Merge pull request #244 from wazuh/243-fix-s3-plugin

Fixed S3 plugin

.github/workflows/push.yml

@@ -1,14 +0,0 @@
-name: Wazuh Docker pipeline
-
-on: [push]
-
-jobs:
-  build-stack:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v2
-    - name: Build the docker-compose stack
-      run: docker-compose -f build-from-sources.yml up -d --build
-    - name: Check running containers
-      run: docker ps -a

CHANGELOG.md

@@ -1,167 +1,6 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
-## Wazuh Docker v4.0.3_1.11.0
-
-### Added
-
-- Update to Wazuh version 4.0.3
-
-
-## Wazuh Docker v4.0.2_1.11.0
-
-### Added
-
-- Update to Wazuh version 4.0.2
-
-## Wazuh Docker v4.0.1_1.11.0
-
-### Added
-
-- Update to Wazuh version 4.0.1
-- Opendistro 1.11.0 compatiblity
-- Re-enabled dumping ossec.log to stdout
-
-## Wazuh Docker v4.0.0_1.10.1
-
-### Added
-
-- Update to Wazuh version 4.0.0
-- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame))  [#393](https://github.com/wazuh/wazuh-docker/pull/393)
-- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
-- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
-- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
-- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
-
-
-### Changed
-
-- Removal of Elastic images
-
-
-## Wazuh Docker v3.13.2_7.9.1
-
-### Added
-
-- Update to Wazuh version 3.13.2_7.9.1
-- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
-
-### Fixed
-
-- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
-- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
-
-
-## Wazuh Docker v3.13.1_7.8.0
-
-### Added
-
-- Update to Wazuh version 3.13.1_7.8.0
-
-
-## Wazuh Docker v3.13.0_7.7.1
-
-### Added
-
-- Update to Wazuh version 3.13.3_7.7.1
-
-### Fixed
-
-- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
-- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
-
-## Wazuh Docker v3.12.3_7.6.2
-
-### Added
-
-- Update to Wazuh version 3.12.3_7.6.2
-
-
-## Wazuh Docker v3.12.2_7.6.2
-
-### Added
-
-- Update to Wazuh version 3.12.2_7.6.2
-
-## Wazuh Docker v3.12.1_7.6.2
-
-### Added
-
-- Update to Wazuh version 3.12.1_7.6.2
-
-### Fixed
-
-- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
-
-
-## Wazuh Docker v3.12.0_7.6.1
-
-### Added
-
-- Update to Wazuh version 3.12.0_7.6.1
-
-
-## Wazuh Docker v3.11.4_7.6.1
-
-### Added
-
-- Update to Wazuh version 3.11.4_7.6.1
-
-- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
-
-### Fixed
-
-- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
-
-
-## Wazuh Docker v3.11.3_7.5.2
-
-### Added
-
-- Update to Wazuh version 3.11.3_7.5.2
-
-## Wazuh Docker v3.11.2_7.5.1
-
-### Added
-
-- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
-
-### Fixed
-
-- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
-
-## Wazuh Docker v3.11.1_7.5.1
-
-### Added
-
-- Update to Wazuh version 3.11.1_7.5.1
-- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
-- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
-
-## Wazuh Docker v3.11.0_7.5.1
-
-### Added
-
-- Update to Wazuh version 3.11.0_7.5.1
-
-## Wazuh Docker v3.10.2_7.5.0
-
-### Added
-
-- Update to Wazuh version 3.10.2_7.5.0
-
-## Wazuh Docker v3.10.2_7.3.2
-
-### Added
-
-- Update to Wazuh version 3.10.2_7.3.2
-
-## Wazuh Docker v3.10.0_7.3.2
-
-### Added
-
-- Update to Wazuh version 3.10.0_7.3.2
-
 ## Wazuh Docker v3.9.5_7.2.1
 
 ### Added
@@ -301,7 +140,7 @@ All notable changes to this project will be documented in this file.
 - Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
 - Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
 
-### Fixed
+### Fixed 
 
 - Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))
 

LICENSE

@@ -1,5 +1,5 @@
 
- Portions Copyright (C) 2020 Wazuh, Inc.
+ Portions Copyright (C) 2019 Wazuh, Inc.
  Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
 
  This program is a free software; you can redistribute it and/or modify

README.md

@@ -7,11 +7,12 @@
 
 In this repository you will find the containers to run:
 
-* wazuh-opendistro: It runs the Wazuh manager, Wazuh API and Filebeat OSS (for integration with ODFE)
-* wazuh-kibana-opendistro: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
-* opendistro-for-elasticsearch: An Elasticsearch (ODFE) container (working as a single-node cluster) using ODFE Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
+* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
+* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
+* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
+* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).** 
 
-In addition, a docker-compose file is provided to launch the containers mentioned above.
+In addition, a docker-compose file is provided to launch the containers mentioned above. 
 
 * Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
 
@@ -21,147 +22,42 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
-
-### Setup SSL certificate and Basic Authentication
-
-Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
-
-Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
-
-
-## Environment Variables
-
-Default values are included when available.
-
-### Wazuh
-```
-API_USERNAME="wazuh"                                # Wazuh API username
-API_PASSWORD="wazuh"                                # Wazuh API password - Must comply with requirements
-                                                    # (8+ length, uppercase, lowercase, specials chars)
-
-ELASTICSEARCH_URL=https://elasticsearch:9200        # Elasticsearch URL
-ELASTIC_USERNAME=admin                              # Elasticsearch Username
-ELASTIC_PASSWORD=admin                              # Elasticsearch Password
-FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification mode (full or none)
-SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
-SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
-SSL_KEY=""                                          # Path of Filebeat SSL Key
-```
-
-### Kibana
-```
-PATTERN="wazuh-alerts-*"        # Default index pattern to use
-
-CHECKS_PATTERN=true             # Defines which checks must to be consider by the healthcheck
-CHECKS_TEMPLATE=true            # step once the Wazuh app starts. Values must to be true or false
-CHECKS_API=true
-CHECKS_SETUP=true
-
-EXTENSIONS_PCI=true             # Enable PCI Extension
-EXTENSIONS_GDPR=true            # Enable GDPR Extension
-EXTENSIONS_HIPAA=true           # Enable HIPAA Extension
-EXTENSIONS_NIST=true            # Enable NIST Extension
-EXTENSIONS_TSC=true             # Enable TSC Extension
-EXTENSIONS_AUDIT=true           # Enable Audit Extension
-EXTENSIONS_OSCAP=false          # Enable OpenSCAP Extension
-EXTENSIONS_CISCAT=false         # Enable CISCAT Extension
-EXTENSIONS_AWS=false            # Enable AWS Extension
-EXTENSIONS_GCP=false            # Enable GCP Extension
-EXTENSIONS_VIRUSTOTAL=false     # Enable Virustotal Extension
-EXTENSIONS_OSQUERY=false        # Enable OSQuery Extension
-EXTENSIONS_DOCKER=false         # Enable Docker Extension
-
-APP_TIMEOUT=20000               # Defines maximum timeout to be used on the Wazuh app requests
-
-API_SELECTOR=true               Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
-IP_SELECTOR=true                # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
-IP_IGNORE="[]"                  # List of index patterns to be ignored
-
-WAZUH_MONITORING_ENABLED=true       # Custom settings to enable/disable wazuh-monitoring indices
-WAZUH_MONITORING_FREQUENCY=900      # Custom setting to set the frequency for wazuh-monitoring indices cron task
-WAZUH_MONITORING_SHARDS=2           # Configure wazuh-monitoring-* indices shards and replicas
-WAZUH_MONITORING_REPLICAS=0         #
-
-ADMIN_PRIVILEGES=true               # App privileges
-```
-
 ## Directory structure
 
-    ├── CHANGELOG.md
-    ├── docker-compose.yml
-    ├── generate-opendistro-certs.yml
-    ├── kibana-odfe
-    │   ├── config
-    │   │   ├── custom_welcome
-    │   │   │   ├── light_theme.style.css
-    │   │   │   ├── template.js.hbs
-    │   │   │   ├── wazuh_logo_circle.svg
-    │   │   │   └── wazuh_wazuh_bg.svg
-    │   │   ├── entrypoint.sh
-    │   │   ├── kibana_settings.sh
-    │   │   ├── wazuh_app_config.sh
-    │   │   ├── wazuh.yml
-    │   │   └── welcome_wazuh.sh
-    │   └── Dockerfile
-    ├── LICENSE
-    ├── production_cluster
-    │   ├── elastic_opendistro
-    │   │   ├── elasticsearch-node1.yml
-    │   │   ├── elasticsearch-node2.yml
-    │   │   ├── elasticsearch-node3.yml
-    │   │   └── internal_users.yml
-    │   ├── kibana_ssl
-    │   │   └── generate-self-signed-cert.sh
-    │   ├── nginx
-    │   │   ├── nginx.conf
-    │   │   └── ssl
-    │   │       └── generate-self-signed-cert.sh
-    │   ├── ssl_certs
-    │   │   └── certs.yml
-    │   └── wazuh_cluster
-    │       ├── wazuh_manager.conf
-    │       └── wazuh_worker.conf
-    ├── production-cluster.yml
-    ├── README.md
-    ├── VERSION
-    └── wazuh-odfe
-        ├── config
-        │   ├── create_user.py
-        │   ├── etc
-        │   │   ├── cont-init.d
-        │   │   │   ├── 0-wazuh-init
-        │   │   │   ├── 1-config-filebeat
-        │   │   │   └── 2-manager
-        │   │   └── services.d
-        │   │       └── filebeat
-        │   │           ├── finish
-        │   │           └── run
-        │   ├── filebeat.yml
-        │   ├── permanent_data.env
-        │   ├── permanent_data.sh
-        │   └── wazuh.repo
-        └── Dockerfile
-
+	wazuh-docker
+	├── docker-compose.yml
+	├── kibana
+	│   ├── config
+	│   │   ├── entrypoint.sh
+	│   │   └── kibana.yml
+	│   └── Dockerfile
+	├── LICENSE
+	├── nginx
+	│   ├── config
+	│   │   └── entrypoint.sh
+	│   └── Dockerfile
+	├── README.md
+	├── CHANGELOG.md
+	├── VERSION
+	├── test.txt
+	└── wazuh
+	    ├── config
+	    │   ├── data_dirs.env
+	    │   ├── entrypoint.sh
+	    │   ├── filebeat.runit.service
+	    │   ├── filebeat.yml
+	    │   ├── init.bash
+	    │   ├── postfix.runit.service
+	    │   ├── wazuh-api.runit.service
+	    │   └── wazuh.runit.service
+	    └── Dockerfile
 
 
 ## Branches
 
-* `4.0` branch on correspond to the latest Wazuh-Docker stable version.
+* `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
-
-
-## Compatibility Matrix
-
-| Wazuh version | ODFE    |
-|---------------|---------|
-| v4.0.3        | 1.11.0  |
-|---------------|---------|
-| v4.0.2        | 1.11.0  |
-|---------------|---------|
-| v4.0.1        | 1.11.0  |
-|---------------|---------|
-| v4.0.0        | 1.10.1  |
+* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
 
 ## Credits and Thank you
 
@@ -174,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
 
 ## License and copyright
 
-Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 ## Web references
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.0.3_1.11.0"
-REVISION="40300"
+WAZUH-DOCKER_VERSION="3.9.5_7.2.1"
+REVISION="3950"

build-from-sources.yml

@@ -1,84 +0,0 @@
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh:
-    build:  wazuh-odfe/
-    image: wazuh/wazuh-odfe:dev-version
-    hostname: wazuh-manager
-    restart: always
-    ports:
-      - "1514:1514"
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=admin
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
-    volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-
-  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - discovery.type=single-node
-      - cluster.name=wazuh-cluster
-      - network.host=0.0.0.0
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-
-  kibana:
-    build: kibana-odfe/
-    image: wazuh/wazuh-kibana-odfe:dev-version
-    hostname: kibana
-    restart: always
-    ports:
-      - 443:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=admin
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
-      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
-
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh:wazuh
-
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:

docker-compose.yml

@@ -1,82 +1,56 @@
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-version: '3.7'
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+version: '2'
 
 services:
   wazuh:
-    image: wazuh/wazuh-odfe:4.0.3_1.11.0
+    build: wazuh
     hostname: wazuh-manager
     restart: always
     ports:
-      - "1514:1514"
+      - "1514:1514/udp"
       - "1515:1515"
       - "514:514/udp"
       - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=admin
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
     volumes:
-      - ossec_api_configuration:/var/ossec/api/configuration
-      - ossec_etc:/var/ossec/etc
-      - ossec_logs:/var/ossec/logs
-      - ossec_queue:/var/ossec/queue
-      - ossec_var_multigroups:/var/ossec/var/multigroups
-      - ossec_integrations:/var/ossec/integrations
-      - ossec_active_response:/var/ossec/active-response/bin
-      - ossec_agentless:/var/ossec/agentless
-      - ossec_wodles:/var/ossec/wodles
-      - filebeat_etc:/etc/filebeat
-      - filebeat_var:/var/lib/filebeat
-
+      - '/mnt/wazuh/:/var/ossec/data:z'
   elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    build: elasticsearch
     hostname: elasticsearch
     restart: always
     ports:
       - "9200:9200"
     environment:
-      - discovery.type=single-node
-      - cluster.name=wazuh-cluster
-      - network.host=0.0.0.0
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
+      - ELASTIC_CLUSTER=true
+      - CLUSTER_NODE_MASTER=true
+      - CLUSTER_MASTER_NODE_NAME=es01
     ulimits:
       memlock:
         soft: -1
         hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
+    mem_limit: 2g
 
