Merge pull request #530 from wazuh/529-release-423

Release v4.2.3

.goss.kibana.yaml

@@ -6,28 +6,28 @@ file:
     group: root
     filetype: file
     contains: []
-  /usr/share/kibana/optimize/bundles/light_theme.style.css:
+  /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css:
     exists: true
     mode: "0664"
     owner: kibana
     group: root
     filetype: file
     contains: []
-  /usr/share/kibana/optimize/bundles/wazuh_logo_circle.svg:
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_logo_circle.svg:
     exists: true
     mode: "0644"
     owner: kibana
     group: root
     filetype: file
     contains: []
-  /usr/share/kibana/optimize/bundles/wazuh_wazuh_bg.svg:
+  /usr/share/kibana/src/core/server/core_app/assets/wazuh_wazuh_bg.svg:
     exists: true
     mode: "0644"
     owner: kibana
     group: root
     filetype: file
     contains: []
-  /usr/share/kibana/optimize/wazuh/config/wazuh.yml:
+  /usr/share/kibana/data/wazuh/config/wazuh.yml:
     exists: true
     mode: "0644"
     owner: kibana

.goss.yaml

@@ -6,7 +6,7 @@ file:
     group: root
     filetype: file
     contains: []
-  /var/ossec/bin/ossec-control:
+  /var/ossec/bin/wazuh-control:
     exists: true
     mode: "0750"
     owner: root
@@ -52,11 +52,11 @@ package:
   filebeat:
     installed: true
     versions:
-    - 7.9.1
+    - 7.10.2
   wazuh-manager:
     installed: true
     versions:
-    - 4.0.4
+    - 4.2.3
 port:
   tcp:1514:
     listening: true
@@ -95,17 +95,17 @@ group:
 process:
   filebeat:
     running: true
-  ossec-analysisd:
+  wazuh-analysisd:
     running: true
-  ossec-authd:
+  wazuh-authd:
     running: true
-  ossec-execd:
+  wazuh-execd:
     running: true
-  ossec-monitord:
+  wazuh-monitord:
     running: true
-  ossec-remoted:
+  wazuh-remoted:
     running: true
-  ossec-syscheckd:
+  wazuh-syscheckd:
     running: true
   s6-supervise:
     running: true

CHANGELOG.md

@@ -1,6 +1,62 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v4.2.3
+### Added
+
+- Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
+
+## Wazuh Docker v4.2.2
+### Added
+
+- Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
+
+## Wazuh Docker v4.2.1
+### Added
+
+- Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
+
+## Wazuh Docker v4.2.0
+### Added
+
+- Update Wazuh to version [4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
+
+## Wazuh Docker v4.1.5
+### Added
+
+- Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
+- Update ODFE compatibility to version 1.13.2
+
+## Wazuh Docker v4.1.4
+### Added
+
+- Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
+
+## Wazuh Docker v4.1.3
+### Added
+
+- Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
+
+## Wazuh Docker v4.1.2
+### Added
+
+- Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
+
+## Wazuh Docker v4.1.1
+### Added
+
+- Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
+
+## Wazuh Docker v4.1.0
+### Added
+
+- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
+- Update ODFE compatibility to version 1.12.0
+- Add support for Elasticsearch (xpack) images once again (7.10.2)  ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
+- Re-enable entrypoint scripts  ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
+- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
+- Update s6-overlay to latest version
+
 ## Wazuh Docker v4.0.4_1.11.0
 
 ### Added

README.md

@@ -22,11 +22,11 @@ In addition, a docker-compose file is provided to launch the containers mentione
 * [Docker hub](https://hub.docker.com/u/wazuh)
 
 
-### Setup SSL certificate and Basic Authentication
+### Setup SSL certificate
 
-Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed) and setup the basic auth.
+Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
 
-Documentation on how to provide these two can be found at [nginx_conf/README.md](nginx_conf/README.md).
+Documentation on how to provide these two can be found at [Wazuh Docer Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
 
 
 ## Environment Variables
@@ -146,24 +146,29 @@ ADMIN_PRIVILEGES=true               # App privileges
 
 ## Branches
 
-* `4.0` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `stable` branch on correspond to the last Wazuh stable version.
 
