paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-23 16:13:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: paulmataruso:enhancement/1624-docker-compose-v2
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0
..
compare: paulmataruso:cloud-v0.6.0
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0

41 Commits
enhancemen ... cloud-v0.6

Author SHA1 Message Date
Mayte Ariza
303e0f6557 Add wodles to permanent_data (#239) 
Former-commit-id: 7a8b332c93
 2019-09-06 15:29:25 +02:00
Mayte Ariza
1d35f292db Fix copy except files (#238) 
Former-commit-id: bd2fa5c40d
 2019-09-06 10:42:39 +02:00
Mayte Ariza
4c3f149428 Change v6.8.1 version to v6.8.2 (#237) 
Former-commit-id: c427c971a4
 2019-09-05 17:18:55 +02:00
Jesus Linares
7cb82937dc Update version: 3.9.4 - 6.8.1 
Former-commit-id: 0644dd36e0
 2019-09-05 10:56:51 +02:00
Jesús Linares
f494f6eca2 Merge pull request #236 from wazuh/cloud-0.6-debug 
Cloud 0.6 - fixes

Former-commit-id: 93eb42bb96
 2019-09-05 10:52:07 +02:00
AlfonsoRBJ
84a06e2fbc Wazuh 3.9.4 Elastic 6.8.1_3.9.3 
Former-commit-id: e88be1d4bb
 2019-09-05 10:29:55 +02:00
AlfonsoRBJ
c346863593 Merge branch 'issue-234-cloud0.6-wodles' into cloud-0.6-debug 
Former-commit-id: 62499ce622
 2019-09-05 10:22:32 +02:00
Mayte Ariza
dccb8aca54 Set filebeat to 6.8.1 
Former-commit-id: e22eba52b9
 2019-09-05 10:20:16 +02:00
Mayte Ariza
18971e3fde Remove 6.8.2 version 
Former-commit-id: abbe2f20e4
 2019-09-05 10:16:07 +02:00
Josemi Hernandez
7faed76e44 Added TLS version filter (#227) 
Former-commit-id: af007c69d4
 2019-09-05 09:46:55 +02:00
Mayte Ariza
f3e3abfaf0 Add agents.js 
Former-commit-id: 2c5a1f7c58
 2019-09-04 13:11:49 +02:00
Mayte Ariza
27c37d808a Changed versions: wazuh 3.9.4 and kibana 6.8.2 
Former-commit-id: 6b13810e6a
 2019-09-04 12:29:02 +02:00
AlfonsoRBJ
3a06c32e62 add minimun_master_nodes 
Former-commit-id: 816549c3b6
 2019-09-04 11:26:06 +02:00
AlfonsoRBJ
2918502fd1 save original elasticserach.yml 
Former-commit-id: eed444bbbb
 2019-09-04 11:11:59 +02:00
Mayte Ariza
d1eb6e7b98 Removed chmod command in entrypoint 
Former-commit-id: 9460780adb
 2019-09-04 08:38:43 +02:00
Mayte Ariza
6656fddf70 Added new volume: wodles folder 
Former-commit-id: 36e3fa403d
 2019-09-04 08:32:56 +02:00
AlfonsoRBJ
131d25979b improve workaround description 
Former-commit-id: 24da1f4d0f
 2019-09-03 16:31:55 +02:00
AlfonsoRBJ
abfe509753 workaround for wazuh-api issue 440 and 443 
Former-commit-id: d3cfd2234a
 2019-09-03 16:21:16 +02:00
AlfonsoRBJ
9d71a6cbcc install wazuh without custom package 
Former-commit-id: db733fc849
 2019-09-03 11:50:30 +02:00
AlfonsoRBJ
610f6f49ce add debug to S3 repository creation in elasticsearch image 
Former-commit-id: 0c571ad3f9
 2019-09-03 11:15:35 +02:00
AlfonsoRBJ
71933d6625 Merge branch 'k8s' into cloud-0.5 
Former-commit-id: 901c29c3ab
 2019-09-02 15:12:46 +02:00
Mayte Ariza
7afe64b238 Removed write permissions for group and other in Integrations folder (#226) 
* Removed go-w permissions in integrations folder

* Modified permissions command
 2019-08-27 13:31:04 +02:00
Daniel Ruiz
37f50dac1c Fix docker volumes error 
Former-commit-id: e8ecb63183
 2019-07-24 09:26:23 +02:00
Mayte Ariza
7c11a8568c Fixing remove files (#210) 2019-07-15 09:43:08 +02:00
Mayte Ariza
0bf9766883 Check if file exists before removing it (#209) 2019-07-15 08:37:31 +02:00
AlfonsoRBJ
59f60f63b6 Upgrade to 3.9.3_6.8.1 version (#207) 2019-07-12 16:35:26 +02:00
Mayte Ariza
c9ed007771 Permissions rw for group added (#206) 2019-07-12 16:03:32 +02:00
Mayte Ariza
15dbd60605 New volumes declaration in Wazuh Dockerfile (#203) 2019-07-09 13:59:36 +02:00
AlfonsoRBJ
eca30fb709 add CA correct management for Logstash (#202) 2019-07-08 18:32:36 +02:00
AlfonsoRBJ
065b5bb5cf Security for Elastic Stack (#196) 2019-07-08 14:02:19 +02:00
Mayte Ariza
d98ab1b4f3 Wazuh image improvements (#188) 2019-07-08 13:37:57 +02:00
AlfonsoRBJ
c077b496bd resolve merge conflicts from branch 3.9.2_6.8.0 2019-06-17 16:02:12 +02:00
Manuel J. Bernal
815039333d Updated CHANGELOG 2019-06-12 18:09:33 +02:00
Manuel J. Bernal
9b2ecdb47d Bump version 3.8.2_6.8.0 2019-06-12 18:08:23 +02:00
AlfonsoRBJ
651077e2c7 Update CHANGELOG.md 2019-06-04 13:12:46 +02:00
AlfonsoRBJ
d8ac9e617b Update CHANGELOG.md 2019-06-04 13:12:13 +02:00
AlfonsoRBJ
9db0001e08 conflicts resolved in merge 3.9.1_6.8.0 over k8s branch 2019-05-28 12:43:16 +02:00
Mayte Ariza
096246abcb Removing log files (#169) 2019-05-15 08:14:33 +02:00
AlfonsoRBJ
d2766454d0 Disable additionals X-Pack applications and hide unnecesary management links (#163) 2019-05-08 15:50:42 +02:00
Mayte Ariza
a88e5495d5 Merge branch '3.9.0_6.7.1' into k8s 2019-05-06 11:56:05 +02:00
Mayte Ariza
3f94f734d4 Removing logs from Wazuh image (#153) 2019-04-26 08:08:49 +02:00
99 changed files with 3293 additions and 6251 deletions
Expand all files Collapse all files

6
.env
View File

@@ -1,6 +0,0 @@
WAZUH_VERSION=5.0.0
WAZUH_IMAGE_VERSION=5.0.0
WAZUH_TAG_REVISION=1
FILEBEAT_TEMPLATE_BRANCH=5.0.0
WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.4.tar.gz
WAZUH_UI_REVISION=1

103
.github/.goss.yaml vendored
View File

@@ -1,103 +0,0 @@
file:
/etc/filebeat/filebeat.yml:
exists: true
mode: "0644"
owner: root
group: root
filetype: file
contains: []
/var/ossec/bin/wazuh-control:
exists: true
mode: "0750"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/lists/audit-keys:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/ossec.conf:
exists: true
mode: "0660"
owner: root
group: wazuh
filetype: file
contains: []
/var/ossec/etc/rules/local_rules.xml:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/sslmanager.cert:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/sslmanager.key:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
package:
filebeat:
installed: true
versions:
- 7.10.2
wazuh-manager:
installed: true
versions:
- 5.0.0-1
port:
tcp:1514:
listening: true
ip:
- 0.0.0.0
tcp:1515:
listening: true
ip:
- 0.0.0.0
tcp:55000:
listening: true
ip:
- 0.0.0.0
process:
filebeat:
running: true
wazuh-analysisd:
running: true
wazuh-authd:
running: true
wazuh-execd:
running: true
wazuh-monitord:
running: true
wazuh-remoted:
running: true
wazuh-syscheckd:
running: true
s6-supervise:
running: true
wazuh-db:
running: true
wazuh-modulesd:
running: true
user:
wazuh:
exists: true
groups:
- wazuh
home: /var/ossec
shell: /sbin/nologin
group:
wazuh:
exists: true

18
.github/multi-node-filebeat-check.sh vendored
View File

@@ -1,18 +0,0 @@
filebeatout1=$(docker exec multi-node_wazuh.master_1 sh -c 'filebeat test output')
filebeatstatus1=$(echo "${filebeatout1}" | grep -c OK)
if [[ filebeatstatus1 -eq 7 ]]; then
echo "No errors in master filebeat"
else
echo "Errors in master filebeat"
echo "${filebeatout1}"
exit 1
fi
filebeatout2=$(docker exec multi-node_wazuh.worker_1 sh -c 'filebeat test output')
filebeatstatus2=$(echo "${filebeatout2}" | grep -c OK)
if [[ filebeatstatus2 -eq 7 ]]; then
echo "No errors in worker filebeat"
else
echo "Errors in worker filebeat"
echo "${filebeatout2}"
exit 1
fi

16
.github/multi-node-log-check.sh vendored
View File

@@ -1,16 +0,0 @@
log1=$(docker exec multi-node_wazuh.master_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "$log1" ]]; then
echo "No errors in master ossec.log"
else
echo "Errors in master ossec.log:"
echo "${log1}"
exit 1
fi
log2=$(docker exec multi-node_wazuh.worker_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "${log2}" ]]; then
echo "No errors in worker ossec.log"
else
echo "Errors in worker ossec.log:"
echo "${log2}"
exit 1
fi

9
.github/single-node-filebeat-check.sh vendored
View File

@@ -1,9 +0,0 @@
filebeatout=$(docker exec single-node_wazuh.manager_1 sh -c 'filebeat test output')
filebeatstatus=$(echo "${filebeatout}" | grep -c OK)
if [[ filebeatstatus -eq 7 ]]; then
echo "No errors in filebeat"
else
echo "Errors in filebeat"
echo "${filebeatout}"
exit 1
fi

8
.github/single-node-log-check.sh vendored
View File

@@ -1,8 +0,0 @@
log=$(docker exec single-node_wazuh.manager_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "$log" ]]; then
echo "No errors in ossec.log"
else
echo "Errors in ossec.log:"
echo "${log}"
exit 1
fi

161
.github/workflows/Procedure_push_docker_images.yml vendored
View File

@@ -1,161 +0,0 @@
run-name: Launch Push Docker Images - ${{ inputs.id }}
name: Push Docker Images
on:
workflow_dispatch:
inputs:
image_tag:
description: 'Docker image tag'
default: '5.0.0'
required: true
docker_reference:
description: 'wazuh-docker reference'
default: 'v5.0.0'
required: true
PRODUCTS:
description: 'Comma-separated list of the image names to build and push'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
required: true
filebeat_module_version:
description: 'Filebeat module version'
default: '0.4'
required: true
revision:
description: 'Package revision'
default: '1'
required: true
push_images:
description: 'Push images'
type: boolean
default: true
required: true
id:
description: "ID used to identify the workflow uniquely."
type: string
required: false
dev:
description: "Add tag suffix '-dev' to the image tag ?"
type: boolean
default: true
required: false
workflow_call:
inputs:
image_tag:
description: 'Docker image tag'
default: '5.0.0'
required: true
type: string
docker_reference:
description: 'wazuh-docker reference'
default: 'v5.0.0'
required: false
type: string
products:
description: 'Comma-separated list of the image names to build and push'
default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
required: true
type: string
filebeat_module_version:
description: 'Filebeat module version'
default: '0.4'
required: true
type: string
revision:
description: 'Package revision'
default: '1'
required: true
type: string
push_images:
description: 'Push images'
type: boolean
default: true
required: true
id:
description: "ID used to identify the workflow uniquely."
type: string
required: false
dev:
description: "Add tag suffix '-dev' to the image tag ?"
type: boolean
default: false
required: false
jobs:
build-and-push:
runs-on: ubuntu-latest
steps:
- name: Print inputs
run: |
echo "---------------------------------------------"
echo "Running Procedure_push_docker_images workflow"
echo "---------------------------------------------"
echo "* BRANCH: ${{ github.ref }}"
echo "* COMMIT: ${{ github.sha }}"
echo "---------------------------------------------"
echo "Inputs provided:"
echo "---------------------------------------------"
echo "* id: ${{ inputs.id }}"
echo "* image_tag: ${{ inputs.image_tag }}"
echo "* docker_reference: ${{ inputs.docker_reference }}"
echo "* products: ${{ inputs.products }}"
echo "* filebeat_module_version: ${{ inputs.filebeat_module_version }}"
echo "* revision: ${{ inputs.revision }}"
echo "* push_images: ${{ inputs.push_images }}"
echo "* dev: ${{ inputs.dev }}"
echo "---------------------------------------------"
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ inputs.docker_reference }}
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build Wazuh images
run: |
IMAGE_TAG=${{ inputs.image_tag }}
FILEBEAT_MODULE_VERSION=${{ inputs.filebeat_module_version }}
REVISION=${{ inputs.revision }}
if [[ "$IMAGE_TAG" == *"-"* ]]; then
IFS='-' read -r -a tokens <<< "$IMAGE_TAG"
if [ -z "${tokens[1]}" ]; then
echo "Invalid image tag: $IMAGE_TAG"
exit 1
fi
DEV_STAGE=${tokens[1]}
WAZUH_VER=${tokens[0]}
./build-docker-images/build-images.sh -v $WAZUH_VER -r $REVISION -d $DEV_STAGE -f $FILEBEAT_MODULE_VERSION
else
./build-docker-images/build-images.sh -v $IMAGE_TAG -r $REVISION -f $FILEBEAT_MODULE_VERSION
fi
# Save .env file (generated by build-images.sh) contents to $GITHUB_ENV
ENV_FILE_PATH=".env"
if [ -f $ENV_FILE_PATH ]; then
while IFS= read -r line || [ -n "$line" ]; do
echo "$line" >> $GITHUB_ENV
done < $ENV_FILE_PATH
else
echo "The environment file $ENV_FILE_PATH does not exist!"
exit 1
fi
- name: Tag and Push Wazuh images
if: ${{ inputs.push_images }}
run: |
IMAGE_TAG="${{ inputs.image_tag }}$( [ "${{ inputs.dev }}" == "true" ] && echo '-dev' || true )"
IMAGE_NAMES=${{ inputs.products }}
IFS=',' read -r -a images <<< "$IMAGE_NAMES"
for image in "${images[@]}"; do
echo "Tagging and pushing wazuh/$image:${WAZUH_VERSION} to wazuh/$image:$IMAGE_TAG"
docker tag wazuh/$image:${WAZUH_VERSION} wazuh/$image:$IMAGE_TAG
echo "Pushing wazuh/$image:$IMAGE_TAG ..."
docker push wazuh/$image:$IMAGE_TAG
done

349
.github/workflows/push.yml vendored
View File

@@ -1,349 +0,0 @@
name: Wazuh Docker pipeline
on: [pull_request]
jobs:
build-docker-images:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Build Wazuh images
run: build-docker-images/build-images.sh
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: Create backup Docker images
run: |
mkdir -p /home/runner/work/wazuh-docker/wazuh-docker/docker-images/
docker save wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
docker save wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
docker save wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
docker save wazuh/wazuh-cert-tool:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-cert-tool.tar
- name: Temporarily save Wazuh manager Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-manager
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
retention-days: 1
- name: Temporarily save Wazuh indexer Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-indexer
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
retention-days: 1
- name: Temporarily save Wazuh dashboard Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-dashboard
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
retention-days: 1
- name: Temporarily save Wazuh Cert Tool Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-cert-tool
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-cert-tool.tar
retention-days: 1
- name: Install Goss
uses: e1himself/goss-installation-action@v1.0.3
with:
version: v0.3.16
- name: Execute Goss tests (wazuh-manager)
run: dgoss run wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}}
env:
GOSS_SLEEP: 30
GOSS_FILE: .github/.goss.yaml
check-single-node:
runs-on: ubuntu-latest
needs: build-docker-images
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Retrieve saved Wazuh Cert Tool Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-cert-tool
- name: Docker load
run: |
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
docker load --input ./wazuh-manager.tar
docker load --input ./wazuh-cert-tool.tar
rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar wazuh-cert-tool.tar
- name: Create single node certficates
run: docker compose -f single-node/generate-certs.yml run --rm generator
- name: Start single node stack
run: docker compose -f single-node/docker-compose.yml up -d
- name: Check Wazuh indexer start
run: |
sleep 60
status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
if [[ $status_green -eq 1 ]]; then
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
exit 1
fi
status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep "green" | wc -l`"
if [[ $status_index_green -eq $status_index ]]; then
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
exit 1
fi
- name: Check Wazuh indexer nodes
run: |
nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
if [[ $nodes -eq 1 ]]; then
echo "Wazuh indexer nodes: ${nodes}"
else
echo "Wazuh indexer nodes: ${nodes}"
exit 1
fi
- name: Check documents into wazuh-alerts index
run: |
sleep 120
docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
if [[ $docs -gt 0 ]]; then
echo "wazuh-alerts index documents: ${docs}"
else
echo "wazuh-alerts index documents: ${docs}"
exit 1
fi
- name: Check Wazuh templates
run: |
qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics" | wc -l`"
templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics"`"
if [[ $qty_templates -gt 3 ]]; then
echo "wazuh templates:"
echo "${templates}"
else
echo "wazuh templates:"
echo "${templates}"
exit 1
fi
- name: Check Wazuh manager start
run: |
services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
if [[ $services -gt 9 ]]; then
echo "Wazuh Manager Services: ${services}"
echo "OK"
else
echo "Wazuh indexer nodes: ${nodes}"
curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
exit 1
fi
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check filebeat output
run: ./.github/single-node-filebeat-check.sh
- name: Check Wazuh dashboard service URL
run: |
status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}')
if [[ $status -eq 200 ]]; then
echo "Wazuh dashboard status: ${status}"
else
echo "Wazuh dashboard status: ${status}"
exit 1
fi
- name: Check errors in ossec.log
run: ./.github/single-node-log-check.sh
check-multi-node:
runs-on: ubuntu-latest
needs: build-docker-images
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: free disk space
run: |
sudo swapoff -a
sudo rm -f /swapfile
sudo apt clean
docker rmi $(docker image ls -aq)
df -h
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Retrieve saved Wazuh Cert Tool Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-cert-tool
- name: Docker load
run: |
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
docker load --input ./wazuh-manager.tar
docker load --input ./wazuh-cert-tool.tar
rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar wazuh-cert-tool.tar
- name: Create multi node certficates
run: docker compose -f multi-node/generate-certs.yml run --rm generator
- name: Start multi node stack
run: docker compose -f multi-node/docker-compose.yml up -d
- name: Check Wazuh indexer start
run: |
until [[ `curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l` -eq 1 ]]
do
echo 'Waiting for Wazuh indexer start'
free -m
df -h
sleep 120
done
status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
if [[ $status_green -eq 1 ]]; then
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
exit 1
fi
status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep -E "green" | wc -l`"
if [[ $status_index_green -eq $status_index ]]; then
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
exit 1
fi
- name: Check Wazuh indexer nodes
run: |
nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
if [[ $nodes -eq 3 ]]; then
echo "Wazuh indexer nodes: ${nodes}"
else
echo "Wazuh indexer nodes: ${nodes}"
exit 1
fi
- name: Check documents into wazuh-alerts index
run: |
until [[ $(``curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"``) -gt 0 ]]
do
echo 'Waiting for Wazuh indexer events'
free -m
df -h
sleep 10
done
docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
if [[ $docs -gt 0 ]]; then
echo "wazuh-alerts index documents: ${docs}"
else
echo "wazuh-alerts index documents: ${docs}"
exit 1
fi
- name: Check Wazuh templates
run: |
qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh" | wc -l`"
templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh"`"
if [[ $qty_templates -gt 3 ]]; then
echo "wazuh templates:"
echo "${templates}"
else
echo "wazuh templates:"
echo "${templates}"
exit 1
fi
- name: Check Wazuh manager start
run: |
services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
if [[ $services -gt 10 ]]; then
echo "Wazuh Manager Services: ${services}"
echo "OK"
else
echo "Wazuh indexer nodes: ${nodes}"
curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
exit 1
fi
nodes=$(curl -k -s -X GET "https://0.0.0.0:55000/cluster/nodes" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r ".data.affected_items[].name" | wc -l)
if [[ $nodes -eq 2 ]]; then
echo "Wazuh manager nodes: ${nodes}"
else
echo "Wazuh manager nodes: ${nodes}"
exit 1
fi
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check filebeat output
run: ./.github/multi-node-filebeat-check.sh
- name: Check Wazuh dashboard service URL
run: |
status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I | grep -E "^HTTP" | awk '{print $2}')
if [[ $status -eq 200 ]]; then
echo "Wazuh dashboard status: ${status}"
else
echo "Wazuh dashboard status: ${status}"
exit 1
fi
- name: Check errors in ossec.log
run: ./.github/multi-node-log-check.sh