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.0.3_1.11.0
+    build: kibana
     hostname: kibana
     restart: always
-    ports:
-      - 443:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=admin
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/opendistroforelasticsearch.example.org.cert
-      - SERVER_SSL_KEY=/usr/share/kibana/config/opendistroforelasticsearch.example.org.key
-
     depends_on:
       - elasticsearch
     links:
       - elasticsearch:elasticsearch
       - wazuh:wazuh
 
-volumes:
-  ossec_api_configuration:
-  ossec_etc:
-  ossec_logs:
-  ossec_queue:
-  ossec_var_multigroups:
-  ossec_integrations:
-  ossec_active_response:
-  ossec_agentless:
-  ossec_wodles:
-  filebeat_etc:
-  filebeat_var:
+  nginx:
+    build: nginx
+    hostname: nginx
+    restart: always
+    environment:
+      - NGINX_PORT=443
+      - NGINX_CREDENTIALS
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana

elasticsearch/Dockerfile

@@ -0,0 +1,53 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+ARG ELASTIC_VERSION=7.3.0
+FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
+
+ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
+
+ENV ALERTS_SHARDS="1" \
+    ALERTS_REPLICAS="0"
+
+ENV API_USER="foo" \
+    API_PASS="bar"
+
+ENV XPACK_ML="true" 
+
+ENV ENABLE_CONFIGURE_S3="false"
+
+ARG TEMPLATE_VERSION=v3.9.5
+
+# Elasticearch cluster configuration environment variables
+# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
+# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
+ENV ELASTIC_CLUSTER="false" \
+    CLUSTER_NAME="wazuh" \
+    CLUSTER_NODE_MASTER="false" \
+    CLUSTER_NODE_DATA="true" \
+    CLUSTER_NODE_INGEST="true" \
+    CLUSTER_NODE_NAME="wazuh-elasticsearch" \
+    CLUSTER_MASTER_NODE_NAME="master-node" \
+    CLUSTER_MEMORY_LOCK="true" \
+    CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
+    CLUSTER_NUMBER_OF_MASTERS="2" \
+    CLUSTER_MAX_NODES="1" \
+    CLUSTER_DELAYED_TIMEOUT="1m" \
+    CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
+
+COPY config/entrypoint.sh /entrypoint.sh 
+
+RUN chmod 755 /entrypoint.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
+
+RUN chmod +x ./load_settings.sh
+
+RUN ${bin/elasticsearch-plugin install --batch repository-s3}
+
+COPY config/configure_s3.sh ./config/configure_s3.sh
+RUN chmod 755 ./config/configure_s3.sh
+
+COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
+RUN chmod +x ./config_cluster.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["elasticsearch"]

elasticsearch/config/config_cluster.sh

@@ -0,0 +1,57 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+
+remove_single_node_conf(){
+  if grep -Fq "discovery.type" $1; then
+    sed -i '/discovery.type\: /d' $1 
+  fi
+}
+
+remove_cluster_config(){
+  sed -i '/# cluster node/,/# end cluster config/d' $1
+}
+
+# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
+if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+
+if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
+# Add the master configuration
+# cluster.initial_master_nodes for bootstrap the cluster
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_MASTER_NODE_NAME
+node.master: $CLUSTER_NODE_MASTER
+cluster.initial_master_nodes: 
+  - $CLUSTER_MASTER_NODE_NAME
+# end cluster config" 
+EOF
+
+elif [[ $CLUSTER_NODE_NAME != "" ]];then
+# Remove the old configuration
+remove_single_node_conf $elastic_config_file
+remove_cluster_config $elastic_config_file
+
+cat > $elastic_config_file << EOF
+# cluster node
+network.host: 0.0.0.0
+node.name: $CLUSTER_NODE_NAME
+node.master: false
+discovery.seed_hosts: 
+  - $CLUSTER_MASTER_NODE_NAME
+  - $CLUSTER_NODE_NAME
+# end cluster config" 
+EOF
+fi
+# If the cluster is disabled, then set a single-node configuration
+else
+  # Remove the old configuration
+  remove_single_node_conf $elastic_config_file
+  remove_cluster_config $elastic_config_file
+  echo "discovery.type: single-node" >> $elastic_config_file
+fi

elasticsearch/config/configure_s3.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
+# param 1: number of arguments passed to configure_s3.sh
+
+function CheckArgs()
+{
+    if [ $1 != 4 ] && [ $1 != 5 ];then
+        echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
+        echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>" 
+        exit 1
+
+    fi
+}
+
+# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
+# param 1: <Elastic_Server_IP:Port>
+# param 2: <Bucket>
+# param 3: <Path>
+# param 4: <RepositoryName>
+# param 5: Optional <Elasticsearch major version>
+# output: It will show "acknowledged" if the repository has been successfully created
+
+function CreateRepo()
+{
+
+    elastic_ip_port="$2"
+    bucket_name="$3"
+    path="$4"
+    repository_name="$5"
+
+    if [ $1 == 5 ];then
+        version="$6"
+    else
+        version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
+    fi
+
+    if ! [[ "$version" =~ ^[0-9]+$ ]];then
+        echo "Elasticsearch major version must be an integer"
+        exit 1
+    fi
+
+    repository="$repository_name-$version"
+    s3_path="$path/$version"
+
+    curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
+        {
+            "type": "s3",
+            "settings": {
+            "bucket": "'$bucket_name'",
+            "base_path": "'$s3_path'"
+        }
+    }
+    '
+
+}
+
+# Run functions CheckArgs and CreateRepo
+# param 1: number of arguments passed to configure_s3.sh
+# param 2: <Elastic_Server_IP:Port>
+# param 3: <Bucket>
+# param 4: <Path>
+# param 5: <RepositoryName>
+# param 6: Optional <Elasticsearch major version>
+
+function Main()
+{
+    CheckArgs $1
+
+    CreateRepo $1 $2 $3 $4 $5 $6
+}
+
+Main $# $1 $2 $3 $4 $5

elasticsearch/config/entrypoint.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
+
+set -e
+
+# Files created by Elasticsearch should always be group writable too
+umask 0002
+
+run_as_other_user_if_needed() {
+  if [[ "$(id -u)" == "0" ]]; then
+    # If running as root, drop to specified UID and run command
+    exec chroot --userspec=1000 / "${@}"
+  else
+    # Either we are running in Openshift with random uid and are a member of the root group
+    # or with a custom --user
+    exec "${@}"
+  fi
+}
+
+
+#Disabling xpack features
+
+elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
+if grep -Fq  "#xpack features" "$elasticsearch_config_file";
+then 
+  declare -A CONFIG_MAP=(
+  [xpack.ml.enabled]=$XPACK_ML
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.ml.enabled: $XPACK_ML
+ " >> $elasticsearch_config_file
+fi
+
+# Run load settings script.
+
+./config_cluster.sh
+
+./load_settings.sh &
+
+# Execute elasticsearch
+
+run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch 

elasticsearch/config/load_settings.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+el_url=${ELASTICSEARCH_URL}
+
+if [ "x${WAZUH_API_URL}" = "x" ]; then
+  wazuh_url="https://wazuh"
+else
+  wazuh_url="${WAZUH_API_URL}"
+fi
+
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  auth=""
+else
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
+fi
+
+until curl ${auth} -XGET $el_url; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+>&2 echo "Elastic is up - executing command"
+
+if [ $ENABLE_CONFIGURE_S3 ]; then
+  #Wait for Elasticsearch to be ready to create the repository
+  sleep 10
+  IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
+
+  if [ "x$S3_PATH" != "x" ]; then 
+
+    if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then 
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR 
+
+    else
+      ./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME 
+
+    fi
+
+  fi
+
+fi
+
+#Insert default templates
+
+API_PASS_Q=`echo "$API_PASS" | tr -d '"'`
+API_USER_Q=`echo "$API_USER" | tr -d '"'`
+API_PASSWORD=`echo -n $API_PASS_Q | base64`
+
+echo "Setting API credentials into Wazuh APP"
+CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
+
+if [ "x$CONFIG_CODE" != "x200" ]; then
+  curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
+  {
+    "api_user": "'"$API_USER_Q"'",
+    "api_password": "'"$API_PASSWORD"'",
+    "url": "'"$wazuh_url"'",
+    "api_port": "55000",
+    "insecure": "true",
+    "component": "API",
+    "cluster_info": {
+      "manager": "wazuh-manager",
+      "cluster": "Disabled",
+      "status": "disabled"
+    },
+    "extensions": {
+      "oscap": true,
+      "audit": true,
+      "pci": true,
+      "aws": true,
+      "virustotal": true,
+      "gdpr": true,
+      "ciscat": true
+    }
+  }
+  ' > /dev/null
+else
+  echo "Wazuh APP already configured"
+fi
+sleep 5
+
+curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
+{
+  "persistent": {
+    "xpack.monitoring.collection.enabled": true
+  }
+}
+'
+
+# Set cluster delayed timeout when node falls
+curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
+{
+  "settings": {
+    "index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
+  }
+}
+'
+
+
+echo "Elasticsearch is ready."

generate-opendistro-certs.yml

@@ -1,10 +0,0 @@
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-version: '3'
-
-services:
-  generator:
-    image: wazuh/opendistro-certs-generator:0.1
-    hostname: opendistro-certs-generator
-    volumes:
-      - ./production_cluster/ssl_certs/certs.yml:/usr/src/config/myconf.yml
-      - ./production_cluster/ssl_certs/:/usr/src/certs/out/ 