 
 ## Compatibility Matrix
 
-| Wazuh version | ODFE    |
+| Wazuh version | ODFE    | XPACK  |
-|---------------|---------|
+|---------------|---------|--------|
-| v4.0.4        | 1.11.0  |
+| v4.2.3        | 1.13.2  | 7.11.2 |
-|---------------|---------|
+| v4.2.2        | 1.13.2  | 7.11.2 |
-| v4.0.3        | 1.11.0  |
+| v4.2.1        | 1.13.2  | 7.11.2 |
-|---------------|---------|
+| v4.2.0        | 1.13.2  | 7.10.2 |
-| v4.0.2        | 1.11.0  |
+| v4.1.5        | 1.13.2  | 7.10.2 |
-|---------------|---------|
+| v4.1.4        | 1.12.0  | 7.10.2 |
-| v4.0.1        | 1.11.0  |
+| v4.1.3        | 1.12.0  | 7.10.2 |
-|---------------|---------|
+| v4.1.2        | 1.12.0  | 7.10.2 |
-| v4.0.0        | 1.10.1  |
+| v4.1.1        | 1.12.0  | 7.10.2 |
+| v4.1.0        | 1.12.0  | 7.10.2 |
+| v4.0.4        | 1.11.0  |        |
+| v4.0.3        | 1.11.0  |        |
+| v4.0.2        | 1.11.0  |        |
+| v4.0.1        | 1.11.0  |        |
+| v4.0.0        | 1.10.1  |        |
 
 ## Credits and Thank you
 

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.0.4_1.11.0"
+WAZUH-DOCKER_VERSION="4.2.3"
-REVISION="40400"
+REVISION="40217"

build-from-sources.yml

@@ -31,7 +31,7 @@ services:
       - filebeat_var:/var/lib/filebeat
 
   elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch
     restart: always
     ports:

docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh:
-    image: wazuh/wazuh-odfe:4.0.4_1.11.0
+    image: wazuh/wazuh-odfe:4.2.3
     hostname: wazuh-manager
     restart: always
     ports:
@@ -30,7 +30,7 @@ services:
       - filebeat_var:/var/lib/filebeat
 
   elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch
     restart: always
     ports:
@@ -50,7 +50,7 @@ services:
         hard: 65536
 
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0
+    image: wazuh/wazuh-kibana-odfe:4.2.3
     hostname: kibana
     restart: always
     ports:

generate-elasticsearch-certs.yml

@@ -0,0 +1,17 @@
+version: '2.2'
+
+services:
+  generator:
+    container_name: generator
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    command: >
+      bash -c '
+        if [[ ! -f config/certificates/bundle.zip ]]; then
+          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out config/certificates/bundle.zip;
+          unzip config/certificates/bundle.zip -d config/certificates/;
+        fi;
+        chown -R 1000:0 config/certificates
+      '
+    user: "0"
+    working_dir: /usr/share/elasticsearch
+    volumes: ['./xpack:/usr/share/elasticsearch/config/certificates']

kibana-odfe/Dockerfile

@@ -1,8 +1,8 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
-FROM amazon/opendistro-for-elasticsearch-kibana:1.11.0
+FROM amazon/opendistro-for-elasticsearch-kibana:1.13.2
 USER kibana
-ARG ELASTIC_VERSION=7.9.1
+ARG ELASTIC_VERSION=7.10.2
-ARG WAZUH_VERSION=4.0.4
+ARG WAZUH_VERSION=4.2.3
 ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 
 WORKDIR /usr/share/kibana
@@ -42,7 +42,6 @@ ENV PATTERN="" \
     ADMIN_PRIVILEGES=""
 
 USER kibana
-RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
 
 COPY ./config/custom_welcome /tmp/custom_welcome
 COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
@@ -50,7 +49,7 @@ RUN chmod +x ./welcome_wazuh.sh
 ARG CHANGE_WELCOME="true"
 RUN ./welcome_wazuh.sh
 
-COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/optimize/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
 COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
 RUN chmod +x ./wazuh_app_config.sh
 

kibana-odfe/config/kibana_settings.sh

@@ -18,8 +18,6 @@ WAZUH_MAJOR=4
 # Customize elasticsearch ip
 ##############################################################################
 sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
-# disable multitenancy
-sed -i "s|opendistro_security.multitenancy.enabled:.*|opendistro_security.multitenancy.enabled: false|g" /usr/share/kibana/config/kibana.yml
 
