
+      bash -c '
+        if [[ ! -f config/certificates/bundle.zip ]]; then
+          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip;
+          unzip config/certificates/bundle.zip -d config/certificates/;
+        fi;
+        chown -R 1000:0 /certs
+      '
+    user: "0"
+    working_dir: /usr/share/elasticsearch
+    volumes: ['./xpack:/usr/share/elasticsearch/config/certificates']

generate-opendistro-certs.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/opendistro-certs-generator:0.1
+    hostname: opendistro-certs-generator
+    volumes:
+      - ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
+      - ./production_cluster/ssl_certs/:/usr/src/certs/out/ 

kibana-odfe/Dockerfile

@@ -0,0 +1,59 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
+USER kibana
+ARG ELASTIC_VERSION=7.10.2
+ARG WAZUH_VERSION=4.1.5
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
+
+WORKDIR /
+USER root
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_HIPAA="" \
+    EXTENSIONS_NIST="" \
+    EXTENSIONS_TSC="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_GCP="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    EXTENSIONS_DOCKER="" \
+    APP_TIMEOUT="" \
+    API_SELECTOR="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS="" \
+    ADMIN_PRIVILEGES=""
+
+USER kibana
+
+COPY ./config/custom_welcome /tmp/custom_welcome
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+RUN chmod +x ./welcome_wazuh.sh
+ARG CHANGE_WELCOME="true"
+RUN ./welcome_wazuh.sh
+
+COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+RUN chmod +x ./kibana_settings.sh
+
+ENTRYPOINT ./entrypoint.sh

kibana-odfe/config/custom_welcome/template.js.hbs

@@ -0,0 +1,112 @@
+var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
+window.__kbnStrictCsp__ = kbnCsp.strictCsp;
+window.__kbnThemeTag__ = "{{themeTag}}";
+window.__kbnPublicPath__ = {{publicPathMap}};
+window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
+
+if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
+  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
+  legacyBrowserError.style.display = 'flex';
+} else {
+  if (!window.__kbnCspNotEnforced__ && window.console) {
+    window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
+  }
+  var loadingMessage = document.getElementById('kbn_loading_message');
+  loadingMessage.style.display = 'flex';
+
+  window.onload = function () {
+    //WAZUH 
+      var interval = setInterval(() => {  
+        var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
+        if (!!title) {
+          clearInterval(interval);
+	  var content = document.querySelector("#kibana-body > div");
+          content.classList.add("wz-login")
+          title.textContent = "Welcome to Wazuh";
+          var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
+          subtitle.textContent = "The Open Source Security Platform";
+          var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
+          logo.remove();
+          var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
+          $(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
+        } 
+      })  
+    //
+
+    function failure() {
+      // make subsequent calls to failure() noop
+      failure = function () {};
+
+      var err = document.createElement('h1');
+      err.style['color'] = 'white';
+      err.style['font-family'] = 'monospace';
+      err.style['text-align'] = 'center';
+      err.style['background'] = '#F44336';
+      err.style['padding'] = '25px';
+      err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
+
+      document.body.innerHTML = err.outerHTML;
+    }
+
+    var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
+    function loadStyleSheet(url, cb) {
+      var dom = document.createElement('link');
+      dom.rel = 'stylesheet';
+      dom.type = 'text/css';
+      dom.href = url;
+      dom.addEventListener('error', failure);
+      dom.addEventListener('load', cb);
+      document.head.insertBefore(dom, stylesheetTarget);
+    }
+
+    var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
+    function loadScript(url, cb) {
+      var dom = document.createElement('script');
+      {{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
+      dom.async = false;
+      dom.src = url;
+      dom.addEventListener('error', failure);
+      dom.addEventListener('load', cb);
+      document.head.insertBefore(dom, scriptsTarget);
+    }
+
+    function load(urls, cb) {
+      var pending = urls.length;
+      urls.forEach(function (url) {
+        var innerCb = function () {
+          pending = pending - 1;
+          if (pending === 0 && typeof cb === 'function') {
+            cb();
+          }
+        }
+
+        if (typeof url !== 'string') {
+          load(url, innerCb);
+        } else if (url.slice(-4) === '.css') {
+          loadStyleSheet(url, innerCb);
+        } else {
+          loadScript(url, innerCb);
+        }
+      });
+    }
+
+    load([
+      {{#each jsDependencyPaths}}
+        '{{this}}',
+      {{/each}}
+    ], function () {
+      {{#unless legacyBundlePath}}
+        __kbnBundles__.get('entry/core/public').__kbnBootstrap__();
+      {{/unless}}
+
+      load([
+        {{#if legacyBundlePath}}
+          '{{legacyBundlePath}}',
+        {{/if}}
+        {{#each styleSheetPaths}}
+          '{{this}}',
+        {{/each}}
+      ]);
+    });
+  }
+}

kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>

kibana-odfe/config/entrypoint.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
+  if [[ ${ENABLED_SECURITY} == "false" ]]; then
+    export el_url="http://elasticsearch:9200"
+  else
+    export el_url="https://elasticsearch:9200"
+  fi
+else
+  export el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
+  auth=""
+  # remove security plugin from kibana if elasticsearch is not using it either
+  /usr/share/kibana/bin/kibana-plugin remove opendistro_security
+else
+  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+sleep 2
+
+/usr/local/bin/kibana-docker

kibana-odfe/config/kibana_settings.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=4
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+while [[ "$(curl -XGET -I  -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
+  echo "Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+echo "End settings"

kibana-odfe/config/wazuh.yml

@@ -0,0 +1,162 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2021 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api     : true
+#checks.setup   : true
+#checks.metaFields: true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci       : true
+#extensions.gdpr      : true
+#extensions.hipaa     : true
+#extensions.nist      : true
+#extensions.tsc       : true
+#extensions.audit     : true
+#extensions.oscap     : false
+#extensions.ciscat    : false
+#extensions.aws       : false
+#extensions.gcp       : false
+#extensions.virustotal: false
+#extensions.osquery   : false
+#extensions.docker    : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# -------------------------------- API selector --------------------------------
+#
+# Defines if the user is allowed to change the selected
+# API directly from the Wazuh app top menu.
+# Default: true
+#api.selector: true
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-*
+#
+# --------------------------------- wazuh-cron ----------------------------------
+#
+# Customize the index prefix of predefined jobs
+# This change is not retroactive, if you change it new indexes will be created
+# cron.prefix: test
+#
+# ------------------------------ wazuh-statistics -------------------------------
+#
+# Custom setting to enable/disable statistics tasks.
+#cron.statistics.status: true
+#
+# Enter the ID of the APIs you want to save data from, leave this empty to run
+# the task on all configured APIs
+#cron.statistics.apis: []
+#
+# Define the frequency of task execution using cron schedule expressions
+#cron.statistics.interval: 0 0 * * * *
+#
+# Define the name of the index in which the documents are to be saved.
+#cron.statistics.index.name: statistics
+#
+# Define the interval in which the index will be created
+#cron.statistics.index.creation: w
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ---------------------------- Hide manager alerts ------------------------------
+# Hide the alerts of the manager in all dashboards and discover
+#hideManagerAlerts: false
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+# -------------------------------- Enrollment DNS -------------------------------
+# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
+# Default value: ''
+#enrollment.dns: ''
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+#  - <id>:
+#     url: http(s)://<url>
+#     port: <port>
+#     username: <username>
+#     password: <password>
+

