Merge pull request #244 from wazuh/243-fix-s3-plugin

Fixed S3 plugin

CHANGELOG.md

@@ -1,18 +1,6 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v3.10.2_7.3.2
-
-### Added
-
-- Update to Wazuh version 3.10.2_7.3.2
-
-## Wazuh Docker v3.10.0_7.3.2
-
-### Added
-
-- Update to Wazuh version 3.10.0_7.3.2
-
 ## Wazuh Docker v3.9.5_7.2.1
 
 ### Added
@@ -26,7 +14,6 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.4_7.2.0
 - Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
 
-
 ## Wazuh Docker v3.9.3_7.2.0
 
 ### Fixed
@@ -38,21 +25,12 @@ All notable changes to this project will be documented in this file.
 
 - Update to Wazuh version 3.9.2_7.1.1
 
-## Wazuh Docker v3.9.3_6.8.1
-
-### Added
-
-- Update to Wazuh version 3.9.3_6.8.1
-- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
-
-
 ## Wazuh Docker v3.9.2_6.8.0
 
 ### Added
 
 - Update to Wazuh version 3.9.2_6.8.0
 
-
 ## Wazuh Docker v3.9.1_7.1.0
 
 ### Added
@@ -65,21 +43,11 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
-- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
 
 ### Fixed
 
 - Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
 
-
-## Wazuh Docker v3.9.1_7.1.0
-
-### Added
-
-- Support for Elastic v7.1.0
-- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
-
-
 ## Wazuh Docker v3.9.0_6.7.2
 
 ### Changed
@@ -88,7 +56,6 @@ All notable changes to this project will be documented in this file.
 
 ## Wazuh Docker v3.9.0_6.7.1
 
-
 ### Added
 
 - Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))

README.md

@@ -26,37 +26,38 @@ In addition, a docker-compose file is provided to launch the containers mentione
 
 	wazuh-docker
 	├── docker-compose.yml
+	├── kibana
+	│   ├── config
+	│   │   ├── entrypoint.sh
+	│   │   └── kibana.yml
+	│   └── Dockerfile
 	├── LICENSE
+	├── nginx
+	│   ├── config
+	│   │   └── entrypoint.sh
+	│   └── Dockerfile
 	├── README.md
 	├── CHANGELOG.md
 	├── VERSION
 	├── test.txt
 	└── wazuh
-		├── config
-		│	├── 00-decrypt_credentials.sh
-		│	├── 01-wazuh.sh
-		│	├── 02-set_filebeat_destination.sh
-		│	├── 03-config_filebeat.sh
-		│	├── 20-ossec-configuration.sh
-		│	├── 25-backups.sh
-		│	├── 35-remove_credentials_file.sh
-		│	├── 85-save_wazuh_version.sh
-		│	├── create_user.py
-		│	├── entrypoint.sh
-		│	├── filebeat_to_elasticsearch.yml
-		│	├── filebeat_to_logstash.yml
-		│	├── filebeat.runit.service
-		│	├── permanent_data.env
-		│	├── postfix.runit.service
-		│	└── wazuh.runit.service
-		└── Dockerfile
+	    ├── config
+	    │   ├── data_dirs.env
+	    │   ├── entrypoint.sh
+	    │   ├── filebeat.runit.service
+	    │   ├── filebeat.yml
+	    │   ├── init.bash
+	    │   ├── postfix.runit.service
+	    │   ├── wazuh-api.runit.service
+	    │   └── wazuh.runit.service
+	    └── Dockerfile
 
 
 ## Branches
 
 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.11.5_7.3.2"
-REVISION="31150"
+WAZUH-DOCKER_VERSION="3.9.5_7.2.1"
+REVISION="3950"

docker-compose.yml

@@ -1,9 +1,9 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh:3.10.2_7.3.2
+    build: wazuh
     hostname: wazuh-manager
     restart: always
     ports:
@@ -11,46 +11,19 @@ services:
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-  #   depends_on:
-  #     - logstash
-  # logstash:
-  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
-  #   hostname: logstash
-  #   restart: always
-  #   links:
-  #     - elasticsearch:elasticsearch
-  #   ports:
-  #     - "5000:5000"
-  #   depends_on:
-  #     - elasticsearch
-  #   environment:
-  #     - LS_HEAP_SIZE=2048m
-  #     - SECURITY_ENABLED=no
-  #     - SECURITY_LOGSTASH_USER=service_logstash
-  #     - SECURITY_LOGSTASH_PASS=logstash_pass
-  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
-  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
-  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+    volumes:
+      - '/mnt/wazuh/:/var/ossec/data:z'
   elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+    build: elasticsearch
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
       - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
-      - ELASTICSEARCH_PROTOCOL=http
-      - ELASTICSEARCH_IP=elasticsearch
-      - ELASTICSEARCH_PORT=9200
-      - SECURITY_ENABLED=no
-      - SECURITY_ELASTIC_PASSWORD=elastic_pass
-      - SECURITY_MAIN_NODE=elasticsearch
       - ELASTIC_CLUSTER=true
       - CLUSTER_NODE_MASTER=true
-      - CLUSTER_MASTER_NODE_NAME=elasticsearch
-      - CLUSTER_NODE_DATA=true
-      - CLUSTER_NODE_INGEST=true
-      - CLUSTER_MAX_NODES=3
+      - CLUSTER_MASTER_NODE_NAME=es01
     ulimits:
       memlock:
         soft: -1
@@ -58,7 +31,7 @@ services:
     mem_limit: 2g
 