kibana-odfe/config/custom_welcome/template.js.hbs

@@ -1,112 +0,0 @@
-var kbnCsp = JSON.parse(document.querySelector('kbn-csp').getAttribute('data'));
-window.__kbnStrictCsp__ = kbnCsp.strictCsp;
-window.__kbnThemeTag__ = "{{themeTag}}";
-window.__kbnPublicPath__ = {{publicPathMap}};
-window.__kbnBundles__ = {{kbnBundlesLoaderSource}}
-
-if (window.__kbnStrictCsp__ && window.__kbnCspNotEnforced__) {
-  var legacyBrowserError = document.getElementById('kbn_legacy_browser_error');
-  legacyBrowserError.style.display = 'flex';
-} else {
-  if (!window.__kbnCspNotEnforced__ && window.console) {
-    window.console.log("^ A single error about an inline script not firing due to content security policy is expected!");
-  }
-  var loadingMessage = document.getElementById('kbn_loading_message');
-  loadingMessage.style.display = 'flex';
-
-  window.onload = function () {
-    //WAZUH 
-      var interval = setInterval(() => {  
-        var title = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--medium > div")
-        if (!!title) {
-          clearInterval(interval);
-	  var content = document.querySelector("#kibana-body > div");
-          content.classList.add("wz-login")
-          title.textContent = "Welcome to Wazuh";
-          var subtitle = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > div.euiText.euiText--small > div")
-          subtitle.textContent = "The Open Source Security Platform";
-          var logo = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul > figure");
-          logo.remove();
-          var logoContainer = document.querySelector("#kibana-body > div > div.app-wrapper.hidden-chrome > div > div.application > div > ul");
-          $(logoContainer).prepend('<span class="loginWelcome__logo"></span>');
-        } 
-      })  
-    //
-
-    function failure() {
-      // make subsequent calls to failure() noop
-      failure = function () {};
-
-      var err = document.createElement('h1');
-      err.style['color'] = 'white';
-      err.style['font-family'] = 'monospace';
-      err.style['text-align'] = 'center';
-      err.style['background'] = '#F44336';
-      err.style['padding'] = '25px';
-      err.innerText = document.querySelector('[data-error-message]').dataset.errorMessage;
-
-      document.body.innerHTML = err.outerHTML;
-    }
-
-    var stylesheetTarget = document.querySelector('head meta[name="add-styles-here"]')
-    function loadStyleSheet(url, cb) {
-      var dom = document.createElement('link');
-      dom.rel = 'stylesheet';
-      dom.type = 'text/css';
-      dom.href = url;
-      dom.addEventListener('error', failure);
-      dom.addEventListener('load', cb);
-      document.head.insertBefore(dom, stylesheetTarget);
-    }
-
-    var scriptsTarget = document.querySelector('head meta[name="add-scripts-here"]')
-    function loadScript(url, cb) {
-      var dom = document.createElement('script');
-      {{!-- NOTE: async = false is used to trigger async-download/ordered-execution as outlined here: https://www.html5rocks.com/en/tutorials/speed/script-loading/ --}}
-      dom.async = false;
-      dom.src = url;
-      dom.addEventListener('error', failure);
-      dom.addEventListener('load', cb);
-      document.head.insertBefore(dom, scriptsTarget);
-    }
-
-    function load(urls, cb) {
-      var pending = urls.length;
-      urls.forEach(function (url) {
-        var innerCb = function () {
-          pending = pending - 1;
-          if (pending === 0 && typeof cb === 'function') {
-            cb();
-          }
-        }
-
-        if (typeof url !== 'string') {
-          load(url, innerCb);
-        } else if (url.slice(-4) === '.css') {
-          loadStyleSheet(url, innerCb);
-        } else {
-          loadScript(url, innerCb);
-        }
-      });
-    }
-
-    load([
-      {{#each jsDependencyPaths}}
-        '{{this}}',
-      {{/each}}
-    ], function () {
-      {{#unless legacyBundlePath}}
-        __kbnBundles__.get('entry/core/public').__kbnBootstrap__();
-      {{/unless}}
-
-      load([
-        {{#if legacyBundlePath}}
-          '{{legacyBundlePath}}',
-        {{/if}}
-        {{#each styleSheetPaths}}
-          '{{this}}',
-        {{/each}}
-      ]);
-    });
-  }
-}

kibana-odfe/config/custom_welcome/wazuh_logo_circle.svg

@@ -1 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 84.67 84.67"><defs><style>.a{fill:#fff;}.b{fill:#00a9e5;}</style></defs><title>wazuh_logo_circle</title><circle class="a" cx="42.34" cy="42.34" r="42.34"/><path class="b" d="M58.13,9.2,50,26.32H35.07L26.16,9.2,20,31l-8.53,9.72,19.18,17.6,7.47,17.21h8.53l7-16.91L73.24,40.83l-8.73-9.57ZM48.58,55.13a1.79,1.79,0,0,1-.74.62,2.49,2.49,0,0,1-1,.2,2.52,2.52,0,0,1-1-.2,1.84,1.84,0,0,1-.71-.62l-2.88-4.36-2.9,4.36a1.87,1.87,0,0,1-.72.62,2.48,2.48,0,0,1-.95.2,1.94,1.94,0,0,1-1.7-.82L21.3,41.37h4.09L37.87,52.3l2.49-3.89h3.93L47,52.3,59.63,40.9h3.74Z"/></svg>

kibana-odfe/config/wazuh.yml

@@ -1,162 +0,0 @@
----
-#
-# Wazuh app - App configuration file
-# Copyright (C) 2015-2020 Wazuh, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Find more information about this on the LICENSE file.
-#
-# ======================== Wazuh app configuration file ========================
-#
-# Please check the documentation for more information on configuration options:
-# https://documentation.wazuh.com/current/installation-guide/index.html
-#
-# Also, you can check our repository:
-# https://github.com/wazuh/wazuh-kibana-app
-#
-# ------------------------------- Index patterns -------------------------------
-#
-# Default index pattern to use.
-#pattern: wazuh-alerts-*
-#
-# ----------------------------------- Checks -----------------------------------
-#
-# Defines which checks must to be consider by the healthcheck
-# step once the Wazuh app starts. Values must to be true or false.
-#checks.pattern : true
-#checks.template: true
-#checks.api     : true
-#checks.setup   : true
-#checks.metaFields: true
-#
-# --------------------------------- Extensions ---------------------------------
-#
-# Defines which extensions should be activated when you add a new API entry.
-# You can change them after Wazuh app starts.
-# Values must to be true or false.
-#extensions.pci       : true
-#extensions.gdpr      : true
-#extensions.hipaa     : true
-#extensions.nist      : true
-#extensions.tsc       : true
-#extensions.audit     : true
-#extensions.oscap     : false
-#extensions.ciscat    : false
-#extensions.aws       : false
-#extensions.gcp       : false
-#extensions.virustotal: false
-#extensions.osquery   : false
-#extensions.docker    : false
-#
-# ---------------------------------- Time out ----------------------------------
-#
-# Defines maximum timeout to be used on the Wazuh app requests.
-# It will be ignored if it is bellow 1500.
-# It means milliseconds before we consider a request as failed.
-# Default: 20000
-#timeout: 20000
-#
-# -------------------------------- API selector --------------------------------
-#
-# Defines if the user is allowed to change the selected
-# API directly from the Wazuh app top menu.
-# Default: true
-#api.selector: true
-#
-# --------------------------- Index pattern selector ---------------------------
-#
-# Defines if the user is allowed to change the selected
-# index pattern directly from the Wazuh app top menu.
-# Default: true
-#ip.selector: true
-#
-# List of index patterns to be ignored
-#ip.ignore: []
-#
-# -------------------------------- X-Pack RBAC ---------------------------------
-#
-# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
-# Default: enabled
-#xpack.rbac.enabled: true
-#
-# ------------------------------ wazuh-monitoring ------------------------------
-#
-# Custom setting to enable/disable wazuh-monitoring indices.
-# Values: true, false, worker
-# If worker is given as value, the app will show the Agents status
-# visualization but won't insert data on wazuh-monitoring indices.
-# Default: true
-#wazuh.monitoring.enabled: true
-#
-# Custom setting to set the frequency for wazuh-monitoring indices cron task.
-# Default: 900 (s)
-#wazuh.monitoring.frequency: 900
-#
-# Configure wazuh-monitoring-* indices shards and replicas.
-#wazuh.monitoring.shards: 2
-#wazuh.monitoring.replicas: 0
-#
-# Configure wazuh-monitoring-* indices custom creation interval.
-# Values: h (hourly), d (daily), w (weekly), m (monthly)
-# Default: d
-#wazuh.monitoring.creation: d
-#
-# Default index pattern to use for Wazuh monitoring
-#wazuh.monitoring.pattern: wazuh-monitoring-*
-#
-# --------------------------------- wazuh-cron ----------------------------------
-#
-# Customize the index prefix of predefined jobs
-# This change is not retroactive, if you change it new indexes will be created
-# cron.prefix: test
-#
-# ------------------------------ wazuh-statistics -------------------------------
-#
-# Custom setting to enable/disable statistics tasks.
-#cron.statistics.status: true
-#
-# Enter the ID of the APIs you want to save data from, leave this empty to run
-# the task on all configured APIs
-#cron.statistics.apis: []
-#
-# Define the frequency of task execution using cron schedule expressions
-#cron.statistics.interval: 0 0 * * * *
-#
-# Define the name of the index in which the documents are to be saved.
-#cron.statistics.index.name: statistics
-#
-# Define the interval in which the index will be created
-#cron.statistics.index.creation: w
-#
-# ------------------------------- App privileges --------------------------------
-#admin: true
-#
-# ---------------------------- Hide manager alerts ------------------------------
-# Hide the alerts of the manager in all dashboards and discover
-#hideManagerAlerts: false
-#
-# ------------------------------- App logging level -----------------------------
-# Set the logging level for the Wazuh App log files.
-# Default value: info
-# Allowed values: info, debug
-#logs.level: info
-#
-# -------------------------------- Enrollment DNS -------------------------------
-# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
-# Default value: ''
-#enrollment.dns: ''
-#
-#-------------------------------- API entries -----------------------------------
-#The following configuration is the default structure to define an API entry.
-#
-#hosts:
-#  - <id>:
-#     url: http(s)://<url>
-#     port: <port>
-#     username: <username>
-#     password: <password>
-

kibana-odfe/config/welcome_wazuh.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-if [[ $CHANGE_WELCOME == "true" ]]
-then
-    echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
-
-    echo "Set custom welcome styles"
-    cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
-    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css
-    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/
-fi
-

kibana/Dockerfile

@@ -1,18 +1,21 @@
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-FROM amazon/opendistro-for-elasticsearch-kibana:1.11.0
-USER kibana
-ARG ELASTIC_VERSION=7.9.1
-ARG WAZUH_VERSION=4.0.3
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.3.0
+ARG ELASTIC_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
-WORKDIR /usr/share/kibana
-RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
-
-WORKDIR /
 USER root
+
+ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
+
+RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
+RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
+
 COPY config/entrypoint.sh ./entrypoint.sh
 RUN chmod 755 ./entrypoint.sh
 
+USER kibana
+
 ENV PATTERN="" \
     CHECKS_PATTERN="" \
     CHECKS_TEMPLATE="" \
@@ -20,41 +23,56 @@ ENV PATTERN="" \
     CHECKS_SETUP="" \
     EXTENSIONS_PCI="" \
     EXTENSIONS_GDPR="" \
-    EXTENSIONS_HIPAA="" \
-    EXTENSIONS_NIST="" \
-    EXTENSIONS_TSC="" \
     EXTENSIONS_AUDIT="" \
     EXTENSIONS_OSCAP="" \
     EXTENSIONS_CISCAT="" \
     EXTENSIONS_AWS="" \
-    EXTENSIONS_GCP="" \
     EXTENSIONS_VIRUSTOTAL="" \
     EXTENSIONS_OSQUERY="" \
-    EXTENSIONS_DOCKER="" \
     APP_TIMEOUT="" \
-    API_SELECTOR="" \
+    WAZUH_SHARDS="" \
+    WAZUH_REPLICAS="" \
+    WAZUH_VERSION_SHARDS="" \
+    WAZUH_VERSION_REPLICAS="" \
     IP_SELECTOR="" \
     IP_IGNORE="" \
+    XPACK_RBAC_ENABLED="" \
     WAZUH_MONITORING_ENABLED="" \
     WAZUH_MONITORING_FREQUENCY="" \
     WAZUH_MONITORING_SHARDS="" \
     WAZUH_MONITORING_REPLICAS="" \
     ADMIN_PRIVILEGES=""
 
-USER kibana
-RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
+ARG XPACK_CANVAS="true"
+ARG XPACK_LOGS="true"
+ARG XPACK_INFRA="true"
+ARG XPACK_ML="true"
+ARG XPACK_DEVTOOLS="true"
+ARG XPACK_MONITORING="true"
+ARG XPACK_APM="true"
 
-COPY ./config/custom_welcome /tmp/custom_welcome
-COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
-RUN chmod +x ./welcome_wazuh.sh
-ARG CHANGE_WELCOME="true"
-RUN ./welcome_wazuh.sh
+ARG CHANGE_WELCOME="false"
 
-COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml
 COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+
 RUN chmod +x ./wazuh_app_config.sh
 
 COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+
 RUN chmod +x ./kibana_settings.sh
 
+COPY --chown=kibana:kibana ./config/xpack_config.sh ./
+
+RUN chmod +x ./xpack_config.sh
+
+RUN ./xpack_config.sh
+
+COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
+
+RUN chmod +x ./welcome_wazuh.sh
+
+RUN ./welcome_wazuh.sh
+
+RUN /usr/local/bin/kibana-docker --optimize
+
 ENTRYPOINT ./entrypoint.sh

kibana/config/entrypoint.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 set -e
 
@@ -7,22 +7,16 @@ set -e
 # Waiting for elasticsearch
 ##############################################################################
 
-if [ "x${ELASTICSEARCH_URL}" == "x" ]; then
-  if [[ ${ENABLED_SECURITY} == "false" ]]; then
-    export el_url="http://elasticsearch:9200"
-  else
-    export el_url="https://elasticsearch:9200"
-  fi
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  el_url="http://elasticsearch:9200"
 else
-  export el_url="${ELASTICSEARCH_URL}"
+  el_url="${ELASTICSEARCH_URL}"
 fi
 
