Update Wazuh app for cloud-0.21 (#338)

Former-commit-id: 3949283bd3

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
-REVISION="31020"
+WAZUH-DOCKER_VERSION="3.11.5_7.3.2"
+REVISION="31150"

elasticsearch/Dockerfile

@@ -1,7 +1,7 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-ARG ELASTIC_VERSION=7.3.2
+ARG ELASTIC_VERSION=7.4.2
 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
-ARG TEMPLATE_VERSION=v3.10.2
+ARG TEMPLATE_VERSION=v3.11.4
 
 ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
 

elasticsearch/config/35-entrypoint_load_settings.sh

@@ -28,13 +28,9 @@ echo "LOAD SETTINGS - Elasticsearch url: $el_url"
 ##############################################################################
 
 ELASTIC_PASS=""
-WAZH_API_USER=""
-WAZH_API_PASS=""
 
 if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
   ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
-  WAZH_API_USER=${API_USER}
-  WAZH_API_PASS=${API_PASS}
 else
   input=${SECURITY_CREDENTIALS_FILE}
   while IFS= read -r line
@@ -42,12 +38,6 @@ else
     if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
       arrIN=(${line//:/ })
       ELASTIC_PASS=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_USER"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_USER=${arrIN[1]}
-    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
-      arrIN=(${line//:/ })
-      WAZH_API_PASS=${arrIN[1]}
     fi
   done < "$input"
  
@@ -154,93 +144,9 @@ fi
 
 
 ##############################################################################
-# Prepare Wazuh API credentials
+# Enable xpack.monitoring.collection
 ##############################################################################
 
-API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
-API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
-API_PASSWORD=`echo -n $API_PASS_Q | base64`
-
-echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
-CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
-
-if [ "x$CONFIG_CODE" != "x200" ]; then
-  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
-  {
-    "api_user": "'"$API_USER_Q"'",
-    "api_password": "'"$API_PASSWORD"'",
-    "url": "'"$wazuh_url"'",
-    "api_port": "55000",
-    "insecure": "true",
-    "component": "API",
-    "cluster_info": {
-      "manager": "wazuh-manager",
-      "cluster": "Disabled",
-      "status": "disabled"
-    },
-    "extensions": {
-      "oscap": true,
-      "audit": true,
-      "pci": true,
-      "aws": true,
-      "virustotal": true,
-      "gdpr": true,
-      "ciscat": true
-    }
-  }
-  ' > /dev/null
-else
-  echo "LOAD SETTINGS - Wazuh APP already configured"
-  echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
-  wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
-  full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
-  elasticsearch_request=`curl -s $auth "$el_url"`
-  full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
-  type=`echo "$full_type" | tr -d '"'`
-  elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
-  elasticsearch_major="${elasticsearch_version:0:1}"
-
-  if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
-    echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
-    echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
-    
-    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
-    {
-      "source": {
-        "index": ".wazuh"
-      },
-      "dest": {
-        "index": ".wazuh-backup"
-      }
-    }
-    '
-    echo "LOAD SETTINGS - Remove .wazuh index."
-    curl -s  ${auth} -XDELETE "$el_url/.wazuh"
-
-    echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
-    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
-    {
-      "source": {
-        "index": ".wazuh-backup"
-      },
-      "dest": {
-        "index": ".wazuh"
-      }
-    }
-    '
-    curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
-    {
-        "index" : {
-            "number_of_replicas" : 0
-        }
-    }
-    '
-
-  fi
-
-fi
-sleep 5
-
 curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
 {
   "persistent": {
@@ -249,6 +155,7 @@ curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/jso
 }
 '
 
+
 ##############################################################################
 # Set cluster delayed timeout when node falls
 ##############################################################################

kibana/Dockerfile

@@ -1,15 +1,14 @@
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
-FROM docker.elastic.co/kibana/kibana:7.3.2
-ARG ELASTIC_VERSION=7.3.2
-ARG WAZUH_VERSION=3.10.2
+FROM docker.elastic.co/kibana/kibana:7.4.2
+ARG ELASTIC_VERSION=7.4.2
+ARG WAZUH_VERSION=3.11.5
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
 USER root
 