   kibana:
-    image: wazuh/wazuh-kibana:3.10.2_7.3.2
+    build: kibana
     hostname: kibana
     restart: always
     depends_on:
@@ -66,18 +39,9 @@ services:
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=no
-      - SECURITY_KIBANA_USER=service_kibana
-      - SECURITY_KIBANA_PASS=kibana_pass
-      - ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
-    ports:
-      - "5601:5601"
 
   nginx:
-    image: wazuh/wazuh-nginx:3.10.2_7.3.2
+    build: nginx
     hostname: nginx
     restart: always
     environment:
@@ -89,4 +53,4 @@ services:
     depends_on:
       - kibana
     links:
-      - kibana:kibana
+      - kibana:kibana

elasticsearch/Dockerfile

@@ -0,0 +1,53 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.3.0
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
+
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+    API_PASS="bar"
+
+ENV XPACK_ML="true" 
+
+ENV ENABLE_CONFIGURE_S3="false"
+
+ARG TEMPLATE_VERSION=v3.9.5
+
+# Elasticearch cluster configuration environment variables
+# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
+ENV ELASTIC_CLUSTER="false" \
+    CLUSTER_NAME="wazuh" \
+    CLUSTER_NODE_MASTER="false" \
+    CLUSTER_NODE_DATA="true" \
+    CLUSTER_NODE_INGEST="true" \
+    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+    CLUSTER_MASTER_NODE_NAME="master-node" \
+    CLUSTER_MEMORY_LOCK="true" \
+    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
+    CLUSTER_NUMBER_OF_MASTERS="2" \
+    CLUSTER_MAX_NODES="1" \
+    CLUSTER_DELAYED_TIMEOUT="1m" \
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
+
+COPY config/entrypoint.sh /entrypoint.sh 
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+RUN ${bin/elasticsearch-plugin install --batch repository-s3}
+
+COPY config/configure_s3.sh ./config/configure_s3.sh
+RUN chmod 755 ./config/configure_s3.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]

elasticsearch/config/config_cluster.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1 
+  fi
+}
+
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+
+if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_MASTER_NODE_NAME
+node.master: $CLUSTER_NODE_MASTER
+cluster.initial_master_nodes: 
+  - $CLUSTER_MASTER_NODE_NAME
+# end cluster config" 
+EOF
+
+elif [[ $CLUSTER_NODE_NAME != "" ]];then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_NODE_NAME
+node.master: false
+discovery.seed_hosts: 
+  - $CLUSTER_MASTER_NODE_NAME
+  - $CLUSTER_NODE_NAME
+# end cluster config" 
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+fi

elasticsearch/config/configure_s3.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
+# param 1: number of arguments passed to configure_s3.sh
+
+function CheckArgs()
+{
+    if [ $1 != 4 ] && [ $1 != 5 ];then
+        echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
+        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
+        exit 1
+
+    fi
+}
+
+# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# param 1: <Elastic_Server_IP:Port>
+# param 2: <Bucket>
+# param 3: <Path>
+# param 4: <RepositoryName>
+# param 5: Optional <Elasticsearch major version>
+# output: It will show "acknowledged" if the repository has been successfully created
+
+function CreateRepo()
+{
+
+    elastic_ip_port="$2"
+    bucket_name="$3"
+    path="$4"
+    repository_name="$5"
+
+    if [ $1 == 5 ];then
+        version="$6"
+    else
+        version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+    fi
+
+    if ! [[ "$version" =~ ^[0-9]+$ ]];then
+        echo "Elasticsearch major version must be an integer"
+        exit 1
+    fi
+
+    repository="$repository_name-$version"
+    s3_path="$path/$version"
+
+    curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+        {
+            "type": "s3",
+            "settings": {
+            "bucket": "'$bucket_name'",
+            "base_path": "'$s3_path'"
+        }
+    }
+    '
+
+}
+
+# Run functions CheckArgs and CreateRepo
+# param 1: number of arguments passed to configure_s3.sh
+# param 2: <Elastic_Server_IP:Port>
+# param 3: <Bucket>
+# param 4: <Path>
+# param 5: <RepositoryName>
+# param 6: Optional <Elasticsearch major version>
+
+function Main()
+{
+    CheckArgs $1
+
+    CreateRepo $1 $2 $3 $4 $5 $6
+}
+
+Main $# $1 $2 $3 $4 $5

elasticsearch/config/entrypoint.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file";
+then 
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+./config_cluster.sh
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/load_settings.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+el_url=${ELASTICSEARCH_URL}
+
+if [ "x${WAZUH_API_URL}" = "x" ]; then
+  wazuh_url="https://wazuh"
+else
+  wazuh_url="${WAZUH_API_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+  #Wait for Elasticsearch to be ready to create the repository
+  sleep 10
+  IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+
+  if [ "x$S3_PATH" != "x" ]; then 
+
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then 
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR 
+
+    else
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME 
+
+    fi
+
+  fi
+
+fi
+
+#Insert default templates
+
+API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+if [ "x$CONFIG_CODE" != "x200" ]; then
+  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "'"$API_USER_Q"'",
+    "api_password": "'"$API_PASSWORD"'",
+    "url": "'"$wazuh_url"'",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "cluster_info": {
+      "manager": "wazuh-manager",
+      "cluster": "Disabled",
+      "status": "disabled"
+    },
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true,
+      "aws": true,
+      "virustotal": true,
+      "gdpr": true,
+      "ciscat": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+
+# Set cluster delayed timeout when node falls
+curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
+{
+  "settings": {
+    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+  }
+}
+'
+
+
+echo "Elasticsearch is ready."