 # If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
 if [ "$KIBANA_INDEX" != "" ]; then
@@ -55,6 +53,6 @@ rm -f ${default_index}
 sleep 5
 # Configuring Kibana TimePicker.
 curl ${auth} -POST -k "https://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
-'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\",\n  \"mode\": \"quick\"}"}}'
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
 
 echo "End settings"

kibana-odfe/config/wazuh_app_config.sh

@@ -6,7 +6,7 @@ wazuh_port="${API_PORT:-55000}"
 api_username="${API_USERNAME:-wazuh-wui}"
 api_password="${API_PASSWORD:-wazuh-wui}"
 
-kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
 
 declare -A CONFIG_MAP=(
   [pattern]=$PATTERN

kibana-odfe/config/welcome_wazuh.sh

@@ -4,11 +4,11 @@
 if [[ $CHANGE_WELCOME == "true" ]]
 then
     echo "Set Wazuh app as the default landing page"
-    echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
+    echo "server.defaultRoute: /app/wazuh?security_tenant=global" >> /usr/share/kibana/config/kibana.yml
 
     echo "Set custom welcome styles"
     cp -f /tmp/custom_welcome/template.js.hbs /usr/share/kibana/src/legacy/ui/ui_render/bootstrap/template.js.hbs
-    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/optimize/bundles/light_theme.style.css
+    cp -f /tmp/custom_welcome/light_theme.style.css /usr/share/kibana/src/core/server/core_app/assets/legacy_light_theme.css
-    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/optimize/bundles/
+    cp -f /tmp/custom_welcome/*svg /usr/share/kibana/src/core/server/core_app/assets/
 fi
 

kibana/Dockerfile

@@ -0,0 +1,64 @@
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+FROM docker.elastic.co/kibana/kibana:7.10.2
+USER kibana
+ARG ELASTIC_VERSION=7.10.2
+ARG WAZUH_VERSION=4.2.3
+ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
+
+WORKDIR /usr/share/kibana
+RUN ./bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-${WAZUH_APP_VERSION}-1.zip
+
+ENV PATTERN="" \
+    CHECKS_PATTERN="" \
+    CHECKS_TEMPLATE="" \
+    CHECKS_API="" \
+    CHECKS_SETUP="" \
+    EXTENSIONS_PCI="" \
+    EXTENSIONS_GDPR="" \
+    EXTENSIONS_HIPAA="" \
+    EXTENSIONS_NIST="" \
+    EXTENSIONS_TSC="" \
+    EXTENSIONS_AUDIT="" \
+    EXTENSIONS_OSCAP="" \
+    EXTENSIONS_CISCAT="" \
+    EXTENSIONS_AWS="" \
+    EXTENSIONS_GCP="" \
+    EXTENSIONS_VIRUSTOTAL="" \
+    EXTENSIONS_OSQUERY="" \
+    EXTENSIONS_DOCKER="" \
+    APP_TIMEOUT="" \
+    API_SELECTOR="" \
+    IP_SELECTOR="" \
+    IP_IGNORE="" \
+    WAZUH_MONITORING_ENABLED="" \
+    WAZUH_MONITORING_FREQUENCY="" \
+    WAZUH_MONITORING_SHARDS="" \
+    WAZUH_MONITORING_REPLICAS="" \
+    ADMIN_PRIVILEGES="" \
+    XPACK_CANVAS="true" \
+    XPACK_LOGS="true"   \
+    XPACK_INFRA="true"  \
+    XPACK_ML="true" \
+    XPACK_DEVTOOLS="true"   \
+    XPACK_MONITORING="true" \
+    XPACK_APM="true"
+
+WORKDIR /
+USER kibana
+
+COPY --chown=kibana:kibana config/entrypoint.sh ./entrypoint.sh
+RUN chmod 755 ./entrypoint.sh
+
+RUN printf "\nserver.defaultRoute: /app/wazuh\n" >> /usr/share/kibana/config/kibana.yml
+
+COPY --chown=kibana:kibana ./config/wazuh.yml /usr/share/kibana/data/wazuh/config/wazuh.yml
+COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
+RUN chmod +x ./wazuh_app_config.sh
+
+COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
+RUN chmod +x ./kibana_settings.sh
+
+COPY --chown=kibana:kibana ./config/xpack_config.sh ./
+RUN chmod +x ./xpack_config.sh
+
+ENTRYPOINT ./entrypoint.sh