kibana-odfe/config/wazuh_app_config.sh

@@ -1,7 +1,12 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
-kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -11,20 +16,21 @@ declare -A CONFIG_MAP=(
   [checks.setup]=$CHECKS_SETUP
   [extensions.pci]=$EXTENSIONS_PCI
   [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.hipaa]=$EXTENSIONS_HIPAA
+  [extensions.nist]=$EXTENSIONS_NIST
+  [extensions.tsc]=$EXTENSIONS_TSC
   [extensions.audit]=$EXTENSIONS_AUDIT
   [extensions.oscap]=$EXTENSIONS_OSCAP
   [extensions.ciscat]=$EXTENSIONS_CISCAT
   [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.gcp]=$EXTENSIONS_GCP
   [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
   [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [extensions.docker]=$EXTENSIONS_DOCKER
   [timeout]=$APP_TIMEOUT
-  [wazuh.shards]=$WAZUH_SHARDS
-  [wazuh.replicas]=$WAZUH_REPLICAS
-  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
-  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
+  [api.selector]=$API_SELECTOR
   [ip.selector]=$IP_SELECTOR
   [ip.ignore]=$IP_IGNORE
-  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
   [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
   [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
   [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
@@ -38,3 +44,21 @@ do
         sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
     fi
 done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file
+hosts:
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      username: $api_username
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

kibana-odfe/config/welcome_wazuh.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+    echo "Set Wazuh app as the default landing page"
+    echo "server.defaultRoute: /app/wazuh?security_tenant=global" >> /usr/share/kibana/config/kibana.yml
+
+    echo "Set custom welcome styles"
+    cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
+    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css
+    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/
+fi
+

kibana/Dockerfile

@@ -1,31 +1,12 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:6.8.2
-ARG WAZUH_APP_VERSION=3.9.4_6.8.2
-USER root
-
-ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
-
-RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
-    chown -R kibana:kibana /usr/share/kibana &&\
-    rm -rf /tmp/*
-
-RUN yum install openssl -y
-
-COPY config/entrypoint.sh ./entrypoint.sh
-RUN chmod 755 ./entrypoint.sh
-RUN mkdir /entrypoint-scripts
-
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.10.2
 USER kibana
+ARG ELASTIC_VERSION=7.10.2
+ARG WAZUH_VERSION=4.1.5
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
 
 ENV PATTERN="" \
     CHECKS_PATTERN="" \
@@ -34,60 +15,50 @@ ENV PATTERN="" \
     CHECKS_SETUP="" \
     EXTENSIONS_PCI="" \
     EXTENSIONS_GDPR="" \
+    EXTENSIONS_HIPAA="" \
+    EXTENSIONS_NIST="" \
+    EXTENSIONS_TSC="" \
     EXTENSIONS_AUDIT="" \
     EXTENSIONS_OSCAP="" \
     EXTENSIONS_CISCAT="" \
     EXTENSIONS_AWS="" \
+    EXTENSIONS_GCP="" \
     EXTENSIONS_VIRUSTOTAL="" \
     EXTENSIONS_OSQUERY="" \
+    EXTENSIONS_DOCKER="" \
     APP_TIMEOUT="" \
-    WAZUH_SHARDS="" \
-    WAZUH_REPLICAS="" \
-    WAZUH_VERSION_SHARDS="" \
-    WAZUH_VERSION_REPLICAS="" \
+    API_SELECTOR="" \
     IP_SELECTOR="" \
     IP_IGNORE="" \
-    XPACK_RBAC_ENABLED="" \
     WAZUH_MONITORING_ENABLED="" \
     WAZUH_MONITORING_FREQUENCY="" \
     WAZUH_MONITORING_SHARDS="" \
     WAZUH_MONITORING_REPLICAS="" \
-    ADMIN_PRIVILEGES=""
+    ADMIN_PRIVILEGES="" \
+    XPACK_CANVAS="true" \
+    XPACK_LOGS="true"   \
+    XPACK_INFRA="true"  \
+    XPACK_ML="true" \
+    XPACK_DEVTOOLS="true"   \
+    XPACK_MONITORING="true" \
+    XPACK_APM="true"
 
-ARG XPACK_CANVAS="false"
-ARG XPACK_LOGS="false"
-ARG XPACK_INFRA="false"
-ARG XPACK_ML="false"
-ARG XPACK_DEVTOOLS="false"
-ARG XPACK_MONITORING="false"
-ARG XPACK_APM="false"
-ARG XPACK_MAPS="false"
-ARG XPACK_UPTIME="false"
+WORKDIR /
+USER kibana
 
-ARG CHANGE_WELCOME="true"
+COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
 
-COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
+RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml
 
-COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
+COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+RUN chmod +x ./wazuh_app_config.sh
 
 COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
-
 RUN chmod +x ./kibana_settings.sh
 
 COPY --chown=kibana:kibana ./config/xpack_config.sh ./
-
 RUN chmod +x ./xpack_config.sh
 
-RUN ./xpack_config.sh
-
-COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
-
-RUN chmod +x ./welcome_wazuh.sh
-
-RUN ./welcome_wazuh.sh
-
-RUN /usr/local/bin/kibana-docker --optimize
-
 ENTRYPOINT ./entrypoint.sh

kibana/config/20-entrypoint.sh

@@ -1,133 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-until curl -XGET $el_url ${auth}; do
-  >&2 echo "Elastic is unavailable - sleeping"
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
-# We must create the ssl certificate.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-
-  # Create keystore
-  /usr/share/kibana/bin/kibana-keystore create
-  
-  echo "Setting security Kibana configuiration options."
-
-  echo "
-# Elasticsearch from/to Kibana
-elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
-
-server.ssl.enabled: true
-server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
-server.ssl.supportedProtocols: 
-  - TLSv1.1
-  - TLSv1.2
-" >> /usr/share/kibana/config/kibana.yml
-
-  echo "Create SSL directories."
-
-  mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
-  CA_PATH="/usr/share/kibana/config"
-
-  echo "Creating SSL certificates."
-  
-  pushd $CA_PATH
-
-  chown kibana: $CA_PATH/$SECURITY_CA_PEM
-  chmod 400 $CA_PATH/$SECURITY_CA_PEM
-  SECURITY_KEY_PASS=`openssl rand -base64 32`
-  openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
-  chown -R kibana: $CA_PATH/ssl
-  chmod -R 770 $CA_PATH/ssl
-  chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
-
-  popd
-  echo "SSL certificates created."
-
-  # Add keys to keystore
-  echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
-  echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
-  echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
-
-fi
-
-##############################################################################
-# Run more configuration scripts.
-##############################################################################
-
-bash /usr/share/kibana/kibana_settings.sh &
-
-/usr/local/bin/kibana-docker

kibana/config/entrypoint.sh

@@ -1,8 +1,60 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
+set -e
 
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  export el_url="http://elasticsearch:9200"
+else
+  export el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  export auth=""
+else
+  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
 done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+./xpack_config.sh
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+sleep 2
+
+/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -1,8 +1,7 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
-
-WAZUH_MAJOR=3
+WAZUH_MAJOR=4
 
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
@@ -18,52 +17,38 @@ WAZUH_MAJOR=3
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
-if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
-  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
-fi
+sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
 