-if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" == "x" || "x${ELASTICSEARCH_PASSWORD}" == "x" ]]; then
+if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
   auth=""
-  # remove security plugin from kibana if elasticsearch is not using it either
-  /usr/share/kibana/bin/kibana-plugin remove opendistro_security
 else
-  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+  auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
 fi
 
 until curl -XGET $el_url ${auth}; do
@@ -43,7 +37,7 @@ strlen=0
 
 while [[ $strlen -eq 0 ]]
 do
-  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+  template=$(curl $el_url/_cat/templates/wazuh -s)
   strlen=${#template}
   >&2 echo "Wazuh alerts template not loaded - sleeping."
   sleep 2
@@ -60,6 +54,4 @@ sleep 5
 
 ./kibana_settings.sh &
 
-sleep 2
-
 /usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-WAZUH_MAJOR=4
+WAZUH_MAJOR=3
 
 ##############################################################################
 # Wait for the Kibana API to start. It is necessary to do it in this container
-# because the others are running Elastic Stack and we can not interrupt them.
-#
+# because the others are running Elastic Stack and we can not interrupt them. 
+# 
 # The following actions are performed:
 #
 # Add the wazuh alerts index as default.
@@ -17,9 +17,10 @@ WAZUH_MAJOR=4
 ##############################################################################
 # Customize elasticsearch ip
 ##############################################################################
-sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
-# disable multitenancy
-sed -i "s|opendistro_security.multitenancy.enabled:.*|opendistro_security.multitenancy.enabled: false|g" /usr/share/kibana/config/kibana.yml
+if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
+  sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
+  sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
+fi
 
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
 if [ "$KIBANA_INDEX" != "" ]; then
@@ -29,12 +30,26 @@ if [ "$KIBANA_INDEX" != "" ]; then
     echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
 fi
 
-while [[ "$(curl -XGET -I  -s -o /dev/null -w '%{http_code}' -k https://127.0.0.1:5601/app/login)" != "200" ]]; do
+# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+if [ "$KIBANA_IP" != "" ]; then
+  kibana_ip="$KIBANA_IP"
+else
+  kibana_ip="kibana"
+fi
+
+while [[ "$(curl -XGET -I  -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
   echo "Waiting for Kibana API. Sleeping 5 seconds"
   sleep 5
 done
 
-# Prepare index selection.
+# Prepare index selection. 
 echo "Kibana API is running"
 
 default_index="/tmp/default_index.json"
@@ -49,12 +64,16 @@ EOF
 
 sleep 5
 # Add the wazuh alerts index as default.
-curl ${auth} -POST -k https://127.0.0.1:5601/api/kibana/settings -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
 rm -f ${default_index}
 
 sleep 5
 # Configuring Kibana TimePicker.
-curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-24h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
 
 echo "End settings"

kibana/config/wazuh_app_config.sh

@@ -1,12 +1,7 @@
 #!/bin/bash
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
-wazuh_url="${WAZUH_API_URL:-https://wazuh}"
-wazuh_port="${API_PORT:-55000}"
-api_username="${API_USERNAME:-wazuh-wui}"
-api_password="${API_PASSWORD:-wazuh-wui}"
-
-kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
+kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN
@@ -16,21 +11,20 @@ declare -A CONFIG_MAP=(
   [checks.setup]=$CHECKS_SETUP
   [extensions.pci]=$EXTENSIONS_PCI
   [extensions.gdpr]=$EXTENSIONS_GDPR
-  [extensions.hipaa]=$EXTENSIONS_HIPAA
-  [extensions.nist]=$EXTENSIONS_NIST
-  [extensions.tsc]=$EXTENSIONS_TSC
   [extensions.audit]=$EXTENSIONS_AUDIT
   [extensions.oscap]=$EXTENSIONS_OSCAP
   [extensions.ciscat]=$EXTENSIONS_CISCAT
   [extensions.aws]=$EXTENSIONS_AWS
-  [extensions.gcp]=$EXTENSIONS_GCP
   [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
   [extensions.osquery]=$EXTENSIONS_OSQUERY
-  [extensions.docker]=$EXTENSIONS_DOCKER
   [timeout]=$APP_TIMEOUT
-  [api.selector]=$API_SELECTOR
+  [wazuh.shards]=$WAZUH_SHARDS
+  [wazuh.replicas]=$WAZUH_REPLICAS
+  [wazuh-version.shards]=$WAZUH_VERSION_SHARDS
+  [wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
   [ip.selector]=$IP_SELECTOR
   [ip.ignore]=$IP_IGNORE
+  [xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
   [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
   [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
   [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
@@ -44,21 +38,3 @@ do
         sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
     fi
 done
-
-CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
-
-grep -q 1513629884013 $kibana_config_file
-_config_exists=$?
-
-if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
-cat << EOF >> $kibana_config_file
-hosts:
-  - 1513629884013:
-      url: $wazuh_url
-      port: $wazuh_port
-      username: $api_username
-      password: $api_password
-EOF
-else
-  echo "Wazuh APP already configured"
-fi

kibana/config/welcome_wazuh.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+if [[ $CHANGE_WELCOME == "true" ]]
+then
+
+    rm -rf ./optimize/bundles
+
+    kibana_path="/usr/share/kibana"
+    # Set Wazuh app as the default landing page
+    echo "Set Wazuh app as the default landing page"
+    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+
+    # Redirect Kibana welcome screen to Discover
+    echo "Redirect Kibana welcome screen to Discover"
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
+    sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
+
+    # Redirect Kibana welcome screen to Discover
+    echo "Hide undesired links"
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
+    sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
+fi
+

kibana/config/xpack_config.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq  "#xpack features" "$kibana_config_file";
+then 
+  declare -A CONFIG_MAP=(
+    [xpack.apm.ui.enabled]=$XPACK_APM
+    [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+    [xpack.ml.enabled]=$XPACK_ML
+    [xpack.canvas.enabled]=$XPACK_CANVAS
+    [xpack.infra.enabled]=$XPACK_INFRA
+    [xpack.monitoring.enabled]=$XPACK_MONITORING
+    [console.enabled]=$XPACK_DEVTOOLS
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM 
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi

migration/volumes.sh

@@ -0,0 +1,138 @@
+#!/bin/bash 
+# Copyright (C) 2019, Wazuh Inc.
+
+# Script to update old environments containing /var/ossec/data with symbolic links the new structure
+
+wazuh_path=/var/ossec/
+data_path=/var/ossec/data/
+wazuh_dirs=(api/configuration etc logs queue var/multigroups active-response/bin integrations)
+no_wazuh_dirs=(/etc/filebeat)
+
+wazuh_preserve_links=(/var/ossec/api/configuration/auth/htpasswd /var/ossec/etc/ossec-init.conf)
+wazuh_files=(/var/ossec/queue/agents-timestamp)
+filebeat_files=(/var/lib/filebeat/registry /var/lib/filebeat/meta.json)
+postfix_files=(/etc/postfix/dynamicmaps.cf /etc/postfix/main.cf /etc/postfix/main.cf.proto /etc/postfix/master.cf /etc/postfix/master.cf.proto /etc/postfix/postfix-files /etc/postfix/sasl /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db /etc/postfix/postfix-script /etc/postfix/post-install)
+
+for dir in "${wazuh_dirs[@]}"; do
+  if [ ! -e $data_path"wazuh"$wazuh_path$dir ]
+  then
+    mkdir -p $data_path"wazuh"$wazuh_path$dir
+  fi
+  echo "Copying $wazuh_path$dir to $data_path"wazuh"$wazuh_path$dir"
+  cp -LR --preserve=all $wazuh_path$dir/* $data_path"wazuh"$wazuh_path$dir
+done
+
+for dir in "${no_wazuh_dirs[@]}"; do
+  base=$(basename $dir)
+  if [ ! -e $data_path$base$dir ]
+  then
+    mkdir -p $data_path$base$dir
+  fi
+  echo "Copying $dir to $data_path$base$dir"
+  cp -a $dir/* $data_path$base$dir
+done
+
+
+for file in "${wazuh_files[@]}"; do
+  echo "Copying $file to $data_path"wazuh"$file"
+  cp -LR --preserve=all $file $data_path"wazuh"$file
+done
+
+echo ">> Checking filebeat files" 
+mkdir -p $data_path"filebeat/var/lib/filebeat"
+
+for file in "${filebeat_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"filebeat"$file
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file/* $data_path"filebeat"$file
+    else
+        echo "Copying $file to $data_path"filebeat"$file"
+        cp -a $file $data_path"filebeat"$file
+    fi
+  fi
+done
+
+echo ">> Checking postfix files"
+mkdir -p $data_path"postfix/etc/postfix"
+
+for file in "${postfix_files[@]}"; do
+  if [[ -e $file ]]; then
+    if [[ -d $file ]]; then
+        mkdir -p $data_path"postfix"$file
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file/* $data_path"postfix"$file
+    else
+        echo "Copying $file to $data_path"postfix"$file"
+        cp -a $file $data_path"postfix"$file
+    fi
+  fi
+done
+
+echo ">> Preserving Wazuh symbolic links files"
+for file in "${wazuh_preserve_links[@]}"; do
+  rm  $wazuh_path"data/wazuh"$file
+  cp -a $file $wazuh_path"data/wazuh"$file
+done
+
+# Grant proper permissions
+
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration
+chown root:ossec /var/ossec/data/wazuh/var/ossec/api/configuration
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/auth
+chmod 740 /var/ossec/data/wazuh/var/ossec/api/configuration/config.js
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/preloaded_vars.conf
+chmod 750 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.crt
+chmod 400 /var/ossec/data/wazuh/var/ossec/api/configuration/ssl/server.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/etc
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/client.keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/decoders/local_decoder.xml
+chmod 660 /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/etc/lists/amazon/aws-sources.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/audit-keys.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/lists/security-eventchannel
+chmod 640 /var/ossec/data/wazuh//var/ossec/etc/lists/security-eventchannel.cdb
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/local_internal_options.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/localtime
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/ossec.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/rules/local_rules.xml
+chown root:ossec /var/ossec/data/wazuh/var/ossec/etc/shared/default/agent.conf
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.cert
+chmod 640 /var/ossec/data/wazuh/var/ossec/etc/sslmanager.key
+chmod 770 /var/ossec/data/wazuh/var/ossec/logs
+chown ossec:ossec /var/ossec/data/wazuh/var/ossec/logs
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/alerts/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/api
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/archives/2019/May
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/cluster
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/firewall/2019/May
+chmod 640 /var/ossec/data/wazuh/var/ossec/logs/integrations.log
+chmod 750 /var/ossec/data/wazuh/var/ossec/logs/ossec
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue
+chown root:ossec /var/ossec/data/wazuh/var/ossec/queue
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/agentless
+chmod 600 /var/ossec/data/wazuh/var/ossec/queue/agents-timestamp
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/db 
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-shm
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/db/000.db-wal
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/fts
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/fts-queue
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/hostinfo
+chmod 640 /var/ossec/data/wazuh/var/ossec/queue/fts/ig-queue
+chmod 644 /var/ossec/data/wazuh/var/ossec/queue/rids/sender_counter
+chmod 750 /var/ossec/data/wazuh/var/ossec/queue/rootcheck
+chmod 770 /var/ossec/data/wazuh/var/ossec/var/multigroups
+chown root:ossec /var/ossec/data/wazuh/var/ossec/var/multigroups

nginx/Dockerfile

@@ -0,0 +1,19 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM nginx:latest
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install -y openssl apache2-utils
+
+COPY config/entrypoint.sh /entrypoint.sh
+
+RUN chmod 755 /entrypoint.sh
+
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+VOLUME ["/etc/nginx/conf.d"]
+
+ENV NGINX_NAME="foo" \
+    NGINX_PWD="bar"
+
+ENTRYPOINT /entrypoint.sh