kibana/Dockerfile

@@ -0,0 +1,78 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.3.0
+ARG ELASTIC_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+USER root
+
+ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+
+RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
+COPY config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+USER kibana
+
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    APP_TIMEOUT="" \
+    WAZUH_SHARDS="" \
+    WAZUH_REPLICAS="" \
+    WAZUH_VERSION_SHARDS="" \
+    WAZUH_VERSION_REPLICAS="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    XPACK_RBAC_ENABLED="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS="" \
+    ADMIN_PRIVILEGES=""
+
+ARG XPACK_CANVAS="true"
+ARG XPACK_LOGS="true"
+ARG XPACK_INFRA="true"
+ARG XPACK_ML="true"
+ARG XPACK_DEVTOOLS="true"
+ARG XPACK_MONITORING="true"
+ARG XPACK_APM="true"
+
+ARG CHANGE_WELCOME="false"
+
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
+RUN chmod +x ./kibana_settings.sh
+
+COPY --chown=kibana:kibana ./config/xpack_config.sh ./
+
+RUN chmod +x ./xpack_config.sh
+
+RUN ./xpack_config.sh
+
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+
+RUN chmod +x ./welcome_wazuh.sh
+
+RUN ./welcome_wazuh.sh
+
+RUN /usr/local/bin/kibana-docker --optimize
+
+ENTRYPOINT ./entrypoint.sh

kibana/config/entrypoint.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
+else
+  el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=3
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them. 
+# 
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+if [ "$KIBANA_IP" != "" ]; then
+  kibana_ip="$KIBANA_IP"
+else
+  kibana_ip="kibana"
+fi
+
+while [[ "$(curl -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
+  echo "Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+# Prepare index selection. 
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+echo "End settings"

kibana/config/wazuh_app_config.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [timeout]=$APP_TIMEOUT
+  [wazuh.shards]=$WAZUH_SHARDS
+  [wazuh.replicas]=$WAZUH_REPLICAS
+  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
+  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done

kibana/config/welcome_wazuh.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+
+    rm -rf ./optimize/bundles
+
+    kibana_path="/usr/share/kibana"
+    # Set Wazuh app as the default landing page
+    echo "Set Wazuh app as the default landing page"
+    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+
+    # Redirect Kibana welcome screen to Discover
+    echo "Redirect Kibana welcome screen to Discover"
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+
+    # Redirect Kibana welcome screen to Discover
+    echo "Hide undesired links"
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
+fi
+

kibana/config/xpack_config.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq  "#xpack features" "$kibana_config_file";
+then 
+  declare -A CONFIG_MAP=(
+    [xpack.apm.ui.enabled]=$XPACK_APM
+    [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+    [xpack.ml.enabled]=$XPACK_ML
+    [xpack.canvas.enabled]=$XPACK_CANVAS
+    [xpack.infra.enabled]=$XPACK_INFRA
+    [xpack.monitoring.enabled]=$XPACK_MONITORING
+    [console.enabled]=$XPACK_DEVTOOLS
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM 
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi

migration/volumes.sh

@@ -0,0 +1,138 @@
+#!/bin/bash 
+# Copyright (C) 2019, Wazuh Inc.
+
+# Script to update old environments containing /var/ossec/data with symbolic links the new structure
+
+wazuh_path=/var/ossec/
+data_path=/var/ossec/data/
+wazuh_dirs=(api/configuration etc logs queue var/multigroups active-response/bin integrations)
+no_wazuh_dirs=(/etc/filebeat)
+
+wazuh_preserve_links=(/var/ossec/api/configuration/auth/htpasswd /var/ossec/etc/ossec-init.conf)
+wazuh_files=(/var/ossec/queue/agents-timestamp)
+filebeat_files=(/var/lib/filebeat/registry /var/lib/filebeat/meta.json)
+postfix_files=(/etc/postfix/dynamicmaps.cf /etc/postfix/main.cf /etc/postfix/main.cf.proto /etc/postfix/master.cf /etc/postfix/master.cf.proto /etc/postfix/postfix-files /etc/postfix/sasl /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db /etc/postfix/postfix-script /etc/postfix/post-install)
+
+for dir in "${wazuh_dirs[@]}"; do
+  if [ ! -e $data_path"wazuh"$wazuh_path$dir ]
+  then
+    mkdir -p $data_path"wazuh"$wazuh_path$dir
+  fi
+  echo "Copying $wazuh_path$dir to $data_path"wazuh"$wazuh_path$dir"
+  cp -LR --preserve=all $wazuh_path$dir/* $data_path"wazuh"$wazuh_path$dir
+done
+
+for dir in "${no_wazuh_dirs[@]}"; do
+  base=$(basename $dir)
+  if [ ! -e $data_path$base$dir ]
+  then
+    mkdir -p $data_path$base$dir
+  fi
+  echo "Copying $dir to $data_path$base$dir"
+  cp -a $dir/* $data_path$base$dir
+done
+
+
+for file in "${wazuh_files[@]}"; do
+  echo "Copying $file to $data_path"wazuh"$file"
+  cp -LR --preserve=all $file $data_path"wazuh"$file
+done
+
+echo ">> Checking filebeat files" 
+mkdir -p $data_path"filebeat/var/lib/filebeat"
+
+for file in "${filebeat_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"filebeat"$file
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file/* $data_path"filebeat"$file
+    else
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file $data_path"filebeat"$file
+    fi
+  fi
+done
+
+echo ">> Checking postfix files"
+mkdir -p $data_path"postfix/etc/postfix"
+
+for file in "${postfix_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"postfix"$file
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file/* $data_path"postfix"$file
+    else
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file $data_path"postfix"$file
+    fi
+  fi
+done
+
+echo ">> Preserving Wazuh symbolic links files"
+for file in "${wazuh_preserve_links[@]}"; do
+  rm  $wazuh_path"data/wazuh"$file
+  cp -a $file $wazuh_path"data/wazuh"$file
+done
+
+# Grant proper permissions
+
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration
+chown root:ossec /var/ossec/data/wazuh/var/ossec/api/configuration
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/auth
+chmod 740 /var/ossec/data/wazuh/var/ossec/api/configuration/config.js
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/preloaded_vars.conf
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.crt
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/etc
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/client.keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chmod 660 /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/security-eventchannel
+chmod 640 /var/ossec/data/wazuh//var/ossec/etc/lists/security-eventchannel.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/local_internal_options.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/localtime
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/ossec.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/shared/default/agent.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.cert
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/logs
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/logs
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/api
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/cluster
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019/May
+chmod 640 /var/ossec/data/wazuh/var/ossec/logs/integrations.log
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/ossec
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue
+chown root:ossec /var/ossec/data/wazuh/var/ossec/queue
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/agentless
+chmod 600 /var/ossec/data/wazuh/var/ossec/queue/agents-timestamp
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/db 
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-shm
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-wal
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/fts
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/fts-queue
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/hostinfo
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/ig-queue
+chmod 644 /var/ossec/data/wazuh/var/ossec/queue/rids/sender_counter
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/rootcheck
+chmod 770 /var/ossec/data/wazuh/var/ossec/var/multigroups
+chown root:ossec /var/ossec/data/wazuh/var/ossec/var/multigroups