-if [ "$KIBANA_IP" != "" ]; then
-  kibana_ip="$KIBANA_IP"
-else
-  kibana_ip="kibana"
-fi
-
-KIBANA_USER=""
-KIBANA_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  KIBANA_USER=${SECURITY_KIBANA_USER}
-  KIBANA_PASS=${SECURITY_KIBANA_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"KIBANA_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_PASS=${arrIN[1]}
-    elif [[ $line == *"KIBANA_USER"* ]]; then
-      arrIN=(${line//:/ })
-      KIBANA_USER=${arrIN[1]}
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
   fi
-  done < "$input"
- 
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
 
+kibana_proto="http"
 
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u $KIBANA_USER:${KIBANA_PASS}"
-  kibana_secure_ip="https://$kibana_ip"
-else
-  auth=""
-  kibana_secure_ip="http://$kibana_ip"
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  kibana_proto="https"
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
 fi
 
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+    curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
 
-while [[ "$(curl $auth -k -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
+while [[ "$(curl $curl_auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do
   echo "Waiting for Kibana API. Sleeping 5 seconds"
   sleep 5
 done
 
+
+
 # Prepare index selection.
 echo "Kibana API is running"
 
@@ -79,23 +64,16 @@ EOF
 
 sleep 5
 # Add the wazuh alerts index as default.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 
 sleep 5
 # Configuring Kibana TimePicker.
-curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
 
 sleep 5
 # Do not ask user to help providing usage statistics to Elastic
-curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
-
-# Remove credentials file
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
 
 echo "End settings"

kibana/config/wazuh.yml

@@ -0,0 +1,162 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2021 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api     : true
+#checks.setup   : true
+#checks.metaFields: true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci       : true
+#extensions.gdpr      : true
+#extensions.hipaa     : true
+#extensions.nist      : true
+#extensions.tsc       : true
+#extensions.audit     : true
+#extensions.oscap     : false
+#extensions.ciscat    : false
+#extensions.aws       : false
+#extensions.gcp       : false
+#extensions.virustotal: false
+#extensions.osquery   : false
+#extensions.docker    : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# -------------------------------- API selector --------------------------------
+#
+# Defines if the user is allowed to change the selected
+# API directly from the Wazuh app top menu.
+# Default: true
+#api.selector: true
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-*
+#
+# --------------------------------- wazuh-cron ----------------------------------
+#
+# Customize the index prefix of predefined jobs
+# This change is not retroactive, if you change it new indexes will be created
+# cron.prefix: test
+#
+# ------------------------------ wazuh-statistics -------------------------------
+#
+# Custom setting to enable/disable statistics tasks.
+#cron.statistics.status: true
+#
+# Enter the ID of the APIs you want to save data from, leave this empty to run
+# the task on all configured APIs
+#cron.statistics.apis: []
+#
+# Define the frequency of task execution using cron schedule expressions
+#cron.statistics.interval: 0 0 * * * *
+#
+# Define the name of the index in which the documents are to be saved.
+#cron.statistics.index.name: statistics
+#
+# Define the interval in which the index will be created
+#cron.statistics.index.creation: w
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ---------------------------- Hide manager alerts ------------------------------
+# Hide the alerts of the manager in all dashboards and discover
+#hideManagerAlerts: false
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+# -------------------------------- Enrollment DNS -------------------------------
+# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
+# Default value: ''
+#enrollment.dns: ''
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+#  - <id>:
+#     url: http(s)://<url>
+#     port: <port>
+#     username: <username>
+#     password: <password>
+

kibana/config/wazuh_app_config.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.hipaa]=$EXTENSIONS_HIPAA
+  [extensions.nist]=$EXTENSIONS_NIST
+  [extensions.tsc]=$EXTENSIONS_TSC
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.gcp]=$EXTENSIONS_GCP
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [extensions.docker]=$EXTENSIONS_DOCKER
+  [timeout]=$APP_TIMEOUT
+  [api.selector]=$API_SELECTOR
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file
+hosts:
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      username: $api_username
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

kibana/config/welcome_wazuh.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-if [[ $CHANGE_WELCOME == "true" ]]
-then
-
-    rm -rf ./optimize/bundles
-
-    kibana_path="/usr/share/kibana"
-    # Set Wazuh app as the default landing page
-    echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
-
-    # Redirect Kibana welcome screen to Discover
-    echo "Redirect Kibana welcome screen to Discover"
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
-    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
-
-    # Hide management undesired links
-    echo "Hide management undesired links"
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
-    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
-fi
-

kibana/config/xpack_config.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
 kibana_config_file="/usr/share/kibana/config/kibana.yml"
 if grep -Fq  "#xpack features" "$kibana_config_file";
@@ -9,11 +10,8 @@ then
     [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
     [xpack.ml.enabled]=$XPACK_ML
     [xpack.canvas.enabled]=$XPACK_CANVAS
-    [xpack.logstash.enabled]=$XPACK_LOGS
     [xpack.infra.enabled]=$XPACK_INFRA
     [xpack.monitoring.enabled]=$XPACK_MONITORING
-    [xpack.maps.enabled]=$XPACK_MAPS
-    [xpack.uptime.enabled]=$XPACK_UPTIME
     [console.enabled]=$XPACK_DEVTOOLS
   )
   for i in "${!CONFIG_MAP[@]}"
@@ -30,11 +28,8 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
-xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
-xpack.maps.enabled: $XPACK_MAPS
-xpack.uptime.enabled: $XPACK_UPTIME
 console.enabled: $XPACK_DEVTOOLS
 " >> $kibana_config_file
 fi

logstash/Dockerfile

@@ -1,37 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/logstash/logstash:6.8.2
-
-COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN rm -f /usr/share/logstash/pipeline/logstash.conf
-
-COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-ARG SECURITY_CA_PEM_ARG=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
-
-# Set permissions for CA
-USER root
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
-
-# Add entrypoint scripts
-RUN mkdir /entrypoint-scripts
-RUN chmod -R 774 /entrypoint-scripts
-RUN chown -R logstash:logstash /entrypoint-scripts
-COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
-RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
-USER logstash
-
-ENTRYPOINT /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -1,49 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-# Wazuh - Logstash configuration file
-## Remote Wazuh Manager - Filebeat input
-input {
-    beats {
-        port => 5000
-        codec => "json_lines"
-#       ssl => true
-#       ssl_certificate => "/etc/logstash/logstash.crt"
-#       ssl_key => "/etc/logstash/logstash.key"
-    }
-}
-filter {
-    if [data][srcip] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][srcip]}" ]
-        }
-    }
-    if [data][aws][sourceIPAddress] {
-        mutate {
-            add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
-        }
-    }
-}
-filter {
-    geoip {
-        source => "@src_ip"
-        target => "GeoLocation"
-        fields => ["city_name", "country_name", "region_name", "location"]
-    }
-    date {
-        match => ["timestamp", "ISO8601"]
-        target => "@timestamp"
-    }
-    mutate {
-        remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
-    }
-}
-output {
-    elasticsearch {
-        hosts => ["elasticsearch:9200"]
-        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
-        document_type => "wazuh"
-        #user => service_logstash
-        #password => service_logstash_internal_password
-        #ssl => true
-        #cacert => "/path/to/cert.pem"
-    }
-}

