Adapt cloud to Wazuh v4.3.10 (#746)

Former-commit-id: 428ba362afc66c556945b86dcda895cb00618ed2

wazuh/Dockerfile

@@ -2,8 +2,8 @@
 FROM waystonesystems/baseimage-centos:0.2.0
 
 # Arguments
-ARG FILEBEAT_VERSION=7.9.1
+ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.0.3-1
+ARG WAZUH_VERSION=4.3.10-0.debug
 
 # Environment variables
 ENV API_USER="foo" \
@@ -12,31 +12,16 @@ ENV API_USER="foo" \
 ARG TEMPLATE_VERSION="4.0"
 ENV FILEBEAT_DESTINATION="elasticsearch"
 
-RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
-
-RUN echo $'[wazuh] \n\
-gpgcheck=1\n\
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\n\
-gpgcheck=0\n\
-enabled=1\n\
-name=Wazuh repository\n\
-baseurl=https://packages.wazuh.com/4.x/yum/\n\
-protect=1\n'\
->> /etc/yum.repos.d/wazuh.repo
-
-# Copy Wazuh Manager custom package
-COPY config/wazuh-manager-4.0.3-1.x86_64.rpm /tmp/wazuh-manager-4.0.3-1.x86_64.rpm
-
 # Install packages
 RUN set -x && \
-    curl -sL https://rpm.nodesource.com/setup_8.x | bash - && \
+    groupadd -g 1000 wazuh && \
-    groupadd -g 1000 ossec && \
+    useradd -u 1000 -g 1000 -d /var/ossec wazuh && \
-    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
+    curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages.wazuh.com/cloud/4.3.x/rpm/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
     yum update -y && \
     yum upgrade -y &&\
-    yum install -y openssl vim expect python-boto python-pip python-cryptography && \
+    yum install -y openssl vim expect python-boto python-pip python-cryptography postfix bsd-mailx mailx ca-certificates && \
-    yum install -y postfix bsd-mailx mailx ca-certificates && \
+    yum localinstall -y /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
-    yum install -y /tmp/wazuh-manager-4.0.3-1.x86_64.rpm && \
+    rm -f /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
     yum clean all && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     rm -f /var/ossec/logs/alerts/*/*/* && \
@@ -44,10 +29,9 @@ RUN set -x && \
     rm -f /var/ossec/logs/firewall/*/*/* && \
     rm -f /var/ossec/logs/api/*/*/* && \
     rm -f /var/ossec/logs/cluster/*/*/* && \
-    rm -f /var/ossec/logs/ossec/*/*/* && \
+    rm -f /var/ossec/logs/wazuh/*/*/* && \
     curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
-    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
+    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm
-    sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo
 
 # Services
 RUN mkdir /etc/service/wazuh && \
@@ -76,9 +60,6 @@ RUN chmod 755 /permanent_data.sh && \
     sync && \
     rm /permanent_data.sh 
 
-# Expose ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
-
 # Setting volumes
 # Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
 # to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
@@ -100,7 +81,7 @@ VOLUME ["/var/lib/filebeat"]
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
-COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
+COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
 COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
@@ -123,5 +104,8 @@ RUN chmod 755 /entrypoint.sh && \
 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
 RUN chmod go-w /etc/filebeat/wazuh-template.json 
 
+# Expose ports
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/01-wazuh.sh

@@ -35,46 +35,68 @@ exec_cmd_stdout() {
 ##############################################################################
 # Check_update
 # This function considers the following cases:
-# - If /var/ossec/etc/ossec-init.conf does not exist -> Action Nothing. There is no data in the EBS. First time deploying Wazuh
+# - If /var/ossec/etc/VERSION does not exist -> Action Nothing. There is no data in the EBS. First time deploying Wazuh
-# - If /var/ossec/etc/VERSION does not exist -> Action: Update. The previous version was prior to 3.11.5.
+# - If different Wazuh version -> Action: Update. The previous version is older than the current one.
-# - If both files exist: different Wazuh version -> Action: Update. The previous version is older than the current one.
+# - If the same Wazuh version -> Acton: Nothing. Same Wazuh version.
-# - If both files exist: the same Wazuh version -> Acton: Nothing. Same Wazuh version.
 ##############################################################################
 