kibana/config/entrypoint.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+set -e
+
+##############################################################################
+# Waiting for elasticsearch
+##############################################################################
+
+if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
+  export el_url="http://elasticsearch:9200"
+else
+  export el_url="${ELASTICSEARCH_URL}"
+fi
+
+if [[ ${ENABLED_SECURITY} == "false" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
+  export auth=""
+else
+  export auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} -k"
+fi
+
+until curl -XGET $el_url ${auth}; do
+  >&2 echo "Elastic is unavailable - sleeping"
+  sleep 5
+done
+
+sleep 2
+
+>&2 echo "Elasticsearch is up."
+
+
+##############################################################################
+# Waiting for wazuh alerts template
+##############################################################################
+
+strlen=0
+
+while [[ $strlen -eq 0 ]]
+do
+  template=$(curl ${auth} $el_url/_cat/templates/wazuh -s)
+  strlen=${#template}
+  >&2 echo "Wazuh alerts template not loaded - sleeping."
+  sleep 2
+done
+
+sleep 2
+
+>&2 echo "Wazuh alerts template is loaded."
+
+./xpack_config.sh
+
+./wazuh_app_config.sh
+
+sleep 5
+
+./kibana_settings.sh &
+
+sleep 2
+
+/usr/local/bin/kibana-docker

kibana/config/kibana_settings.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+WAZUH_MAJOR=4
+
+##############################################################################
+# Wait for the Kibana API to start. It is necessary to do it in this container
+# because the others are running Elastic Stack and we can not interrupt them.
+#
+# The following actions are performed:
+#
+# Add the wazuh alerts index as default.
+# Set the Discover time interval to 24 hours instead of 15 minutes.
+# Do not ask user to help providing usage statistics to Elastic.
+##############################################################################
+
+##############################################################################
+# Customize elasticsearch ip
+##############################################################################
+sed -i "s|elasticsearch.hosts:.*|elasticsearch.hosts: $el_url|g" /usr/share/kibana/config/kibana.yml
+
+# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
+if [ "$KIBANA_INDEX" != "" ]; then
+  if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
+fi
+
+kibana_proto="http"
+
+if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
+  kibana_proto="https"
+  if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
+    sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
+  fi
+    echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
+fi
+
+# Add auth headers if required
+if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
+    curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
+fi
+
+while [[ "$(curl $curl_auth -XGET -I  -s -o /dev/null -w ''%{http_code}'' -k $kibana_proto://127.0.0.1:5601/status)" != "200" ]]; do
+  echo "Waiting for Kibana API. Sleeping 5 seconds"
+  sleep 5
+done
+
+
+
+# Prepare index selection.
+echo "Kibana API is running"
+
+default_index="/tmp/default_index.json"
+
+cat > ${default_index} << EOF
+{
+  "changes": {
+    "defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
+  }
+}
+EOF
+
+sleep 5
+# Add the wazuh alerts index as default.
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
+rm -f ${default_index}
+
+sleep 5
+# Configuring Kibana TimePicker.
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
+'{"changes":{"timepicker:timeDefaults":"{\n  \"from\": \"now-12h\",\n  \"to\": \"now\"}"}}'
+
+sleep 5
+# Do not ask user to help providing usage statistics to Elastic
+curl ${auth} -POST -k "$kibana_proto://127.0.0.1:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
+
+echo "End settings"