logstash/config/10-entrypoint.sh

@@ -1,158 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-#
-# OSSEC container bootstrap. See the README for information of the environment
-# variables expected by this script.
-#
-
-set -e
-
-##############################################################################
-# Waiting for elasticsearch
-##############################################################################
-
-if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
-  el_url="http://elasticsearch:9200"
-else
-  el_url="${ELASTICSEARCH_URL}"
-fi
-
-LOGSTASH_USER=""
-LOGSTASH_PASS=""
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
-  LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
-else
-  input=${SECURITY_CREDENTIALS_FILE}
-  while IFS= read -r line
-  do
-    if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_PASS=${arrIN[1]}
-    elif [[ $line == *"LOGSTASH_USER"* ]]; then
-      arrIN=(${line//:/ })
-      LOGSTASH_USER=${arrIN[1]}
-    fi
-  done < "$input"
- 
-fi
-
-if [ ${SECURITY_ENABLED} != "no" ]; then
-  auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
-elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
-  auth=""
-else
-  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
-fi
-
-
-##############################################################################
-# Customize logstash output ip
-##############################################################################
-
-if [ "$LOGSTASH_OUTPUT" != "" ]; then
-  >&2 echo "Customize Logstash ouput ip."
-  sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
-fi
-
-until curl $auth -XGET $el_url; do
-  >&2 echo "Elastic is unavailable - sleeping."
-  sleep 5
-done
-
-sleep 2
-
->&2 echo "Elasticsearch is up."
-
-
-##############################################################################
-# Set Logstash password
-##############################################################################
-
-##############################################################################
-# If Secure access to Kibana is enabled, we must set the credentials.
-##############################################################################
-
-if [[ $SECURITY_ENABLED == "yes" ]]; then
-
-  ## Create secure keystore
-  SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
-  export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
-  /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
-
-  ## Settings for logstash.yml
-  echo "
-# Required set the passwords
-xpack.monitoring.enabled: true
-xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-
-xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
-xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
-xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
-xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
-" >> /usr/share/logstash/config/logstash.yml
-
-  ## Settings for 01-wazuh.conf
-  sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
-  sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf 
-
-  ## Add keys to the keystore
-  echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
-  echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
-  
-  
-fi
-  
-
-##############################################################################
-# Waiting for wazuh alerts template
-##############################################################################
-
-strlen=0
-
-while [[ $strlen -eq 0 ]]
-do
-  template=$(curl $auth $el_url/_cat/templates/wazuh -s)
-  strlen=${#template}
-  >&2 echo "Wazuh alerts template not loaded - sleeping."
-  sleep 2
-done
-
-sleep 2
-
->&2 echo "Wazuh alerts template is loaded."
-
-
-##############################################################################
-# Remove credentials file
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "Security credentials file not used. Nothing to do."
-else
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi
-
-
-##############################################################################
-# Map environment variables to entries in logstash.yml.
-# Note that this will mutate logstash.yml in place if any such settings are found.
-# This may be undesirable, especially if logstash.yml is bind-mounted from the
-# host system.
-##############################################################################
-
-env2yaml /usr/share/logstash/config/logstash.yml
-
-export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
-
-if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
-  exec logstash "$@"
-else
-  exec "$@"
-fi

logstash/config/entrypoint.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
-
-done

nginx/Dockerfile

@@ -1,19 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM nginx:latest
-
-ENV DEBIAN_FRONTEND noninteractive
-
-RUN apt-get update && apt-get install -y openssl apache2-utils
-
-COPY config/entrypoint.sh /entrypoint.sh
-
-RUN chmod 755 /entrypoint.sh
-
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-VOLUME ["/etc/nginx/conf.d"]
-
-ENV NGINX_NAME="foo" \
-    NGINX_PWD="bar"
-
-ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -1,79 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-# Generating certificates.
-if [ ! -d /etc/nginx/conf.d/ssl ]; then
-  echo "Generating SSL certificates"
-  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
-  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
-else
-  echo "SSL certificates already present"
-fi
-
-# Setting users credentials.
-# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
-#
-# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
-#    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
-#
-# b) Set NGINX_CREDENTIALS in docker-compose.yml:
-#    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
-#    NGINX_CREDENTIALS=user1:pass1;user2:pass2
-#
-if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
-  echo "Setting users credentials"
-  if [ ! -z "$NGINX_CREDENTIALS" ]; then
-    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
-    for index in "${!users[@]}"
-    do
-      IFS=':' read -r -a credentials <<< "${users[index]}"
-      if [ $index -eq 0 ]; then
-        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
-      else
-        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
-      fi
-    done
-  else
-    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
-    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
-  fi
-else
-  echo "Kibana credentials already configured"
-fi
-
-if [ "x${NGINX_PORT}" = "x" ]; then
-  NGINX_PORT=443
-fi
-
-if [ "x${KIBANA_HOST}" = "x" ]; then
-  KIBANA_HOST="kibana:5601"
-fi
-
-echo "Configuring NGINX"
-cat > /etc/nginx/conf.d/default.conf <<EOF
-server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://\$host:${NGINX_PORT}\$request_uri;
-}
-
-server {
-    listen ${NGINX_PORT} default_server;
-    listen [::]:${NGINX_PORT};
-    ssl on;
-    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
-    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
-    location / {
-        auth_basic "Restricted";
-        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
-        proxy_pass http://${KIBANA_HOST}/;
-        proxy_buffer_size          128k;
-        proxy_buffers              4 256k;
-        proxy_busy_buffers_size    256k;
-    }
-}
-EOF
-
-nginx -g 'daemon off;'

production-cluster.yml

@@ -0,0 +1,204 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh-master:
+    image: wazuh/wazuh-odfe:4.1.5
+    hostname: wazuh-master
+    restart: always
+    ports:
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=admin
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=acme-user
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ossec-api-configuration:/var/ossec/api/configuration
+      - ossec-etc:/var/ossec/etc
+      - ossec-logs:/var/ossec/logs
+      - ossec-queue:/var/ossec/queue
+      - ossec-var-multigroups:/var/ossec/var/multigroups
+      - ossec-integrations:/var/ossec/integrations
+      - ossec-active-response:/var/ossec/active-response/bin
+      - ossec-agentless:/var/ossec/agentless
+      - ossec-wodles:/var/ossec/wodles
+      - filebeat-etc:/etc/filebeat
+      - filebeat-var:/var/lib/filebeat
+      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
+      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
+      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh-worker:
+    image: wazuh/wazuh-odfe:4.1.5
+    hostname: wazuh-worker
+    restart: always
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=admin
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+    volumes:
+      - worker-ossec-api-configuration:/var/ossec/api/configuration
+      - worker-ossec-etc:/var/ossec/etc
+      - worker-ossec-logs:/var/ossec/logs
+      - worker-ossec-queue:/var/ossec/queue
+      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
+      - worker-ossec-integrations:/var/ossec/integrations
+      - worker-ossec-active-response:/var/ossec/active-response/bin
+      - worker-ossec-agentless:/var/ossec/agentless
+      - worker-ossec-wodles:/var/ossec/wodles
+      - worker-filebeat-etc:/etc/filebeat
+      - worker-filebeat-var:/var/lib/filebeat
+      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
+      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
+      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
+
+  elasticsearch:
+    image: amazon/opendistro-for-elasticsearch:1.13.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - elastic-data-1:/usr/share/elasticsearch/data
+      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
+      - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
+      - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
+      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+
+  elasticsearch-2:
+    image: amazon/opendistro-for-elasticsearch:1.13.2
+    hostname: elasticsearch-2
+    restart: always
+    environment:
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - elastic-data-2:/usr/share/elasticsearch/data
+      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
+      - ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
+      - ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
+      - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+
+  elasticsearch-3:
+    image: amazon/opendistro-for-elasticsearch:1.13.2
+    hostname: elasticsearch-3
+    restart: always
+    environment:
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - elastic-data-3:/usr/share/elasticsearch/data
+      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
+      - ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
+      - ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
+      - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
+      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
+
+  kibana:
+    image: wazuh/wazuh-kibana-odfe:4.1.5
+    hostname: kibana
+    restart: always
+    ports:
+      - 5601:5601
+    environment:
+      - ELASTICSEARCH_USERNAME=admin
+      - ELASTICSEARCH_PASSWORD=SecretPassword
+      - SERVER_SSL_ENABLED=true
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
+      - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
+      - WAZUH_API_URL="https://wazuh-master"
+      - API_USERNAME=acme-user
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
+      - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
+
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh-master:wazuh-master
+
+  nginx:
+    image: nginx:stable
+    hostname: nginx
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "1514:1514"
+    depends_on:
+      - wazuh-master
+      - wazuh-worker
+      - kibana
+    links:
+      - wazuh-master:wazuh-master
+      - wazuh-worker:wazuh-worker
+      - kibana:kibana
+    volumes:
+      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
+
+volumes:
+  ossec-api-configuration:
+  ossec-etc:
+  ossec-logs:
+  ossec-queue:
+  ossec-var-multigroups:
+  ossec-integrations:
+  ossec-active-response:
+  ossec-agentless:
+  ossec-wodles:
+  filebeat-etc:
+  filebeat-var:
+  worker-ossec-api-configuration:
+  worker-ossec-etc:
+  worker-ossec-logs:
+  worker-ossec-queue:
+  worker-ossec-var-multigroups:
+  worker-ossec-integrations:
+  worker-ossec-active-response:
+  worker-ossec-agentless:
+  worker-ossec-wodles:
+  worker-filebeat-etc:
+  worker-filebeat-var:
+  elastic-data-1:
+  elastic-data-2:
+  elastic-data-3:

production_cluster/elastic_opendistro/elasticsearch-node1.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node1.pem
+opendistro_security.ssl.transport.pemkey_filepath: node1.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node1.pem
+opendistro_security.ssl.http.pemkey_filepath: node1.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: []
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node2.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-2
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node2.pem
+opendistro_security.ssl.transport.pemkey_filepath: node2.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node2.pem
+opendistro_security.ssl.http.pemkey_filepath: node2.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: []
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node3.yml

@@ -0,0 +1,31 @@
+network.host: 0.0.0.0
+cluster.name: wazuh-cluster
+node.name: elasticsearch-3
+discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
+cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
+bootstrap.memory_lock: true
+
+opendistro_security.ssl.transport.pemcert_filepath: node3.pem
+opendistro_security.ssl.transport.pemkey_filepath: node3.key
+opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.ssl.transport.enforce_hostname_verification: false
+opendistro_security.ssl.transport.resolve_hostname: false
+opendistro_security.ssl.http.enabled: true
+opendistro_security.ssl.http.pemcert_filepath: node3.pem
+opendistro_security.ssl.http.pemkey_filepath: node3.key
+opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
+opendistro_security.allow_default_init_securityindex: true
+opendistro_security.nodes_dn:
+    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
+opendistro_security.authcz.admin_dn: []
+opendistro_security.audit.type: internal_elasticsearch
+opendistro_security.enable_snapshot_restore_privilege: true
+opendistro_security.check_snapshot_restore_write_privileges: true
+opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
+cluster.routing.allocation.disk.threshold_enabled: false
+#opendistro_security.audit.config.disabled_rest_categories: NONE
+#opendistro_security.audit.config.disabled_transport_categories: NONE
+opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/internal_users.yml

@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"

production_cluster/kibana_ssl/generate-self-signed-cert.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+    echo "Certificate already exists"
+    exit
+else
+    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi

production_cluster/nginx/nginx.conf

@@ -0,0 +1,67 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    server_tokens off;
+    gzip  on;
+
+    # kibana UI
+    server {
+        listen 80;
+        listen [::]:80;
+        return 301 https://$host:443$request_uri;
+    }
+
+    server {
+        listen 443 default_server ssl http2;
+        listen [::]:443 ssl http2;
+        ssl_certificate /etc/nginx/ssl/cert.pem;
+        ssl_certificate_key /etc/nginx/ssl/key.pem;
+        location / {
+            proxy_pass https://kibana:5601/;
+            proxy_ssl_verify off;
+            proxy_buffer_size          128k;
+            proxy_buffers              4 256k;
+            proxy_busy_buffers_size    256k;
+        }
+    }
+
+}
+
+
+
+# load balancer for Wazuh cluster
+stream {
+    upstream mycluster {
+        hash $remote_addr consistent;
+        server wazuh-master:1514;
+        server wazuh-worker:1514;
+    }
+    server {
+        listen 1514;
+        proxy_pass mycluster;
+    }
+}

production_cluster/nginx/ssl/generate-self-signed-cert.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+cd $DIR
+
+if [ -s key.pem ]
+then
+    echo "Certificate already exists"
+    exit
+else
+    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+fi

production_cluster/ssl_certs/certs.yml

@@ -0,0 +1,30 @@
+ca:
+   root:
+      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      pkPassword: none
+      keysize: 2048
+      file: root-ca.pem 
+   intermediate:
+      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
+      keysize: 2048
+      validityDays: 3650  
+      pkPassword: intermediate-ca-password
+      file: intermediate-ca.pem
+
+nodes:
+  - name: node1
+    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch
+  - name: node2
+    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-2
+  - name: node3
+    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - elasticsearch-3
+  - name: filebeat
+    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    dns: 
+      - wazuh 

production_cluster/wazuh_cluster/wazuh_manager.conf

@@ -0,0 +1,349 @@
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>no</logall>
+    <logall_json>no</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>ossecm@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detector>
+    <enabled>no</enabled>
+    <interval>5m</interval>
+    <ignore_time>6h</ignore_time>
+    <run_on_start>yes</run_on_start>
+
+    <!-- Ubuntu OS vulnerabilities --> 
+    <provider name="canonical">
+      <enabled>no</enabled>
+      <os>trusty</os>
+      <os>xenial</os>
+      <os>bionic</os>
+      <os>focal</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Debian OS vulnerabilities -->  
+    <provider name="debian">
+      <enabled>no</enabled>
+      <os>stretch</os>
+      <os>buster</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- RedHat OS vulnerabilities -->  
+    <provider name="redhat">
+      <enabled>no</enabled>
+      <os>5</os>
+      <os>6</os>
+      <os>7</os>
+      <os>8</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Windows OS vulnerabilities -->
+    <provider name="msu">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Aggregate vulnerabilities -->
+    <provider name="nvd">
+      <enabled>yes</enabled>
+      <update_from_year>2010</update_from_year>
+      <update_interval>1h</update_interval>
+    </provider>
+
+  </vulnerability-detector>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>4.2.2.1</white_list>
+    <white_list>4.2.2.2</white_list>
+    <white_list>208.67.220.220</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account.sh</executable>
+    <expect>user</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-ossec</name>
+    <executable>restart-ossec.sh</executable>
+    <expect></expect>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null-2012</name>
+    <executable>route-null-2012.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh-win-2016</name>
+    <executable>netsh-win-2016.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+  <!-- Configuration for ossec-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <force_insert>yes</force_insert>
+    <force_time>0</force_time>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <limit_maxagents>yes</limit_maxagents>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>manager</node_name>
+    <node_type>master</node_type>
+    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>wazuh-master</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>no</disabled>
+  </cluster>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+</ossec_config> 