 check_update() {
-  if [ -e /var/ossec/etc/ossec-init.conf ]
+  if [ -e /var/ossec/etc/VERSION ]
   then
-    if [ -e /var/ossec/etc/VERSION ]
+    previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2)
+    echo "CHECK UPDATE - Previous version: $previous_version"
+    current_version=$(/var/ossec/bin/wazuh-control -j info | jq .data[0].WAZUH_VERSION | cut -d'"' -f2)
+    echo "CHECK UPDATE - Current version: $current_version"
+    if [ $previous_version == $current_version ]
     then
-      previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2)
+      echo "CHECK UPDATE - Same Wazuh version in the EBS and image"
-      echo "Previous version: $previous_version"
+      return 0
-      current_version=$(cat ${WAZUH_INSTALL_PATH}/data_tmp/permanent/var/ossec/etc/ossec-init.conf | grep -i version | cut -d'"' -f2)
-      echo "Current version: $current_version"
-      if [ $previous_version == $current_version ]
-      then
-        echo "Same Wazuh version in the EBS and image"
-        return 0
-      else
-        echo "Different Wazuh version: Update"
-        mayor_previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2 | cut -d'.' -f1)
-        if [[ ${mayor_previous_version} == "v3" ]]; then
-          echo "Remove Wazuh API deprecated files"
-          rm -rf "${WAZUH_INSTALL_PATH}/api/configuration/auth"
-          rm "${WAZUH_INSTALL_PATH}/api/configuration/config.js"
-          rm "${WAZUH_INSTALL_PATH}/api/configuration/preloaded_vars.conf"
-          echo "Load new API configuration"
-          exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent/var/ossec/api/configuration/. /var/ossec/api/configuration"
-          echo "Remove Wazuh agent-info queue"
-          rm -rf "${WAZUH_INSTALL_PATH}/queue/agent-info"
-        fi
-        return 1
-      fi
     else
-      echo "Previous version prior to 3.11.5: Update"
+      echo "CHECK UPDATE - Different Wazuh version: Update"
+      wazuh_version_regex='v4.2.[0-9]'
+      if [[ "$previous_version" =~ $wazuh_version_regex ]]
+      then
+        echo "CHECK UPDATE - Change ossec user to wazuh user"
+        ossec_group_files=$(find /var/ossec -group 1000)
+        ossec_user_files=$(find /var/ossec -user 1000)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossec_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossec_user_files"
+
+        echo "CHECK UPDATE - Change ossecr user to wazuh user"
+        ossecr_group_files=$(find /var/ossec -group 998)
+        ossecr_user_files=$(find /var/ossec -user 998)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecr_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecr_user_files"
+
+        echo "CHECK UPDATE - Change ossecm user to wazuh user"
+        ossecm_group_files=$(find /var/ossec -group 997)
+        ossecm_user_files=$(find /var/ossec -user 997)
+
+        while IFS= read -r group; do
+          chgrp wazuh $group
+        done <<< "$ossecm_group_files"
+
+        while IFS= read -r user; do
+          chown wazuh $user
+        done <<< "$ossecm_user_files"
+
+      fi
       return 1
     fi
   else
-    echo "First time mounting EBS"
+    echo "CHECK UPDATE - First time mounting EBS"
     return 0
   fi
 }
@@ -150,7 +172,7 @@ remove_data_files() {
 ##############################################################################
 
 create_ossec_key_cert() {
-  print "Creating ossec-authd key and cert"
+  print "Creating wazuh-authd key and cert"
   exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
   exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
@@ -180,7 +202,7 @@ mount_files() {
 ##############################################################################
 
 function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
+  ${WAZUH_INSTALL_PATH}/bin/wazuh-control stop;
 }
 
 ##############################################################################
@@ -188,7 +210,7 @@ function ossec_shutdown(){
 # paths or commands, and execute them. 
 #
 # This can be useful for actions that need to be run before the services are
-# started, such as "/var/ossec/bin/ossec-control enable agentless".
+# started, such as "/var/ossec/bin/wazuh-control enable agentless".
 ##############################################################################
 
 docker_custom_args() {
@@ -280,7 +302,7 @@ main() {
     echo "Keeping databases"
   fi
 
-  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  # Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]

wazuh/config/85-save_wazuh_version.sh

@@ -3,4 +3,4 @@
 
 # Copy /var/ossec/etc/ossec-init.conf contents in /var/ossec/etc/VERSION to be able to check the previous Wazuh version in pod.
 echo "Adding Wazuh version to /var/ossec/etc/VERSION"
-cat /var/ossec/etc/ossec-init.conf > /var/ossec/etc/VERSION
+/var/ossec/bin/wazuh-control info > /var/ossec/etc/VERSION

wazuh/config/create_user.py

@@ -9,7 +9,9 @@ import re
 sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
 WUI_USER_FILE_PATH = "/var/ossec/api/configuration/wui-user.json"
 WAZUH_USER_FILE_PATH = "/var/ossec/api/configuration/wazuh-user.json"
+
 try:
+    from wazuh.rbac.orm import create_rbac_db
     from wazuh.security import (
         create_user,
         get_users,
@@ -42,6 +44,7 @@ if __name__ == "__main__":
 
     wui_password = read_wui_user_file()
     wazuh_password = read_wazuh_user_file()
+    create_rbac_db()
     initial_users = db_users()
 
     # set a random password for all other users (not wazuh-wui)

wazuh/config/permanent_data.env

@@ -16,31 +16,27 @@ export PERMANENT_DATA
 
 # Files mounted in a volume that should not be permanent
 i=0
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/api/configuration/ssl/server.crt"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/api/configuration/ssl/server.key"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
@@ -61,10 +57,13 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/access_logs.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/bucket.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/queue/vulnerabilities/dictionaries/msu.json.gz"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/var/db/mitre.db"
 export PERMANENT_DATA_EXCP
 

wazuh/config/wazuh-manager-4.0.3-1.x86_64.rpm.REMOVED.git-id

@@ -1 +0,0 @@
-ad2d636c325fddb78af5dedc55db63428c09d671