-# App: 3.10.2 - 7.3.2 with this fix: https://github.com/wazuh/wazuh-kibana-app/issues/1815
-#ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
 USER kibana
+#RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
 RUN /usr/share/kibana/bin/kibana-plugin install  --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
 USER root
 RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
@@ -47,7 +46,8 @@ ENV PATTERN="" \
     WAZUH_MONITORING_FREQUENCY="" \
     WAZUH_MONITORING_SHARDS="" \
     WAZUH_MONITORING_REPLICAS="" \
-    ADMIN_PRIVILEGES=""
+    ADMIN_PRIVILEGES="" \
+    API_SELECTOR=""
 
 ARG XPACK_CANVAS="false"
 ARG XPACK_LOGS="false"
@@ -62,13 +62,15 @@ ARG XPACK_SIEM="false"
 
 ARG CHANGE_WELCOME="true"
 
+COPY --chown=kibana:kibana ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
 COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
-COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
+COPY --chown=kibana:kibana ./config/12-custom_logos.sh /entrypoint-scripts/12-custom_logos.sh
 COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
 COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
 COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
-RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
-    chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
+RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh  && \
+    chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
+    chmod +x /entrypoint-scripts/12-custom_logos.sh && \
     chmod +x /entrypoint-scripts/20-entrypoint.sh && \
     chmod +x ./20-entrypoint_kibana_settings.sh && \
     chmod +x ./20-entrypoint_certs_management.sh
@@ -89,9 +91,9 @@ RUN /usr/local/bin/kibana-docker --optimize
 
 USER root
 
-RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
+RUN chmod 660 /usr/share/kibana/plugins/wazuh/wazuh.yml && \
     chmod 775 /usr/share/kibana/plugins/wazuh && \
-    chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
+    chown root:kibana /usr/share/kibana/plugins/wazuh/wazuh.yml && \
     chown root:kibana /usr/share/kibana/plugins/wazuh
 
 USER kibana

kibana/config/10-wazuh_app_config.sh

@@ -1,7 +1,60 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
 
-kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
+##############################################################################
+# If Elasticsearch security is enabled get the kibana user, the Kibana 
+# password and WAZUH API credentials.
+##############################################################################
+
+KIBANA_USER=""
+KIBANA_PASS=""
+WAZH_API_USER=""
+WAZH_API_PASS=""
+
+if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+  KIBANA_USER=${SECURITY_KIBANA_USER}
+  KIBANA_PASS=${SECURITY_KIBANA_PASS}
+  WAZH_API_USER=${API_USER}
+  WAZH_API_PASS=${API_PASS}
+  echo "USERS - Credentials obtained from environment variables."
+else
+  input=${SECURITY_CREDENTIALS_FILE}
+  while IFS= read -r line
+  do
+    if [[ $line == *"KIBANA_USER"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_USER=${arrIN[1]}
+    elif [[ $line == *"KIBANA_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      KIBANA_PASS=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_USER"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_USER=${arrIN[1]}
+    elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
+      arrIN=(${line//:/ })
+      WAZH_API_PASS=${arrIN[1]}
+    fi
+  done < "$input"
+  echo "USERS - Credentials obtained from file."
+fi
+
+##############################################################################
+# Establish the way to run the curl command, with or without authentication. 
+##############################################################################
+
+if [ ${SECURITY_ENABLED} != "no" ]; then
+  auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
+elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+##############################################################################
+# Set custom wazuh.yml config
+##############################################################################
+
+kibana_config_file="/usr/share/kibana/plugins/wazuh/wazuh.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -30,6 +83,7 @@ declare -A CONFIG_MAP=(
   [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
   [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
   [admin]=$ADMIN_PRIVILEGES
+  [api.selector]=$API_SELECTOR
 )
 
 for i in "${!CONFIG_MAP[@]}"
@@ -38,3 +92,24 @@ do
         sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
     fi
 done
+
+# remove default API entry (new in 3.11.0_7.5.1)
+sed -ie '/- default:/,+4d' $kibana_config_file
+
+# If this is an update to 3.11
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $ELASTICSEARCH_URL/.wazuh/_doc/1513629884013 ${auth})
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file 
+  - 1:
+      url: https://wazuh
+      port: 55000
+      user: $WAZH_API_USER
+      password: $WAZH_API_PASS
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

kibana/config/12-custom_logos.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Kibana logos
+##############################################################################
+
+if [[ $CUSTOM_LOGO == "true" ]]; then
+
+
+    echo "CUSTOM LOGO - Change Kibana logos."
+    # TO DO
+
+fi

kibana/config/wazuhapp-3.10.2_7.3.2.zip.REMOVED.git-id

@@ -1 +0,0 @@
-3cbdd26d9eeaff99f91312f703adccd828723b3c

kibana/config/wazuhapp-3.11.5_7.4.2.zip.REMOVED.git-id

@@ -0,0 +1 @@
+d3370881d16407941e250126bd331db13e7c8b63

kibana/config/welcome_wazuh.sh

@@ -25,5 +25,6 @@ then
     sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
     sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
     sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_management/public/register_management_section.js
 fi
 

logstash/Dockerfile

@@ -1,6 +1,6 @@
 # Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-ARG LOGSTASH_VERSION=7.3.2
+ARG LOGSTASH_VERSION=7.4.2
 FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
 
 COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh

logstash/config/01-wazuh.conf

@@ -40,6 +40,22 @@ filter {
         remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
     }
 }
+filter {
+    # Workarounds for vulnerability-detector
+    if "vulnerability-detector" in [rule][groups] {
+        # Drop vulnerability-detector events from Manager
+        if [agent][id] == "000"{
+            drop { }
+        }
+
+        # if exists, remove data.vulnerability.published field due to conflicts
+        if [data][vulnerability][published] {
+            mutate {
+                remove_field => [ "[data][vulnerability][published]" ]
+            }
+        }
+    }
+}
 output {
     elasticsearch {
         hosts => ["elasticsearch:9200"]

wazuh/Dockerfile

@@ -2,16 +2,19 @@
 FROM phusion/baseimage:latest
 
 # Arguments
-ARG FILEBEAT_VERSION=7.3.2
-ARG WAZUH_VERSION=3.10.2-1
+ARG FILEBEAT_VERSION=7.4.2
+ARG WAZUH_VERSION=3.11.5-1
 
 # Environment variables
 ENV API_USER="foo" \
    API_PASS="bar"
 
-ARG TEMPLATE_VERSION="v3.10.2"
+ARG TEMPLATE_VERSION="v3.11.5"
 ENV FILEBEAT_DESTINATION="elasticsearch"
 
+COPY config/wazuh-manager_3.11.5-1_amd64.deb /wazuh-manager_3.11.5-1_amd64.deb
+COPY config/wazuh-api_3.11.5-1_amd64.deb /wazuh-api_3.11.5-1_amd64.deb
+
 # Install packages
 RUN set -x && \
     echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
@@ -26,8 +29,14 @@ RUN set -x && \
     apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
     apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
     apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
-    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
-    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
+#   apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
+    dpkg -i /wazuh-manager_3.11.5-1_amd64.deb && apt-get install -f && \
+#   apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
+    apt-get --no-install-recommends --no-install-suggests -y install nodejs && \
+    dpkg -i /wazuh-api_3.11.5-1_amd64.deb && apt-get install -f && \
+#   Disable updates to this package
+    echo "wazuh-manager hold" | dpkg --set-selections && \
+    echo "wazuh-api hold" | dpkg --set-selections && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
     rm -f /var/ossec/logs/alerts/*/*/* && \
@@ -37,6 +46,7 @@ RUN set -x && \
     rm -f /var/ossec/logs/cluster/*/*/* && \
     rm -f /var/ossec/logs/ossec/*/*/* && \
     rm /var/ossec/var/run/* && \
+    rm /wazuh-manager_3.11.5-1_amd64.deb && \
     curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
     dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb
 
@@ -97,17 +107,17 @@ COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
 COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
 COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
-COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
-COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
 COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
+COPY config/25-backups.sh /entrypoint-scripts/25-backups.sh
+COPY config/35-remove_credentials_file.sh /entrypoint-scripts/35-remove_credentials_file.sh
 RUN chmod 755 /entrypoint.sh && \
     chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
     chmod 755 /entrypoint-scripts/01-wazuh.sh && \
     chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
     chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
-    chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
-    chmod 755 /entrypoint-scripts/10-backups.sh && \
-    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
+    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh && \
+    chmod 755 /entrypoint-scripts/25-backups.sh && \
+    chmod 755 /entrypoint-scripts/35-remove_credentials_file.sh
 
 # Workaround. 
 # Issues: Wazuh-api

wazuh/config/entrypoint.sh

@@ -1,6 +1,8 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
+# Trap to kill container if it is necessary.
+trap "exit" SIGINT SIGTERM
 # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
 for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
   bash "$script"

wazuh/config/wazuh-manager_3.11.5-1_amd64.deb.REMOVED.git-id

@@ -0,0 +1 @@
+b4bbb79aca532ca4f5321a89f9dffae1f934bc6f