production_cluster/wazuh_cluster/wazuh_worker.conf

@@ -0,0 +1,349 @@
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>no</logall>
+    <logall_json>no</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>ossecm@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detector>
+    <enabled>no</enabled>
+    <interval>5m</interval>
+    <ignore_time>6h</ignore_time>
+    <run_on_start>yes</run_on_start>
+
+    <!-- Ubuntu OS vulnerabilities --> 
+    <provider name="canonical">
+      <enabled>no</enabled>
+      <os>trusty</os>
+      <os>xenial</os>
+      <os>bionic</os>
+      <os>focal</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Debian OS vulnerabilities -->  
+    <provider name="debian">
+      <enabled>no</enabled>
+      <os>stretch</os>
+      <os>buster</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- RedHat OS vulnerabilities -->  
+    <provider name="redhat">
+      <enabled>no</enabled>
+      <os>5</os>
+      <os>6</os>
+      <os>7</os>
+      <os>8</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Windows OS vulnerabilities -->
+    <provider name="msu">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Aggregate vulnerabilities -->
+    <provider name="nvd">
+      <enabled>yes</enabled>
+      <update_from_year>2010</update_from_year>
+      <update_interval>1h</update_interval>
+    </provider>
+
+  </vulnerability-detector>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>4.2.2.1</white_list>
+    <white_list>4.2.2.2</white_list>
+    <white_list>208.67.220.220</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account.sh</executable>
+    <expect>user</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-ossec</name>
+    <executable>restart-ossec.sh</executable>
+    <expect></expect>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null.sh</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null-2012</name>
+    <executable>route-null-2012.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh-win-2016</name>
+    <executable>netsh-win-2016.cmd</executable>
+    <expect>srcip</expect>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+  <!-- Configuration for ossec-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <force_insert>yes</force_insert>
+    <force_time>0</force_time>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <limit_maxagents>yes</limit_maxagents>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>worker01</node_name>
+    <node_type>worker</node_type>
+    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>wazuh-master</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>no</disabled>
+  </cluster>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+</ossec_config> 

wazuh-odfe/Dockerfile

@@ -0,0 +1,54 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM centos:7
+
+ARG FILEBEAT_CHANNEL=filebeat-oss
+ARG FILEBEAT_VERSION=7.10.2
+ARG WAZUH_VERSION=4.1.5-1
+ARG TEMPLATE_VERSION="master"
+ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
+
+# Set repositories.
+RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
+
+COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
+
+RUN yum --enablerepo=updates clean metadata && \
+  yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
+  sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
+  yum clean all && rm -rf /var/cache/yum
+
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
+  rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
+
+RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
+
+RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
+
+ARG S6_VERSION="v2.2.0.3"
+RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
+    -o /tmp/s6-overlay-amd64.tar.gz && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
+    rm  /tmp/s6-overlay-amd64.tar.gz
+
+COPY config/filebeat.yml /etc/filebeat/
+
+RUN chmod go-w /etc/filebeat/filebeat.yml
+
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+RUN chmod go-w /etc/filebeat/wazuh-template.json
+
+COPY config/etc/ /etc/
+COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
+
+# Prepare permanent data
+# Sync calls are due to https://github.com/docker/docker/issues/9547
+COPY config/permanent_data.env config/permanent_data.sh /
+RUN chmod 755 /permanent_data.sh && \
+    sync && /permanent_data.sh && \
+    sync && rm /permanent_data.sh
+
+# Services ports
+EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
+
+ENTRYPOINT [ "/init" ]

wazuh-odfe/config/create_user.py

@@ -0,0 +1,97 @@
+import logging
+import sys
+import json
+import random
+import string
+import os
+
+# Set framework path
+sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
+
+USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
+SPECIAL_CHARS = "@$!%*?&-_"
+
+
+try:
+    from wazuh.security import (
+        create_user,
+        get_users,
+        get_roles,
+        set_user_role,
+        update_user,
+    )
+except Exception as e:
+    logging.error("No module 'wazuh' found.")
+    sys.exit(1)
+
+
+def read_user_file(path=USER_FILE_PATH):
+    with open(path) as user_file:
+        data = json.load(user_file)
+        return data["username"], data["password"]
+
+
+def db_users():
+    users_result = get_users()
+    return {user["username"]: user["id"] for user in users_result.affected_items}
+
+
+def db_roles():
+    roles_result = get_roles()
+    return {role["name"]: role["id"] for role in roles_result.affected_items}
+
+def disable_user(uid):
+    random_pass = "".join(
+                random.choices(
+                    string.ascii_uppercase
+                    + string.ascii_lowercase
+                    + string.digits
+                    + SPECIAL_CHARS,
+                    k=8,
+                )
+            )
+    # assure there must be at least one character from each group
+    random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
+    random_pass = ''.join(random.sample(random_pass,len(random_pass)))
+    update_user(
+        user_id=[
+            str(uid),
+        ],
+        password=random_pass,
+    )
+
+
+if __name__ == "__main__":
+    if not os.path.exists(USER_FILE_PATH):
+        # abort if no user file detected
+        sys.exit(0)
+    username, password = read_user_file()
+    initial_users = db_users()
+    if username not in initial_users:
+        # create a new user
+        create_user(username=username, password=password)
+        users = db_users()
+        uid = users[username]
+        roles = db_roles()
+        rid = roles["administrator"]
+        set_user_role(
+            user_id=[
+                str(uid),
+            ],
+            role_ids=[
+                str(rid),
+            ],
+        )
+    else:
+        # modify an existing user ("wazuh" or "wazuh-wui")
+        uid = initial_users[username]
+        update_user(
+            user_id=[
+                str(uid),
+            ],
+            password=password,
+        )
+    # disable unused default users
+    for def_user in ['wazuh', 'wazuh-wui']:
+        if def_user != username:
+            disable_user(initial_users[def_user])

wazuh-odfe/config/etc/cont-init.d/0-wazuh-init

@@ -1,5 +1,5 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -7,7 +7,6 @@ source /permanent_data.env
 WAZUH_INSTALL_PATH=/var/ossec
 WAZUH_CONFIG_MOUNT=/wazuh-config-mount
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
-API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 
 
 ##############################################################################
@@ -32,14 +31,6 @@ exec_cmd_stdout() {
 }
 
 
-##############################################################################
-# Edit configuration
-##############################################################################
-
-edit_configuration() { # $1 -> setting,  $2 -> value
-  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
-}
-
 ##############################################################################
 # This function will attempt to mount every directory in PERMANENT_DATA
 # into the respective path.
@@ -108,22 +99,6 @@ create_ossec_key_cert() {
   exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
 
-##############################################################################
-# Create certificates: API
-##############################################################################
-
-create_api_key_cert() {
-  print "Enabling Wazuh API HTTPS"
-  edit_configuration "https" "yes"
-  print "Create Wazuh API key and cert"
-  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
-  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
-
-  # Granting proper permissions 
-  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
-  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
-}
-
 ##############################################################################
 # Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
 # destination files permissions
@@ -143,74 +118,35 @@ mount_files() {
   fi
 }
 
-##############################################################################
-# Stop OSSEC
-##############################################################################
-
-function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
-}
 