77
.github/workflows/trivy-dashboard.yml vendored
View File

@@ -1,77 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Trivy scan Wazuh dashboard
on:
release:
types:
- published
pull_request:
branches:
- master
- stable
schedule:
- cron: '34 2 * * 1'
workflow_dispatch:
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build images and upload Trivy results
runs-on: "ubuntu-latest"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Installing dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq
- name: Checkout latest tag
run: |
latest=$(curl -s "https://api.github.com/repos/wazuh/wazuh-docker/releases/latest" | jq -r '.tag_name')
git fetch origin
git checkout $latest
- name: Build Wazuh images
run: build-docker-images/build-images.sh
- name: Create enviroment variables
run: |
cat .env > $GITHUB_ENV
echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner for Wazuh dashboard
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: 'wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-dashboard.sarif'
severity: 'LOW,MEDIUM,CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-dashboard.sarif'
- name: Slack notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: cicd-monitoring
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
#SLACK_ICON: https://github.com/rtCamp.png?size=48
SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
SLACK_USERNAME: github_actions
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

77
.github/workflows/trivy-indexer.yml vendored
View File

@@ -1,77 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Trivy scan Wazuh indexer
on:
release:
types:
- published
pull_request:
branches:
- master
- stable
schedule:
- cron: '34 2 * * 1'
workflow_dispatch:
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build images and upload Trivy results
runs-on: "ubuntu-latest"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Installing dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq
- name: Checkout latest tag
run: |
latest=$(curl -s "https://api.github.com/repos/wazuh/wazuh-docker/releases/latest" | jq -r '.tag_name')
git fetch origin
git checkout $latest
- name: Build Wazuh images
run: build-docker-images/build-images.sh
- name: Create enviroment variables
run: |
cat .env > $GITHUB_ENV
echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner for Wazuh indexer
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: 'wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-indexer.sarif'
severity: 'LOW,MEDIUM,CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-indexer.sarif'
- name: Slack notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: cicd-monitoring
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
#SLACK_ICON: https://github.com/rtCamp.png?size=48
SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
SLACK_USERNAME: github_actions
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

77
.github/workflows/trivy-manager.yml vendored
View File

@@ -1,77 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Trivy scan Wazuh manager
on:
release:
types:
- published
pull_request:
branches:
- master
- stable
schedule:
- cron: '34 2 * * 1'
workflow_dispatch:
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build images and upload Trivy results
runs-on: "ubuntu-latest"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Installing dependencies
run: |
sudo apt-get update
sudo apt-get install -y jq
- name: Checkout latest tag
run: |
latest=$(curl -s "https://api.github.com/repos/wazuh/wazuh-docker/releases/latest" | jq -r '.tag_name')
git fetch origin
git checkout $latest
- name: Build Wazuh images
run: build-docker-images/build-images.sh
- name: Create enviroment variables
run: |
cat .env > $GITHUB_ENV
echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner for Wazuh manager
uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
with:
image-ref: 'wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results-manager.sarif'
severity: 'LOW,MEDIUM,CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results-manager.sarif'
- name: Slack notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: cicd-monitoring
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
#SLACK_ICON: https://github.com/rtCamp.png?size=48
SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
SLACK_USERNAME: github_actions
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

4
.gitignore vendored
View File

@@ -1,4 +0,0 @@
single-node/config/wazuh_indexer_ssl_certs/*.pem
single-node/config/wazuh_indexer_ssl_certs/*.key
multi-node/config/wazuh_indexer_ssl_certs/*.pem
multi-node/config/wazuh_indexer_ssl_certs/*.key

545
CHANGELOG.md
View File

@@ -1,544 +1,17 @@
# Change Log
All notable changes to this project will be documented in this file.
## [5.0.0]
## Wazuh Docker v3.9.4_6.8.1
### Added
- none
### Changed
- Delete service tag and modifiy docker-compose execution for a new version ([#1632](https://github.com/wazuh/wazuh-docker/pull/1632))
- Remove deprecated attribute version in docker-compose.yml ([#1595](https://github.com/wazuh/wazuh-docker/pull/1595)) by https://github.com/h3ssan
### Fixed
- None
### Deleted
- None
## [4.10.2]
### Added
- none
### Changed
- None
### Fixed
- None
### Deleted
- None
## [4.10.1]
### Added
- none
### Changed
- None
### Fixed
- None
### Deleted
- None
## [4.10.0]
### Added
- Migrate the push docker images procedure to GitHub Actions ([#5651](https://github.com/wazuh/wazuh-qa/issues/5651))
### Changed
- None
### Fixed
- None
### Deleted
- None
## [4.9.2]
### Added
- Update Wazuh to version [4.9.2](https://github.com/wazuh/wazuh/blob/v4.9.2/CHANGELOG.md#v492)
## [4.9.1]
### Added
- None
### Changed
- None
### Fixed
- Fix typos into Wazuh manager entrypoint ([#1569](https://github.com/wazuh/wazuh-docker/pull/1569))
### Deleted
- None
## Wazuh Docker v4.9.0
### Added
- Update Wazuh to version [4.9.0](https://github.com/wazuh/wazuh/blob/v4.9.0/CHANGELOG.md#v490)
## Wazuh Docker v4.8.2
### Added
- Update Wazuh to version [4.8.2](https://github.com/wazuh/wazuh/blob/v4.8.2/CHANGELOG.md#v482)
## Wazuh Docker v4.8.1
### Added
- Update Wazuh to version [4.8.1](https://github.com/wazuh/wazuh/blob/v4.8.1/CHANGELOG.md#v481)
## Wazuh Docker v4.8.0
### Added
- Update Wazuh to version [4.8.0](https://github.com/wazuh/wazuh/blob/v4.8.0/CHANGELOG.md#v480)
## Wazuh Docker v4.7.5
### Added
- Update Wazuh to version [4.7.5](https://github.com/wazuh/wazuh/blob/v4.7.5/CHANGELOG.md#v475)
## Wazuh Docker v4.7.4
### Added
- Update Wazuh to version [4.7.4](https://github.com/wazuh/wazuh/blob/v4.7.4/CHANGELOG.md#v474)
## Wazuh Docker v4.7.3
### Added
- Update Wazuh to version [4.7.3](https://github.com/wazuh/wazuh/blob/v4.7.3/CHANGELOG.md#v473)
## Wazuh Docker v4.7.2
### Added
- Update Wazuh to version [4.7.2](https://github.com/wazuh/wazuh/blob/v4.7.2/CHANGELOG.md#v472)
## Wazuh Docker v3.9.3_6.8.1
## Wazuh Docker v4.7.1
### Added
- Update Wazuh to version [4.7.1](https://github.com/wazuh/wazuh/blob/v4.7.1/CHANGELOG.md#v471)
## Wazuh Docker v4.7.0
### Added
- Update Wazuh to version [4.7.0](https://github.com/wazuh/wazuh/blob/v4.7.0/CHANGELOG.md#v470)
## Wazuh Docker v4.6.0
### Added
- Update Wazuh to version [4.6.0](https://github.com/wazuh/wazuh/blob/v4.6.0/CHANGELOG.md#v460)
## Wazuh Docker v4.5.4
### Added
- Update Wazuh to version [4.5.4](https://github.com/wazuh/wazuh/blob/v4.5.4/CHANGELOG.md#v454)
## Wazuh Docker v4.5.3
### Added
- Update Wazuh to version [4.5.3](https://github.com/wazuh/wazuh/blob/v4.5.3/CHANGELOG.md#v453)
## Wazuh Docker v4.5.2
### Added
- Update Wazuh to version [4.5.2](https://github.com/wazuh/wazuh/blob/v4.5.2/CHANGELOG.md#v452)
## Wazuh Docker v4.5.1
### Added
- Update Wazuh to version [4.5.1](https://github.com/wazuh/wazuh/blob/v4.5.1/CHANGELOG.md#v451)
## Wazuh Docker v4.5.0
### Added
- Update Wazuh to version [4.5.0](https://github.com/wazuh/wazuh/blob/v4.5.0/CHANGELOG.md#v450)
## Wazuh Docker v4.4.5
### Added
- Update Wazuh to version [4.4.5](https://github.com/wazuh/wazuh/blob/v4.4.5/CHANGELOG.md#v445)
## Wazuh Docker v4.4.4
### Added
- Update Wazuh to version [4.4.4](https://github.com/wazuh/wazuh/blob/v4.4.4/CHANGELOG.md#v444)
## Wazuh Docker v4.4.3
### Added
- Update Wazuh to version [4.4.3](https://github.com/wazuh/wazuh/blob/v4.4.3/CHANGELOG.md#v443)
## Wazuh Docker v4.4.2
### Added
- Update Wazuh to version [4.4.2](https://github.com/wazuh/wazuh/blob/v4.4.2/CHANGELOG.md#v442)
## Wazuh Docker v4.4.1
### Added
- Update Wazuh to version [4.4.1](https://github.com/wazuh/wazuh/blob/v4.4.1/CHANGELOG.md#v441)
## Wazuh Docker v4.4.0
### Added
- Update Wazuh to version [4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440)
## Wazuh Docker v4.3.11
### Added
- Update Wazuh to version [4.3.11](https://github.com/wazuh/wazuh/blob/v4.3.11/CHANGELOG.md#v4311)
## Wazuh Docker v4.3.10
### Added
- Update Wazuh to version [4.3.10](https://github.com/wazuh/wazuh/blob/v4.3.10/CHANGELOG.md#v4310)
## Wazuh Docker v4.3.9
### Added
- Update Wazuh to version [4.3.9](https://github.com/wazuh/wazuh/blob/v4.3.9/CHANGELOG.md#v439)
## Wazuh Docker v4.3.8
### Added
- Update Wazuh to version [4.3.8](https://github.com/wazuh/wazuh/blob/v4.3.8/CHANGELOG.md#v438)
## Wazuh Docker v4.3.7
### Added
- Update Wazuh to version [4.3.7](https://github.com/wazuh/wazuh/blob/v4.3.7/CHANGELOG.md#v437)
## Wazuh Docker v4.3.6
### Added
- Update Wazuh to version [4.3.6](https://github.com/wazuh/wazuh/blob/v4.3.6/CHANGELOG.md#v436)
## Wazuh Docker v4.3.5
### Added
- Update Wazuh to version [4.3.5](https://github.com/wazuh/wazuh/blob/v4.3.5/CHANGELOG.md#v435)
## Wazuh Docker v4.3.4
### Added
- Update Wazuh to version [4.3.4](https://github.com/wazuh/wazuh/blob/v4.3.4/CHANGELOG.md#v434)
## Wazuh Docker v4.3.3
### Added
- Update Wazuh to version [4.3.3](https://github.com/wazuh/wazuh/blob/v4.3.3/CHANGELOG.md#v433)
## Wazuh Docker v4.3.2
### Added
- Update Wazuh to version [4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432)
## Wazuh Docker v4.3.1
### Added
- Update Wazuh to version [4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431)
## Wazuh Docker v4.3.0
### Added
- Update Wazuh to version [4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430)
## Wazuh Docker v4.2.7
### Added
- Update Wazuh to version [4.2.7](https://github.com/wazuh/wazuh/blob/v4.2.7/CHANGELOG.md#v427)
## Wazuh Docker v4.2.6
### Added
- Update Wazuh to version [4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426)
## Wazuh Docker v4.2.5
### Added
- Update Wazuh to version [4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425)
## Wazuh Docker v4.2.4
### Added
- Update Wazuh to version [4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424)
## Wazuh Docker v4.2.3
### Added
- Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
## Wazuh Docker v4.2.2
### Added
- Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
## Wazuh Docker v4.2.1
### Added
- Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
## Wazuh Docker v4.2.0
### Added
- Update Wazuh to version [4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
## Wazuh Docker v4.1.5
### Added
- Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
- Update ODFE compatibility to version 1.13.2
## Wazuh Docker v4.1.4
### Added
- Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
## Wazuh Docker v4.1.3
### Added
- Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
## Wazuh Docker v4.1.2
### Added
- Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
## Wazuh Docker v4.1.1
### Added
- Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
## Wazuh Docker v4.1.0
### Added
- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
- Update ODFE compatibility to version 1.12.0
- Add support for Elasticsearch (xpack) images once again (7.10.2) ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
- Re-enable entrypoint scripts ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
- Update s6-overlay to latest version
## Wazuh Docker v4.0.4_1.11.0
### Added
- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
## Wazuh Docker v4.0.3_1.11.0
### Added
- Update to Wazuh version 4.0.3
## Wazuh Docker v4.0.2_1.11.0
### Added
- Update to Wazuh version 4.0.2
## Wazuh Docker v4.0.1_1.11.0
### Added
- Update to Wazuh version 4.0.1
- Opendistro 1.11.0 compatiblity
- Re-enabled dumping ossec.log to stdout
## Wazuh Docker v4.0.0_1.10.1
### Added
- Update to Wazuh version 4.0.0
- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393)
- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
### Changed
- Removal of Elastic images
## Wazuh Docker v3.13.2_7.9.1
### Added
- Update to Wazuh version 3.13.2_7.9.1
- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
### Fixed
- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
## Wazuh Docker v3.13.1_7.8.0
### Added
- Update to Wazuh version 3.13.1_7.8.0
## Wazuh Docker v3.13.0_7.7.1
### Added
- Update to Wazuh version 3.13.3_7.7.1
### Fixed
- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
## Wazuh Docker v3.12.3_7.6.2
### Added
- Update to Wazuh version 3.12.3_7.6.2
## Wazuh Docker v3.12.2_7.6.2
### Added
- Update to Wazuh version 3.12.2_7.6.2
## Wazuh Docker v3.12.1_7.6.2
### Added
- Update to Wazuh version 3.12.1_7.6.2
### Fixed
- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
## Wazuh Docker v3.12.0_7.6.1
### Added
- Update to Wazuh version 3.12.0_7.6.1
## Wazuh Docker v3.11.4_7.6.1
### Added
- Update to Wazuh version 3.11.4_7.6.1
- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
### Fixed
- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
## Wazuh Docker v3.11.3_7.5.2
### Added
- Update to Wazuh version 3.11.3_7.5.2
## Wazuh Docker v3.11.2_7.5.1
### Added
- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
### Fixed
- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
## Wazuh Docker v3.11.1_7.5.1
### Added
- Update to Wazuh version 3.11.1_7.5.1
- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
## Wazuh Docker v3.11.0_7.5.1
### Added
- Update to Wazuh version 3.11.0_7.5.1
## Wazuh Docker v3.10.2_7.5.0
### Added
- Update to Wazuh version 3.10.2_7.5.0
## Wazuh Docker v3.10.2_7.3.2
### Added
- Update to Wazuh version 3.10.2_7.3.2
## Wazuh Docker v3.10.0_7.3.2
### Added
- Update to Wazuh version 3.10.0_7.3.2
## Wazuh Docker v3.9.5_7.2.1
### Added
- Update to Wazuh version 3.9.5_7.2.1
## Wazuh Docker v3.9.4_7.2.0
### Added
- Update to Wazuh version 3.9.4_7.2.0
- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
## Wazuh Docker v3.9.3_7.2.0
### Fixed
- Wazuh-docker reinserts cluster settings after resuming containers ([@manuasir](https://github.com/manuasir)) [#213](https://github.com/wazuh/wazuh-docker/pull/213)
## Wazuh Docker v3.9.2_7.1.1
- Update to Wazuh version 3.9.3_6.8.1
### Added
- Update to Wazuh version 3.9.2_7.1.1
- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
## Wazuh Docker v3.9.2_6.8.0
@@ -546,18 +19,13 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.2_6.8.0
## Wazuh Docker v3.9.1_7.1.0
### Added
- Support for Elastic v7.1.0
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
## Wazuh Docker v3.9.1_6.8.0
### Added
- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
### Fixed
@@ -571,6 +39,7 @@ All notable changes to this project will be documented in this file.
## Wazuh Docker v3.9.0_6.7.1
### Added
- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
@@ -655,7 +124,7 @@ All notable changes to this project will be documented in this file.
- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
### Fixed
### Fixed
- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))

2
LICENSE
View File

@@ -1,5 +1,5 @@
Portions Copyright (C) 2017, Wazuh Inc.
Portions Copyright (C) 2019 Wazuh, Inc.
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
This program is a free software; you can redistribute it and/or modify