nginx/Dockerfile

@@ -0,0 +1,19 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM nginx:latest
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+VOLUME ["/etc/nginx/conf.d"]
+
+ENV NGINX_NAME="foo" \
+    NGINX_PWD="bar"
+
+ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Generating certificates.
+if [ ! -d /etc/nginx/conf.d/ssl ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+# Setting users credentials.
+# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
+#
+# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
+#    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
+#
+# b) Set NGINX_CREDENTIALS in docker-compose.yml:
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2
+#
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting users credentials"
+  if [ ! -z "$NGINX_CREDENTIALS" ]; then
+    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
+    for index in "${!users[@]}"
+    do
+      IFS=':' read -r -a credentials <<< "${users[index]}"
+      if [ $index -eq 0 ]; then
+        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
+      else
+        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
+      fi
+    done
+  else
+    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
+    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
+  fi
+else
+  echo "Kibana credentials already configured"
+fi
+
+if [ "x${NGINX_PORT}" = "x" ]; then
+  NGINX_PORT=443
+fi
+
+if [ "x${KIBANA_HOST}" = "x" ]; then
+  KIBANA_HOST="kibana:5601"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:${NGINX_PORT}\$request_uri;
+}
+
+server {
+    listen ${NGINX_PORT} default_server;
+    listen [::]:${NGINX_PORT};
+    ssl on;
+    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
+    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://${KIBANA_HOST}/;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+    }
+}
+EOF
+
+nginx -g 'daemon off;'

wazuh/Dockerfile

@@ -1,57 +1,66 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM waystonesystems/baseimage-centos:0.2.0
+FROM phusion/baseimage:master
 
 # Arguments
-ARG FILEBEAT_VERSION=7.10.2
-ARG WAZUH_VERSION=4.5.4-0.debug
+ARG FILEBEAT_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5-1
 
 # Environment variables
 ENV API_USER="foo" \
-   API_PASS="bar"
-
-ARG TEMPLATE_VERSION="4.0"
-ENV FILEBEAT_DESTINATION="elasticsearch"
+    API_PASS="bar"
 
 # Install packages
-RUN set -x && \
-    groupadd -g 1000 wazuh && \
-    useradd -u 1000 -g 1000 -d /var/ossec wazuh && \
-    # Retrieve DEV package
-    #curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages-dev.wazuh.com/pre-release/yum/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
-    # Retrieve PROD package
-    curl -o /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm https://packages.wazuh.com/cloud/4.5.x/rpm/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
-    yum update -y && \
-    yum upgrade -y &&\
-    yum install -y openssl vim expect python-boto python-pip python-cryptography postfix bsd-mailx mailx ca-certificates && \
-    yum localinstall -y /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
-    rm -f /tmp/wazuh-manager-$WAZUH_VERSION.x86_64.rpm && \
-    yum clean all && \
+RUN set -x && \ 
+    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
+    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
+    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
+    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
+    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
+    groupadd -g 1000 ossec && \
+    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
+    add-apt-repository universe && \
+    apt-get update && \
+    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
+    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
+    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
+    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
+    apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     rm -f /var/ossec/logs/alerts/*/*/* && \
     rm -f /var/ossec/logs/archives/*/*/* && \
-    rm -f /var/ossec/logs/firewall/*/*/* && \
+    rm -f /var/ossec/logs/firewall/*/*/* && \ 
     rm -f /var/ossec/logs/api/*/*/* && \
     rm -f /var/ossec/logs/cluster/*/*/* && \
-    rm -f /var/ossec/logs/wazuh/*/*/* && \
-    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-x86_64.rpm && \
-    rpm -vi filebeat-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-${FILEBEAT_VERSION}-x86_64.rpm
+    rm -f /var/ossec/logs/ossec/*/*/* && \
+    rm /var/ossec/var/run/* && \
+    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json && \
+    chmod go+r /etc/filebeat/wazuh-template.json && \
+    curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module && \
+    mkdir -p /usr/share/filebeat/module/wazuh && \
+    chmod 755 -R /usr/share/filebeat/module/wazuh
 