 ##############################################################################
-# Interpret any passed arguments (via docker command to this entrypoint) as
-# paths or commands, and execute them. 
+# Allow users to set the container hostname as <node_name> dynamically on
+# container start.
 #
-# This can be useful for actions that need to be run before the services are
-# started, such as "/var/ossec/bin/ossec-control enable agentless".
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
 ##############################################################################
 
-docker_custom_args() {
-  for CUSTOM_COMMAND in "$@"
-  do
-    echo "Executing command \`${CUSTOM_COMMAND}\`"
-    exec_cmd_stdout "${CUSTOM_COMMAND}"
-  done
+set_custom_hostname() {
+  sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
 }
 
 ##############################################################################
-# Change Wazuh API user credentials.
+# Allow users to set the container cluster key dynamically on
+# container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
 ##############################################################################
 
-change_api_user_credentials() {
-  pushd /var/ossec/api/configuration/auth/
-  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    WAZUH_API_USER=${API_USER}
-    WAZUH_API_PASS=${API_PASS}
-  else
-    input=${SECURITY_CREDENTIALS_FILE}
-    while IFS= read -r line
-    do
-      if [[ $line == *"WAZUH_API_USER"* ]]; then
-        arrIN=(${line//:/ })
-        WAZUH_API_USER=${arrIN[1]}
-      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
-        arrIN=(${line//:/ })
-        WAZUH_API_PASS=${arrIN[1]}
-      fi
-    done < "$input"
-  fi
-
-  echo "Change Wazuh API user credentials"
-  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
-  eval $change_user
-  popd
+set_custom_cluster_key() {
+  sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
 }
 
-
-
-
-##############################################################################
-# Customize filebeat output ip
-##############################################################################
-
-
-custom_filebeat_output_ip() {
-  if [ "$FILEBEAT_OUTPUT" != "" ]; then
-    sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
-  fi
-}
-
-
 ##############################################################################
 # Main function
 ##############################################################################
@@ -234,29 +170,14 @@ main() {
     fi
   fi
 
-  # Generate API certs if API_GENERATE_CERTS is true and does not exist
-  if [ $API_GENERATE_CERTS == true ]
-  then
-    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
-    then
-      create_api_key_cert
-    fi
-  fi
-
   # Mount selected files (WAZUH_CONFIG_MOUNT) to container
   mount_files
 
-  # Trap exit signals and do a proper shutdown
-  trap "ossec_shutdown; exit" SIGINT SIGTERM
+  # Allow setting custom hostname
+  set_custom_hostname
 
-  # Execute custom args
-  docker_custom_args
-
-  # Change API user credentials
-  change_api_user_credentials
-
-  # Update filebeat configuration
-  custom_filebeat_output_ip
+  # Allow setting custom cluster key
+  set_custom_cluster_key
 
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp

wazuh-odfe/config/etc/cont-init.d/1-config-filebeat

@@ -0,0 +1,45 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [ "$ELASTICSEARCH_URL" != "" ]; then
+  >&2 echo "Customize Elasticsearch ouput IP"
+  sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
+fi
+
+# Configure filebeat.yml security settings
+
+if [ "$ELASTIC_USERNAME" != "" ]; then
+  >&2 echo "Configuring username."
+  sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$ELASTIC_PASSWORD" != "" ]; then
+  >&2 echo "Configuring password."
+  sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
+  >&2 echo "Configuring SSL verification mode."
+  sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
+  >&2 echo "Configuring Certificate Authorities."
+  sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_CERTIFICATE" != "" ]; then
+  >&2 echo "Configuring SSL Certificate."
+  sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
+fi
+
+if [ "$SSL_KEY" != "" ]; then
+  >&2 echo "Configuring SSL Key."
+  sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
+fi
+
+
+chmod go-w /etc/filebeat/filebeat.yml || true
+chown root: /etc/filebeat/filebeat.yml || true

wazuh-odfe/config/etc/cont-init.d/2-manager

@@ -0,0 +1,126 @@
+#!/usr/bin/with-contenv bash
+
+##############################################################################
+# Migration sequence
+# Detect if there is a mounted volume on /wazuh-migration and copy the data
+# to /var/ossec, finally it will create a flag ".migration-completed" inside
+# the mounted volume
+##############################################################################
+
+function __colortext()
+{
+  echo -e " \e[1;$2m$1\e[0m"
+}
+
+function echogreen()
+{
+  echo $(__colortext "$1" "32")
+}
+
+function echoyellow()
+{
+  echo $(__colortext "$1" "33")
+}
+
+function echored()
+{
+  echo $(__colortext "$1" "31")
+}
+
+function_wazuh_migration(){
+  if [ -d "/wazuh-migration" ]; then
+    if [ ! -e /wazuh-migration/.migration-completed ]; then
+      if [ ! -e /wazuh-migration/global.db ]; then
+        echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
+        return
+      fi
+
+      \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
+      chown root:ossec /var/ossec/etc/ossec.conf
+      chmod 640 /var/ossec/etc/ossec.conf
+
+      \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
+      chown ossec:ossec /var/ossec/etc/client.keys
+      chmod 640 /var/ossec/etc/client.keys
+
+      \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
+      \cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
+      chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
+      chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
+
+      \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
+      chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
+      chmod 660 /var/ossec/etc/shared/default/agent.conf
+
+      \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
+      chown ossec:ossec /var/ossec/etc/decoders/*
+      chmod 660 /var/ossec/etc/decoders/*
+
+      \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
+      chown ossec:ossec /var/ossec/etc/rules/*
+      chmod 660 /var/ossec/etc/rules/*
+
+      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
+        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
+        chown root:ossec /var/ossec/agentless/.passlist
+        chmod 640 /var/ossec/agentless/.passlist
+      fi
+
+      \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
+      chown ossec:ossec /var/ossec/queue/db/global.db
+      chmod 640 /var/ossec/queue/db/global.db
+
+      # mark volume as migrated
+      touch /wazuh-migration/.migration-completed
+
+      echogreen "Migration completed succesfully"
+    else
+      echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
+    fi
+  fi
+}
+
+function_create_custom_user() {
+  if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
+  cat << EOF > /var/ossec/api/configuration/admin.json
+{
+  "username": "$API_USERNAME",
+  "password": "$API_PASSWORD"
+}
+EOF
+
+    # create or customize API user
+    if /var/ossec/framework/python/bin/python3  /var/ossec/framework/scripts/create_user.py; then
+      # remove json if exit code is 0
+      rm /var/ossec/api/configuration/admin.json
+    else
+      echored "There was an error configuring the API user"
+      # terminate container to avoid unpredictable behavior
+      exec s6-svscanctl -t /var/run/s6/services
+      exit 1
+    fi
+  fi
+}
+
+function_entrypoint_scripts() {
+  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+  if [ -d "/entrypoint-scripts/" ]
+  then
+    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+      bash "$script"
+    done
+  fi
+}
+
+
+# Migrate data from /wazuh-migration volume
+function_wazuh_migration
+
+# create API custom user
+function_create_custom_user
+
+# run entrypoint scripts
+function_entrypoint_scripts
+
+# Start Wazuh
+/var/ossec/bin/ossec-control start

wazuh-odfe/config/etc/services.d/filebeat/finish

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+echo >&2 "Filebeat exited. code=${1}"
+
+# terminate other services to exit from the container
+exec s6-svscanctl -t /var/run/s6/services
+

wazuh-odfe/config/etc/services.d/filebeat/run

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+echo >&2 "starting Filebeat"
+
+exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

wazuh-odfe/config/etc/services.d/ossec-logs/run

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+# dumping ossec.log to standard output
+exec tail -f /var/ossec/logs/ossec.log

wazuh-odfe/config/filebeat.yml

@@ -0,0 +1,22 @@
+
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+  - module: wazuh
+    alerts:
+      enabled: true
+    archives:
+      enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+output.elasticsearch:
+  hosts: ['https://elasticsearch:9200']
+  #username:
+  #password:
+  #ssl.verification_mode:
+  #ssl.certificate_authorities:
+  #ssl.certificate:
+  #ssl.key:

wazuh-odfe/config/permanent_data.env

@@ -4,12 +4,13 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/queue/tasks"
+PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
-PERMANENT_DATA[((i++))]="/etc/postfix"
 export PERMANENT_DATA
 