kibana/config/wazuh.yml

@@ -0,0 +1,162 @@
+---
+#
+# Wazuh app - App configuration file
+# Copyright (C) 2015-2021 Wazuh, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Find more information about this on the LICENSE file.
+#
+# ======================== Wazuh app configuration file ========================
+#
+# Please check the documentation for more information on configuration options:
+# https://documentation.wazuh.com/current/installation-guide/index.html
+#
+# Also, you can check our repository:
+# https://github.com/wazuh/wazuh-kibana-app
+#
+# ------------------------------- Index patterns -------------------------------
+#
+# Default index pattern to use.
+#pattern: wazuh-alerts-*
+#
+# ----------------------------------- Checks -----------------------------------
+#
+# Defines which checks must to be consider by the healthcheck
+# step once the Wazuh app starts. Values must to be true or false.
+#checks.pattern : true
+#checks.template: true
+#checks.api     : true
+#checks.setup   : true
+#checks.metaFields: true
+#
+# --------------------------------- Extensions ---------------------------------
+#
+# Defines which extensions should be activated when you add a new API entry.
+# You can change them after Wazuh app starts.
+# Values must to be true or false.
+#extensions.pci       : true
+#extensions.gdpr      : true
+#extensions.hipaa     : true
+#extensions.nist      : true
+#extensions.tsc       : true
+#extensions.audit     : true
+#extensions.oscap     : false
+#extensions.ciscat    : false
+#extensions.aws       : false
+#extensions.gcp       : false
+#extensions.virustotal: false
+#extensions.osquery   : false
+#extensions.docker    : false
+#
+# ---------------------------------- Time out ----------------------------------
+#
+# Defines maximum timeout to be used on the Wazuh app requests.
+# It will be ignored if it is bellow 1500.
+# It means milliseconds before we consider a request as failed.
+# Default: 20000
+#timeout: 20000
+#
+# -------------------------------- API selector --------------------------------
+#
+# Defines if the user is allowed to change the selected
+# API directly from the Wazuh app top menu.
+# Default: true
+#api.selector: true
+#
+# --------------------------- Index pattern selector ---------------------------
+#
+# Defines if the user is allowed to change the selected
+# index pattern directly from the Wazuh app top menu.
+# Default: true
+#ip.selector: true
+#
+# List of index patterns to be ignored
+#ip.ignore: []
+#
+# -------------------------------- X-Pack RBAC ---------------------------------
+#
+# Custom setting to enable/disable built-in X-Pack RBAC security capabilities.
+# Default: enabled
+#xpack.rbac.enabled: true
+#
+# ------------------------------ wazuh-monitoring ------------------------------
+#
+# Custom setting to enable/disable wazuh-monitoring indices.
+# Values: true, false, worker
+# If worker is given as value, the app will show the Agents status
+# visualization but won't insert data on wazuh-monitoring indices.
+# Default: true
+#wazuh.monitoring.enabled: true
+#
+# Custom setting to set the frequency for wazuh-monitoring indices cron task.
+# Default: 900 (s)
+#wazuh.monitoring.frequency: 900
+#
+# Configure wazuh-monitoring-* indices shards and replicas.
+#wazuh.monitoring.shards: 2
+#wazuh.monitoring.replicas: 0
+#
+# Configure wazuh-monitoring-* indices custom creation interval.
+# Values: h (hourly), d (daily), w (weekly), m (monthly)
+# Default: d
+#wazuh.monitoring.creation: d
+#
+# Default index pattern to use for Wazuh monitoring
+#wazuh.monitoring.pattern: wazuh-monitoring-*
+#
+# --------------------------------- wazuh-cron ----------------------------------
+#
+# Customize the index prefix of predefined jobs
+# This change is not retroactive, if you change it new indexes will be created
+# cron.prefix: test
+#
+# ------------------------------ wazuh-statistics -------------------------------
+#
+# Custom setting to enable/disable statistics tasks.
+#cron.statistics.status: true
+#
+# Enter the ID of the APIs you want to save data from, leave this empty to run
+# the task on all configured APIs
+#cron.statistics.apis: []
+#
+# Define the frequency of task execution using cron schedule expressions
+#cron.statistics.interval: 0 0 * * * *
+#
+# Define the name of the index in which the documents are to be saved.
+#cron.statistics.index.name: statistics
+#
+# Define the interval in which the index will be created
+#cron.statistics.index.creation: w
+#
+# ------------------------------- App privileges --------------------------------
+#admin: true
+#
+# ---------------------------- Hide manager alerts ------------------------------
+# Hide the alerts of the manager in all dashboards and discover
+#hideManagerAlerts: false
+#
+# ------------------------------- App logging level -----------------------------
+# Set the logging level for the Wazuh App log files.
+# Default value: info
+# Allowed values: info, debug
+#logs.level: info
+#
+# -------------------------------- Enrollment DNS -------------------------------
+# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
+# Default value: ''
+#enrollment.dns: ''
+#
+#-------------------------------- API entries -----------------------------------
+#The following configuration is the default structure to define an API entry.
+#
+#hosts:
+#  - <id>:
+#     url: http(s)://<url>
+#     port: <port>
+#     username: <username>
+#     password: <password>
+