 # Services
 RUN mkdir /etc/service/wazuh && \
-   mkdir /etc/service/postfix && \
-   mkdir /etc/service/filebeat
+    mkdir /etc/service/wazuh-api && \
+    mkdir /etc/service/postfix && \
+    mkdir /etc/service/filebeat
 
 COPY config/wazuh.runit.service /etc/service/wazuh/run
+COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
 COPY config/postfix.runit.service /etc/service/postfix/run
 COPY config/filebeat.runit.service /etc/service/filebeat/run
 
-RUN chmod +x /etc/service/wazuh/run && \
-   chmod +x /etc/service/postfix/run && \
-   chmod +x /etc/service/filebeat/run 
+RUN chmod +x /etc/service/wazuh-api/run && \
+    chmod +x /etc/service/wazuh/run && \
+    chmod +x /etc/service/postfix/run && \
+    chmod +x /etc/service/filebeat/run 
 
 # Copy configuration files from repository
-COPY config/filebeat_to_elasticsearch.yml ./
-COPY config/filebeat_to_logstash.yml ./
+COPY config/filebeat.yml /etc/filebeat/
+RUN chmod go-w /etc/filebeat/filebeat.yml 
 
 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
@@ -61,7 +70,10 @@ RUN chmod 755 /permanent_data.sh && \
     sync && \
     /permanent_data.sh && \
     sync && \
-    rm /permanent_data.sh 
+    rm /permanent_data.sh
+
+# Expose ports
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
 
 # Setting volumes
 # Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
@@ -70,11 +82,9 @@ VOLUME ["/var/ossec/api/configuration"]
 VOLUME ["/var/ossec/etc"]
 VOLUME ["/var/ossec/logs"]
 VOLUME ["/var/ossec/queue"]
-VOLUME ["/var/ossec/agentless"]
 VOLUME ["/var/ossec/var/multigroups"]
 VOLUME ["/var/ossec/integrations"]
 VOLUME ["/var/ossec/active-response/bin"]
-VOLUME ["/var/ossec/wodles"]
 VOLUME ["/etc/filebeat"]
 VOLUME ["/etc/postfix"]
 VOLUME ["/var/lib/filebeat"]
@@ -84,31 +94,15 @@ VOLUME ["/var/lib/filebeat"]
 RUN mkdir /entrypoint-scripts
 
 COPY config/entrypoint.sh /entrypoint.sh
-COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
-COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
-COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
-COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
-COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
-COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh
-COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh
-COPY config/85-save_wazuh_version.sh /entrypoint-scripts/85-save_wazuh_version.sh
+
+# Migration scripts
+COPY migration/data_dirs.env /data_dirs.env
+COPY migration/02-volume_loader.sh /entrypoint-scripts/02-volume_loader.sh
+
 RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
     chmod 755 /entrypoint-scripts/01-wazuh.sh && \
-    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
-    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
-    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \
-    chmod 755 /entrypoint-scripts/25-backups.sh && \
-    chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh && \
-    chmod 755 /entrypoint-scripts/85-save_wazuh_version.sh
-
-# Load wazuh alerts template.
-#ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
-#RUN chmod go-w /etc/filebeat/wazuh-template.json 
-
-# Expose ports
-EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+    chmod 755 /entrypoint-scripts/02-volume_loader.sh
 
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/00-decrypt_credentials.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# If the credentials of the API user to be created are encrypted,
-# it must be decrypted for later use. 
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "CREDENTIALS - Security credentials file not used. Nothing to do."
-else
-    echo "CREDENTIALS - TO DO"
-fi
-# TO DO

wazuh/config/01-wazuh.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -32,75 +32,6 @@ exec_cmd_stdout() {
 }
 