nginx/config/entrypoint.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+# Generating certificates.
+if [ ! -d /etc/nginx/conf.d/ssl ]; then
+  echo "Generating SSL certificates"
+  mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
+  openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
+else
+  echo "SSL certificates already present"
+fi
+
+# Setting users credentials.
+# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
+#
+# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
+#    export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
+#
+# b) Set NGINX_CREDENTIALS in docker-compose.yml:
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
+#    NGINX_CREDENTIALS=user1:pass1;user2:pass2
+#
+if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
+  echo "Setting users credentials"
+  if [ ! -z "$NGINX_CREDENTIALS" ]; then
+    IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
+    for index in "${!users[@]}"
+    do
+      IFS=':' read -r -a credentials <<< "${users[index]}"
+      if [ $index -eq 0 ]; then
+        echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
+      else
+        echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd  ${credentials[0]} >/dev/null
+      fi
+    done
+  else
+    # NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile 
+    echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
+  fi
+else
+  echo "Kibana credentials already configured"
+fi
+
+if [ "x${NGINX_PORT}" = "x" ]; then
+  NGINX_PORT=443
+fi
+
+if [ "x${KIBANA_HOST}" = "x" ]; then
+  KIBANA_HOST="kibana:5601"
+fi
+
+echo "Configuring NGINX"
+cat > /etc/nginx/conf.d/default.conf <<EOF
+server {
+    listen 80;
+    listen [::]:80;
+    return 301 https://\$host:${NGINX_PORT}\$request_uri;
+}
+
+server {
+    listen ${NGINX_PORT} default_server;
+    listen [::]:${NGINX_PORT};
+    ssl on;
+    ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
+    ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
+    location / {
+        auth_basic "Restricted";
+        auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
+        proxy_pass http://${KIBANA_HOST}/;
+        proxy_buffer_size          128k;
+        proxy_buffers              4 256k;
+        proxy_busy_buffers_size    256k;
+    }
+}
+EOF
+
+nginx -g 'daemon off;'

production-cluster.yml

@@ -1,204 +0,0 @@
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-version: '3.7'
-
-services:
-  wazuh-master:
-    image: wazuh/wazuh-odfe:4.0.3_1.11.0
-    hostname: wazuh-master
-    restart: always
-    ports:
-      - "1515:1515"
-      - "514:514/udp"
-      - "55000:55000"
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=full
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
-      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
-      - SSL_KEY=/etc/ssl/filebeat.key
-      - API_USERNAME=acme-user
-      - API_PASSWORD=MyS3cr37P450r.*-
-    volumes:
-      - ossec-api-configuration:/var/ossec/api/configuration
-      - ossec-etc:/var/ossec/etc
-      - ossec-logs:/var/ossec/logs
-      - ossec-queue:/var/ossec/queue
-      - ossec-var-multigroups:/var/ossec/var/multigroups
-      - ossec-integrations:/var/ossec/integrations
-      - ossec-active-response:/var/ossec/active-response/bin
-      - ossec-agentless:/var/ossec/agentless
-      - ossec-wodles:/var/ossec/wodles
-      - filebeat-etc:/etc/filebeat
-      - filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
-
-  wazuh-worker:
-    image: wazuh/wazuh-odfe:4.0.3_1.11.0
-    hostname: wazuh-worker
-    restart: always
-    environment:
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - ELASTIC_USERNAME=admin
-      - ELASTIC_PASSWORD=SecretPassword
-      - FILEBEAT_SSL_VERIFICATION_MODE=full
-      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
-      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
-      - SSL_KEY=/etc/ssl/filebeat.key
-    volumes:
-      - worker-ossec-api-configuration:/var/ossec/api/configuration
-      - worker-ossec-etc:/var/ossec/etc
-      - worker-ossec-logs:/var/ossec/logs
-      - worker-ossec-queue:/var/ossec/queue
-      - worker-ossec-var-multigroups:/var/ossec/var/multigroups
-      - worker-ossec-integrations:/var/ossec/integrations
-      - worker-ossec-active-response:/var/ossec/active-response/bin
-      - worker-ossec-agentless:/var/ossec/agentless
-      - worker-ossec-wodles:/var/ossec/wodles
-      - worker-filebeat-etc:/etc/filebeat
-      - worker-filebeat-var:/var/lib/filebeat
-      - ./production_cluster/ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/ssl_certs/filebeat.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/ssl_certs/filebeat.key:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
-
-  elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
-    hostname: elasticsearch
-    restart: always
-    ports:
-      - "9200:9200"
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-1:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
-      - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  elasticsearch-2:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
-    hostname: elasticsearch-2
-    restart: always
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-2:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node2.key:/usr/share/elasticsearch/config/node2.key
-      - ./production_cluster/ssl_certs/node2.pem:/usr/share/elasticsearch/config/node2.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node2.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  elasticsearch-3:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
-    hostname: elasticsearch-3
-    restart: always
-    environment:
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
-    ulimits:
-      memlock:
-        soft: -1
-        hard: -1
-      nofile:
-        soft: 65536
-        hard: 65536
-    volumes:
-      - elastic-data-3:/usr/share/elasticsearch/data
-      - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
-      - ./production_cluster/ssl_certs/node3.key:/usr/share/elasticsearch/config/node3.key
-      - ./production_cluster/ssl_certs/node3.pem:/usr/share/elasticsearch/config/node3.pem
-      - ./production_cluster/elastic_opendistro/elasticsearch-node3.yml:/usr/share/elasticsearch/config/elasticsearch.yml
-      - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
-
-  kibana:
-    image: wazuh/wazuh-kibana-odfe:4.0.3_1.11.0
-    hostname: kibana
-    restart: always
-    ports:
-      - 5601:5601
-    environment:
-      - ELASTICSEARCH_USERNAME=admin
-      - ELASTICSEARCH_PASSWORD=SecretPassword
-      - SERVER_SSL_ENABLED=true
-      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/cert.pem
-      - SERVER_SSL_KEY=/usr/share/kibana/config/key.pem
-      - WAZUH_API_URL="https://wazuh-master"
-      - API_USERNAME=acme-user
-      - API_PASSWORD=MyS3cr37P450r.*-
-    volumes:
-      - ./production_cluster/kibana_ssl/cert.pem:/usr/share/kibana/config/cert.pem
-      - ./production_cluster/kibana_ssl/key.pem:/usr/share/kibana/config/key.pem
-
-    depends_on:
-      - elasticsearch
-    links:
-      - elasticsearch:elasticsearch
-      - wazuh-master:wazuh-master
-
-  nginx:
-    image: nginx:stable
-    hostname: nginx
-    restart: always
-    ports:
-      - "80:80"
-      - "443:443"
-      - "1514:1514"
-    depends_on:
-      - wazuh-master
-      - wazuh-worker
-      - kibana
-    links:
-      - wazuh-master:wazuh-master
-      - wazuh-worker:wazuh-worker
-      - kibana:kibana
-    volumes:
-      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./production_cluster/nginx/ssl:/etc/nginx/ssl:ro
-
-volumes:
-  ossec-api-configuration:
-  ossec-etc:
-  ossec-logs:
-  ossec-queue:
-  ossec-var-multigroups:
-  ossec-integrations:
-  ossec-active-response:
-  ossec-agentless:
-  ossec-wodles:
-  filebeat-etc:
-  filebeat-var:
-  worker-ossec-api-configuration:
-  worker-ossec-etc:
-  worker-ossec-logs:
-  worker-ossec-queue:
-  worker-ossec-var-multigroups:
-  worker-ossec-integrations:
-  worker-ossec-active-response:
-  worker-ossec-agentless:
-  worker-ossec-wodles:
-  worker-filebeat-etc:
-  worker-filebeat-var:
-  elastic-data-1:
-  elastic-data-2:
-  elastic-data-3:

production_cluster/elastic_opendistro/elasticsearch-node1.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node1.pem
-opendistro_security.ssl.transport.pemkey_filepath: node1.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node1.pem
-opendistro_security.ssl.http.pemkey_filepath: node1.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node2.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch-2
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node2.pem
-opendistro_security.ssl.transport.pemkey_filepath: node2.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node2.pem
-opendistro_security.ssl.http.pemkey_filepath: node2.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/elasticsearch-node3.yml

@@ -1,31 +0,0 @@
-network.host: 0.0.0.0
-cluster.name: wazuh-cluster
-node.name: elasticsearch-3
-discovery.seed_hosts: elasticsearch,elasticsearch-2,elasticsearch-3
-cluster.initial_master_nodes: elasticsearch,elasticsearch-2,elasticsearch-3
-bootstrap.memory_lock: true
-
-opendistro_security.ssl.transport.pemcert_filepath: node3.pem
-opendistro_security.ssl.transport.pemkey_filepath: node3.key
-opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.ssl.transport.enforce_hostname_verification: false
-opendistro_security.ssl.transport.resolve_hostname: false
-opendistro_security.ssl.http.enabled: true
-opendistro_security.ssl.http.pemcert_filepath: node3.pem
-opendistro_security.ssl.http.pemkey_filepath: node3.key
-opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
-opendistro_security.allow_default_init_securityindex: true
-opendistro_security.nodes_dn:
-    - 'CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-    - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
-opendistro_security.audit.type: internal_elasticsearch
-opendistro_security.enable_snapshot_restore_privilege: true
-opendistro_security.check_snapshot_restore_write_privileges: true
-opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
-cluster.routing.allocation.disk.threshold_enabled: false
-#opendistro_security.audit.config.disabled_rest_categories: NONE
-#opendistro_security.audit.config.disabled_transport_categories: NONE
-opendistro_security.audit.log_request_body: false

production_cluster/elastic_opendistro/internal_users.yml

@@ -1,56 +0,0 @@
----
-# This is the internal user database
-# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
-
-_meta:
-  type: "internalusers"
-  config_version: 2
-
-# Define your internal users here
-
-## Demo users
-
-admin:
-  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
-  reserved: true
-  backend_roles:
-  - "admin"
-  description: "Demo admin user"
-
-kibanaserver:
-  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
-  reserved: true
-  description: "Demo kibanaserver user"
-
-kibanaro:
-  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
-  reserved: false
-  backend_roles:
-  - "kibanauser"
-  - "readall"
-  attributes:
-    attribute1: "value1"
-    attribute2: "value2"
-    attribute3: "value3"
-  description: "Demo kibanaro user"
-
-logstash:
-  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
-  reserved: false
-  backend_roles:
-  - "logstash"
-  description: "Demo logstash user"
-
-readall:
-  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
-  reserved: false
-  backend_roles:
-  - "readall"
-  description: "Demo readall user"
-
-snapshotrestore:
-  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
-  reserved: false
-  backend_roles:
-  - "snapshotrestore"
-  description: "Demo snapshotrestore user"

production_cluster/kibana_ssl/generate-self-signed-cert.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-if [ -s key.pem ]
-then
-    echo "Certificate already exists"
-    exit
-else
-    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
-fi

production_cluster/nginx/nginx.conf

@@ -1,67 +0,0 @@
-user  nginx;
-worker_processes  1;
-
-error_log  /var/log/nginx/error.log warn;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    server_tokens off;
-    gzip  on;
-
-    # kibana UI
-    server {
-        listen 80;
-        listen [::]:80;
-        return 301 https://$host:443$request_uri;
-    }
-
-    server {
-        listen 443 default_server ssl http2;
-        listen [::]:443 ssl http2;
-        ssl_certificate /etc/nginx/ssl/cert.pem;
-        ssl_certificate_key /etc/nginx/ssl/key.pem;
-        location / {
-            proxy_pass https://kibana:5601/;
-            proxy_ssl_verify off;
-            proxy_buffer_size          128k;
-            proxy_buffers              4 256k;
-            proxy_busy_buffers_size    256k;
-        }
-    }
-
-}
-
-
-
-# load balancer for Wazuh cluster
-stream {
-    upstream mycluster {
-        hash $remote_addr consistent;
-        server wazuh-master:1514;
-        server wazuh-worker:1514;
-    }
-    server {
-        listen 1514;
-        proxy_pass mycluster;
-    }
-}

production_cluster/nginx/ssl/generate-self-signed-cert.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-if [ -s key.pem ]
-then
-    echo "Certificate already exists"
-    exit
-else
-    openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
-fi

production_cluster/ssl_certs/certs.yml

@@ -1,30 +0,0 @@
-ca:
-   root:
-      dn: CN=root-ca,OU=CA,O=Example\, Inc.,DC=example,DC=com
-      pkPassword: none
-      keysize: 2048
-      file: root-ca.pem 
-   intermediate:
-      dn: CN=intermediate,OU=CA,O=Example\, Inc.,DC=example,DC=com
-      keysize: 2048
-      validityDays: 3650  
-      pkPassword: intermediate-ca-password
-      file: intermediate-ca.pem
-
-nodes:
-  - name: node1
-    dn: CN=node1,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch
-  - name: node2
-    dn: CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch-2
-  - name: node3
-    dn: CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - elasticsearch-3
-  - name: filebeat
-    dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
-    dns: 
-      - wazuh 