kibana/config/wazuh_app_config.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+wazuh_url="${WAZUH_API_URL:-https://wazuh}"
+wazuh_port="${API_PORT:-55000}"
+api_username="${API_USERNAME:-wazuh-wui}"
+api_password="${API_PASSWORD:-wazuh-wui}"
+
+kibana_config_file="/usr/share/kibana/data/wazuh/config/wazuh.yml"
+
+declare -A CONFIG_MAP=(
+  [pattern]=$PATTERN
+  [checks.pattern]=$CHECKS_PATTERN
+  [checks.template]=$CHECKS_TEMPLATE
+  [checks.api]=$CHECKS_API
+  [checks.setup]=$CHECKS_SETUP
+  [extensions.pci]=$EXTENSIONS_PCI
+  [extensions.gdpr]=$EXTENSIONS_GDPR
+  [extensions.hipaa]=$EXTENSIONS_HIPAA
+  [extensions.nist]=$EXTENSIONS_NIST
+  [extensions.tsc]=$EXTENSIONS_TSC
+  [extensions.audit]=$EXTENSIONS_AUDIT
+  [extensions.oscap]=$EXTENSIONS_OSCAP
+  [extensions.ciscat]=$EXTENSIONS_CISCAT
+  [extensions.aws]=$EXTENSIONS_AWS
+  [extensions.gcp]=$EXTENSIONS_GCP
+  [extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
+  [extensions.osquery]=$EXTENSIONS_OSQUERY
+  [extensions.docker]=$EXTENSIONS_DOCKER
+  [timeout]=$APP_TIMEOUT
+  [api.selector]=$API_SELECTOR
+  [ip.selector]=$IP_SELECTOR
+  [ip.ignore]=$IP_IGNORE
+  [wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
+  [wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
+  [wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
+  [wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
+  [admin]=$ADMIN_PRIVILEGES
+)
+
+for i in "${!CONFIG_MAP[@]}"
+do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+        sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+done
+
+CONFIG_CODE=$(curl ${auth} -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013)
+
+grep -q 1513629884013 $kibana_config_file
+_config_exists=$?
+
+if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
+cat << EOF >> $kibana_config_file
+hosts:
+  - 1513629884013:
+      url: $wazuh_url
+      port: $wazuh_port
+      username: $api_username
+      password: $api_password
+EOF
+else
+  echo "Wazuh APP already configured"
+fi

kibana/config/xpack_config.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+
+kibana_config_file="/usr/share/kibana/config/kibana.yml"
+if grep -Fq  "#xpack features" "$kibana_config_file";
+then
+  declare -A CONFIG_MAP=(
+    [xpack.apm.ui.enabled]=$XPACK_APM
+    [xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
+    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
+    [xpack.ml.enabled]=$XPACK_ML
+    [xpack.canvas.enabled]=$XPACK_CANVAS
+    [xpack.infra.enabled]=$XPACK_INFRA
+    [xpack.monitoring.enabled]=$XPACK_MONITORING
+    [console.enabled]=$XPACK_DEVTOOLS
+  )
+  for i in "${!CONFIG_MAP[@]}"
+  do
+    if [ "${CONFIG_MAP[$i]}" != "" ]; then
+      sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
+    fi
+  done
+else
+  echo "
+#xpack features
+xpack.apm.ui.enabled: $XPACK_APM
+xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
+xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
+xpack.ml.enabled: $XPACK_ML
+xpack.canvas.enabled: $XPACK_CANVAS
+xpack.infra.enabled: $XPACK_INFRA
+xpack.monitoring.enabled: $XPACK_MONITORING
+console.enabled: $XPACK_DEVTOOLS
+" >> $kibana_config_file
+fi