262
README.md
View File

@@ -7,235 +7,63 @@
In this repository you will find the containers to run:
* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
* Wazuh dashboard: provides a web user interface to browse through alert data and allows you to visualize the agents configuration and status.
* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-logstash: It is used to receive alerts generated by the manager and feed Elasticsearch using an alerts template
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexers, and one Wazuh dashboard.
In addition, a docker-compose file is provided to launch the containers mentioned above.
* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
## Documentation
* [Wazuh full documentation](http://documentation.wazuh.com)
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker Hub](https://hub.docker.com/u/wazuh)
### Setup SSL certificate
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
Documentation on how to provide these two can be found at [Wazuh Docker Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
## Environment Variables
Default values are included when available.
### Wazuh
```
API_USERNAME="wazuh-wui" # Wazuh API username
API_PASSWORD="MyS3cr37P450r.*-" # Wazuh API password - Must comply with requirements
# (8+ length, uppercase, lowercase, special chars)
INDEXER_URL=https://wazuh.indexer:9200 # Wazuh indexer URL
INDEXER_USERNAME=admin # Wazuh indexer Username
INDEXER_PASSWORD=SecretPassword # Wazuh indexer Password
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA
SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate
SSL_KEY="" # Path of Filebeat SSL Key
```
### Dashboard
```
PATTERN="wazuh-alerts-*" # Default index pattern to use
CHECKS_PATTERN=true # Defines which checks must be considered by the healthcheck
CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must be true or false
CHECKS_API=true
CHECKS_SETUP=true
APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests
API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
IP_IGNORE="[]" # List of index patterns to be ignored
DASHBOARD_USERNAME=kibanaserver # Custom user saved in the dashboard keystore
DASHBOARD_PASSWORD=kibanaserver # Custom password saved in the dashboard keystore
WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices
WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task
WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas
WAZUH_MONITORING_REPLICAS=0 ##
```
* [Docker hub](https://hub.docker.com/u/wazuh)
## Directory structure
├── build-docker-images
│   ├── build-images.sh
│   ├── build-images.yml
│   ├── README.md
│   ├── wazuh-dashboard
│   │   ── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── dl_base.sh
│   │   │   ├── entrypoint.sh
│   │   │   ├── install_wazuh_app.sh
│   │   │   ── opensearch_dashboards.yml
│   │   │   ├── wazuh_app_config.sh
│   │   │   └── wazuh.yml
│   │   └── Dockerfile
│   ── wazuh-indexer
│   │   ├── config
│   │   │   ├── action_groups.yml
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── entrypoint.sh
│   │   │   ├── internal_users.yml
│   │   │   ├── opensearch.yml
│   │   │   ├── roles_mapping.yml
│   │   │   ├── roles.yml
│   │   │   └── securityadmin.sh
│   │   └── Dockerfile
│   ── wazuh-manager
│   ├── config
│   │   ├── check_repository.sh
│   │   ├── create_user.py
│   │   ├── etc
│   │   │   ├── cont-init.d
│   │   │   │   ├── 0-wazuh-init
│   │   │   │   ├── 1-config-filebeat
│   │   │   │   └── 2-manager
│   │   │   └── services.d
│   │   │   ├── filebeat
│   │   │   │   ├── finish
│   │   │   │   └── run
│   │   │   └── ossec-logs
│   │   │   └── run
│   │   ├── filebeat_module.sh
│   │   ├── filebeat.yml
│   │   ├── permanent_data.env
│   │   └── permanent_data.sh
│   └── Dockerfile
├── CHANGELOG.md
├── indexer-certs-creator
│   ├── config
│   │   └── entrypoint.sh
│   ├── Dockerfile
│   └── README.md
├── LICENSE
├── multi-node
│   ├── config
│   │   ├── certs.yml
│   │   ├── nginx
│   │   │   └── nginx.conf
│   │   ├── wazuh_cluster
│   │   │   ├── wazuh_manager.conf
│   │   │   └── wazuh_worker.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   └── wazuh_indexer
│   │   ├── internal_users.yml
│   │   ├── wazuh1.indexer.yml
│   │   ├── wazuh2.indexer.yml
│   │   └── wazuh3.indexer.yml
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   ├── Migration-to-Wazuh-4.4.md
│   ├── README.md
│   └── volume-migrator.sh
├── README.md
├── SECURITY.md
├── single-node
│   ├── config
│   │   ├── certs.yml
│   │   ├── wazuh_cluster
│   │   │   └── wazuh_manager.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   └── wazuh_indexer
│   │   ├── internal_users.yml
│   │   └── wazuh.indexer.yml
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   └── README.md
└── VERSION
wazuh-docker
├── docker-compose.yml
├── kibana
│   ├── config
│   │   ├── entrypoint.sh
│   │   ── kibana.yml
│   └── Dockerfile
├── LICENSE
├── logstash
│   ├── config
│   │   ├── 01-wazuh.conf
│   │   ── run.sh
│   └── Dockerfile
├── nginx
│   ├── config
│   │   ── entrypoint.sh
│   └── Dockerfile
├── README.md
├── CHANGELOG.md
├── VERSION
├── test.txt
└── wazuh
├── config
│   ├── data_dirs.env
│   ├── entrypoint.sh
│   ├── filebeat.runit.service
│   ├── filebeat.yml
│   ── init.bash
│   ├── postfix.runit.service
│   ├── wazuh-api.runit.service
│   └── wazuh.runit.service
└── Dockerfile
## Branches
* `stable` branch on correspond to the latest Wazuh-Docker stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
* `stable` branch corresponds to the last Wazuh stable version.
## Compatibility Matrix
| Wazuh version | ODFE | XPACK |
|---------------|---------|--------|
| v5.0.0 | | |
| v4.10.2 | | |
| v4.10.1 | | |
| v4.10.0 | | |
| v4.9.2 | | |
| v4.9.1 | | |
| v4.9.0 | | |
| v4.8.2 | | |
| v4.8.1 | | |
| v4.8.0 | | |
| v4.7.5 | | |
| v4.7.4 | | |
| v4.7.3 | | |
| v4.7.2 | | |
| v4.7.1 | | |
| v4.7.0 | | |
| v4.6.0 | | |
| v4.5.4 | | |
| v4.5.3 | | |
| v4.5.2 | | |
| v4.5.1 | | |
| v4.5.0 | | |
| v4.4.5 | | |
| v4.4.4 | | |
| v4.4.3 | | |
| v4.4.2 | | |
| v4.4.1 | | |
| v4.4.0 | | |
| v4.3.11 | | |
| v4.3.10 | | |
| v4.3.9 | | |
| v4.3.8 | | |
| v4.3.7 | | |
| v4.3.6 | | |
| v4.3.5 | | |
| v4.3.4 | | |
| v4.3.3 | | |
| v4.3.2 | | |
| v4.3.1 | | |
| v4.3.0 | | |
| v4.2.7 | 1.13.2 | 7.11.2 |
| v4.2.6 | 1.13.2 | 7.11.2 |
| v4.2.5 | 1.13.2 | 7.11.2 |
| v4.2.4 | 1.13.2 | 7.11.2 |
| v4.2.3 | 1.13.2 | 7.11.2 |
| v4.2.2 | 1.13.2 | 7.11.2 |
| v4.2.1 | 1.13.2 | 7.11.2 |
| v4.2.0 | 1.13.2 | 7.10.2 |
| v4.1.5 | 1.13.2 | 7.10.2 |
| v4.1.4 | 1.12.0 | 7.10.2 |
| v4.1.3 | 1.12.0 | 7.10.2 |
| v4.1.2 | 1.12.0 | 7.10.2 |
| v4.1.1 | 1.12.0 | 7.10.2 |
| v4.1.0 | 1.12.0 | 7.10.2 |
| v4.0.4 | 1.11.0 | |
| v4.0.3 | 1.11.0 | |
| v4.0.2 | 1.11.0 | |
| v4.0.1 | 1.11.0 | |
| v4.0.0 | 1.10.1 | |
* `Wazuh.Version_ElasticStack.Version` (for example 3.9.3_6.8.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Credits and Thank you
@@ -244,11 +72,11 @@ These Docker containers are based on:
* "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
* "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
We thank them and everyone else who has contributed to this project.
We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
## Web references

45
SECURITY.md
View File

@@ -1,45 +0,0 @@
# Wazuh Open Source Project Security Policy
Version: 2023-06-12
## Introduction
This document outlines the Security Policy for Wazuh's open source projects. It emphasizes our commitment to maintain a secure environment for our users and contributors, and reflects our belief in the power of collaboration to identify and resolve security vulnerabilities.
## Scope
This policy applies to all open source projects developed, maintained, or hosted by Wazuh.
## Reporting Security Vulnerabilities
If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly.
Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [security@wazuh.com](mailto:security@wazuh.com).
## Vulnerability Disclosure Policy
Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps:
1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation.
2. Validation: We will validate the issue and work on reproducing it in our environment.
3. Remediation: We will work on a fix and thoroughly test it
4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party.
5. Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments.
This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability.
## Automatic Scanning
We leverage GitHub Actions to perform automated scans of our supply chain. These scans assist us in identifying vulnerabilities and outdated dependencies in a proactive and timely manner.
## Credit
We believe in giving credit where credit is due. If you report a security vulnerability to us, and we determine that it is a valid vulnerability, we will publicly credit you for the discovery when we disclose the vulnerability. If you wish to remain anonymous, please indicate so in your initial report.
We do appreciate and encourage feedback from our community, but currently we do not have a bounty program. We might start bounty programs in the future.
## Compliance with this Policy
We consider the discovery and reporting of security vulnerabilities an important public service. We encourage responsible reporting of any vulnerabilities that may be found in our site or applications.
Furthermore, we will not take legal action against or suspend or terminate access to the site or services of those who discover and report security vulnerabilities in accordance with this policy because of the fact.
We ask that all users and contributors respect this policy and the security of our community's users by disclosing vulnerabilities to us in accordance with this policy.
## Changes to this Security Policy
This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date.
If you have any questions about this Security Policy, please contact us at [security@wazuh.com](mailto:security@wazuh.com)

4
VERSION
View File

@@ -1,2 +1,2 @@
WAZUH-DOCKER_VERSION="5.0.0"
REVISION="50000"
WAZUH-DOCKER_VERSION="3.9.4_6.8.1"
REVISION="3942"

32
build-docker-images/README.md
View File

@@ -1,32 +0,0 @@
# Wazuh Docker Image Builder
The creation of the images for the Wazuh stack deployment in Docker is done with the build-images.yml script
To execute the process, the following must be executed in the root of the wazuh-docker repository:
```
$ build-docker-images/build-images.sh
```
This script initializes the environment variables needed to build each of the images.
The script allows you to build images from other versions of Wazuh, to do this you must use the -v or --version argument:
```
$ build-docker-images/build-images.sh -v 5.0.0
```
To get all the available script options use the -h or --help option:
```
$ build-docker-images/build-images.sh -h
Usage: build-docker-images/build-images.sh [OPTIONS]
-d, --dev <ref> [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
-f, --filebeat-module <ref> [Optional] Set Filebeat module version. By default 0.4.
-r, --revision <rev> [Optional] Package revision. By default 1
-v, --version <ver> [Optional] Set the Wazuh version should be builded. By default, 5.0.0.
-h, --help Show this help.
```

145
build-docker-images/build-images.sh
View File

@@ -1,145 +0,0 @@
WAZUH_IMAGE_VERSION=5.0.0
WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
WAZUH_TAG_REVISION=1
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
# Wazuh package generator
# Copyright (C) 2023, Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.
WAZUH_IMAGE_VERSION="5.0.0"
WAZUH_TAG_REVISION="1"
WAZUH_DEV_STAGE=""
FILEBEAT_MODULE_VERSION="0.4"
# -----------------------------------------------------------------------------
trap ctrl_c INT
clean() {
exit_code=$1
exit ${exit_code}
}
ctrl_c() {
clean 1
}
# -----------------------------------------------------------------------------
build() {
WAZUH_VERSION="$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')"
FILEBEAT_TEMPLATE_BRANCH="${WAZUH_IMAGE_VERSION}"
WAZUH_FILEBEAT_MODULE="wazuh-filebeat-${FILEBEAT_MODULE_VERSION}.tar.gz"
WAZUH_UI_REVISION="${WAZUH_TAG_REVISION}"
if [ "${WAZUH_DEV_STAGE}" ];then
FILEBEAT_TEMPLATE_BRANCH="v${FILEBEAT_TEMPLATE_BRANCH}-${WAZUH_DEV_STAGE,,}"
if ! curl --output /dev/null --silent --head --fail "https://github.com/wazuh/wazuh/tree/${FILEBEAT_TEMPLATE_BRANCH}"; then
echo "The indicated branch does not exist in the wazuh/wazuh repository: ${FILEBEAT_TEMPLATE_BRANCH}"
clean 1
fi
else
if curl --output /dev/null --silent --head --fail "https://github.com/wazuh/wazuh/tree/v${FILEBEAT_TEMPLATE_BRANCH}"; then
FILEBEAT_TEMPLATE_BRANCH="v${FILEBEAT_TEMPLATE_BRANCH}"
elif curl --output /dev/null --silent --head --fail "https://github.com/wazuh/wazuh/tree/${FILEBEAT_TEMPLATE_BRANCH}"; then
FILEBEAT_TEMPLATE_BRANCH="${FILEBEAT_TEMPLATE_BRANCH}"
else
WAZUH_MASTER_VERSION="$(curl -s https://raw.githubusercontent.com/wazuh/wazuh/master/src/VERSION | sed -e 's/v//g')"
if [ "${FILEBEAT_TEMPLATE_BRANCH}" == "${WAZUH_MASTER_VERSION}" ]; then
FILEBEAT_TEMPLATE_BRANCH="master"
else
echo "The indicated branch does not exist in the wazuh/wazuh repository: ${FILEBEAT_TEMPLATE_BRANCH}"
clean 1
fi
fi
fi
echo WAZUH_VERSION=$WAZUH_IMAGE_VERSION > .env
echo WAZUH_IMAGE_VERSION=$WAZUH_IMAGE_VERSION >> .env
echo WAZUH_TAG_REVISION=$WAZUH_TAG_REVISION >> .env
echo FILEBEAT_TEMPLATE_BRANCH=$FILEBEAT_TEMPLATE_BRANCH >> .env
echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> .env
echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> .env
docker compose -f build-docker-images/build-images.yml --env-file .env build --no-cache
docker build -t wazuh/wazuh-cert-tool:$WAZUH_IMAGE_VERSION build-docker-images/cert-tool-image/
return 0
}
# -----------------------------------------------------------------------------
help() {
echo
echo "Usage: $0 [OPTIONS]"
echo
echo " -d, --dev <ref> [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default."
echo " -f, --filebeat-module <ref> [Optional] Set Filebeat module version. By default ${FILEBEAT_MODULE_VERSION}."
echo " -r, --revision <rev> [Optional] Package revision. By default ${WAZUH_TAG_REVISION}"
echo " -v, --version <ver> [Optional] Set the Wazuh version should be builded. By default, ${WAZUH_IMAGE_VERSION}."
echo " -h, --help Show this help."
echo
exit $1
}
# -----------------------------------------------------------------------------
main() {
while [ -n "${1}" ]
do
case "${1}" in
"-h"|"--help")
help 0
;;
"-d"|"--dev")
if [ -n "${2}" ]; then
WAZUH_DEV_STAGE="${2}"
shift 2
else
help 1
fi
;;
"-f"|"--filebeat-module")
if [ -n "${2}" ]; then
FILEBEAT_MODULE_VERSION="${2}"
shift 2
else
help 1
fi
;;
"-r"|"--revision")
if [ -n "${2}" ]; then
WAZUH_TAG_REVISION="${2}"
shift 2
else
help 1
fi
;;
"-v"|"--version")
if [ -n "$2" ]; then
WAZUH_IMAGE_VERSION="$2"
shift 2
else
help 1
fi
;;
*)
help 1
esac
done
build || clean 1
clean 0
}
main "$@"

92
build-docker-images/build-images.yml
View File

@@ -1,92 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
wazuh.manager:
build:
context: wazuh-manager/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
FILEBEAT_TEMPLATE_BRANCH: ${FILEBEAT_TEMPLATE_BRANCH}
WAZUH_FILEBEAT_MODULE: ${WAZUH_FILEBEAT_MODULE}
image: wazuh/wazuh-manager:${WAZUH_IMAGE_VERSION}
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh.indexer:
build:
context: wazuh-indexer/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
image: wazuh/wazuh-indexer:${WAZUH_IMAGE_VERSION}
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
wazuh.dashboard:
build:
context: wazuh-dashboard/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
WAZUH_UI_REVISION: ${WAZUH_UI_REVISION}
image: wazuh/wazuh-dashboard:${WAZUH_IMAGE_VERSION}
hostname: wazuh.dashboard
restart: always
ports:
- 443:443
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- SERVER_SSL_ENABLED=false
- WAZUH_API_URL=https://wazuh.manager
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:

13
build-docker-images/wazuh-cert-tool/Dockerfile
View File

@@ -1,13 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM amazonlinux:2023
RUN yum install curl-minimal openssl -y &&\
yum clean all
WORKDIR /
COPY config/entrypoint.sh /
RUN chmod 700 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

62
build-docker-images/wazuh-cert-tool/config/entrypoint.sh
View File

@@ -1,62 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
##############################################################################
# Downloading Cert Gen Tool
##############################################################################
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/5.0/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL -s
echo "The tool to create the certificates exists in the in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL -s
echo "The tool to create the certificates exists in Packages-dev bucket"
else
echo "The tool to create the certificates does not exist in any bucket"
echo "ERROR: certificates were not created"
exit 1
fi
cp /config/certs.yml /config.yml
chmod 700 /$CERT_TOOL
##############################################################################
# Creating Cluster certificates
##############################################################################
## Execute cert tool and parsin cert.yml to set UID permissions
source /$CERT_TOOL -A
nodes_server=$( cert_parseYaml /config.yml | grep -E "nodes[_]+server[_]+[0-9]+=" | sed -e 's/nodes__server__[0-9]=//' | sed 's/"//g' )
node_names=($nodes_server)
echo "Moving created certificates to the destination directory"
cp /wazuh-certificates/* /certificates/
echo "Changing certificate permissions"
chmod -R 500 /certificates
chmod -R 400 /certificates/*
echo "Setting UID indexer and dashboard"
chown 1000:1000 /certificates/*
echo "Setting UID for wazuh manager and worker"
cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
cp /certificates/root-ca.key /certificates/root-ca-manager.key
chown 999:999 /certificates/root-ca-manager.pem
chown 999:999 /certificates/root-ca-manager.key
for i in ${node_names[@]};
do
chown 999:999 "/certificates/${i}.pem"
chown 999:999 "/certificates/${i}-key.pem"
done

106
build-docker-images/wazuh-dashboard/Dockerfile
View File

@@ -1,106 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM amazonlinux:2023 AS builder
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
ARG WAZUH_UI_REVISION
ARG INSTALL_DIR=/usr/share/wazuh-dashboard
# Update and install dependencies
RUN yum install curl-minimal libcap openssl -y
COPY config/check_repository.sh /
RUN chmod 775 /check_repository.sh && \
source /check_repository.sh
RUN yum install wazuh-dashboard-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
yum clean all
# Create and set permissions to data directories
RUN mkdir -p $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
# Generate certificates
COPY config/config.sh .
COPY config/config.yml /
RUN bash config.sh
################################################################################
# Build stage 1 (the current Wazuh dashboard image):
#
# Copy wazuh-dashboard from stage 0
# Add entrypoint
# Add wazuh_app_config
################################################################################
FROM amazonlinux:2023
# Set environment variables
ENV USER="wazuh-dashboard" \
GROUP="wazuh-dashboard" \
NAME="wazuh-dashboard" \
INSTALL_DIR="/usr/share/wazuh-dashboard"
# Set Wazuh app variables
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
APP_TIMEOUT="" \
API_SELECTOR="" \
IP_SELECTOR="" \
IP_IGNORE="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS=""
# Update and install dependencies
RUN yum install shadow-utils -y
# Create wazuh-dashboard user and group
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
# Copy and set permissions to scripts
COPY config/entrypoint.sh /
COPY config/wazuh_app_config.sh /
RUN chmod 700 /entrypoint.sh
RUN chmod 700 /wazuh_app_config.sh
RUN chown 1000:1000 /*.sh
# Copy Install dir from builder to current image
COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
# Create custom directory
RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
# Set $JAVA_HOME
RUN echo "export JAVA_HOME=$INSTALL_DIR/jdk" >> /etc/profile.d/java_home.sh && \
echo "export PATH=\$PATH:\$JAVA_HOME/bin" >> /etc/profile.d/java_home.sh
ENV JAVA_HOME=$INSTALL_DIR/jdk
ENV PATH=$PATH:$JAVA_HOME/bin:$INSTALL_DIR/bin
# Add k-NN lib directory to library loading path variable
ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$INSTALL_DIR/plugins/opensearch-knn/lib"
# Set workdir and user
WORKDIR $INSTALL_DIR
USER wazuh-dashboard
# Services ports
EXPOSE 443
ENTRYPOINT [ "/entrypoint.sh" ]
CMD ["opensearch-dashboards"]