production_cluster/wazuh_cluster/wazuh_manager.conf

@@ -1,349 +0,0 @@
-<ossec_config>
-  <global>
-    <jsonout_output>yes</jsonout_output>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>ossecm@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-  </global>
-
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>plain</log_format>
-  </logging>
-
-  <remote>
-    <connection>secure</connection>
-    <port>1514</port>
-    <protocol>tcp</protocol>
-    <queue_size>131072</queue_size>
-  </remote>
-
-  <!-- Policy monitoring -->
-  <rootcheck>
-    <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
-    <check_dev>yes</check_dev>
-    <check_sys>yes</check_sys>
-    <check_pids>yes</check_pids>
-    <check_ports>yes</check_ports>
-    <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
-
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
-    <skip_nfs>yes</skip_nfs>
-  </rootcheck>
-
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-  </wodle>
-
-  <sca>
-    <enabled>yes</enabled>
-    <scan_on_start>yes</scan_on_start>
-    <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
-  </sca>
-
-  <vulnerability-detector>
-    <enabled>no</enabled>
-    <interval>5m</interval>
-    <ignore_time>6h</ignore_time>
-    <run_on_start>yes</run_on_start>
-
-    <!-- Ubuntu OS vulnerabilities --> 
-    <provider name="canonical">
-      <enabled>no</enabled>
-      <os>trusty</os>
-      <os>xenial</os>
-      <os>bionic</os>
-      <os>focal</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Debian OS vulnerabilities -->  
-    <provider name="debian">
-      <enabled>no</enabled>
-      <os>stretch</os>
-      <os>buster</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- RedHat OS vulnerabilities -->  
-    <provider name="redhat">
-      <enabled>no</enabled>
-      <os>5</os>
-      <os>6</os>
-      <os>7</os>
-      <os>8</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Windows OS vulnerabilities -->
-    <provider name="msu">
-      <enabled>yes</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Aggregate vulnerabilities -->
-    <provider name="nvd">
-      <enabled>yes</enabled>
-      <update_from_year>2010</update_from_year>
-      <update_interval>1h</update_interval>
-    </provider>
-
-  </vulnerability-detector>
-
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
-
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
-
-    <scan_on_start>yes</scan_on_start>
-
-    <!-- Generate alert when new file detected -->
-    <alert_new_files>yes</alert_new_files>
-
-    <!-- Don't ignore files that change more than 'frequency' times -->
-    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
-
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
-
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
-
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
-
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_interval>1h</max_interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
-
-  <!-- Active response -->
-  <global>
-    <white_list>127.0.0.1</white_list>
-    <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
-    <white_list>4.2.2.2</white_list>
-    <white_list>208.67.220.220</white_list>
-  </global>
-
-  <command>
-    <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
-  </command>
-
-  <command>
-    <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <!--
-  <active-response>
-    active-response options here
-  </active-response>
-  -->
-
-  <!-- Log analysis -->
-  <localfile>
-    <log_format>command</log_format>
-    <command>df -P</command>
-    <frequency>360</frequency>
-  </localfile>
-
-  <localfile>
-    <log_format>full_command</log_format>
-    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
-    <alias>netstat listening ports</alias>
-    <frequency>360</frequency>
-  </localfile>
-
-  <localfile>
-    <log_format>full_command</log_format>
-    <command>last -n 20</command>
-    <frequency>360</frequency>
-  </localfile>
-
-  <ruleset>
-    <!-- Default ruleset -->
-    <decoder_dir>ruleset/decoders</decoder_dir>
-    <rule_dir>ruleset/rules</rule_dir>
-    <rule_exclude>0215-policy_rules.xml</rule_exclude>
-    <list>etc/lists/audit-keys</list>
-    <list>etc/lists/amazon/aws-eventnames</list>
-    <list>etc/lists/security-eventchannel</list>
-
-    <!-- User-defined ruleset -->
-    <decoder_dir>etc/decoders</decoder_dir>
-    <rule_dir>etc/rules</rule_dir>
-  </ruleset>
-
-  <!-- Configuration for ossec-authd -->
-  <auth>
-    <disabled>no</disabled>
-    <port>1515</port>
-    <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
-    <purge>yes</purge>
-    <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
-    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
-    <!-- <ssl_agent_ca></ssl_agent_ca> -->
-    <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
-    <ssl_auto_negotiate>no</ssl_auto_negotiate>
-  </auth>
-
-  <cluster>
-    <name>wazuh</name>
-    <node_name>manager</node_name>
-    <node_type>master</node_type>
-    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
-    <port>1516</port>
-    <bind_addr>0.0.0.0</bind_addr>
-    <nodes>
-        <node>wazuh-master</node>
-    </nodes>
-    <hidden>no</hidden>
-    <disabled>no</disabled>
-  </cluster>
-
-</ossec_config>
-
-<ossec_config>
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
-</ossec_config> 

production_cluster/wazuh_cluster/wazuh_worker.conf

@@ -1,349 +0,0 @@
-<ossec_config>
-  <global>
-    <jsonout_output>yes</jsonout_output>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>ossecm@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-  </global>
-
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
-  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
-  <logging>
-    <log_format>plain</log_format>
-  </logging>
-
-  <remote>
-    <connection>secure</connection>
-    <port>1514</port>
-    <protocol>tcp</protocol>
-    <queue_size>131072</queue_size>
-  </remote>
-
-  <!-- Policy monitoring -->
-  <rootcheck>
-    <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
-    <check_dev>yes</check_dev>
-    <check_sys>yes</check_sys>
-    <check_pids>yes</check_pids>
-    <check_ports>yes</check_ports>
-    <check_if>yes</check_if>
-
-    <!-- Frequency that rootcheck is executed - every 12 hours -->
-    <frequency>43200</frequency>
-
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
-    <skip_nfs>yes</skip_nfs>
-  </rootcheck>
-
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
-  <!-- System inventory -->
-  <wodle name="syscollector">
-    <disabled>no</disabled>
-    <interval>1h</interval>
-    <scan_on_start>yes</scan_on_start>
-    <hardware>yes</hardware>
-    <os>yes</os>
-    <network>yes</network>
-    <packages>yes</packages>
-    <ports all="no">yes</ports>
-    <processes>yes</processes>
-  </wodle>
-
-  <sca>
-    <enabled>yes</enabled>
-    <scan_on_start>yes</scan_on_start>
-    <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
-  </sca>
-
-  <vulnerability-detector>
-    <enabled>no</enabled>
-    <interval>5m</interval>
-    <ignore_time>6h</ignore_time>
-    <run_on_start>yes</run_on_start>
-
-    <!-- Ubuntu OS vulnerabilities --> 
-    <provider name="canonical">
-      <enabled>no</enabled>
-      <os>trusty</os>
-      <os>xenial</os>
-      <os>bionic</os>
-      <os>focal</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Debian OS vulnerabilities -->  
-    <provider name="debian">
-      <enabled>no</enabled>
-      <os>stretch</os>
-      <os>buster</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- RedHat OS vulnerabilities -->  
-    <provider name="redhat">
-      <enabled>no</enabled>
-      <os>5</os>
-      <os>6</os>
-      <os>7</os>
-      <os>8</os>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Windows OS vulnerabilities -->
-    <provider name="msu">
-      <enabled>yes</enabled>
-      <update_interval>1h</update_interval>
-    </provider>
-
-    <!-- Aggregate vulnerabilities -->
-    <provider name="nvd">
-      <enabled>yes</enabled>
-      <update_from_year>2010</update_from_year>
-      <update_interval>1h</update_interval>
-    </provider>
-
-  </vulnerability-detector>
-
-  <!-- File integrity monitoring -->
-  <syscheck>
-    <disabled>no</disabled>
-
-    <!-- Frequency that syscheck is executed default every 12 hours -->
-    <frequency>43200</frequency>
-
-    <scan_on_start>yes</scan_on_start>
-
-    <!-- Generate alert when new file detected -->
-    <alert_new_files>yes</alert_new_files>
-
-    <!-- Don't ignore files that change more than 'frequency' times -->
-    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
-
-    <!-- Directories to check  (perform all possible verifications) -->
-    <directories>/etc,/usr/bin,/usr/sbin</directories>
-    <directories>/bin,/sbin,/boot</directories>
-
-    <!-- Files/directories to ignore -->
-    <ignore>/etc/mtab</ignore>
-    <ignore>/etc/hosts.deny</ignore>
-    <ignore>/etc/mail/statistics</ignore>
-    <ignore>/etc/random-seed</ignore>
-    <ignore>/etc/random.seed</ignore>
-    <ignore>/etc/adjtime</ignore>
-    <ignore>/etc/httpd/logs</ignore>
-    <ignore>/etc/utmpx</ignore>
-    <ignore>/etc/wtmpx</ignore>
-    <ignore>/etc/cups/certs</ignore>
-    <ignore>/etc/dumpdates</ignore>
-    <ignore>/etc/svc/volatile</ignore>
-
-    <!-- File types to ignore -->
-    <ignore type="sregex">.log$|.swp$</ignore>
-
-    <!-- Check the file, but never compute the diff -->
-    <nodiff>/etc/ssl/private.key</nodiff>
-
-    <skip_nfs>yes</skip_nfs>
-    <skip_dev>yes</skip_dev>
-    <skip_proc>yes</skip_proc>
-    <skip_sys>yes</skip_sys>
-
-    <!-- Nice value for Syscheck process -->
-    <process_priority>10</process_priority>
-
-    <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
-
-    <!-- Database synchronization settings -->
-    <synchronization>
-      <enabled>yes</enabled>
-      <interval>5m</interval>
-      <max_interval>1h</max_interval>
-      <max_eps>10</max_eps>
-    </synchronization>
-  </syscheck>
-
-  <!-- Active response -->
-  <global>
-    <white_list>127.0.0.1</white_list>
-    <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
-    <white_list>4.2.2.2</white_list>
-    <white_list>208.67.220.220</white_list>
-  </global>
-
-  <command>
-    <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
-  </command>
-
-  <command>
-    <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <!--
-  <active-response>
-    active-response options here
-  </active-response>
-  -->
-
-  <!-- Log analysis -->
-  <localfile>
-    <log_format>command</log_format>
-    <command>df -P</command>
-    <frequency>360</frequency>
-  </localfile>
-
-  <localfile>
-    <log_format>full_command</log_format>
-    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
-    <alias>netstat listening ports</alias>
-    <frequency>360</frequency>
-  </localfile>
-
-  <localfile>
-    <log_format>full_command</log_format>
-    <command>last -n 20</command>
-    <frequency>360</frequency>
-  </localfile>
-
-  <ruleset>
-    <!-- Default ruleset -->
-    <decoder_dir>ruleset/decoders</decoder_dir>
-    <rule_dir>ruleset/rules</rule_dir>
-    <rule_exclude>0215-policy_rules.xml</rule_exclude>
-    <list>etc/lists/audit-keys</list>
-    <list>etc/lists/amazon/aws-eventnames</list>
-    <list>etc/lists/security-eventchannel</list>
-
-    <!-- User-defined ruleset -->
-    <decoder_dir>etc/decoders</decoder_dir>
-    <rule_dir>etc/rules</rule_dir>
-  </ruleset>
-
-  <!-- Configuration for ossec-authd -->
-  <auth>
-    <disabled>no</disabled>
-    <port>1515</port>
-    <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
-    <purge>yes</purge>
-    <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
-    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
-    <!-- <ssl_agent_ca></ssl_agent_ca> -->
-    <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
-    <ssl_auto_negotiate>no</ssl_auto_negotiate>
-  </auth>
-
-  <cluster>
-    <name>wazuh</name>
-    <node_name>worker01</node_name>
-    <node_type>worker</node_type>
-    <key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
-    <port>1516</port>
-    <bind_addr>0.0.0.0</bind_addr>
-    <nodes>
-        <node>wazuh-master</node>
-    </nodes>
-    <hidden>no</hidden>
-    <disabled>no</disabled>
-  </cluster>
-
-</ossec_config>
-
-<ossec_config>
-  <localfile>
-    <log_format>syslog</log_format>
-    <location>/var/ossec/logs/active-responses.log</location>
-  </localfile>
-</ossec_config> 