 
-##############################################################################
-# Check_update
-# This function considers the following cases:
-# - If /var/ossec/etc/VERSION does not exist -> Action Nothing. There is no data in the EBS. First time deploying Wazuh
-# - If different Wazuh version -> Action: Update. The previous version is older than the current one.
-# - If the same Wazuh version -> Acton: Nothing. Same Wazuh version.
-##############################################################################
-
-check_update() {
-  if [ -e /var/ossec/etc/VERSION ]
-  then
-    previous_version=$(cat /var/ossec/etc/VERSION | grep -i version | cut -d'"' -f2)
-    echo "CHECK UPDATE - Previous version: $previous_version"
-    current_version=$(/var/ossec/bin/wazuh-control -j info | jq .data[0].WAZUH_VERSION | cut -d'"' -f2)
-    echo "CHECK UPDATE - Current version: $current_version"
-    if [ $previous_version == $current_version ]
-    then
-      echo "CHECK UPDATE - Same Wazuh version in the EBS and image"
-      return 0
-    else
-      echo "CHECK UPDATE - Different Wazuh version: Update"
-      wazuh_version_regex='v4.2.[0-9]'
-      if [[ "$previous_version" =~ $wazuh_version_regex ]]
-      then
-        echo "CHECK UPDATE - Change ossec user to wazuh user"
-        ossec_group_files=$(find /var/ossec -group 1000)
-        ossec_user_files=$(find /var/ossec -user 1000)
-
-        while IFS= read -r group; do
-          chgrp wazuh $group
-        done <<< "$ossec_group_files"
-
-        while IFS= read -r user; do
-          chown wazuh $user
-        done <<< "$ossec_user_files"
-
-        echo "CHECK UPDATE - Change ossecr user to wazuh user"
-        ossecr_group_files=$(find /var/ossec -group 998)
-        ossecr_user_files=$(find /var/ossec -user 998)
-
-        while IFS= read -r group; do
-          chgrp wazuh $group
-        done <<< "$ossecr_group_files"
-
-        while IFS= read -r user; do
-          chown wazuh $user
-        done <<< "$ossecr_user_files"
-
-        echo "CHECK UPDATE - Change ossecm user to wazuh user"
-        ossecm_group_files=$(find /var/ossec -group 997)
-        ossecm_user_files=$(find /var/ossec -user 997)
-
-        while IFS= read -r group; do
-          chgrp wazuh $group
-        done <<< "$ossecm_group_files"
-
-        while IFS= read -r user; do
-          chown wazuh $user
-        done <<< "$ossecm_user_files"
-
-      fi
-      return 1
-    fi
-  else
-    echo "CHECK UPDATE - First time mounting EBS"
-    return 0
-  fi
-}
-
 ##############################################################################
 # Edit configuration
 ##############################################################################
@@ -140,12 +71,6 @@ apply_exclusion_data() {
   for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
     if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
     then
-      DIR=$(dirname "${exclusion_file}")
-      if [ ! -e ${DIR}  ]
-      then
-        mkdir -p ${DIR}
-      fi
-      
       print "Updating ${exclusion_file}"
       exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
     fi
@@ -159,7 +84,7 @@ apply_exclusion_data() {
 
 remove_data_files() {
   for del_file in "${PERMANENT_DATA_DEL[@]}"; do
-    if [ $(ls ${del_file} 2> /dev/null | wc -l) -ne 0 ]
+    if [ -e ${del_file} ]
     then 
       print "Removing ${del_file}"
       exec_cmd "rm ${del_file}"
@@ -172,11 +97,26 @@ remove_data_files() {
 ##############################################################################
 
 create_ossec_key_cert() {
-  print "Creating wazuh-authd key and cert"
+  print "Creating ossec-authd key and cert"
   exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
   exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
 
+##############################################################################
+# Create certificates: API
+##############################################################################
+
+create_api_key_cert() {
+  print "Enabling Wazuh API HTTPS"
+  edit_configuration "https" "yes"
+  print "Create Wazuh API key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
+
+  # Granting proper permissions 
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
+}
 
 ##############################################################################
 # Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
@@ -202,7 +142,7 @@ mount_files() {
 ##############################################################################
 
 function ossec_shutdown(){
-  ${WAZUH_INSTALL_PATH}/bin/wazuh-control stop;
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 
 ##############################################################################
@@ -210,7 +150,7 @@ function ossec_shutdown(){
 # paths or commands, and execute them. 
 #
 # This can be useful for actions that need to be run before the services are
-# started, such as "/var/ossec/bin/wazuh-control enable agentless".
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
 ##############################################################################
 
 docker_custom_args() {
@@ -225,19 +165,18 @@ docker_custom_args() {
 # Change Wazuh API user credentials.
 ##############################################################################
 
-
-function_create_custom_user() {
-
-  # get custom credentials
+change_api_user_credentials() {
+  pushd /var/ossec/api/configuration/auth/
   if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-    echo "No security credentials file used"
+    WAZUH_API_USER=${API_USER}
+    WAZUH_API_PASS=${API_PASS}
   else
     input=${SECURITY_CREDENTIALS_FILE}
     while IFS= read -r line
     do
-      if [[ $line == *"WUI_API_PASS"* ]]; then
+      if [[ $line == *"WAZUH_API_USER"* ]]; then
         arrIN=(${line//:/ })
-        WUI_API_PASS=${arrIN[1]}
+        WAZUH_API_USER=${arrIN[1]}
       elif [[ $line == *"WAZUH_API_PASS"* ]]; then
         arrIN=(${line//:/ })
         WAZUH_API_PASS=${arrIN[1]}
@@ -245,34 +184,23 @@ function_create_custom_user() {
     done < "$input"
   fi
 
-
-    if [[ ! -z $WAZUH_API_PASS ]]; then
-  cat << EOF > "/var/ossec/api/configuration/wazuh-user.json"
-{
-  "password": "$WAZUH_API_PASS"
+  echo "Change Wazuh API user credentials"
+  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
+  eval $change_user
+  popd
 }
-EOF
-  fi
 
-  if [[ ! -z $WUI_API_PASS ]]; then
-  cat << EOF > "/var/ossec/api/configuration/wui-user.json"
-{
-  "password": "$WUI_API_PASS"
-}
-EOF
 