15
build-docker-images/wazuh-dashboard/config/check_repository.sh
View File

@@ -1,15 +0,0 @@
## variables
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 11- | grep ^v${WAZUH_VERSION}$)
## check tag to use the correct repository
if [[ -n "${WAZUH_TAG}" ]]; then
APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
fi
rpm --import "${APT_KEY}"
echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

42
build-docker-images/wazuh-dashboard/config/config.sh
View File

@@ -1,42 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-dashboard
export TARGET_DIR=${CURDIR}/debian/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}/config
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PACKAGES_URL=https://packages.wazuh.com/5.0/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# Create certs directory
mkdir -p ${CONFIG_DIR}/certs
# Copy Wazuh dashboard certs to install config dir
cp /wazuh-certificates/dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
cp /wazuh-certificates/dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
cp /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
chmod -R 500 ${CONFIG_DIR}/certs
chmod -R 400 ${CONFIG_DIR}/certs/*

5
build-docker-images/wazuh-dashboard/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh dashboard server nodes
dashboard:
- name: dashboard
ip: wazuh.dashboard

239
build-docker-images/wazuh-dashboard/config/entrypoint.sh
View File

@@ -1,239 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
INSTALL_DIR=/usr/share/wazuh-dashboard
export OPENSEARCH_DASHBOARDS_HOME=$INSTALL_DIR
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
opensearch_dashboards_vars=(
console.enabled
console.proxyConfig
console.proxyFilter
ops.cGroupOverrides.cpuPath
ops.cGroupOverrides.cpuAcctPath
cpu.cgroup.path.override
cpuacct.cgroup.path.override
server.basePath
server.customResponseHeaders
server.compression.enabled
server.compression.referrerWhitelist
server.cors
server.cors.origin
server.defaultRoute
server.host
server.keepAliveTimeout
server.maxPayloadBytes
server.name
server.port
csp.rules
csp.strict
csp.warnLegacyBrowsers
data.search.usageTelemetry.enabled
opensearch.customHeaders
opensearch.hosts
opensearch.logQueries
opensearch.memoryCircuitBreaker.enabled
opensearch.memoryCircuitBreaker.maxPercentage
opensearch.password
opensearch.pingTimeout
opensearch.requestHeadersWhitelist
opensearch.requestHeadersAllowlist
opensearch_security.multitenancy.enabled
opensearch_security.readonly_mode.roles
opensearch.requestTimeout
opensearch.shardTimeout
opensearch.sniffInterval
opensearch.sniffOnConnectionFault
opensearch.sniffOnStart
opensearch.ssl.alwaysPresentCertificate
opensearch.ssl.certificate
opensearch.ssl.key
opensearch.ssl.keyPassphrase
opensearch.ssl.keystore.path
opensearch.ssl.keystore.password
opensearch.ssl.truststore.path
opensearch.ssl.truststore.password
opensearch.ssl.verificationMode
opensearch.username
i18n.locale
interpreter.enableInVisualize
opensearchDashboards.autocompleteTerminateAfter
opensearchDashboards.autocompleteTimeout
opensearchDashboards.defaultAppId
opensearchDashboards.index
logging.dest
logging.json
logging.quiet
logging.rotate.enabled
logging.rotate.everyBytes
logging.rotate.keepFiles
logging.rotate.pollingInterval
logging.rotate.usePolling
logging.silent
logging.useUTC
logging.verbose
map.includeOpenSearchMapsService
map.proxyOpenSearchMapsServiceInMaps
map.regionmap
map.tilemap.options.attribution
map.tilemap.options.maxZoom
map.tilemap.options.minZoom
map.tilemap.options.subdomains
map.tilemap.url
monitoring.cluster_alerts.email_notifications.email_address
monitoring.enabled
monitoring.opensearchDashboards.collection.enabled
monitoring.opensearchDashboards.collection.interval
monitoring.ui.container.opensearch.enabled
monitoring.ui.container.logstash.enabled
monitoring.ui.opensearch.password
monitoring.ui.opensearch.pingTimeout
monitoring.ui.opensearch.hosts
monitoring.ui.opensearch.username
monitoring.ui.opensearch.logFetchCount
monitoring.ui.opensearch.ssl.certificateAuthorities
monitoring.ui.opensearch.ssl.verificationMode
monitoring.ui.enabled
monitoring.ui.max_bucket_size
monitoring.ui.min_interval_seconds
newsfeed.enabled
ops.interval
path.data
pid.file
regionmap
security.showInsecureClusterWarning
server.rewriteBasePath
server.socketTimeout
server.customResponseHeaders
server.ssl.enabled
server.ssl.key
server.ssl.keyPassphrase
server.ssl.keystore.path
server.ssl.keystore.password
server.ssl.truststore.path
server.ssl.truststore.password
server.ssl.cert
server.ssl.certificate
server.ssl.certificateAuthorities
server.ssl.cipherSuites
server.ssl.clientAuthentication
opensearch.ssl.certificateAuthorities
server.ssl.redirectHttpFromPort
server.ssl.supportedProtocols
server.xsrf.disableProtection
server.xsrf.whitelist
status.allowAnonymous
status.v6ApiFormat
tilemap.options.attribution
tilemap.options.maxZoom
tilemap.options.minZoom
tilemap.options.subdomains
tilemap.url
timeline.enabled
vega.enableExternalUrls
apm_oss.apmAgentConfigurationIndex
apm_oss.indexPattern
apm_oss.errorIndices
apm_oss.onboardingIndices
apm_oss.spanIndices
apm_oss.sourcemapIndices
apm_oss.transactionIndices
apm_oss.metricsIndices
telemetry.allowChangingOptInStatus
telemetry.enabled
telemetry.optIn
telemetry.optInStatusUrl
telemetry.sendUsageFrom
vis_builder.enabled
data_source.enabled
data_source.encryption.wrappingKeyName
data_source.encryption.wrappingKeyNamespace
data_source.encryption.wrappingKey
data_source.audit.enabled
data_source.audit.appender.kind
data_source.audit.appender.path
data_source.audit.appender.layout.kind
data_source.audit.appender.layout.highlight
data_source.audit.appender.layout.pattern
ml_commons_dashboards.enabled
assistant.chat.enabled
observability.query_assist.enabled
uiSettings.overrides.defaultRoute
)
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
exec_cmd_stdout() {
eval $1 2>&1 || error_and_exit "$1"
}
function runOpensearchDashboards {
touch $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)
value=${!env_var}
if [[ -n $value ]]; then
longoptfile="${opensearch_dashboards_var}: ${value}"
if grep -q $opensearch_dashboards_var $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml; then
sed -i "/${opensearch_dashboards_var}/ s|^.*$|${longoptfile}|" $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
else
echo $longoptfile >> $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml
fi
fi
done
umask 0002
/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c $OPENSEARCH_DASHBOARDS_HOME/config/opensearch_dashboards.yml \
--cpu.cgroup.path.override=/ \
--cpuacct.cgroup.path.override=/
}
mount_files() {
if [ -e $WAZUH_CONFIG_MOUNT/* ]
then
print "Identified Wazuh cdashboard onfiguration files to mount..."
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $INSTALL_DIR"
else
print "No Wazuh dashboard configuration files to mount..."
fi
}
DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}"
DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}"
# Create and configure Wazuh dashboard keystore
yes | $INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
##############################################################################
# Start Wazuh dashboard
##############################################################################
/wazuh_app_config.sh $WAZUH_UI_REVISION
mount_files
if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
set -- opensearch-dashboards "$@"
fi
if [ "$1" = "opensearch-dashboards" ]; then
runOpensearchDashboards "$@"
else
exec "$@"
fi

155
build-docker-images/wazuh-dashboard/config/wazuh.yml
View File

@@ -1,155 +0,0 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2017, Wazuh Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-dashboard-plugins
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#checks.metaFields: true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.tsc : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.gcp : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# -------------------------------- API selector --------------------------------
#
# Defines if the user is allowed to change the selected
# API directly from the Wazuh app top menu.
# Default: true
#api.selector: true
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-*
#
# --------------------------------- wazuh-cron ----------------------------------
#
# Customize the index prefix of predefined jobs
# This change is not retroactive, if you change it new indexes will be created
# cron.prefix: test
#
# ------------------------------ wazuh-statistics -------------------------------
#
# Custom setting to enable/disable statistics tasks.
#cron.statistics.status: true
#
# Enter the ID of the APIs you want to save data from, leave this empty to run
# the task on all configured APIs
#cron.statistics.apis: []
#
# Define the frequency of task execution using cron schedule expressions
#cron.statistics.interval: 0 0 * * * *
#
# Define the name of the index in which the documents are to be saved.
#cron.statistics.index.name: statistics
#
# Define the interval in which the index will be created
#cron.statistics.index.creation: w
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ---------------------------- Hide manager alerts ------------------------------
# Hide the alerts of the manager in all dashboards and discover
#hideManagerAlerts: false
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
# -------------------------------- Enrollment DNS -------------------------------
# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
# Default value: ''
#enrollment.dns: ''
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# username: <username>
# password: <password>

52
build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh
View File

@@ -1,52 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
wazuh_url="${WAZUH_API_URL:-https://wazuh}"
wazuh_port="${API_PORT:-55000}"
api_username="${API_USERNAME:-wazuh-wui}"
api_password="${API_PASSWORD:-wazuh-wui}"
api_run_as="${RUN_AS:-false}"
dashboard_config_file="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
[checks.pattern]=$CHECKS_PATTERN
[checks.template]=$CHECKS_TEMPLATE
[checks.api]=$CHECKS_API
[checks.setup]=$CHECKS_SETUP
[timeout]=$APP_TIMEOUT
[api.selector]=$API_SELECTOR
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $dashboard_config_file
fi
done
grep -q 1513629884013 $dashboard_config_file
_config_exists=$?
if [[ $_config_exists -ne 0 ]]; then
cat << EOF >> $dashboard_config_file
hosts:
- 1513629884013:
url: $wazuh_url
port: $wazuh_port
username: $api_username
password: $api_password
run_as: $api_run_as
EOF
else
echo "Wazuh APP already configured"
fi

93
build-docker-images/wazuh-indexer/Dockerfile
View File

@@ -1,93 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM amazonlinux:2023 AS builder
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
RUN yum install curl-minimal openssl xz tar findutils shadow-utils -y
COPY config/check_repository.sh /
RUN chmod 775 /check_repository.sh && \
source /check_repository.sh
RUN yum install wazuh-indexer-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
yum clean all
COPY config/opensearch.yml /
COPY config/config.sh .
COPY config/config.yml /
RUN bash config.sh
################################################################################
# Build stage 1 (the actual Wazuh indexer image):
#
# Copy wazuh-indexer from stage 0
# Add entrypoint
################################################################################
FROM amazonlinux:2023
ENV USER="wazuh-indexer" \
GROUP="wazuh-indexer" \
NAME="wazuh-indexer" \
INSTALL_DIR="/usr/share/wazuh-indexer"
# Set $JAVA_HOME
RUN echo "export JAVA_HOME=$INSTALL_DIR/jdk" >> /etc/profile.d/java_home.sh && \
echo "export PATH=\$PATH:\$JAVA_HOME/bin" >> /etc/profile.d/java_home.sh
ENV JAVA_HOME="$INSTALL_DIR/jdk"
ENV PATH=$PATH:$JAVA_HOME/bin:$INSTALL_DIR/bin
# Add k-NN lib directory to library loading path variable
ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$INSTALL_DIR/plugins/opensearch-knn/lib"
RUN yum install curl-minimal shadow-utils findutils hostname -y
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
WORKDIR $INSTALL_DIR
COPY config/entrypoint.sh /
COPY config/securityadmin.sh /
RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
RUN chown 1000:1000 /*.sh
COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
RUN chown -R 1000:1000 /usr/share/wazuh-indexer
RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
chmod 700 /usr/share/wazuh-indexer && \
chmod 600 /usr/share/wazuh-indexer/jvm.options && \
chmod 600 /usr/share/wazuh-indexer/opensearch.yml
USER wazuh-indexer
# Services ports
EXPOSE 9200
ENTRYPOINT ["/entrypoint.sh"]
# Dummy overridable parameter parsed by entrypoint
CMD ["opensearchwrapper"]

15
build-docker-images/wazuh-indexer/config/check_repository.sh
View File

@@ -1,15 +0,0 @@
## variables
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 11- | grep ^v${WAZUH_VERSION}$)
## check tag to use the correct repository
if [[ -n "${WAZUH_TAG}" ]]; then
APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
fi
rpm --import "${APT_KEY}"
echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

102
build-docker-images/wazuh-indexer/config/config.sh
View File

@@ -1,102 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-indexer
export TARGET_DIR=${CURDIR}/debian/${NAME}
# Package build options
export USER=${NAME}
export GROUP=${NAME}
export VERSION=${WAZUH_VERSION}-${WAZUH_TAG_REVISION}
export LOG_DIR=/var/log/${NAME}
export LIB_DIR=/var/lib/${NAME}
export PID_DIR=/run/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}
export BASE_DIR=${NAME}-*
export INDEXER_FILE=wazuh-indexer-base.tar.xz
export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
export REPO_DIR=/unattended_installer
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/5.0/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
## Check if the password tool exists in S3 buckets
PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If password tool exists in some bucket, download it, if not exit 1
if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL
echo "Password tool exists in Packages bucket"
elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL
echo "Password tool exists in Packages-dev bucket"
else
echo "Password tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# copy to target
mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
mkdir -p ${TARGET_DIR}${CONFIG_DIR}
mkdir -p ${TARGET_DIR}${LIB_DIR}
mkdir -p ${TARGET_DIR}${LOG_DIR}
mkdir -p ${TARGET_DIR}/etc/init.d
mkdir -p ${TARGET_DIR}/etc/default
mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs
# Copy Wazuh's config files for the security plugin
cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /action_groups.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
# Copy Wazuh indexer's certificates
cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem
cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem
cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key
cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem
cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem
cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem
# Delete xms and xmx parameters in jvm.options
sed '/-Xms/d' -i /etc/wazuh-indexer/jvm.options
sed '/-Xmx/d' -i /etc/wazuh-indexer/jvm.options
sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' /etc/wazuh-indexer/jvm.options
chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*
find ${TARGET_DIR} -type d -exec chmod 750 {} \;
find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \;
find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \;
find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \;
find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \;

5
build-docker-images/wazuh-indexer/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: demo.indexer
ip: demo.indexer