 # Files mounted in a volume that should not be permanent
@@ -37,22 +38,28 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
 export PERMANENT_DATA_EXCP
 
 # Files mounted in a volume that should be deleted

wazuh-odfe/config/permanent_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env

wazuh-odfe/config/wazuh.repo

@@ -0,0 +1,7 @@
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://packages.wazuh.com/4.x/yum/
+protect=1

wazuh/Dockerfile

@@ -1,106 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM phusion/baseimage:latest
-
-# Arguments
-ARG FILEBEAT_VERSION=6.8.2
-ARG WAZUH_VERSION=3.9.4-1
-
-# Environment variables
-ENV API_USER="foo" \
-    API_PASS="bar"
-
-# Install packages
-RUN set -x && \
-    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
-    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
-    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
-    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
-    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
-    groupadd -g 1000 ossec && \
-    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
-    add-apt-repository universe && \
-    apt-get update && \
-    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
-    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
-    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
-    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
-    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
-    rm -f /var/ossec/logs/alerts/*/*/* && \
-    rm -f /var/ossec/logs/archives/*/*/* && \
-    rm -f /var/ossec/logs/firewall/*/*/* && \
-    rm -f /var/ossec/logs/api/*/*/* && \
-    rm -f /var/ossec/logs/cluster/*/*/* && \
-    rm -f /var/ossec/logs/ossec/*/*/* && \
-    rm /var/ossec/var/run/* && \
-    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
-    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
-
-# Services
-RUN mkdir /etc/service/wazuh && \
-    mkdir /etc/service/wazuh-api && \
-    mkdir /etc/service/postfix && \
-    mkdir /etc/service/filebeat
-
-COPY config/wazuh.runit.service /etc/service/wazuh/run
-COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
-COPY config/postfix.runit.service /etc/service/postfix/run
-COPY config/filebeat.runit.service /etc/service/filebeat/run
-
-RUN chmod +x /etc/service/wazuh-api/run && \
-    chmod +x /etc/service/wazuh/run && \
-    chmod +x /etc/service/postfix/run && \
-    chmod +x /etc/service/filebeat/run 
-
-# Copy configuration files from repository
-COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml 
-
-# Prepare permanent data
-# Sync calls are due to https://github.com/docker/docker/issues/9547
-COPY config/permanent_data.env /permanent_data.env
-COPY config/permanent_data.sh /permanent_data.sh
-RUN chmod 755 /permanent_data.sh && \
-    sync && \
-    /permanent_data.sh && \
-    sync && \
-    rm /permanent_data.sh 
-
-# Expose ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
-
-# Setting volumes
-# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
-# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
-VOLUME ["/var/ossec/api/configuration"]
-VOLUME ["/var/ossec/etc"]
-VOLUME ["/var/ossec/logs"]
-VOLUME ["/var/ossec/queue"]
-VOLUME ["/var/ossec/var/multigroups"]
-VOLUME ["/var/ossec/integrations"]
-VOLUME ["/var/ossec/active-response/bin"]
-VOLUME ["/var/ossec/wodles"]
-VOLUME ["/etc/filebeat"]
-VOLUME ["/etc/postfix"]
-VOLUME ["/var/lib/filebeat"]
-
-# Prepare entrypoint scripts
-# Entrypoint scripts must be added to the entrypoint-scripts directory
-RUN mkdir /entrypoint-scripts
-
-COPY config/entrypoint.sh /entrypoint.sh
-COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
-
-RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh
-
-# Workaround. 
-# Issues: Wazuh-api
-# https://github.com/wazuh/wazuh-api/issues/440  
-# https://github.com/wazuh/wazuh-api/issues/443
-COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
-RUN chmod 770 /var/ossec/api/controllers/agents.js
-
-# Run all services
-ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/entrypoint.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
-for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
-  bash "$script"
-done
-
-##############################################################################
-# Start Wazuh Server.
-##############################################################################
-
-/sbin/my_init 

wazuh/config/filebeat.runit.service

@@ -1,3 +0,0 @@
-#!/bin/sh
-service filebeat start
-tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -1,18 +0,0 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-filebeat:
- prospectors:
-  - type: log
-    paths:
-     - "/var/ossec/logs/alerts/alerts.json"
-    document_type: json
-    json.message_key: log
-    json.keys_under_root: true
-    json.overwrite_keys: true
-    tail_files: true
-
-output:
- logstash:
-   # The Logstash hosts
-   hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/postfix.runit.service

@@ -1,3 +0,0 @@
-#!/bin/sh
-service postfix start
-tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-api start
-tail -f /var/ossec/logs/api.log
-

wazuh/config/wazuh.runit.service

@@ -1,4 +0,0 @@
-#!/bin/sh
-service wazuh-manager start
-tail -f /var/ossec/logs/ossec.log
-

xpack-compose.yml

@@ -0,0 +1,186 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    image: wazuh/wazuh:4.1.5
+    hostname: wazuh-manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=elastic
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
+      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
+      - SSL_KEY=/etc/ssl/wazuh.key
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
+      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
+      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
+
+
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch2:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch2
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch2
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch3:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch3
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch3
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+
+
+  kibana:
+    image: wazuh/wazuh-kibana:4.1.5
+    hostname: kibana
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - SERVERNAME=localhost
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=SecretPassword
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
+      - SERVER_SSL_ENABLED=true
+      - XPACK_SECURITY_ENABLED=true
+      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
+      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
+      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh:wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

xpack-from-sources.yml

@@ -0,0 +1,192 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    build:
+      context: wazuh-odfe/
+      args:
+        - FILEBEAT_CHANNEL=filebeat
+        - FILEBEAT_VERSION=7.10.2
+    image: wazuh/wazuh:4.1.5
+    hostname: wazuh-manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=elastic
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
+      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
+      - SSL_KEY=/etc/ssl/wazuh.key
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
+      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
+      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
+
+
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch2:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch2
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch2
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch3:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch3
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch3
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+
+
+  kibana:
+    build: kibana/
+    image: wazuh/wazuh-kibana:4.1.5
+    hostname: kibana
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - SERVERNAME=localhost
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=SecretPassword
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
+      - SERVER_SSL_ENABLED=true
+      - XPACK_SECURITY_ENABLED=true
+      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
+      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
+      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh:wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

xpack/instances.yml

@@ -0,0 +1,35 @@
+instances:
+  - name: elasticsearch
+    dns:
+      - elasticsearch
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: elasticsearch2
+    dns:
+      - elasticsearch2
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: elasticsearch3
+    dns:
+      - elasticsearch3
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: kibana
+    dns:
+      - kibana
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: wazuh
+    dns:
+      - wazuh
+      - localhost
+    ip:
+      - 127.0.0.1