wazuh-odfe/Dockerfile

@@ -1,51 +0,0 @@
-# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-FROM centos:7
-
-ARG FILEBEAT_VERSION=7.9.1
-ARG WAZUH_VERSION=4.0.3-1
-ARG TEMPLATE_VERSION="master"
-ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
-
-# Set repositories.
-RUN rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
-
-COPY config/wazuh.repo /etc/yum.repos.d/wazuh.repo
-
-RUN yum --enablerepo=updates clean metadata && \
-  yum -y install openssl which expect openssh-clients && yum -y install wazuh-manager-${WAZUH_VERSION} -y && \
-  sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
-  yum clean all && rm -rf /var/cache/yum
-
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\
-  rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm
-
-RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
-
-ARG S6_VERSION="v2.1.0.2"
-RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-    -o /tmp/s6-overlay-amd64.tar.gz && \
-    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
-    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
-    rm  /tmp/s6-overlay-amd64.tar.gz
-
-COPY config/filebeat.yml /etc/filebeat/
-
-RUN chmod go-w /etc/filebeat/filebeat.yml
-
-ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
-RUN chmod go-w /etc/filebeat/wazuh-template.json
-
-COPY config/etc/ /etc/
-COPY --chown=root:ossec config/create_user.py /var/ossec/framework/scripts/create_user.py
-
-# Prepare permanent data
-# Sync calls are due to https://github.com/docker/docker/issues/9547
-COPY config/permanent_data.env config/permanent_data.sh /
-RUN chmod 755 /permanent_data.sh && \
-    sync && /permanent_data.sh && \
-    sync && rm /permanent_data.sh
-
-# Services ports
-EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
-
-ENTRYPOINT [ "/init" ]

wazuh-odfe/config/create_user.py

@@ -1,97 +0,0 @@
-import logging
-import sys
-import json
-import random
-import string
-import os
-
-# Set framework path
-sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
-
-USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
-SPECIAL_CHARS = "@$!%*?&-_"
-
-
-try:
-    from wazuh.security import (
-        create_user,
-        get_users,
-        get_roles,
-        set_user_role,
-        update_user,
-    )
-except Exception as e:
-    logging.error("No module 'wazuh' found.")
-    sys.exit(1)
-
-
-def read_user_file(path=USER_FILE_PATH):
-    with open(path) as user_file:
-        data = json.load(user_file)
-        return data["username"], data["password"]
-
-
-def db_users():
-    users_result = get_users()
-    return {user["username"]: user["id"] for user in users_result.affected_items}
-
-
-def db_roles():
-    roles_result = get_roles()
-    return {role["name"]: role["id"] for role in roles_result.affected_items}
-
-def disable_user(uid):
-    random_pass = "".join(
-                random.choices(
-                    string.ascii_uppercase
-                    + string.ascii_lowercase
-                    + string.digits
-                    + SPECIAL_CHARS,
-                    k=8,
-                )
-            )
-    # assure there must be at least one character from each group
-    random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
-    random_pass = ''.join(random.sample(random_pass,len(random_pass)))
-    update_user(
-        user_id=[
-            str(uid),
-        ],
-        password=random_pass,
-    )
-
-
-if __name__ == "__main__":
-    if not os.path.exists(USER_FILE_PATH):
-        # abort if no user file detected
-        sys.exit(0)
-    username, password = read_user_file()
-    initial_users = db_users()
-    if username not in initial_users:
-        # create a new user
-        create_user(username=username, password=password)
-        users = db_users()
-        uid = users[username]
-        roles = db_roles()
-        rid = roles["administrator"]
-        set_user_role(
-            user_id=[
-                str(uid),
-            ],
-            role_ids=[
-                str(rid),
-            ],
-        )
-    else:
-        # modify an existing user ("wazuh" or "wazuh-wui")
-        uid = initial_users[username]
-        update_user(
-            user_id=[
-                str(uid),
-            ],
-            password=password,
-        )
-    # disable unused default users
-    for def_user in ['wazuh', 'wazuh-wui']:
-        if def_user != username:
-            disable_user(initial_users[def_user])

wazuh-odfe/config/etc/cont-init.d/1-config-filebeat

@@ -1,45 +0,0 @@
-#!/usr/bin/with-contenv bash
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
-
-set -e
-
-if [ "$ELASTICSEARCH_URL" != "" ]; then
-  >&2 echo "Customize Elasticsearch ouput IP"
-  sed -i "s|hosts:.*|hosts: ['$ELASTICSEARCH_URL']|g" /etc/filebeat/filebeat.yml
-fi
-
-# Configure filebeat.yml security settings
-
-if [ "$ELASTIC_USERNAME" != "" ]; then
-  >&2 echo "Configuring username."
-  sed -i "s|#username:.*|username: '$ELASTIC_USERNAME'|g" /etc/filebeat/filebeat.yml
-fi
-
-if [ "$ELASTIC_PASSWORD" != "" ]; then
-  >&2 echo "Configuring password."
-  sed -i "s|#password:.*|password: '$ELASTIC_PASSWORD'|g" /etc/filebeat/filebeat.yml
-fi
-
-if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
-  >&2 echo "Configuring SSL verification mode."
-  sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
-fi
-
-if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
-  >&2 echo "Configuring Certificate Authorities."
-  sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
-fi
-
-if [ "$SSL_CERTIFICATE" != "" ]; then
-  >&2 echo "Configuring SSL Certificate."
-  sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
-fi
-
-if [ "$SSL_KEY" != "" ]; then
-  >&2 echo "Configuring SSL Key."
-  sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
-fi
-
-
-chmod go-w /etc/filebeat/filebeat.yml || true
-chown root: /etc/filebeat/filebeat.yml || true

wazuh-odfe/config/etc/cont-init.d/2-manager

@@ -1,113 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-##############################################################################
-# Migration sequence
-# Detect if there is a mounted volume on /wazuh-migration and copy the data
-# to /var/ossec, finally it will create a flag ".migration-completed" inside
-# the mounted volume
-##############################################################################
-
-function __colortext()
-{
-  echo -e " \e[1;$2m$1\e[0m"
-}
-
-function echogreen()
-{
-  echo $(__colortext "$1" "32")
-}
-
-function echoyellow()
-{
-  echo $(__colortext "$1" "33")
-}
-
-function echored()
-{
-  echo $(__colortext "$1" "31")
-}
-
-function_wazuh_migration(){
-  if [ -d "/wazuh-migration" ]; then
-    if [ ! -e /wazuh-migration/.migration-completed ]; then
-      if [ ! -e /wazuh-migration/global.db ]; then
-        echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
-        return
-      fi
-
-      \cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
-      chown root:ossec /var/ossec/etc/ossec.conf
-      chmod 640 /var/ossec/etc/ossec.conf
-
-      \cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
-      chown ossec:ossec /var/ossec/etc/client.keys
-      chmod 640 /var/ossec/etc/client.keys
-
-      \cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
-      \cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
-      chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
-      chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
-
-      \cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
-      chown ossec:ossec /var/ossec/etc/shared/default/agent.conf
-      chmod 660 /var/ossec/etc/shared/default/agent.conf
-
-      \cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
-      chown ossec:ossec /var/ossec/etc/decoders/*
-      chmod 660 /var/ossec/etc/decoders/*
-
-      \cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
-      chown ossec:ossec /var/ossec/etc/rules/*
-      chmod 660 /var/ossec/etc/rules/*
-
-      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
-        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
-        chown root:ossec /var/ossec/agentless/.passlist
-        chmod 640 /var/ossec/agentless/.passlist
-      fi
-
-      \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
-      chown ossec:ossec /var/ossec/queue/db/global.db
-      chmod 640 /var/ossec/queue/db/global.db
-
-      # mark volume as migrated
-      touch /wazuh-migration/.migration-completed
-
-      echogreen "Migration completed succesfully"
-    else
-      echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
-    fi
-  fi
-}
-
-function_create_custom_user() {
-  if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
-  cat << EOF > /var/ossec/api/configuration/admin.json
-{
-  "username": "$API_USERNAME",
-  "password": "$API_PASSWORD"
-}
-EOF
-
-    # create or customize API user
-    if /var/ossec/framework/python/bin/python3  /var/ossec/framework/scripts/create_user.py; then
-      # remove json if exit code is 0
-      rm /var/ossec/api/configuration/admin.json
-    else
-      echored "There was an error configuring the API user"
-      # terminate container to avoid unpredictable behavior
-      exec s6-svscanctl -t /var/run/s6/services
-      exit 1
-    fi
-  fi
-}
-
-
-# Migrate data from /wazuh-migration volume
-function_wazuh_migration
-
-# create API custom user
-function_create_custom_user
-
-# Start Wazuh
-/var/ossec/bin/ossec-control start

wazuh-odfe/config/etc/services.d/filebeat/finish

@@ -1,6 +0,0 @@
-#!/usr/bin/env sh
-echo >&2 "Filebeat exited. code=${1}"
-
-# terminate other services to exit from the container
-exec s6-svscanctl -t /var/run/s6/services
-

wazuh-odfe/config/etc/services.d/filebeat/run

@@ -1,4 +0,0 @@
-#!/usr/bin/with-contenv sh
-echo >&2 "starting Filebeat"
-
-exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

wazuh-odfe/config/etc/services.d/ossec-logs/run

@@ -1,4 +0,0 @@
-#!/usr/bin/with-contenv sh
-
-# dumping ossec.log to standard output
-exec tail -f /var/ossec/logs/ossec.log

wazuh-odfe/config/filebeat.yml

@@ -1,22 +0,0 @@
-
-# Wazuh - Filebeat configuration file
-filebeat.modules:
-  - module: wazuh
-    alerts:
-      enabled: true
-    archives:
-      enabled: false
-
-setup.template.json.enabled: true
-setup.template.json.path: '/etc/filebeat/wazuh-template.json'
-setup.template.json.name: 'wazuh'
-setup.template.overwrite: true
-setup.ilm.enabled: false
-output.elasticsearch:
-  hosts: ['https://elasticsearch:9200']
-  #username:
-  #password:
-  #ssl.verification_mode:
-  #ssl.certificate_authorities:
-  #ssl.certificate:
-  #ssl.key:

wazuh-odfe/config/wazuh.repo

@@ -1,7 +0,0 @@
-[wazuh_repo]
-gpgcheck=1
-gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
-enabled=1
-name=Wazuh repository
-baseurl=https://packages.wazuh.com/4.x/yum/
-protect=1

wazuh/Dockerfile

@@ -0,0 +1,108 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+FROM phusion/baseimage:master
+
+# Arguments
+ARG FILEBEAT_VERSION=7.3.0
+ARG WAZUH_VERSION=3.9.5-1
+
+# Environment variables
+ENV API_USER="foo" \
+    API_PASS="bar"
+
+# Install packages
+RUN set -x && \ 
+    echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
+    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
+    curl --silent --location https://deb.nodesource.com/setup_8.x | bash - && \
+    echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
+    echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
+    groupadd -g 1000 ossec && \
+    useradd -u 1000 -g 1000 -d /var/ossec ossec && \
+    add-apt-repository universe && \
+    apt-get update && \
+    apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
+    apt-get --no-install-recommends --no-install-suggests -y install openssl apt-transport-https vim expect python-boto python-pip python-cryptography && \
+    apt-get --no-install-recommends --no-install-suggests -y install postfix bsd-mailx mailutils libsasl2-2 ca-certificates libsasl2-modules && \
+    apt-get --no-install-recommends --no-install-suggests -y install wazuh-manager=${WAZUH_VERSION} && \
+    apt-get --no-install-recommends --no-install-suggests -y install nodejs wazuh-api=${WAZUH_VERSION} && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    rm -f /var/ossec/logs/alerts/*/*/* && \
+    rm -f /var/ossec/logs/archives/*/*/* && \
+    rm -f /var/ossec/logs/firewall/*/*/* && \ 
+    rm -f /var/ossec/logs/api/*/*/* && \
+    rm -f /var/ossec/logs/cluster/*/*/* && \
+    rm -f /var/ossec/logs/ossec/*/*/* && \
+    rm /var/ossec/var/run/* && \
+    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+    dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb && \
+    curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/v3.9.5/extensions/elasticsearch/7.x/wazuh-template.json && \
+    chmod go+r /etc/filebeat/wazuh-template.json && \
+    curl -s https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module && \
+    mkdir -p /usr/share/filebeat/module/wazuh && \
+    chmod 755 -R /usr/share/filebeat/module/wazuh
+
+# Services
+RUN mkdir /etc/service/wazuh && \
+    mkdir /etc/service/wazuh-api && \
+    mkdir /etc/service/postfix && \
+    mkdir /etc/service/filebeat
+
+COPY config/wazuh.runit.service /etc/service/wazuh/run
+COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
+COPY config/postfix.runit.service /etc/service/postfix/run
+COPY config/filebeat.runit.service /etc/service/filebeat/run
+
+RUN chmod +x /etc/service/wazuh-api/run && \
+    chmod +x /etc/service/wazuh/run && \
+    chmod +x /etc/service/postfix/run && \
+    chmod +x /etc/service/filebeat/run 
+
+# Copy configuration files from repository
+COPY config/filebeat.yml /etc/filebeat/
+RUN chmod go-w /etc/filebeat/filebeat.yml 
+
+# Prepare permanent data
+# Sync calls are due to https://github.com/docker/docker/issues/9547
+COPY config/permanent_data.env /permanent_data.env
+COPY config/permanent_data.sh /permanent_data.sh
+RUN chmod 755 /permanent_data.sh && \
+    sync && \
+    /permanent_data.sh && \
+    sync && \
+    rm /permanent_data.sh
+
+# Expose ports
+EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
+
+# Setting volumes
+# Once we declared a volume in the Dockerfile, changes made to that path will have no effect. In other words, any changes made
+# to the these paths from here to the end of the Dockerfile will not be taken into account when mounting the volume.
+VOLUME ["/var/ossec/api/configuration"]
+VOLUME ["/var/ossec/etc"]
+VOLUME ["/var/ossec/logs"]
+VOLUME ["/var/ossec/queue"]
+VOLUME ["/var/ossec/var/multigroups"]
+VOLUME ["/var/ossec/integrations"]
+VOLUME ["/var/ossec/active-response/bin"]
+VOLUME ["/etc/filebeat"]
+VOLUME ["/etc/postfix"]
+VOLUME ["/var/lib/filebeat"]
+
+# Prepare entrypoint scripts
+# Entrypoint scripts must be added to the entrypoint-scripts directory
+RUN mkdir /entrypoint-scripts
+
+COPY config/entrypoint.sh /entrypoint.sh
+COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
+
+# Migration scripts
+COPY migration/data_dirs.env /data_dirs.env
+COPY migration/02-volume_loader.sh /entrypoint-scripts/02-volume_loader.sh
+
+RUN chmod 755 /entrypoint.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-volume_loader.sh
+
+# Run all services
+ENTRYPOINT ["/entrypoint.sh"]