378
build-docker-images/wazuh-indexer/config/entrypoint.sh
View File

@@ -1,378 +0,0 @@
#!/usr/bin/env bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
umask 0002
export USER=wazuh-indexer
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}
export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
opensearch_vars=(
cluster.name
node.name
node.roles
path.data
path.logs
bootstrap.memory_lock
network.host
http.port
transport.port
network.bind_host
network.publish_host
transport.tcp.port
compatibility.override_main_response_version
http.host
http.bind_host
http.publish_host
http.compression
transport.host
transport.bind_host
transport.publish_host
discovery.seed_hosts
discovery.seed_providers
discovery.type
cluster.initial_cluster_manager_nodes
cluster.initial_master_nodes
node.max_local_storage_nodes
gateway.recover_after_nodes
gateway.recover_after_data_nodes
gateway.expected_data_nodes
gateway.recover_after_time
plugins.security.nodes_dn
plugins.security.nodes_dn_dynamic_config_enabled
plugins.security.authcz.admin_dn
plugins.security.roles_mapping_resolution
plugins.security.dls.mode
plugins.security.compliance.salt
config.dynamic.http.anonymous_auth_enabled
plugins.security.restapi.roles_enabled
plugins.security.restapi.password_validation_regex
plugins.security.restapi.password_validation_error_message
plugins.security.restapi.password_min_length
plugins.security.restapi.password_score_based_validation_strength
plugins.security.unsupported.restapi.allow_securityconfig_modification
plugins.security.authcz.impersonation_dn
plugins.security.authcz.rest_impersonation_user
plugins.security.allow_default_init_securityindex
plugins.security.allow_unsafe_democertificates
plugins.security.system_indices.permission.enabled
plugins.security.config_index_name
plugins.security.cert.oid
plugins.security.cert.intercluster_request_evaluator_class
plugins.security.enable_snapshot_restore_privilege
plugins.security.check_snapshot_restore_write_privileges
plugins.security.cache.ttl_minutes
plugins.security.protected_indices.enabled
plugins.security.protected_indices.roles
plugins.security.protected_indices.indices
plugins.security.system_indices.enabled
plugins.security.system_indices.indices
plugins.security.audit.enable_rest
plugins.security.audit.enable_transport
plugins.security.audit.resolve_bulk_requests
plugins.security.audit.config.disabled_categories
plugins.security.audit.ignore_requests
plugins.security.audit.threadpool.size
plugins.security.audit.threadpool.max_queue_len
plugins.security.audit.ignore_users
plugins.security.audit.type
plugins.security.audit.config.http_endpoints
plugins.security.audit.config.index
plugins.security.audit.config.type
plugins.security.audit.config.username
plugins.security.audit.config.password
plugins.security.audit.config.enable_ssl
plugins.security.audit.config.verify_hostnames
plugins.security.audit.config.enable_ssl_client_auth
plugins.security.audit.config.cert_alias
plugins.security.audit.config.pemkey_filepath
plugins.security.audit.config.pemkey_content
plugins.security.audit.config.pemkey_password
plugins.security.audit.config.pemcert_filepath
plugins.security.audit.config.pemcert_content
plugins.security.audit.config.pemtrustedcas_filepath
plugins.security.audit.config.pemtrustedcas_content
plugins.security.audit.config.webhook.url
plugins.security.audit.config.webhook.format
plugins.security.audit.config.webhook.ssl.verify
plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath
plugins.security.audit.config.webhook.ssl.pemtrustedcas_content
plugins.security.audit.config.log4j.logger_name
plugins.security.audit.config.log4j.level
opendistro_security.audit.config.disabled_rest_categories
opendistro_security.audit.config.disabled_transport_categories
plugins.security.ssl.transport.enforce_hostname_verification
plugins.security.ssl.transport.resolve_hostname
plugins.security.ssl.http.clientauth_mode
plugins.security.ssl.http.enabled_ciphers
plugins.security.ssl.http.enabled_protocols
plugins.security.ssl.transport.enabled_ciphers
plugins.security.ssl.transport.enabled_protocols
plugins.security.ssl.transport.keystore_type
plugins.security.ssl.transport.keystore_filepath
plugins.security.ssl.transport.keystore_alias
plugins.security.ssl.transport.keystore_password
plugins.security.ssl.transport.truststore_type
plugins.security.ssl.transport.truststore_filepath
plugins.security.ssl.transport.truststore_alias
plugins.security.ssl.transport.truststore_password
plugins.security.ssl.http.enabled
plugins.security.ssl.http.keystore_type
plugins.security.ssl.http.keystore_filepath
plugins.security.ssl.http.keystore_alias
plugins.security.ssl.http.keystore_password
plugins.security.ssl.http.truststore_type
plugins.security.ssl.http.truststore_filepath
plugins.security.ssl.http.truststore_alias
plugins.security.ssl.http.truststore_password
plugins.security.ssl.transport.enable_openssl_if_available
plugins.security.ssl.http.enable_openssl_if_available
plugins.security.ssl.transport.pemkey_filepath
plugins.security.ssl.transport.pemkey_password
plugins.security.ssl.transport.pemcert_filepath
plugins.security.ssl.transport.pemtrustedcas_filepath
plugins.security.ssl.http.pemkey_filepath
plugins.security.ssl.http.pemkey_password
plugins.security.ssl.http.pemcert_filepath
plugins.security.ssl.http.pemtrustedcas_filepath
plugins.security.ssl.transport.enabled
plugins.security.ssl.transport.client.pemkey_password
plugins.security.ssl.transport.keystore_keypassword
plugins.security.ssl.transport.server.keystore_keypassword
plugins.sercurity.ssl.transport.server.keystore_alias
plugins.sercurity.ssl.transport.client.keystore_alias
plugins.sercurity.ssl.transport.server.truststore_alias
plugins.sercurity.ssl.transport.client.truststore_alias
plugins.security.ssl.client.external_context_id
plugins.secuirty.ssl.transport.principal_extractor_class
plugins.security.ssl.http.crl.file_path
plugins.security.ssl.http.crl.validate
plugins.security.ssl.http.crl.prefer_crlfile_over_ocsp
plugins.security.ssl.http.crl.check_only_end_entitites
plugins.security.ssl.http.crl.disable_ocsp
plugins.security.ssl.http.crl.disable_crldp
plugins.security.ssl.allow_client_initiated_renegotiation
indices.breaker.total.use_real_memory
indices.breaker.total.limit
indices.breaker.fielddata.limit
indices.breaker.fielddata.overhead
indices.breaker.request.limit
indices.breaker.request.overhead
network.breaker.inflight_requests.limit
network.breaker.inflight_requests.overhead
cluster.routing.allocation.enable
cluster.routing.allocation.node_concurrent_incoming_recoveries
cluster.routing.allocation.node_concurrent_outgoing_recoveries
cluster.routing.allocation.node_concurrent_recoveries
cluster.routing.allocation.node_initial_primaries_recoveries
cluster.routing.allocation.same_shard.host
cluster.routing.rebalance.enable
cluster.routing.allocation.allow_rebalance
cluster.routing.allocation.cluster_concurrent_rebalance
cluster.routing.allocation.balance.shard
cluster.routing.allocation.balance.index
cluster.routing.allocation.balance.threshold
cluster.routing.allocation.balance.prefer_primary
cluster.routing.allocation.disk.threshold_enabled
cluster.routing.allocation.disk.watermark.low
cluster.routing.allocation.disk.watermark.high
cluster.routing.allocation.disk.watermark.flood_stage
cluster.info.update.interval
cluster.routing.allocation.shard_movement_strategy
cluster.blocks.read_only
cluster.blocks.read_only_allow_delete
cluster.max_shards_per_node
cluster.persistent_tasks.allocation.enable
cluster.persistent_tasks.allocation.recheck_interval
cluster.search.request.slowlog.threshold.warn
cluster.search.request.slowlog.threshold.info
cluster.search.request.slowlog.threshold.debug
cluster.search.request.slowlog.threshold.trace
cluster.search.request.slowlog.level
cluster.fault_detection.leader_check.timeout
cluster.fault_detection.follower_check.timeout
action.auto_create_index
action.destructive_requires_name
cluster.default.index.refresh_interval
cluster.minimum.index.refresh_interval
cluster.indices.close.enable
indices.recovery.max_bytes_per_sec
indices.recovery.max_concurrent_file_chunks
indices.recovery.max_concurrent_operations
indices.recovery.max_concurrent_remote_store_streams
indices.time_series_index.default_index_merge_policy
indices.fielddata.cache.size
index.number_of_shards
index.number_of_routing_shards
index.shard.check_on_startup
index.codec
index.codec.compression_level
index.routing_partition_size
index.soft_deletes.retention_lease.period
index.load_fixed_bitset_filters_eagerly
index.hidden
index.merge.policy
index.merge_on_flush.enabled
index.merge_on_flush.max_full_flush_merge_wait_time
index.merge_on_flush.policy
index.check_pending_flush.enabled
index.number_of_replicas
index.auto_expand_replicas
index.search.idle.after
index.refresh_interval
index.max_result_window
index.max_inner_result_window
index.max_rescore_window
index.max_docvalue_fields_search
index.max_script_fields
index.max_ngram_diff
index.max_shingle_diff
index.max_refresh_listeners
index.analyze.max_token_count
index.highlight.max_analyzed_offset
index.max_terms_count
index.max_regex_length
index.query.default_field
index.query.max_nested_depth
index.routing.allocation.enable
index.routing.rebalance.enable
index.gc_deletes
index.default_pipeline
index.final_pipeline
index.optimize_doc_id_lookup.fuzzy_set.enabled
index.optimize_doc_id_lookup.fuzzy_set.false_positive_probability
search.max_buckets
search.phase_took_enabled
search.allow_expensive_queries
search.default_allow_partial_results
search.cancel_after_time_interval
search.default_search_timeout
search.default_keep_alive
search.keep_alive_interval
search.max_keep_alive
search.low_level_cancellation
search.max_open_scroll_context
search.request_stats_enabled
search.highlight.term_vector_multi_value
snapshot.max_concurrent_operations
cluster.remote_store.translog.buffer_interval
remote_store.moving_average_window_size
opensearch.notifications.core.allowed_config_types
opensearch.notifications.core.email.minimum_header_length
opensearch.notifications.core.email.size_limit
opensearch.notifications.core.http.connection_timeout
opensearch.notifications.core.http.host_deny_list
opensearch.notifications.core.http.max_connection_per_route
opensearch.notifications.core.http.max_connections
opensearch.notifications.core.http.socket_timeout
opensearch.notifications.core.tooltip_support
opensearch.notifications.general.filter_by_backend_roles
)
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000:0 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
function buildOpensearchConfig {
echo "" >> $OPENSEARCH_PATH_CONF/opensearch.yml
for opensearch_var in ${opensearch_vars[*]}; do
env_var=$(echo ${opensearch_var^^} | tr . _)
value=${!env_var}
if [[ -n $value ]]; then
if grep -q $opensearch_var $OPENSEARCH_PATH_CONF/opensearch.yml; then
lineNum="$(grep -n "$opensearch_var" $OPENSEARCH_PATH_CONF/opensearch.yml | head -n 1 | cut -d: -f1)"
sed -i "${lineNum}d" $OPENSEARCH_PATH_CONF/opensearch.yml
charline=$(awk "NR == ${lineNum}" $OPENSEARCH_PATH_CONF/opensearch.yml | head -c 1)
fi
while :
do
case "$charline" in
"-"| "#" |" ") sed -i "${lineNum}d" $OPENSEARCH_PATH_CONF/opensearch.yml;;
*) break;;
esac
charline=$(awk "NR == ${lineNum}" $OPENSEARCH_PATH_CONF/opensearch.yml | head -c 1)
done
longoptfile="${opensearch_var}: ${value}"
if grep -q $opensearch_var $OPENSEARCH_PATH_CONF/opensearch.yml; then
sed -i "/${opensearch_var}/ s|^.*$|${longoptfile}|" $OPENSEARCH_PATH_CONF/opensearch.yml
else
echo $longoptfile >> $OPENSEARCH_PATH_CONF/opensearch.yml
fi
fi
done
}
buildOpensearchConfig
# Allow user specify custom CMD, maybe bin/opensearch itself
# for example to directly specify `-E` style parameters for opensearch on k8s
# or simply to run /bin/bash to check the image
if [[ "$1" != "opensearchwrapper" ]]; then
if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
# Rewrite CMD args to replace $1 with `opensearch` explicitly,
# Without this, user could specify `opensearch -E x.y=z` but
# `bin/opensearch -E x.y=z` would not work.
set -- "opensearch" "${@:2}"
# Use chroot to switch to UID 1000 / GID 0
exec chroot --userspec=1000:0 / "$@"
else
# User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
exec "$@"
fi
fi
# Allow environment variables to be set by creating a file with the
# contents, and setting an environment variable with the suffix _FILE to
# point to it. This can be used to provide secrets to a container, without
# the values being specified explicitly when running the container.
#
# This is also sourced in opensearch-env, and is only needed here
# as well because we use INDEXER_PASSWORD below. Sourcing this script
# is idempotent.
source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
if [[ -f bin/opensearch-users ]]; then
# Check for the INDEXER_PASSWORD environment variable to set the
# bootstrap password for Security.
#
# This is only required for the first node in a cluster with Security
# enabled, but we have no way of knowing which node we are yet. We'll just
# honor the variable if it's present.
if [[ -n "$INDEXER_PASSWORD" ]]; then
[[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
# keystore is unencrypted
if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
(run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
fi
else
# keystore requires password
if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
| opensearch-keystore list | grep -q '^bootstrap.password$') ; then
COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
(run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
fi
fi
fi
fi
if [[ "$(id -u)" == "0" ]]; then
# If requested and running as root, mutate the ownership of bind-mounts
if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
fi
fi
run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

3
build-docker-images/wazuh-indexer/config/securityadmin.sh
View File

@@ -1,3 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
sleep 30
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

68
build-docker-images/wazuh-manager/Dockerfile
View File

@@ -1,68 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM amazonlinux:2023
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
ARG FILEBEAT_TEMPLATE_BRANCH
ARG FILEBEAT_CHANNEL=filebeat-oss
ARG FILEBEAT_VERSION=7.10.2
ARG WAZUH_FILEBEAT_MODULE
ARG S6_VERSION="v2.2.0.3"
RUN yum install curl-minimal xz gnupg tar gzip openssl findutils procps -y &&\
yum clean all
COPY config/check_repository.sh /
COPY config/filebeat_module.sh /
COPY config/permanent_data.env config/permanent_data.sh /
RUN chmod 775 /check_repository.sh
RUN source /check_repository.sh
RUN yum install wazuh-manager-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
yum clean all && \
chmod 775 /filebeat_module.sh && \
source /filebeat_module.sh && \
rm /filebeat_module.sh && \
curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
rm /tmp/s6-overlay-amd64.tar.gz
COPY config/etc/ /etc/
COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
ADD https://raw.githubusercontent.com/wazuh/wazuh/$FILEBEAT_TEMPLATE_BRANCH/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
#Make mount directories for keep permissions
RUN mkdir -p /var/ossec/var/multigroups && \
chown root:wazuh /var/ossec/var/multigroups && \
chmod 770 /var/ossec/var/multigroups && \
mkdir -p /var/ossec/agentless && \
chown root:wazuh /var/ossec/agentless && \
chmod 770 /var/ossec/agentless && \
mkdir -p /var/ossec/active-response/bin && \
chown root:wazuh /var/ossec/active-response/bin && \
chmod 770 /var/ossec/active-response/bin && \
chmod 755 /permanent_data.sh && \
sync && /permanent_data.sh && \
sync && rm /permanent_data.sh
RUN rm /etc/yum.repos.d/wazuh.repo
# Services ports
EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
ENTRYPOINT [ "/init" ]

15
build-docker-images/wazuh-manager/config/check_repository.sh
View File

@@ -1,15 +0,0 @@
## variables
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 11- | grep ^v${WAZUH_VERSION}$)
## check tag to use the correct repository
if [[ -n "${WAZUH_TAG}" ]]; then
APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
fi
rpm --import "${APT_KEY}"
echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

102
build-docker-images/wazuh-manager/config/create_user.py
View File

@@ -1,102 +0,0 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.rbac.orm import check_database_integrity
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except ModuleNotFoundError as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
# create RBAC database
check_database_integrity()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
for def_user in ['wazuh', 'wazuh-wui']:
if def_user != username:
disable_user(initial_users[def_user])

51
build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat
View File

@@ -1,51 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
if [ "$INDEXER_URL" != "" ]; then
>&2 echo "Customize Elasticsearch output IP"
sed -i "s|hosts:.*|hosts: ['$INDEXER_URL']|g" /etc/filebeat/filebeat.yml
fi
# Configure filebeat.yml security settings
if [ "$INDEXER_USERNAME" != "" ]; then
>&2 echo "Configuring username."
sed -i "s|#username:.*|username:|g" /etc/filebeat/filebeat.yml
sed -i "s|username:.*|username: '$INDEXER_USERNAME'|g" /etc/filebeat/filebeat.yml
fi
if [ "$INDEXER_PASSWORD" != "" ]; then
>&2 echo "Configuring password."
sed -i "s|#password:.*|password:|g" /etc/filebeat/filebeat.yml
sed -i "s|password:.*|password: '$INDEXER_PASSWORD'|g" /etc/filebeat/filebeat.yml
fi
if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
>&2 echo "Configuring SSL verification mode."
sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.verification_mode:.*|ssl.verification_mode: '$FILEBEAT_SSL_VERIFICATION_MODE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
>&2 echo "Configuring Certificate Authorities."
sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE" != "" ]; then
>&2 echo "Configuring SSL Certificate."
sed -i "s|#ssl.certificate:.*|ssl.certificate:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_KEY" != "" ]; then
>&2 echo "Configuring SSL Key."
sed -i "s|#ssl.key:.*|ssl.key:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
fi
chmod go-w /etc/filebeat/filebeat.yml || true
chown root: /etc/filebeat/filebeat.yml || true

136
build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager
View File

@@ -1,136 +0,0 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function echored()
{
echo $(__colortext "$1" "31")
}
function_wazuh_migration(){
if [ -d "/wazuh-migration" ]; then
if [ ! -e /wazuh-migration/.migration-completed ]; then
if [ ! -e /wazuh-migration/global.db ]; then
echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
return
fi
\cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
chown root:wazuh /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
\cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
chown wazuh:wazuh /var/ossec/etc/client.keys
chmod 640 /var/ossec/etc/client.keys
\cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
\cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
\cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
chown wazuh:wazuh /var/ossec/etc/shared/default/agent.conf
chmod 660 /var/ossec/etc/shared/default/agent.conf
\cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
chown wazuh:wazuh /var/ossec/etc/decoders/*
chmod 660 /var/ossec/etc/decoders/*
\cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:wazuh /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown wazuh:wazuh /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db
# mark volume as migrated
touch /wazuh-migration/.migration-completed
echogreen "Migration completed succesfully"
else
echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
fi
fi
}
function_create_custom_user() {
if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
cat << EOF > /var/ossec/api/configuration/admin.json
{
"username": "$API_USERNAME",
"password": "$API_PASSWORD"
}
EOF
# create or customize API user
if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then
# remove json if exit code is 0
rm /var/ossec/api/configuration/admin.json
else
echored "There was an error configuring the API user"
# terminate container to avoid unpredictable behavior
exec s6-svscanctl -t /var/run/s6/services
exit 1
fi
fi
}
function_entrypoint_scripts() {
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
if [ -d "/entrypoint-scripts/" ]
then
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
fi
}
function_configure_vulnerability_detection() {
if [ "$INDEXER_PASSWORD" != "" ]; then
>&2 echo "Configuring password."
/var/ossec/bin/wazuh-keystore -f indexer -k username -v $INDEXER_USERNAME
/var/ossec/bin/wazuh-keystore -f indexer -k password -v $INDEXER_PASSWORD
fi
}
# Migrate data from /wazuh-migration volume
function_wazuh_migration
# create API custom user
function_create_custom_user
# configure Vulnerabilty detection
function_configure_vulnerability_detection
# run entrypoint scripts
function_entrypoint_scripts
# Start Wazuh
/var/ossec/bin/wazuh-control start

6
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/finish
View File

@@ -1,6 +0,0 @@
#!/usr/bin/env sh
echo >&2 "Filebeat exited. code=${1}"
# terminate other services to exit from the container
exec s6-svscanctl -t /var/run/s6/services

4
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
echo >&2 "starting Filebeat"
exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

4
build-docker-images/wazuh-manager/config/etc/services.d/ossec-logs/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
# dumping ossec.log to standard output
exec tail -F /var/ossec/logs/ossec.log

31
build-docker-images/wazuh-manager/config/filebeat.yml
View File

@@ -1,31 +0,0 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.overwrite: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://wazuh.indexer:9200']
#username:
#password:
#ssl.verification_mode:
#ssl.certificate_authorities:
#ssl.certificate:
#ssl.key:
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq

12
build-docker-images/wazuh-manager/config/filebeat_module.sh
View File

@@ -1,12 +0,0 @@
## variables
REPOSITORY="packages-dev.wazuh.com/pre-release"
WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 11- | grep ^v${WAZUH_VERSION}$)
## check tag to use the correct repository
if [[ -n "${WAZUH_TAG}" ]]; then
REPOSITORY="packages.wazuh.com/4.x"
fi
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
yum install -y ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && \
curl -s https://${REPOSITORY}/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module

102
build-docker-images/wazuh-manager/config/permanent_data.env
View File

@@ -1,102 +0,0 @@
# Permanent data mounted in volumes
i=0
PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
PERMANENT_DATA[((i++))]="/var/ossec/etc"
PERMANENT_DATA[((i++))]="/var/ossec/logs"
PERMANENT_DATA[((i++))]="/var/ossec/queue"
PERMANENT_DATA[((i++))]="/var/ossec/agentless"
PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
PERMANENT_DATA[((i++))]="/var/ossec/integrations"
PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
PERMANENT_DATA[((i++))]="/var/ossec/wodles"
PERMANENT_DATA[((i++))]="/etc/filebeat"
export PERMANENT_DATA
# Files mounted in a volume that should not be permanent
i=0
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/__init__.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws_tools.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/wazuh_integration.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/__init__.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/aws_bucket.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/cloudtrail.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/config.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/guardduty.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/load_balancers.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/server_access.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/umbrella.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/vpcflow.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/buckets_s3/waf.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/__init__.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/aws_service.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/cloudwatchlogs.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/services/inspector.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/__init__.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/s3_log_handler.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/sqs_message_processor.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/subscribers/sqs_queue.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/db/orm.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/db/utils.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/db/__init__.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/exceptions.py"
export PERMANENT_DATA_EXCP
# Files mounted in a volume that should be deleted
i=0
PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
export PERMANENT_DATA_DEL
i=0
PERMANENT_DATA_MOVE[((i++))]="/var/ossec/logs/ossec /var/ossec/logs/wazuh"
PERMANENT_DATA_MOVE[((i++))]="/var/ossec/queue/ossec /var/ossec/queue/sockets"
export PERMANENT_DATA_MOVE

90
docker-compose.yml Normal file
View File

@@ -0,0 +1,90 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
version: '2'
services:
wazuh:
image: wazuh/wazuh:3.9.3_6.8.1
hostname: wazuh-manager
restart: always
ports:
- "1514:1514/udp"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
depends_on:
- logstash
logstash:
image: wazuh/wazuh-logstash:3.9.3_6.8.1
hostname: logstash
restart: always
links:
- elasticsearch:elasticsearch
ports:
- "5000:5000"
depends_on:
- elasticsearch
environment:
- LS_HEAP_SIZE=2048m
- SECURITY_ENABLED=yes
- SECURITY_LOGSTASH_USER=service_logstash
- SECURITY_LOGSTASH_PASS=logstash_pass
- LOGSTASH_OUTPUT=https://elasticsearch:9200
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
elasticsearch:
image: wazuh/wazuh-elasticsearch:3.9.3_6.8.1
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- node.name=node-1
- cluster.name=wazuh
- network.host=0.0.0.0
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTICSEARCH_PROTOCOL=https
- ELASTICSEARCH_IP=elasticsearch
- ELASTICSEARCH_PORT=9200
- SECURITY_ENABLED=yes
- SECURITY_ADMIN_USER=wazuh_admin
- SECURITY_ADMIN_PASS=admin_pass
- SECURITY_ELASTIC_PASSWORD=elastic_pass
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- SECURITY_LOGSTASH_USER=service_logstash
- SECURITY_LOGSTASH_PASS=logstash_pass
- SECURITY_CA_PASSPHRASE=ca_pass
- SECURITY_CERTIFICATE_DNS=elasticsearch
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
- SECURITY_CA_KEY=server.TEST-CA.key
- SECURITY_CA_TRUST=server.TEST-CA-signed.pem
- SECURITY_MAIN_NODE=elasticsearch
- SECURITY_OPENSSL_CONF=TEST_openssl.cnf
- SECURITY_MONITORING_USER=service_monitoring
- SECURITY_MONITORING_PASS=monitoring_pass
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
kibana:
image: wazuh/wazuh-kibana:3.9.3_6.8.1
hostname: kibana
restart: always
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_ENABLED=yes
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
- SECURITY_KIBANA_SSL_CERT_PATH=/usr/share/kibana/config/ssl/certs
- ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
ports:
- "5601:5601"