-    # create or customize API user
-    if /var/ossec/framework/python/bin/python3  /var/ossec/framework/scripts/create_user.py; then
-      # remove json if exit code is 0
-      echo "Wazuh API credentials changed"
-      rm /var/ossec/api/configuration/wui-user.json
-      rm /var/ossec/api/configuration/wazuh-user.json
-    else
-      echo "There was an error configuring the API users"
-      sleep 10
-      # terminate container to avoid unpredictable behavior
-      kill -s SIGINT 1
-    fi
+
+
+##############################################################################
+# Customize filebeat output ip
+##############################################################################
+
+
+custom_filebeat_output_ip() {
+  if [ "$FILEBEAT_OUTPUT" != "" ]; then
+    sed 's|http://elasticsearch:9200|$FILEBEAT_OUTPUT|g' filebeat.yml
   fi
 }
 
@@ -282,27 +210,16 @@ EOF
 ##############################################################################
 
 main() {
-
-  # Check Wazuh version in the image and EBS (It returns 1 when updating the environment)
-  check_update
-  update=$?
-
   # Mount permanent data  (i.e. ossec.conf)
   mount_permanent_data
 
   # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
   apply_exclusion_data
 
-  # When updating the environment, remove some files in permanent_data (i.e. .template.db)
-  if [ $update == 1 ]
-  then
-    echo "Removing databases"
-    remove_data_files
-  else
-    echo "Keeping databases"
-  fi
+  # Remove some files in permanent_data (i.e. .template.db)
+  remove_data_files
 
-  # Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
@@ -311,6 +228,15 @@ main() {
     fi
   fi
 
+  # Generate API certs if API_GENERATE_CERTS is true and does not exist
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
+    then
+      create_api_key_cert
+    fi
+  fi
+
   # Mount selected files (WAZUH_CONFIG_MOUNT) to container
   mount_files
 
@@ -321,13 +247,18 @@ main() {
   docker_custom_args
 
   # Change API user credentials
-  if [[ ${CLUSTER_NODE_TYPE} == "master" ]]; then
-    function_create_custom_user
-  fi
+  change_api_user_credentials
+
+  # Update filebeat configuration
+  custom_filebeat_output_ip
 
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
+  # Grant proper permissions
+  # When modifiying some files using the Wazuh API (i.e. /var/ossec/etc/ossec.conf), group rw permissions are needed for changes to take place.  
+  # https://github.com/wazuh/wazuh/issues/3647
+  chmod -R g+rw ${WAZUH_INSTALL_PATH}
 }
 
 main

wazuh/config/02-set_filebeat_destination.sh

@@ -1,30 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Set Filebeat destination.  
-##############################################################################
-
-if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
-
-    echo "FILEBEAT - Set destination to Elasticsearch"
-    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
-    if [[ $FILEBEAT_OUTPUT != "" ]]; then
-        sed -i "s/elasticsearch:9200/$FILEBEAT_OUTPUT:9200/" /etc/filebeat/filebeat.yml
-    fi
-
-elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
-
-    echo "FILEBEAT - Set destination to Logstash"
-    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
-    if [[ $FILEBEAT_OUTPUT != "" ]]; then
-        sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
-    fi
-
-else
-    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
-fi
-
-echo "FILEBEAT - Set permissions"
-
-chmod go-w /etc/filebeat/filebeat.yml

wazuh/config/03-config_filebeat.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
-
-    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
-
-    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
-    if [ "$ELASTICSEARCH_URL" != "" ]; then
-    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
-    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
-    fi
-
-    # Install Wazuh Filebeat Module
-
-    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
-    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
-    mkdir -p /usr/share/filebeat/module/wazuh
-    chmod 755 -R /usr/share/filebeat/module/wazuh
-
-fi

wazuh/config/20-ossec-configuration.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Change Wazuh manager configuration. 
-##############################################################################
-
-# # Example: 
-# # Change remote protocol from udp to tcp
-# PROTOCOL="tcp"
-# sed -i -e '/<remote>/,/<\/remote>/ s|<protocol>udp</protocol>|<protocol>'$PROTOCOL'</protocol>|g' /var/ossec/etc/ossec.conf
-# # It is necessary to restart the service in order to apply the new configuration. 
-# service wazuh-manager restart

wazuh/config/25-backups.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Enable Wazuh backups and store them in a repository. 
-##############################################################################
-
-
-# TO DO
-echo "BACKUPS - TO DO"

wazuh/config/35-remove_credentials_file.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-##############################################################################
-# Decrypt credentials.
-# Remove the credentials file for security reasons.
-##############################################################################
-
-if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
-  echo "CREDENTIALS - Security credentials file not used. Nothing to do."
-else
-  echo "CREDENTIALS - Remove credentiasl file."
-  shred -zvu ${SECURITY_CREDENTIALS_FILE}
-fi

wazuh/config/85-save_wazuh_version.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-# Copy /var/ossec/etc/ossec-init.conf contents in /var/ossec/etc/VERSION to be able to check the previous Wazuh version in pod.
-echo "Adding Wazuh version to /var/ossec/etc/VERSION"
-/var/ossec/bin/wazuh-control info > /var/ossec/etc/VERSION