wazuh/config/01-wazuh.sh

@@ -1,5 +1,5 @@
-#!/usr/bin/with-contenv bash
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -7,6 +7,7 @@ source /permanent_data.env
 WAZUH_INSTALL_PATH=/var/ossec
 WAZUH_CONFIG_MOUNT=/wazuh-config-mount
 AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
+API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
 
 
 ##############################################################################
@@ -32,10 +33,18 @@ exec_cmd_stdout() {
 
 
 ##############################################################################
-# This function will attempt to mount every directory in PERMANENT_DATA
-# into the respective path.
-# If the path is empty means permanent data volume is also empty, so a backup
-# will be copied into it. Otherwise it will not be copied because there is
+# Edit configuration
+##############################################################################
+
+edit_configuration() { # $1 -> setting,  $2 -> value
+  sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${WAZUH_INSTALL_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
+}
+
+##############################################################################
+# This function will attempt to mount every directory in PERMANENT_DATA 
+# into the respective path. 
+# If the path is empty means permanent data volume is also empty, so a backup  
+# will be copied into it. Otherwise it will not be copied because there is  
 # already data inside the volume for the specified path.
 ##############################################################################
 
@@ -52,9 +61,9 @@ mount_permanent_data() {
 }
 
 ##############################################################################
-# This function will replace from the permanent data volume every file
+# This function will replace from the permanent data volume every file 
 # contained in PERMANENT_DATA_EXCP
-# Some files as 'internal_options.conf' are saved as permanent data, but
+# Some files as 'internal_options.conf' are saved as permanent data, but 
 # they must be updated to work properly if wazuh version is changed.
 ##############################################################################
 
@@ -62,12 +71,6 @@ apply_exclusion_data() {
   for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
     if [  -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file}  ]
     then
-      DIR=$(dirname "${exclusion_file}")
-      if [ ! -e ${DIR}  ]
-      then
-        mkdir -p ${DIR}
-      fi
-
       print "Updating ${exclusion_file}"
       exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
     fi
@@ -75,14 +78,14 @@ apply_exclusion_data() {
 }
 
 ##############################################################################
-# This function will delete from the permanent data volume every file
+# This function will delete from the permanent data volume every file 
 # contained in PERMANENT_DATA_DEL
 ##############################################################################
 
 remove_data_files() {
   for del_file in "${PERMANENT_DATA_DEL[@]}"; do
     if [ -e ${del_file} ]
-    then
+    then 
       print "Removing ${del_file}"
       exec_cmd "rm ${del_file}"
     fi
@@ -99,6 +102,22 @@ create_ossec_key_cert() {
   exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
 
+##############################################################################
+# Create certificates: API
+##############################################################################
+
+create_api_key_cert() {
+  print "Enabling Wazuh API HTTPS"
+  edit_configuration "https" "yes"
+  print "Create Wazuh API key and cert"
+  exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key 4096"
+  exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key -out ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
+
+  # Granting proper permissions 
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.key
+  chmod 400 ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt
+}
+
 ##############################################################################
 # Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
 # destination files permissions
@@ -118,35 +137,74 @@ mount_files() {
   fi
 }
 
-
 ##############################################################################
-# Allow users to set the container hostname as <node_name> dynamically on
-# container start.
-#
-# To use this:
-# 1. Create your own ossec.conf file
-# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
-# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+# Stop OSSEC
 ##############################################################################
 
-set_custom_hostname() {
-  sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+function ossec_shutdown(){
+  ${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
 }
 
 ##############################################################################
-# Allow users to set the container cluster key dynamically on
-# container start.
+# Interpret any passed arguments (via docker command to this entrypoint) as
+# paths or commands, and execute them. 
 #
-# To use this:
-# 1. Create your own ossec.conf file
-# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
-# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+# This can be useful for actions that need to be run before the services are
+# started, such as "/var/ossec/bin/ossec-control enable agentless".
 ##############################################################################
 
-set_custom_cluster_key() {
-  sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+docker_custom_args() {
+  for CUSTOM_COMMAND in "$@"
+  do
+    echo "Executing command \`${CUSTOM_COMMAND}\`"
+    exec_cmd_stdout "${CUSTOM_COMMAND}"
+  done
 }
 
+##############################################################################
+# Change Wazuh API user credentials.
+##############################################################################
+
+change_api_user_credentials() {
+  pushd /var/ossec/api/configuration/auth/
+  if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
+    WAZUH_API_USER=${API_USER}
+    WAZUH_API_PASS=${API_PASS}
+  else
+    input=${SECURITY_CREDENTIALS_FILE}
+    while IFS= read -r line
+    do
+      if [[ $line == *"WAZUH_API_USER"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_USER=${arrIN[1]}
+      elif [[ $line == *"WAZUH_API_PASS"* ]]; then
+        arrIN=(${line//:/ })
+        WAZUH_API_PASS=${arrIN[1]}
+      fi
+    done < "$input"
+  fi
+
+  echo "Change Wazuh API user credentials"
+  change_user="node htpasswd -b -c user $WAZUH_API_USER $WAZUH_API_PASS"
+  eval $change_user
+  popd
+}
+
+
+
+
+##############################################################################
+# Customize filebeat output ip
+##############################################################################
+
+
+custom_filebeat_output_ip() {
+  if [ "$FILEBEAT_OUTPUT" != "" ]; then
+    sed 's|http://elasticsearch:9200|$FILEBEAT_OUTPUT|g' filebeat.yml
+  fi
+}
+
+
 ##############################################################################
 # Main function
 ##############################################################################
@@ -170,18 +228,37 @@ main() {
     fi
   fi
 
+  # Generate API certs if API_GENERATE_CERTS is true and does not exist
+  if [ $API_GENERATE_CERTS == true ]
+  then
+    if [ ! -e ${WAZUH_INSTALL_PATH}/api/configuration/ssl/server.crt ]
+    then
+      create_api_key_cert
+    fi
+  fi
+
   # Mount selected files (WAZUH_CONFIG_MOUNT) to container
   mount_files
 
-  # Allow setting custom hostname
-  set_custom_hostname
+  # Trap exit signals and do a proper shutdown
+  trap "ossec_shutdown; exit" SIGINT SIGTERM
 
-  # Allow setting custom cluster key
-  set_custom_cluster_key
+  # Execute custom args
+  docker_custom_args
+
+  # Change API user credentials
+  change_api_user_credentials
+
+  # Update filebeat configuration
+  custom_filebeat_output_ip
 
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
+  # Grant proper permissions
+  # When modifiying some files using the Wazuh API (i.e. /var/ossec/etc/ossec.conf), group rw permissions are needed for changes to take place.  
+  # https://github.com/wazuh/wazuh/issues/3647
+  chmod -R g+rw ${WAZUH_INSTALL_PATH}
 }
 
 main

wazuh/config/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+  bash "$script"
+done
+
+##############################################################################
+# Start Wazuh Server.
+##############################################################################
+
+/sbin/my_init 

wazuh/config/filebeat.runit.service

@@ -0,0 +1,3 @@
+#!/bin/sh
+service filebeat start
+tail -f /var/log/filebeat/filebeat

wazuh/config/filebeat.yml

@@ -0,0 +1,53 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'

wazuh/config/permanent_data.env

@@ -4,12 +4,11 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
-PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
+PERMANENT_DATA[((i++))]="/etc/postfix"
 export PERMANENT_DATA
 
 # Files mounted in a volume that should not be permanent
@@ -37,31 +36,9 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
 export PERMANENT_DATA_EXCP
 
-# Files mounted in a volume that should be deleted
+# Files mounted in a volume that should be deleted 
 i=0
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
-export PERMANENT_DATA_DEL
+export PERMANENT_DATA_DEL

wazuh/config/permanent_data.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 
 # Variables
 source /permanent_data.env
@@ -37,4 +37,4 @@ for permanent_dir in "${PERMANENT_DATA[@]}"; do
   
   mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
 
-done
+done

wazuh/config/postfix.runit.service

@@ -0,0 +1,3 @@
+#!/bin/sh
+service postfix start
+tail -f /var/log/mail.log

wazuh/config/wazuh-api.runit.service

@@ -0,0 +1,4 @@
+#!/bin/sh
+service wazuh-api start
+tail -f /var/ossec/logs/api.log
+

wazuh/config/wazuh.runit.service

@@ -0,0 +1,4 @@
+#!/bin/sh
+service wazuh-manager start
+tail -f /var/ossec/logs/ossec.log
+

wazuh/migration/02-volume_loader.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+source /data_dirs.env
+
+##############################################################################
+# Copy will be executed from the custom mounting path (key) 
+# to destination path (value) when iterating through the array  
+# For example in the first custom path:
+#    cp -pr "/migration/ossec_backup/ /var/ossec/" will be executed
+# Please ensure the key path is correctly mounted in the container
+# For more information please check:
+##############################################################################
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+### Auxiliar methods
+
+print() {
+    echo -e "$1"
+}
+
+error_and_exit() {
+    echo "Error executing command: '$1'."
+    echo 'Exiting.'
+    exit 1
+}
+
+exec_cmd() {
+    eval "$1" > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+    eval "$1" 2>&1 || error_and_exit "$1"
+}
+
+### Restoring directories 
+
+declare -A custom_paths
+
+custom_paths+=( ["/migration/ossec_backup/"]=/var/ossec/ )
+custom_paths+=( ["/migration/filebeat_backup/"]=/etc/filebeat/ )
+custom_paths+=( ["/migration/filebeat-lib_backup/"]=/var/lib/filebeat/ )
+custom_paths+=( ["/migration/postfix_backup/"]=/etc/postfix/ )
+
+for sourcedir in "${!custom_paths[@]}"; do
+    if [[ ! -e "${custom_paths[${sourcedir}]}" ]]
+    then
+        print "BACKUP: The folder ${custom_paths[${sourcedir}]} doesn't exists in the container. Creating it..."
+        exec_cmd "mkdir -p ${custom_paths[${sourcedir}]}"
+    fi
+
+    if [[ -e "${sourcedir}" ]]
+    then
+        if [[ -d "${sourcedir}" ]]; then
+            print "BACKUP: Copying data from folder ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir}* ${custom_paths[${sourcedir}]}"
+        elif [[ -f "${sourcedir}" ]]; then
+            print "BACKUP: Copying file ${sourcedir} in 3.9 volume to ${custom_paths[${sourcedir}]}"
+            exec_cmd "cp -pr ${sourcedir} ${custom_paths[${sourcedir}]}"
+        fi
+    else
+        print "The folder ${sourcedir} doesn't exists in the volume. Ignoring it..."
+    fi
+
+done