79
elasticsearch/Dockerfile Normal file
View File

@@ -0,0 +1,79 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.2
ENV ALERTS_SHARDS="1" \
ALERTS_REPLICAS="0"
ENV API_USER="foo" \
API_PASS="bar"
ENV XPACK_ML="true"
ENV ENABLE_CONFIGURE_S3="false"
ENV TEMPLATE_VERSION=v3.9.4
# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate.
# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF
# Example:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_KEY_LOCATION=""
ARG SECURITY_OPENSSL_CONF_LOCATION=""
ARG SECURITY_CA_TRUST_LOCATION=""
# Elasticearch cluster configuration environment variables
# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
ENV ELASTIC_CLUSTER="false" \
CLUSTER_NAME="wazuh" \
CLUSTER_NODE_MASTER="true" \
CLUSTER_NODE_DATA="true" \
CLUSTER_NODE_INGEST="true" \
CLUSTER_NODE_NAME="wazuh-elasticsearch" \
CLUSTER_MEMORY_LOCK="true" \
CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
CLUSTER_NUMBER_OF_MASTERS="2" \
CLUSTER_MAX_NODES="1" \
CLUSTER_DELAYED_TIMEOUT="1m"
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/6.x/wazuh-template.json /usr/share/elasticsearch/config
# CA cert for Transport SSL
ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config
RUN yum install openssl -y
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
RUN chmod +x ./load_settings.sh
RUN bin/elasticsearch-plugin install --batch https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-6.8.2.zip
COPY config/configure_s3.sh ./config/configure_s3.sh
RUN chmod 755 ./config/configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-config_secure.sh /entrypoint-scripts/20-config_secure.sh
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-entrypoint.sh /entrypoint-scripts/30-entrypoint.sh
RUN chmod +x /entrypoint-scripts/30-entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

36
elasticsearch/config/10-config_cluster.sh Normal file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
cp $elastic_config_file $original_file
# If Elasticsearch cluster is enable
if [[ $ELASTIC_CLUSTER == "true" ]]
then
# Set the cluster.name and discovery.zen.minimun_master_nodes variables
sed -i 's:cluster.name\: "docker-cluster":cluster.name\: "'$CLUSTER_NAME'":g' $elastic_config_file
# Add the cluster configuration
echo "
#cluster node
node:
master: ${CLUSTER_NODE_MASTER}
data: ${CLUSTER_NODE_DATA}
ingest: ${CLUSTER_NODE_INGEST}
name: ${CLUSTER_NODE_NAME}
max_local_storage_nodes: ${CLUSTER_MAX_NODES}
bootstrap:
memory_lock: ${CLUSTER_MEMORY_LOCK}
discovery:
zen:
ping.unicast.hosts: ${CLUSTER_DISCOVERY_SERVICE}
minimum_master_nodes: ${CLUSTER_NUMBER_OF_MASTERS}
" >> $elastic_config_file
fi

111
elasticsearch/config/20-config_secure.sh Normal file
View File

@@ -0,0 +1,111 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
##############################################################################
# Setup bootstrap password to chagne all Elastic Stack passwords.
# Set xpack.security.enabled to true. In Elastic 7 must add ssl options
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Creating certificate."
pushd /usr/share/elasticsearch/config/
echo "Setting configuration options."
# Create instances.yml for elasticsearch .p12 certificate and key
echo "
instances:
- name: \"elasticsearch\"
dns:
- $SECURITY_CERTIFICATE_DNS
" > instances.yml
# Change permissions and owner of ca
chown elasticsearch: /usr/share/elasticsearch/config/$SECURITY_CA_PEM
chmod 440 /usr/share/elasticsearch/config/$SECURITY_CA_PEM
# Genereate .p12 certificate and key
SECURITY_KEY_PASSPHRASE=`date +%s | sha256sum | base64 | head -c 32 ; echo`
/usr/share/elasticsearch/bin/elasticsearch-certutil csr --in instances.yml --out certs.zip --pass $SECURITY_KEY_PASSPHRASE
unzip certs.zip
rm certs.zip
# Change permissions and owner of certificates
chown -R elasticsearch: /usr/share/elasticsearch/config/elasticsearch
chmod -R 770 /usr/share/elasticsearch/config/elasticsearch
chmod 400 /usr/share/elasticsearch/config/elasticsearch/elasticsearch.csr
# Prepare directories for openssl
mkdir /root/ca
mkdir /root/ca/certs /root/ca/crl /root/ca/newcerts /root/ca/private
chmod 700 /root/ca/private
touch /root/ca/index.txt
echo 1000 > /root/ca/serial
mkdir /root/ca/intermediate
mkdir /root/ca/intermediate/certs /root/ca/intermediate/crl /root/ca/intermediate/csr /root/ca/intermediate/newcerts /root/ca/intermediate/private
chmod 700 /root/ca/intermediate/private
touch /root/ca/intermediate/index.txt
echo 1000 > /root/ca/intermediate/serial
echo 1000 > /root/ca/intermediate/crlnumber
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $SECURITY_CA_PASSPHRASE -out elasticsearch.cert.pem
else
input=${SECURITY_CREDENTIALS_FILE}
CA_PASSPHRASE_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"CA_PASSPHRASE"* ]]; then
arrIN=(${line//:/ })
CA_PASSPHRASE_FROM_FILE=${arrIN[1]}
fi
done < "$input"
openssl ca -batch -config $SECURITY_OPENSSL_CONF -in elasticsearch/elasticsearch.csr -cert $SECURITY_CA_PEM -keyfile $SECURITY_CA_KEY -key $CA_PASSPHRASE_FROM_FILE -out elasticsearch.cert.pem
fi
chmod 440 /usr/share/elasticsearch/config/elasticsearch.cert.pem
# remove CA key
rm $SECURITY_CA_KEY
popd
echo "Setting configuration options."
# Settings for elasticsearch.yml
echo "
# Required to set the passwords and TLS options
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/$SECURITY_CA_TRUST\"]
" >> $elastic_config_file
# Create keystore
/usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
echo -e "$SECURITY_KEY_PASSPHRASE" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
fi

70
elasticsearch/config/30-entrypoint.sh Normal file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
set -e
# Files created by Elasticsearch should always be group writable too
umask 0002
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
#Disabling xpack features
elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
if grep -Fq "#xpack features" "$elasticsearch_config_file" ;
then
declare -A CONFIG_MAP=(
[xpack.ml.enabled]=$XPACK_ML
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
fi
done
else
echo "
#xpack features
xpack.ml.enabled: $XPACK_ML
" >> $elasticsearch_config_file
fi
# Run load settings script.
bash /usr/share/elasticsearch/load_settings.sh &
# Execute elasticsearch
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Change Elastic password"
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
else
input=${SECURITY_CREDENTIALS_FILE}
ELASTIC_PASSWORD_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
fi
done < "$input"
run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
fi
echo "Elastic password changed"
fi
run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch

132
elasticsearch/config/TEST_openssl.cnf Normal file
View File

@@ -0,0 +1,132 @@
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

106
elasticsearch/config/configure_s3.sh Normal file
View File

@@ -0,0 +1,106 @@
#!/bin/bash
set -e
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials for
# monitoring
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u elastic:${ELASTIC_PASS} -k"
else
auth=""
fi
# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
# param 1: number of arguments passed to configure_s3.sh
function CheckArgs()
{
if [ $1 != 4 ] && [ $1 != 5 ];then
echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>"
exit 1
fi
}
# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# param 1: <Elastic_Server_IP:Port>
# param 2: <Bucket>
# param 3: <Path>
# param 4: <RepositoryName>
# param 5: Optional <Elasticsearch major version>
# output: It will show "acknowledged" if the repository has been successfully created
function CreateRepo()
{
elastic_ip_port="$2"
bucket_name="$3"
path="$4"
repository_name="$5"
if [ $1 == 5 ];then
version="$6"
else
version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
fi
if ! [[ "$version" =~ ^[0-9]+$ ]];then
echo "Elasticsearch major version must be an integer"
exit 1
fi
repository="$repository_name-$version"
s3_path="$path/$version"
>&2 echo "Create S3 repository"
until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
>&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
sleep 5
done
>&2 echo "S3 repository created"
}
# Run functions CheckArgs and CreateRepo
# param 1: number of arguments passed to configure_s3.sh
# param 2: <Elastic_Server_IP:Port>
# param 3: <Bucket>
# param 4: <Path>
# param 5: <RepositoryName>
# param 6: Optional <Elasticsearch major version>
function Main()
{
CheckArgs $1
CreateRepo $1 $2 $3 $4 $5 $6
}
Main $# $1 $2 $3 $4 $5

8
elasticsearch/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

232
elasticsearch/config/load_settings.sh Normal file
View File

@@ -0,0 +1,232 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
ELASTIC_PASS=""
KIBANA_USER=""
KIBANA_PASS=""
LOGSTASH_USER=""
LOGSTASH_PASS=""
ADMIN_USER=""
ADMIN_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
MONITORING_USER=""
MONITORING_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
ADMIN_USER=${SECURITY_ADMIN_USER}
ADMIN_PASS=${SECURITY_ADMIN_PASS}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
MONITORING_USER=${SECURITY_MONITORING_USER}
MONITORING_PASS=${SECURITY_MONITORING_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
elif [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"ADMIN_USER"* ]]; then
arrIN=(${line//:/ })
ADMIN_USER=${arrIN[1]}
elif [[ $line == *"ADMIN_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ADMIN_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
elif [[ $line == *"MONITORING_USER"* ]]; then
arrIN=(${line//:/ })
MONITORING_USER=${arrIN[1]}
elif [[ $line == *"MONITORING_PASSWORD"* ]]; then
arrIN=(${line//:/ })
MONITORING_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl ${auth} -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "Elastic is up - executing command"
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3_PATH"
>&2 echo $S3_PATH
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "Elasticsearch major version:"
>&2 echo $S3_ELASTIC_MAJOR
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "Elasticserach major version not given"
bash /usr/share/elasticsearch/config/configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Setup passwords for Elastic Stack users
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
MY_HOSTNAME=`hostname`
echo "Hostname:"
echo $MY_HOSTNAME
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
echo "Setting up passwords for all Elastic Stack users"
echo "Setting remote monitoring password"
SECURITY_REMOTE_USER_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
until curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/remote_monitoring_user/_password ' -d '{ "password":"'$SECURITY_REMOTE_USER_PASS'" }'; do
>&2 echo "Unavailable password seeting- sleeping"
sleep 2
done
echo "Setting Kibana password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_wazuh_app ' -d ' { "indices": [ { "names": [ ".kibana*", ".reporting*", ".monitoring*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*", ".wazuh*" ], "privileges": ["all"] } , { "names": [ "wazuh-alerts*" ], "privileges": ["read", "view_index_metadata"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$KIBANA_USER" -d '{ "password":"'$KIBANA_PASS'", "roles" : [ "kibana_system", "service_wazuh_app"], "full_name" : "Service Internal Kibana User" }'
echo "Setting APM password"
SECURITY_APM_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/apm_system/_password ' -d '{ "password":"'$SECURITY_APM_SYSTEM_PASS'" }'
echo "Setting Beats password"
SECURITY_BEATS_SYSTEM_PASS=`date +%s | sha256sum | base64 | head -c 16 ; echo`
curl -u elastic:${ELASTIC_PASS} -k -XPUT -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/beats_system/_password ' -d '{ "password":"'$SECURITY_BEATS_SYSTEM_PASS'" }'
echo "Setting Logstash password"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_logstash_writer ' -d '{ "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$LOGSTASH_USER" -d '{ "password":"'$LOGSTASH_PASS'", "roles" : [ "service_logstash_writer", "logstash_system"], "full_name" : "Service Internal Logstash User" }'
echo "Passwords established for all Elastic Stack users"
echo "Creating Admin user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$ADMIN_USER" -d '{ "password":"'$ADMIN_PASS'", "roles" : [ "superuser"], "full_name" : "Wazuh admin" }'
echo "Admin user created"
echo "Setting monitoring user"
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/service_monitoring_reader ' -d '{ "cluster": ["manage", "monitor"], "indices": [ { "names": [ "*" ], "privileges": ["write","create_index","manage","read", "index"] } ] }'
sleep 5
curl -u elastic:${ELASTIC_PASS} -k -XPOST -H 'Content-Type: application/json' "https://localhost:9200/_xpack/security/user/$MONITORING_USER" -d '{ "password":"'$MONITORING_PASS'", "roles" : [ "service_monitoring_reader", "snapshot_user"], "full_name" : "Service Internal Monitoring User" }'
fi
fi
#Insert default templates
sed -i 's| "index.refresh_interval": "5s"| "index.refresh_interval": "5s", "number_of_shards" : '"${ALERTS_SHARDS}"', "number_of_replicas" : '"${ALERTS_REPLICAS}"'|' /usr/share/elasticsearch/config/wazuh-template.json
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-
sleep 5
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth})
if [ "x$CONFIG_CODE" = "x404" ]; then
curl -s -XPOST $el_url/.wazuh/wazuh-configuration/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "Wazuh APP already configured"
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
# Set cluster delayed timeout when node falls
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
# Remove credentials file.
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "Elasticsearch is ready."

93
kibana/Dockerfile Normal file
View File

@@ -0,0 +1,93 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:6.8.2
ARG WAZUH_APP_VERSION=3.9.4_6.8.2
USER root
ADD https://packages-dev.wazuh.com/pre-release/app/kibana/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
# This CA is created for testing. Please set your own CA pem signed certificate.
# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
# ENV variables are necessary: SECURITY_CA_PEM
# Sample:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
# CA for secure communication with Elastic
ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
RUN NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip &&\
chown -R kibana:kibana /usr/share/kibana &&\
rm -rf /tmp/*
RUN yum install openssl -y
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
RUN mkdir /entrypoint-scripts
USER kibana
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
APP_TIMEOUT="" \
WAZUH_SHARDS="" \
WAZUH_REPLICAS="" \
WAZUH_VERSION_SHARDS="" \
WAZUH_VERSION_REPLICAS="" \
IP_SELECTOR="" \
IP_IGNORE="" \
XPACK_RBAC_ENABLED="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS="" \
ADMIN_PRIVILEGES=""
ARG XPACK_CANVAS="false"
ARG XPACK_LOGS="false"
ARG XPACK_INFRA="false"
ARG XPACK_ML="false"
ARG XPACK_DEVTOOLS="false"
ARG XPACK_MONITORING="false"
ARG XPACK_APM="false"
ARG XPACK_MAPS="false"
ARG XPACK_UPTIME="false"
ARG CHANGE_WELCOME="true"
COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
RUN chmod +x /entrypoint-scripts/20-entrypoint.sh
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
RUN chmod +x ./kibana_settings.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
RUN chmod +x ./xpack_config.sh
RUN ./xpack_config.sh
COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
RUN chmod +x ./welcome_wazuh.sh
RUN ./welcome_wazuh.sh
RUN /usr/local/bin/kibana-docker --optimize
ENTRYPOINT ./entrypoint.sh

40
kibana/config/10-wazuh_app_config.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
[checks.pattern]=$CHECKS_PATTERN
[checks.template]=$CHECKS_TEMPLATE
[checks.api]=$CHECKS_API
[checks.setup]=$CHECKS_SETUP
[extensions.pci]=$EXTENSIONS_PCI
[extensions.gdpr]=$EXTENSIONS_GDPR
[extensions.audit]=$EXTENSIONS_AUDIT
[extensions.oscap]=$EXTENSIONS_OSCAP
[extensions.ciscat]=$EXTENSIONS_CISCAT
[extensions.aws]=$EXTENSIONS_AWS
[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
[extensions.osquery]=$EXTENSIONS_OSQUERY
[timeout]=$APP_TIMEOUT
[wazuh.shards]=$WAZUH_SHARDS
[wazuh.replicas]=$WAZUH_REPLICAS
[wazuh-version.shards]=$WAZUH_VERSION_SHARDS
[wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
[admin]=$ADMIN_PRIVILEGES
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done

133
kibana/config/20-entrypoint.sh Normal file
View File

@@ -0,0 +1,133 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Waiting for elasticsearch
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl -XGET $el_url ${auth}; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
# We must create the ssl certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
# Create keystore
/usr/share/kibana/bin/kibana-keystore create
echo "Setting security Kibana configuiration options."
echo "
# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: [\"/usr/share/kibana/config/$SECURITY_CA_PEM\"]
server.ssl.enabled: true
server.ssl.certificate: $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
server.ssl.key: $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key
server.ssl.supportedProtocols:
- TLSv1.1
- TLSv1.2
" >> /usr/share/kibana/config/kibana.yml
echo "Create SSL directories."
mkdir -p $SECURITY_KIBANA_SSL_KEY_PATH $SECURITY_KIBANA_SSL_CERT_PATH
CA_PATH="/usr/share/kibana/config"
echo "Creating SSL certificates."
pushd $CA_PATH
chown kibana: $CA_PATH/$SECURITY_CA_PEM
chmod 400 $CA_PATH/$SECURITY_CA_PEM
SECURITY_KEY_PASS=`openssl rand -base64 32`
openssl req -batch -x509 -days 18250 -newkey rsa:2048 -keyout $SECURITY_KIBANA_SSL_KEY_PATH/kibana-access.key -out $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem -passout pass:"$SECURITY_KEY_PASS" >/dev/null
chown -R kibana: $CA_PATH/ssl
chmod -R 770 $CA_PATH/ssl
chmod 440 $SECURITY_KIBANA_SSL_CERT_PATH/kibana-access.pem
popd
echo "SSL certificates created."
# Add keys to keystore
echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
echo -e "$SECURITY_KEY_PASS" | /usr/share/kibana/bin/kibana-keystore add server.ssl.keyPassphrase --stdin
echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
fi
##############################################################################
# Run more configuration scripts.
##############################################################################
bash /usr/share/kibana/kibana_settings.sh &
/usr/local/bin/kibana-docker

8
kibana/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

101
kibana/config/kibana_settings.sh Normal file
View File

@@ -0,0 +1,101 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u $KIBANA_USER:${KIBANA_PASS}"
kibana_secure_ip="https://$kibana_ip"
else
auth=""
kibana_secure_ip="http://$kibana_ip"
fi
while [[ "$(curl $auth -k -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
# Prepare index selection.
echo "Kibana API is running"
default_index="/tmp/default_index.json"
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
sleep 5
# Add the wazuh alerts index as default.
curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
# Configuring Kibana TimePicker.
curl $auth -k -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
# Do not ask user to help providing usage statistics to Elastic
curl $auth -k -POST "$kibana_secure_ip:5601/api/telemetry/v1/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
# Remove credentials file
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "End settings"