wazuh/config/create_user.py

@@ -1,63 +0,0 @@
-import logging
-import sys
-import json
-import random
-import string
-import os
-import re
-# Set framework path
-sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
-WUI_USER_FILE_PATH = "/var/ossec/api/configuration/wui-user.json"
-WAZUH_USER_FILE_PATH = "/var/ossec/api/configuration/wazuh-user.json"
-
-try:
-    from wazuh.rbac.orm import create_rbac_db
-    from wazuh.security import (
-        create_user,
-        get_users,
-        get_roles,
-        set_user_role,
-        update_user,
-    )
-except Exception as e:
-    logging.error("No module 'wazuh' found.")
-    sys.exit(1)
-
-def read_wui_user_file(path=WUI_USER_FILE_PATH):
-    with open(path) as wui_user_file:
-        data = json.load(wui_user_file)
-        return data["password"]
-
-def read_wazuh_user_file(path=WAZUH_USER_FILE_PATH):
-    with open(path) as wazuh_user_file:
-        data = json.load(wazuh_user_file)
-        return data["password"]
-
-def db_users():
-    users_result = get_users()
-    return {user["username"]: user["id"] for user in users_result.affected_items}
-
-if __name__ == "__main__":
-    if not os.path.exists(WUI_USER_FILE_PATH):
-        # abort if no user file detected
-        sys.exit(0)
-
-    wui_password = read_wui_user_file()
-    wazuh_password = read_wazuh_user_file()
-    create_rbac_db()
-    initial_users = db_users()
-
-    # set a random password for all other users (not wazuh-wui)
-    for name, id in initial_users.items():
-        custom_pass = None
-        if name == "wazuh-wui":
-            custom_pass = wui_password
-        elif name == "wazuh":
-            custom_pass = wazuh_password
-        if custom_pass:
-            update_user(
-                user_id=[
-                    str(id),
-                ],
-                password=custom_pass,
-            )

wazuh/config/entrypoint.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-# Trap to kill container if it is necessary.
-trap "exit" SIGINT SIGTERM
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
   bash "$script"

wazuh/config/filebeat.runit.service

@@ -1,4 +1,3 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-/etc/init.d/filebeat start
+service filebeat start
 tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -1,6 +1,4 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Wazuh - Filebeat configuration file
 filebeat.inputs:
   - type: log
     paths:
@@ -52,4 +50,4 @@ output.elasticsearch:
   hosts: ['http://elasticsearch:9200']
   #pipeline: geoip
   indices:
-    - index: 'wazuh-alerts-4.x-%{+yyyy.MM.dd}'
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

wazuh/config/filebeat_to_logstash.yml

@@ -1,20 +0,0 @@
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-
-# Wazuh - Filebeat configuration file
-filebeat:
- inputs:
-  - type: log
-    paths:
-      - "/var/ossec/logs/alerts/alerts.json"
-  # - type: log
-  #   paths:
-  #     - "/var/ossec/logs/archives/archives.json"
-  #   fields:
-  #     wazuh_log_file: "archives"
-
-output:
- logstash:
-   # The Logstash hosts
-         hosts: ["logstash:5000"]
-#   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]

wazuh/config/permanent_data.env

@@ -4,14 +4,11 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
-PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
 PERMANENT_DATA[((i++))]="/etc/postfix"
-PERMANENT_DATA[((i++))]="/var/ossec/var/db"
 export PERMANENT_DATA
 
 # Files mounted in a volume that should not be permanent
@@ -22,62 +19,26 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/orm.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/access_logs.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/bucket.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/exceptions.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/queue/vulnerabilities/dictionaries/cpe_helper.json"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/var/db/mitre.db"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
 export PERMANENT_DATA_EXCP
 
-# Files mounted in a volume that should be deleted when updating
+# Files mounted in a volume that should be deleted 
 i=0
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/.profile.db*"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/.template.db*"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/var/db/agents/*"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/wodles/cve.db"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/vulnerabilities/cve.db"
-PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/fim/db/fim.db"
 export PERMANENT_DATA_DEL

wazuh/config/permanent_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env

wazuh/config/postfix.runit.service

@@ -1,4 +1,3 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-/usr/sbin/postfix start
+service postfix start
 tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -0,0 +1,4 @@
+#!/bin/sh
+service wazuh-api start
+tail -f /var/ossec/logs/api.log
+

wazuh/config/wazuh.runit.service

@@ -1,4 +1,4 @@
 #!/bin/sh
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-/etc/init.d/wazuh-manager start
-tail -f /var/ossec/logs/ossec.log
+service wazuh-manager start
+tail -f /var/ossec/logs/ossec.log
+

wazuh/migration/02-volume_loader.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+source /data_dirs.env
+
+##############################################################################
+# Copy will be executed from the custom mounting path (key) 
+# to destination path (value) when iterating through the array  
+# For example in the first custom path:
+#    cp -pr "/migration/ossec_backup/ /var/ossec/" will be executed
+# Please ensure the key path is correctly mounted in the container
+# For more information please check:
+##############################################################################
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+### Auxiliar methods
+
+print() {
+    echo -e "$1"
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval "$1" > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+    eval "$1" 2>&1 || error_and_exit "$1"
+}
+
+### Restoring directories 
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+for sourcedir in "${!custom_paths[@]}"; do
+    if [[ ! -e "${custom_paths[${sourcedir}]}" ]]
+    then
+        print "BACKUP: The folder ${custom_paths[${sourcedir}]} doesn't exists in the container. Creating it..."
+        exec_cmd "mkdir -p ${custom_paths[${sourcedir}]}"
+    fi
+
+    if [[ -e "${sourcedir}" ]]
+    then
+        if [[ -d "${sourcedir}" ]]; then
+            print "BACKUP: Copying data from folder ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir}* ${custom_paths[${sourcedir}]}"
+        elif [[ -f "${sourcedir}" ]]; then
+            print "BACKUP: Copying file ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir} ${custom_paths[${sourcedir}]}"
+        fi
+    else
+        print "The folder ${sourcedir} doesn't exists in the volume. Ignoring it..."
+    fi
+
+done