27
kibana/config/welcome_wazuh.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
if [[ $CHANGE_WELCOME == "true" ]]
then
rm -rf ./optimize/bundles
kibana_path="/usr/share/kibana"
# Set Wazuh app as the default landing page
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
# Hide management undesired links
echo "Hide management undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/upgrade_assistant/public/index.js
fi

40
kibana/config/xpack_config.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
kibana_config_file="/usr/share/kibana/config/kibana.yml"
if grep -Fq "#xpack features" "$kibana_config_file";
then
declare -A CONFIG_MAP=(
[xpack.apm.ui.enabled]=$XPACK_APM
[xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
[xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
[xpack.ml.enabled]=$XPACK_ML
[xpack.canvas.enabled]=$XPACK_CANVAS
[xpack.logstash.enabled]=$XPACK_LOGS
[xpack.infra.enabled]=$XPACK_INFRA
[xpack.monitoring.enabled]=$XPACK_MONITORING
[xpack.maps.enabled]=$XPACK_MAPS
[xpack.uptime.enabled]=$XPACK_UPTIME
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
else
echo "
#xpack features
xpack.apm.ui.enabled: $XPACK_APM
xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
xpack.ml.enabled: $XPACK_ML
xpack.canvas.enabled: $XPACK_CANVAS
xpack.logstash.enabled: $XPACK_LOGS
xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
xpack.maps.enabled: $XPACK_MAPS
xpack.uptime.enabled: $XPACK_UPTIME
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

37
logstash/Dockerfile Normal file
View File

@@ -0,0 +1,37 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/logstash/logstash:6.8.2
COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
# This CA is created for testing. Please set your own CA pem signed certificate.
# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
# ENV variables are necessary: SECURITY_CA_PEM
# Sample:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_PEM_ARG=""
# CA for secure communication with Elastic
ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
# Set permissions for CA
USER root
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
# Add entrypoint scripts
RUN mkdir /entrypoint-scripts
RUN chmod -R 774 /entrypoint-scripts
RUN chown -R logstash:logstash /entrypoint-scripts
COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
RUN chmod +x /entrypoint-scripts/10-entrypoint.sh
USER logstash
ENTRYPOINT /entrypoint.sh

49
logstash/config/01-wazuh.conf Normal file
View File

@@ -0,0 +1,49 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
codec => "json_lines"
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
#user => service_logstash
#password => service_logstash_internal_password
#ssl => true
#cacert => "/path/to/cert.pem"
}
}

158
logstash/config/10-entrypoint.sh Normal file
View File

@@ -0,0 +1,158 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Waiting for elasticsearch
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
LOGSTASH_USER=""
LOGSTASH_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
##############################################################################
# Customize logstash output ip
##############################################################################
if [ "$LOGSTASH_OUTPUT" != "" ]; then
>&2 echo "Customize Logstash ouput ip."
sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
fi
until curl $auth -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping."
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
##############################################################################
# Set Logstash password
##############################################################################
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
## Create secure keystore
SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
/usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
## Settings for logstash.yml
echo "
# Required set the passwords
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.monitoring.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
xpack.management.elasticsearch.hosts: \"$LOGSTASH_OUTPUT/\"
xpack.management.elasticsearch.username: \${LOGSTASH_KS_USER}
xpack.management.elasticsearch.password: \${LOGSTASH_KS_PASS}
xpack.management.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/$SECURITY_CA_PEM
" >> /usr/share/logstash/config/logstash.yml
## Settings for 01-wazuh.conf
sed -i 's:#user => service_logstash:user => "${LOGSTASH_KS_USER}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#password => service_logstash_internal_password:password => "${LOGSTASH_KS_PASS}":g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#ssl => true:ssl => true:g' /usr/share/logstash/pipeline/01-wazuh.conf
sed -i 's:#cacert => "/path/to/cert.pem":cacert => "/usr/share/logstash/config/'$SECURITY_CA_PEM'":g' /usr/share/logstash/pipeline/01-wazuh.conf
## Add keys to the keystore
echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
fi
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
##############################################################################
# Remove credentials file
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
##############################################################################
# Map environment variables to entries in logstash.yml.
# Note that this will mutate logstash.yml in place if any such settings are found.
# This may be undesirable, especially if logstash.yml is bind-mounted from the
# host system.
##############################################################################
env2yaml /usr/share/logstash/config/logstash.yml
export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
exec logstash "$@"
else
exec "$@"
fi

8
logstash/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

361
multi-node/Migration-to-Wazuh-4.4.md
View File

@@ -1,361 +0,0 @@
# Opendistro data migration to Wazuh indexer on docker.
This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments.
The example is migrating from v4.2 to v4.4.
## Procedure
Assuming that you have a v4.2 production deployment, perform the following steps.
**1. Stop 4.2 environment**
`docker-compose -f production-cluster.yml stop`
**2. List elasticsearch volumes**
`docker volume ls --filter name='wazuh-docker_elastic-data'`
**3. Inspect elasticsearch volume**
`docker volume inspect wazuh-docker_elastic-data-1`
**4. Spin down the 4.2 environment.**
`docker-compose -f production-cluster.yml down`
**Steps 5 and 6 can be done with the volume-migrator.sh script, specifying Docker compose version and project name as parameters.**
Ex: $ multi-node/volume-migrator.sh 1.25.0 multi-node
**5. Run the volume create command:** create new indexer and Wazuh manager volumes using the `com.docker.compose.version` label value from the previous command.
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
multi-node_wazuh-indexer-data-1
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
multi-node_wazuh-indexer-data-2
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
multi-node_wazuh-indexer-data-3
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
multi-node_master_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_etc \
multi-node_docker_wazuh_etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-logs \
multi-node_master-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-queue \
multi-node_master-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
multi-node_master-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-integrations \
multi-node_master-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-active-response \
multi-node_master-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-agentless \
multi-node_master-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-wodles \
multi-node_master-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-etc \
multi-node_master-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-var \
multi-node_master-filebeat-var
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
multi-node_worker_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_etc \
multi-node_worker-wazuh-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-logs \
multi-node_worker-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-queue \
multi-node_worker-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
multi-node_worker-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-integrations \
multi-node_worker-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-active-response \
multi-node_worker-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-agentless \
multi-node_worker-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-wodles \
multi-node_worker-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-etc \
multi-node_worker-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-var \
multi-node_worker-filebeat-var
```
**6. Copy the volume content from elasticsearch to Wazuh indexer volumes and old Wazuh manager content to new volumes.**
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v multi-node_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v multi-node_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v multi-node_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v multi-node_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v multi-node_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v multi-node_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v multi-node_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v multi-node_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v multi-node_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v multi-node_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v multi-node_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v multi-node_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v multi-node_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v multi-node_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v multi-node_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v multi-node_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v multi-node_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v multi-node_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v multi-node_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v multi-node_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v multi-node_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v multi-node_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v multi-node_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v multi-node_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v multi-node_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
**7. Start the 4.4 environment.**
```
git checkout 4.4
cd multi-node
docker-compose -f generate-certs.yml run --rm generator
docker-compose up -d
```
**8. Check the access to Wazuh dashboard**: go to the Wazuh dashboard using the web browser and check the data.

26
multi-node/README.md
View File

@@ -1,26 +0,0 @@
# Deploy Wazuh Docker in multi node configuration
This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker compose -f generate-certs.yml run --rm generator
```
3) Start the environment with docker compose:
- In the foregroud:
```
$ docker compose up
```
- In the background:
```
$ docker compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

24
multi-node/config/certs.yml
View File

@@ -1,24 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh1.indexer
ip: wazuh1.indexer
- name: wazuh2.indexer
ip: wazuh2.indexer
- name: wazuh3.indexer
ip: wazuh3.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.master
ip: wazuh.master
node_type: master
- name: wazuh.worker
ip: wazuh.worker
node_type: worker
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

46
multi-node/config/nginx/nginx.conf
View File

@@ -1,46 +0,0 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
gzip on;
}
# load balancer for Wazuh cluster
stream {
upstream mycluster {
hash $remote_addr consistent;
server wazuh.master:1514;
server wazuh.worker:1514;
}
server {
listen 1514;
proxy_pass mycluster;
}
}

310
multi-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,310 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh1.indexer:9200</host>
<host>https://wazuh2.indexer:9200</host>
<host>https://wazuh3.indexer:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>manager</node_name>
<node_type>master</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

310
multi-node/config/wazuh_cluster/wazuh_worker.conf
View File

@@ -1,310 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh1.indexer:9200</host>
<host>https://wazuh2.indexer:9200</host>
<host>https://wazuh3.indexer:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>worker01</node_name>
<node_type>worker</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

7
multi-node/config/wazuh_dashboard/wazuh.yml
View File

@@ -1,7 +0,0 @@
hosts:
- 1513629884013:
url: "https://wazuh.master"
port: 55000
username: wazuh-wui
password: "MyS3cr37P450r.*-"
run_as: false

56
multi-node/config/wazuh_indexer/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

324
multi-node/docker-compose.yml
View File

@@ -1,324 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.master:
image: wazuh/wazuh-manager:5.0.0
hostname: wazuh.master
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
ports:
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
INDEXER_URL: https://wazuh1.indexer:9200
INDEXER_USERNAME: admin
INDEXER_PASSWORD: admin
FILEBEAT_SSL_VERIFICATION_MODE: full
SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
SSL_CERTIFICATE: /etc/ssl/filebeat.pem
SSL_KEY: /etc/ssl/filebeat.key
API_USERNAME: wazuh-wui
API_PASSWORD: MyS3cr37P450r.*-
volumes:
- master-wazuh-api-configuration:/var/ossec/api/configuration
- master-wazuh-etc:/var/ossec/etc
- master-wazuh-logs:/var/ossec/logs
- master-wazuh-queue:/var/ossec/queue
- master-wazuh-var-multigroups:/var/ossec/var/multigroups
- master-wazuh-integrations:/var/ossec/integrations
- master-wazuh-active-response:/var/ossec/active-response/bin
- master-wazuh-agentless:/var/ossec/agentless
- master-wazuh-wodles:/var/ossec/wodles
- master-filebeat-etc:/etc/filebeat
- master-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.worker:
image: wazuh/wazuh-manager:5.0.0
hostname: wazuh.worker
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
environment:
INDEXER_URL: https://wazuh1.indexer:9200
INDEXER_USERNAME: admin
INDEXER_PASSWORD: admin
FILEBEAT_SSL_VERIFICATION_MODE: full
SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
SSL_CERTIFICATE: /etc/ssl/filebeat.pem
SSL_KEY: /etc/ssl/filebeat.key
volumes:
- worker-wazuh-api-configuration:/var/ossec/api/configuration
- worker-wazuh-etc:/var/ossec/etc
- worker-wazuh-logs:/var/ossec/logs
- worker-wazuh-queue:/var/ossec/queue
- worker-wazuh-var-multigroups:/var/ossec/var/multigroups
- worker-wazuh-integrations:/var/ossec/integrations
- worker-wazuh-active-response:/var/ossec/active-response/bin
- worker-wazuh-agentless:/var/ossec/agentless
- worker-wazuh-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
wazuh1.indexer:
image: wazuh/wazuh-indexer:5.0.0
hostname: wazuh1.indexer
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
ports:
- "9200:9200"
environment:
OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
bootstrap.memory_lock: "true"
NETWORK_HOST: wazuh1.indexer
NODE_NAME: wazuh1.indexer
CLUSTER_INITIAL_MASTER_NODES: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
CLUSTER_NAME: "wazuh-cluster"
DISCOVERY_SEED_HOSTS: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
NODE_MAX_LOCAL_STORAGE_NODES: "3"
PATH_DATA: /var/lib/wazuh-indexer
PATH_LOGS: /var/log/wazuh-indexer
PLUGINS_SECURITY_SSL_HTTP_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
PLUGINS_SECURITY_SSL_HTTP_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh1.indexer.key
PLUGINS_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh1.indexer.key
PLUGINS_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_HTTP_ENABLED: "true"
PLUGINS_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION: "false"
PLUGINS_SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME: "false"
PLUGINS_SECURITY_AUTHCZ_ADMIN_DN: "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
PLUGINS_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES: "true"
PLUGINS_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE: "true"
PLUGINS_SECURITY_NODES_DN: '["CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"]'
PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED: '["all_access", "security_rest_api_access"]'
PLUGINS_SECURITY_SYSTEM_INDICES_ENABLED: "true"
PLUGINS_SECURITY_SYSTEM_INDICES_INDICES: '[".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]'
PLUGINS_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX: "true"
CLUSTER_ROUTING_ALLOCATION_DISK_THRESHOLD_ENABLED: "false"
COMPATIBILITY_OVERRIDE_MAIN_RESPONSE_VERSION: "true"
volumes:
- wazuh-indexer-data-1:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
# if you need mount a custom opensearch.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
wazuh2.indexer:
image: wazuh/wazuh-indexer:5.0.0
hostname: wazuh2.indexer
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
environment:
OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
bootstrap.memory_lock: "true"
NETWORK_HOST: wazuh2.indexer
NODE_NAME: wazuh2.indexer
CLUSTER_INITIAL_MASTER_NODES: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
CLUSTER_NAME: "wazuh-cluster"
DISCOVERY_SEED_HOSTS: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
NODE_MAX_LOCAL_STORAGE_NODES: "3"
PATH_DATA: /var/lib/wazuh-indexer
PATH_LOGS: /var/log/wazuh-indexer
PLUGINS_SECURITY_SSL_HTTP_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
PLUGINS_SECURITY_SSL_HTTP_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh2.indexer.key
PLUGINS_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh2.indexer.key
PLUGINS_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_HTTP_ENABLED: "true"
PLUGINS_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION: "false"
PLUGINS_SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME: "false"
PLUGINS_SECURITY_AUTHCZ_ADMIN_DN: "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
PLUGINS_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES: "true"
PLUGINS_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE: "true"
PLUGINS_SECURITY_NODES_DN: '["CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"]'
PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED: '["all_access", "security_rest_api_access"]'
PLUGINS_SECURITY_SYSTEM_INDICES_ENABLED: "true"
PLUGINS_SECURITY_SYSTEM_INDICES_INDICES: '[".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]'
PLUGINS_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX: "true"
CLUSTER_ROUTING_ALLOCATION_DISK_THRESHOLD_ENABLED: "false"
COMPATIBILITY_OVERRIDE_MAIN_RESPONSE_VERSION: "true"
volumes:
- wazuh-indexer-data-2:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
# if you need mount a custom opensearch.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
wazuh3.indexer:
image: wazuh/wazuh-indexer:5.0.0
hostname: wazuh3.indexer
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
environment:
OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
bootstrap.memory_lock: "true"
NETWORK_HOST: wazuh3.indexer
NODE_NAME: wazuh3.indexer
CLUSTER_INITIAL_MASTER_NODES: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
CLUSTER_NAME: "wazuh-cluster"
DISCOVERY_SEED_HOSTS: '["wazuh1.indexer", "wazuh2.indexer", "wazuh3.indexer"]'
NODE_MAX_LOCAL_STORAGE_NODES: "3"
PATH_DATA: /var/lib/wazuh-indexer
PATH_LOGS: /var/log/wazuh-indexer
PLUGINS_SECURITY_SSL_HTTP_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
PLUGINS_SECURITY_SSL_HTTP_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh3.indexer.key
PLUGINS_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh3.indexer.key
PLUGINS_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_HTTP_ENABLED: "true"
PLUGINS_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION: "false"
PLUGINS_SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME: "false"
PLUGINS_SECURITY_AUTHCZ_ADMIN_DN: "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
PLUGINS_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES: "true"
PLUGINS_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE: "true"
PLUGINS_SECURITY_NODES_DN: '["CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US", "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"]'
PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED: '["all_access", "security_rest_api_access"]'
PLUGINS_SECURITY_SYSTEM_INDICES_ENABLED: "true"
PLUGINS_SECURITY_SYSTEM_INDICES_INDICES: '[".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]'
PLUGINS_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX: "true"
CLUSTER_ROUTING_ALLOCATION_DISK_THRESHOLD_ENABLED: "false"
COMPATIBILITY_OVERRIDE_MAIN_RESPONSE_VERSION: "true"
volumes:
- wazuh-indexer-data-3:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
# if you need mount a custom opensearch.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:5.0.0
hostname: wazuh.dashboard
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
ports:
- 443:5601
environment:
OPENSEARCH_HOSTS: "https://wazuh1.indexer:9200"
WAZUH_API_URL: "https://wazuh.master"
API_USERNAME: wazuh-wui
API_PASSWORD: MyS3cr37P450r.*-
DASHBOARD_USERNAME: kibanaserver
DASHBOARD_PASSWORD: kibanaserver
SERVER_HOST: "0.0.0.0"
SERVER_PORT: "5601"
OPENSEARCH_SSL_VERIFICATIONMODE: certificate
OPENSEARCH_REQUESTHEADERSALLOWLIST: '["securitytenant","Authorization"]'
OPENSEARCH_SECURITY_MULTITENANCY_ENABLED: "false"
SERVER_SSL_ENABLED: "true"
OPENSEARCH_SECURITY_READONLY_MODE_ROLES: '["kibana_read_only"]'
SERVER_SSL_KEY: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
SERVER_SSL_CERTIFICATE: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: '["/usr/share/wazuh-dashboard/certs/root-ca.pem"]'
UISETTINGS_OVERRIDES_DEFAULTROUTE: /app/wz-home
volumes:
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
# if you need mount a custom opensearch-dashboards.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
depends_on:
- wazuh1.indexer
links:
- wazuh1.indexer:wazuh1.indexer
- wazuh.master:wazuh.master
nginx:
image: nginx:stable
hostname: nginx
restart: always
ports:
- "1514:1514"
depends_on:
- wazuh.master
- wazuh.worker
- wazuh.dashboard
links:
- wazuh.master:wazuh.master
- wazuh.worker:wazuh.worker
- wazuh.dashboard:wazuh.dashboard
volumes:
- ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
volumes:
master-wazuh-api-configuration:
master-wazuh-etc:
master-wazuh-logs:
master-wazuh-queue:
master-wazuh-var-multigroups:
master-wazuh-integrations:
master-wazuh-active-response:
master-wazuh-agentless:
master-wazuh-wodles:
master-filebeat-etc:
master-filebeat-var:
worker-wazuh-api-configuration:
worker-wazuh-etc:
worker-wazuh-logs:
worker-wazuh-queue:
worker-wazuh-var-multigroups:
worker-wazuh-integrations:
worker-wazuh-active-response:
worker-wazuh-agentless:
worker-wazuh-wodles:
worker-filebeat-etc:
worker-filebeat-var:
wazuh-indexer-data-1:
wazuh-indexer-data-2:
wazuh-indexer-data-3:
wazuh-dashboard-config:
wazuh-dashboard-custom:

9
multi-node/generate-certs.yml
View File

@@ -1,9 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
generator:
image: wazuh/wazuh-cert-tool:5.0.0
hostname: wazuh-cert-tool
container_name: wazuh-cert-tool
volumes:
- ./config/wazuh_indexer_ssl_certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

279
multi-node/volume-migrator.sh
View File

@@ -1,279 +0,0 @@
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
$2_wazuh-indexer-data-1
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
$2_wazuh-indexer-data-2
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
$2_wazuh-indexer-data-3
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
$2_master_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_etc \
$2_docker_wazuh_etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-logs \
$2_master-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-queue \
$2_master-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
$2_master-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-integrations \
$2_master-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-active-response \
$2_master-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-agentless \
$2_master-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-wodles \
$2_master-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-etc \
$2_master-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-var \
$2_master-filebeat-var
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
$2_worker_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_etc \
$2_worker-wazuh-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-logs \
$2_worker-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-queue \
$2_worker-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
$2_worker-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-integrations \
$2_worker-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-active-response \
$2_worker-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-agentless \
$2_worker-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-wodles \
$2_worker-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-etc \
$2_worker-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-var \
$2_worker-filebeat-var
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v $2_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v $2_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v $2_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v $2_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v $2_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v $2_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v $2_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v $2_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v $2_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v $2_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v $2_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v $2_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v $2_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v $2_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v $2_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v $2_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v $2_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v $2_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v $2_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v $2_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v $2_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v $2_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v $2_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v $2_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"

19
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
VOLUME ["/etc/nginx/conf.d"]
ENV NGINX_NAME="foo" \
NGINX_PWD="bar"
ENTRYPOINT /entrypoint.sh

79
nginx/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
# Generating certificates.
if [ ! -d /etc/nginx/conf.d/ssl ]; then
echo "Generating SSL certificates"
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
# Setting users credentials.
# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
#
# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
# export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
#
# b) Set NGINX_CREDENTIALS in docker-compose.yml:
# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
# NGINX_CREDENTIALS=user1:pass1;user2:pass2
#
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting users credentials"
if [ ! -z "$NGINX_CREDENTIALS" ]; then
IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
for index in "${!users[@]}"
do
IFS=':' read -r -a credentials <<< "${users[index]}"
if [ $index -eq 0 ]; then
echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
else
echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
fi
done
else
# NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile
echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
fi
else
echo "Kibana credentials already configured"
fi
if [ "x${NGINX_PORT}" = "x" ]; then
NGINX_PORT=443
fi
if [ "x${KIBANA_HOST}" = "x" ]; then
KIBANA_HOST="kibana:5601"
fi
echo "Configuring NGINX"
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host:${NGINX_PORT}\$request_uri;
}
server {
listen ${NGINX_PORT} default_server;
listen [::]:${NGINX_PORT};
ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
EOF
nginx -g 'daemon off;'

24
single-node/README.md
View File

@@ -1,24 +0,0 @@
# Deploy Wazuh Docker in single node configuration
This deployment is defined in the `docker-compose.yml` file with one Wazuh manager containers, one Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker compose -f generate-certs.yml run --rm generator
```
3) Start the environment with docker compose:
- In the foregroud:
```
$ docker compose up
```
- In the background:
```
$ docker compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

16
single-node/config/certs.yml
View File

@@ -1,16 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh.indexer
ip: wazuh.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.manager
ip: wazuh.manager
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

308
single-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,308 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<indexer>
<enabled>yes</enabled>
<hosts>
<host>https://wazuh.indexer:9200</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/ssl/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/ssl/filebeat.pem</certificate>
<key>/etc/ssl/filebeat.key</key>
</ssl>
</indexer>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key>aa093264ef885029653eea20dfcf51ae</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.manager</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

12
single-node/config/wazuh_dashboard/opensearch_dashboards.yml
View File

@@ -1,12 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home

7
single-node/config/wazuh_dashboard/wazuh.yml
View File

@@ -1,7 +0,0 @@
hosts:
- 1513629884013:
url: "https://wazuh.manager"
port: 55000
username: wazuh-wui
password: "MyS3cr37P450r.*-"
run_as: false

56
single-node/config/wazuh_indexer/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

30
single-node/config/wazuh_indexer/wazuh.indexer.yml
View File

@@ -1,30 +0,0 @@
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
http.port: 9200-9299
transport.tcp.port: 9300-9399
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false

160
single-node/docker-compose.yml
View File

@@ -1,160 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:5.0.0
hostname: wazuh.manager
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
INDEXER_URL: https://wazuh.indexer:9200
INDEXER_USERNAME: admin
INDEXER_PASSWORD: admin
FILEBEAT_SSL_VERIFICATION_MODE: full
SSL_CERTIFICATE_AUTHORITIES: /etc/ssl/root-ca.pem
SSL_CERTIFICATE: /etc/ssl/filebeat.pem
SSL_KEY: /etc/ssl/filebeat.key
API_USERNAME: wazuh-wui
API_PASSWORD: MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: wazuh/wazuh-indexer:5.0.0
hostname: wazuh.indexer
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
ports:
- "9200:9200"
environment:
OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
bootstrap.memory_lock: "true"
NODE_NAME: "wazuh.indexer"
CLUSTER_INITIAL_MASTER_NODES: "wazuh.indexer"
CLUSTER_NAME: "wazuh-cluster"
PATH_DATA: /var/lib/wazuh-indexer
PATH_LOGS: /var/log/wazuh-indexer
HTTP_PORT: 9200-9299
TRANSPORT_TCP_PORT: 9300-9399
COMPATIBILITY_OVERRIDE_MAIN_RESPONSE_VERSION: "true"
PLUGINS_SECURITY_SSL_HTTP_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
PLUGINS_SECURITY_SSL_HTTP_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
PLUGINS_SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
PLUGINS_SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
PLUGINS_SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH: /usr/share/wazuh-indexer/certs/root-ca.pem
PLUGINS_SECURITY_SSL_HTTP_ENABLED: "true"
PLUGINS_SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION: "false"
PLUGINS_SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME: "false"
PLUGINS_SECURITY_AUTHCZ_ADMIN_DN: "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
PLUGINS_SECURITY_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES: "true"
PLUGINS_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE: "true"
PLUGINS_SECURITY_NODES_DN: "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
PLUGINS_SECURITY_RESTAPI_ROLES_ENABLED: '["all_access", "security_rest_api_access"]'
PLUGINS_SECURITY_SYSTEM_INDICES_ENABLED: "true"
PLUGINS_SECURITY_SYSTEM_INDICES_INDICES: '[".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]'
PLUGINS_SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX: "true"
CLUSTER_ROUTING_ALLOCATION_DISK_THRESHOLD_ENABLED: "false"
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
# if you need mount a custom opensearch.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:5.0.0
hostname: wazuh.dashboard
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
ports:
- 443:5601
environment:
WAZUH_API_URL: https://wazuh.manager
DASHBOARD_USERNAME: kibanaserver
DASHBOARD_PASSWORD: kibanaserver
API_USERNAME: wazuh-wui
API_PASSWORD: MyS3cr37P450r.*-
SERVER_HOST: 0.0.0.0
SERVER_PORT: 5601
OPENSEARCH_HOSTS: https://wazuh.indexer:9200
OPENSEARCH_SSL_VERIFICATIONMODE: certificate
OPENSEARCH_REQUESTHEADERSALLOWLIST: '["securitytenant","Authorization"]'
OPENSEARCH_SECURITY_MULTITENANCY_ENABLED: "false"
SERVER_SSL_ENABLED: "true"
OPENSEARCH_SECURITY_READONLY_MODE_ROLES: '["kibana_read_only"]'
SERVER_SSL_KEY: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
SERVER_SSL_CERTIFICATE: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: '["/usr/share/wazuh-dashboard/certs/root-ca.pem"]'
UISETTINGS_OVERRIDES_DEFAULTROUTE: /app/wz-home
volumes:
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/wazuh.yml:/wazuh-config-mount/data/wazuh/config/wazuh.yml
# if you need mount a custom opensearch-dashboards.yml, uncomment the next line and delete the environment variables
# - ./config/wazuh_dashboard/opensearch_dashboards.yml:/wazuh-config-mount/config/opensearch_dashboards.yml
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:
wazuh-dashboard-config:
wazuh-dashboard-custom:

10
single-node/generate-certs.yml
View File

@@ -1,10 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
generator:
image: wazuh/wazuh-cert-tool:5.0.0
hostname: wazuh-cert-tool
container_name: wazuh-cert-tool
volumes:
- ./config/wazuh_indexer_ssl_certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

106
wazuh/Dockerfile Normal file
View File

@@ -0,0 +1,106 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM phusion/baseimage:latest
# Arguments
ARG FILEBEAT_VERSION=6.8.2
ARG WAZUH_VERSION=3.9.4-1
# Environment variables
ENV API_USER="foo" \
API_PASS="bar"
# Install packages
RUN set -x && \
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
groupadd -g 1000 ossec && \
useradd -u 1000 -g 1000 -d /var/ossec ossec && \
add-apt-repository universe && \
apt-get update && \
apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
rm -f /var/ossec/logs/alerts/*/*/* && \
rm -f /var/ossec/logs/archives/*/*/* && \
rm -f /var/ossec/logs/firewall/*/*/* && \
rm -f /var/ossec/logs/api/*/*/* && \
rm -f /var/ossec/logs/cluster/*/*/* && \
rm -f /var/ossec/logs/ossec/*/*/* && \
rm /var/ossec/var/run/* && \
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
# Services
RUN mkdir /etc/service/wazuh && \
mkdir /etc/service/wazuh-api && \
mkdir /etc/service/postfix && \
mkdir /etc/service/filebeat
COPY config/wazuh.runit.service /etc/service/wazuh/run
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
COPY config/postfix.runit.service /etc/service/postfix/run
COPY config/filebeat.runit.service /etc/service/filebeat/run
RUN chmod +x /etc/service/wazuh-api/run && \
chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/postfix/run && \
chmod +x /etc/service/filebeat/run
# Copy configuration files from repository
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
COPY config/permanent_data.env /permanent_data.env
COPY config/permanent_data.sh /permanent_data.sh
RUN chmod 755 /permanent_data.sh && \
sync && \
/permanent_data.sh && \
sync && \
rm /permanent_data.sh
# Expose ports
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
# Setting volumes
# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
VOLUME ["/var/ossec/api/configuration"]
VOLUME ["/var/ossec/etc"]
VOLUME ["/var/ossec/logs"]
VOLUME ["/var/ossec/queue"]
VOLUME ["/var/ossec/var/multigroups"]
VOLUME ["/var/ossec/integrations"]
VOLUME ["/var/ossec/active-response/bin"]
VOLUME ["/var/ossec/wodles"]
VOLUME ["/etc/filebeat"]
VOLUME ["/etc/postfix"]
VOLUME ["/var/lib/filebeat"]
# Prepare entrypoint scripts
# Entrypoint scripts must be added to the entrypoint-scripts directory
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
RUN chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/01-wazuh.sh
# Workaround.
# Issues: Wazuh-api
# https://github.com/wazuh/wazuh-api/issues/440
# https://github.com/wazuh/wazuh-api/issues/443
COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
RUN chmod 770 /var/ossec/api/controllers/agents.js
# Run all services
ENTRYPOINT ["/entrypoint.sh"]

191
build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init → wazuh/config/01-wazuh.sh
View File

@@ -1,5 +1,5 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
@@ -7,6 +7,7 @@ source /permanent_data.env
WAZUH_INSTALL_PATH=/var/ossec
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
##############################################################################
@@ -32,35 +33,37 @@ exec_cmd_stdout() {
##############################################################################
# This function will attempt to mount every directory in PERMANENT_DATA
# into the respective path.
# If the path is empty means permanent data volume is also empty, so a backup
# will be copied into it. Otherwise it will not be copied because there is
# Edit configuration
##############################################################################
edit_configuration() { # $1 -> setting, $2 -> value
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
}
##############################################################################
# This function will attempt to mount every directory in PERMANENT_DATA
# into the respective path.
# If the path is empty means permanent data volume is also empty, so a backup
# will be copied into it. Otherwise it will not be copied because there is
# already data inside the volume for the specified path.
##############################################################################
mount_permanent_data() {
for permanent_dir in "${PERMANENT_DATA[@]}"; do
data_tmp="${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/"
print ${data_tmp}
# Check if the path is not empty
if find ${permanent_dir} -mindepth 1 | read; then
print "The path ${permanent_dir} is already mounted"
else
if find ${data_tmp} -mindepth 1 | read; then
print "Installing ${permanent_dir}"
exec_cmd "cp -a ${data_tmp}. ${permanent_dir}"
else
print "The path ${permanent_dir} is empty, skipped"
fi
print "Installing ${permanent_dir}"
exec_cmd "cp -a ${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/. ${permanent_dir}"
fi
done
}
##############################################################################
# This function will replace from the permanent data volume every file
# This function will replace from the permanent data volume every file
# contained in PERMANENT_DATA_EXCP
# Some files as 'internal_options.conf' are saved as permanent data, but
# Some files as 'internal_options.conf' are saved as permanent data, but
# they must be updated to work properly if wazuh version is changed.
##############################################################################
@@ -73,7 +76,7 @@ apply_exclusion_data() {
then
mkdir -p ${DIR}
fi
print "Updating ${exclusion_file}"
exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
fi
@@ -81,33 +84,16 @@ apply_exclusion_data() {
}
##############################################################################
# This function will rename in the permanent data volume every file
# contained in PERMANENT_DATA_MOVE
##############################################################################
move_data_files() {
for mov_file in "${PERMANENT_DATA_MOVE[@]}"; do
file_split=( $mov_file )
if [ -e ${file_split[0]} ]
then
print "moving ${mov_file}"
exec_cmd "mv -f ${mov_file}"
fi
done
}
##############################################################################
# This function will delete from the permanent data volume every file
# This function will delete from the permanent data volume every file
# contained in PERMANENT_DATA_DEL
##############################################################################
remove_data_files() {
for del_file in "${PERMANENT_DATA_DEL[@]}"; do
if [ -e ${del_file} ]
then
then
print "Removing ${del_file}"
exec_cmd "rm -f ${del_file}"
exec_cmd "rm ${del_file}"
fi
done
}
@@ -117,11 +103,27 @@ remove_data_files() {
##############################################################################
create_ossec_key_cert() {
print "Creating wazuh-authd key and cert"
print "Creating ossec-authd key and cert"
exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
}
##############################################################################
# Create certificates: API
##############################################################################
create_api_key_cert() {
print "Enabling Wazuh API HTTPS"
edit_configuration "https" "yes"
print "Create Wazuh API key and cert"
exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
# Granting proper permissions
chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
}
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
# destination files permissions
@@ -141,53 +143,73 @@ mount_files() {
fi
}
##############################################################################
# Stop OSSEC
##############################################################################
function ossec_shutdown(){
${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
}
##############################################################################
# Allow users to set the container hostname as <node_name> dynamically on
# container start.
# Interpret any passed arguments (via docker command to this entrypoint) as
# paths or commands, and execute them.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
# This can be useful for actions that need to be run before the services are
# started, such as "/var/ossec/bin/ossec-control enable agentless".
##############################################################################
set_custom_hostname() {
sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
docker_custom_args() {
for CUSTOM_COMMAND in "$@"
do
echo "Executing command \`${CUSTOM_COMMAND}\`"
exec_cmd_stdout "${CUSTOM_COMMAND}"
done
}
##############################################################################
# Allow users to set the container cluster key dynamically on
# container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
# Change Wazuh API user credentials.
##############################################################################
set_custom_cluster_key() {
sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
change_api_user_credentials() {
pushd /var/ossec/api/configuration/auth/
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
WAZUH_API_USER=${API_USER}
WAZUH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZUH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASS"* ]]; then
arrIN=(${line//:/ })
WAZUH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
echo "Change Wazuh API user credentials"
change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
eval $change_user
popd
}
##############################################################################
# Modify /var/ossec/queue/rids directory owner on
# container start.
# Customize filebeat output ip
##############################################################################
set_rids_owner() {
chown -R wazuh:wazuh /var/ossec/queue/rids
custom_filebeat_output_ip() {
if [ "$FILEBEAT_OUTPUT" != "" ]; then
sed -i "s/logstash:5000/$FILEBEAT_OUTPUT:5000/" /etc/filebeat/filebeat.yml
fi
}
##############################################################################
# Change any ossec user/group to wazuh user/group
##############################################################################
set_correct_permOwner() {
find / -group 997 -exec chown :999 {} +;
find / -group 101 -exec chown :999 {} +;
find / -user 101 -exec chown 999 {} +;
}
##############################################################################
# Main function
@@ -200,16 +222,10 @@ main() {
# Restore files stored in permanent data that are not permanent (i.e. internal_options.conf)
apply_exclusion_data
# Apply correct permission and ownership
set_correct_permOwner
# Rename files stored in permanent data (i.e. queue/ossec)
move_data_files
# Remove some files in permanent_data (i.e. .template.db)
remove_data_files
# Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
# Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
@@ -218,20 +234,33 @@ main() {
fi
fi
# Generate API certs if API_GENERATE_CERTS is true and does not exist
if [ $API_GENERATE_CERTS == true ]
then
if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
then
create_api_key_cert
fi
fi
# Mount selected files (WAZUH_CONFIG_MOUNT) to container
mount_files
# Allow setting custom hostname
set_custom_hostname
# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM
# Allow setting custom cluster key
set_custom_cluster_key
# Execute custom args
docker_custom_args
# Change API user credentials
change_api_user_credentials
# Update filebeat configuration
custom_filebeat_output_ip
# Delete temporary data folder
rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
# Set rids directory owner
set_rids_owner
}
main

1258
wazuh/config/agents.js Normal file
View File

File diff suppressed because it is too large Load Diff

13
wazuh/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
##############################################################################
# Start Wazuh Server.
##############################################################################
/sbin/my_init

3
wazuh/config/filebeat.runit.service Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
service filebeat start
tail -f /var/log/filebeat/filebeat

18
wazuh/config/filebeat.yml Normal file
View File

@@ -0,0 +1,18 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
filebeat:
prospectors:
- type: log
paths:
- "/var/ossec/logs/alerts/alerts.json"
document_type: json
json.message_key: log
json.keys_under_root: true
json.overwrite_keys: true
tail_files: true
output:
logstash:
# The Logstash hosts
hosts: ["logstash:5000"]
# ssl:
# certificate_authorities: ["/etc/filebeat/logstash.crt"]

61
wazuh/config/permanent_data.env Normal file
View File

@@ -0,0 +1,61 @@
# Permanent data mounted in volumes
i=0
PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
PERMANENT_DATA[((i++))]="/var/ossec/etc"
PERMANENT_DATA[((i++))]="/var/ossec/logs"
PERMANENT_DATA[((i++))]="/var/ossec/queue"
PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
PERMANENT_DATA[((i++))]="/var/ossec/integrations"
PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
PERMANENT_DATA[((i++))]="/var/ossec/wodles"
PERMANENT_DATA[((i++))]="/etc/filebeat"
PERMANENT_DATA[((i++))]="/etc/postfix"
export PERMANENT_DATA
# Files mounted in a volume that should not be permanent
i=0
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/oscap.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_oval.xsl"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/template_xccdf.xsl"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-8-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-debian-9-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/cve-ubuntu-xenial-oval.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-debian-8-ds.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1404-ds.xml"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/oscap/content/ssg-ubuntu-1604-ds.xml"
export PERMANENT_DATA_EXCP
# Files mounted in a volume that should be deleted
i=0
PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
export PERMANENT_DATA_DEL

4
build-docker-images/wazuh-manager/config/permanent_data.sh → wazuh/config/permanent_data.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
@@ -37,4 +37,4 @@ for permanent_dir in "${PERMANENT_DATA[@]}"; do
mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
done
done

3
wazuh/config/postfix.runit.service Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
service postfix start
tail -f /var/log/mail.log

4
wazuh/config/wazuh-api.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
service wazuh-api start
tail -f /var/ossec/logs/api.log

4
wazuh/config/wazuh.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
service wazuh-manager start
tail -f /var/ossec/logs/ossec.log