production-cluster.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh-master:
-    image: wazuh/wazuh-odfe:4.0.4_1.11.0
+    image: wazuh/wazuh-odfe:4.2.3
     hostname: wazuh-master
     restart: always
     ports:
@@ -38,7 +38,7 @@ services:
       - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh-worker:
-    image: wazuh/wazuh-odfe:4.0.4_1.11.0
+    image: wazuh/wazuh-odfe:4.2.3
     hostname: wazuh-worker
     restart: always
     environment:
@@ -67,7 +67,7 @@ services:
       - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
 
   elasticsearch:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch
     restart: always
     ports:
@@ -86,11 +86,13 @@ services:
       - ./production_cluster/ssl_certs/root-ca.pem:/usr/share/elasticsearch/config/root-ca.pem
       - ./production_cluster/ssl_certs/node1.key:/usr/share/elasticsearch/config/node1.key
       - ./production_cluster/ssl_certs/node1.pem:/usr/share/elasticsearch/config/node1.pem
+      - ./production_cluster/ssl_certs/admin.pem:/usr/share/elasticsearch/config/admin.pem
+      - ./production_cluster/ssl_certs/admin.key:/usr/share/elasticsearch/config/admin.key
       - ./production_cluster/elastic_opendistro/elasticsearch-node1.yml:/usr/share/elasticsearch/config/elasticsearch.yml
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
 
   elasticsearch-2:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch-2
     restart: always
     environment:
@@ -111,7 +113,7 @@ services:
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
 
   elasticsearch-3:
-    image: amazon/opendistro-for-elasticsearch:1.11.0
+    image: amazon/opendistro-for-elasticsearch:1.13.2
     hostname: elasticsearch-3
     restart: always
     environment:
@@ -132,7 +134,7 @@ services:
       - ./production_cluster/elastic_opendistro/internal_users.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
 
   kibana:
-    image: wazuh/wazuh-kibana-odfe:4.0.4_1.11.0
+    image: wazuh/wazuh-kibana-odfe:4.2.3
     hostname: kibana
     restart: always
     ports:

production_cluster/elastic_opendistro/elasticsearch-node1.yml

@@ -20,7 +20,7 @@ opendistro_security.nodes_dn:
     - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true

production_cluster/elastic_opendistro/elasticsearch-node2.yml

@@ -20,7 +20,7 @@ opendistro_security.nodes_dn:
     - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true

production_cluster/elastic_opendistro/elasticsearch-node3.yml

@@ -20,7 +20,7 @@ opendistro_security.nodes_dn:
     - 'CN=node2,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=node3,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
     - 'CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com'
-opendistro_security.authcz.admin_dn: []
+opendistro_security.authcz.admin_dn: ['CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com']
 opendistro_security.audit.type: internal_elasticsearch
 opendistro_security.enable_snapshot_restore_privilege: true
 opendistro_security.check_snapshot_restore_write_privileges: true

production_cluster/kibana_ssl/generate-self-signed-cert.sh

@@ -9,4 +9,5 @@ then
     exit
 else
     openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
+    chown -R 1000:1000 *.pem
 fi

production_cluster/ssl_certs/certs.yml

@@ -28,3 +28,8 @@ nodes:
     dn: CN=filebeat,OU=Ops,O=Example\, Inc.,DC=example,DC=com
     dns: 
       - wazuh
+
+clients:
+  - name: admin
+    dn: CN=admin,OU=Ops,O=Example\, Inc.,DC=example,DC=com
+    admin: true

production_cluster/wazuh_cluster/wazuh_manager.conf

@@ -200,8 +200,8 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
+    <white_list>4.2.3.1</white_list>
-    <white_list>4.2.2.2</white_list>
+    <white_list>4.2.3.2</white_list>
     <white_list>208.67.220.220</white_list>
   </global>
 
@@ -307,7 +307,7 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <!-- Configuration for ossec-authd -->
+  <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>

production_cluster/wazuh_cluster/wazuh_worker.conf

@@ -200,8 +200,8 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.2.2.1</white_list>
+    <white_list>4.2.3.1</white_list>
-    <white_list>4.2.2.2</white_list>
+    <white_list>4.2.3.2</white_list>
     <white_list>208.67.220.220</white_list>
   </global>
 
@@ -307,7 +307,7 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <!-- Configuration for ossec-authd -->
+  <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>

wazuh-odfe/Dockerfile

@@ -1,8 +1,9 @@
 # Wazuh Docker Copyright (C) 2021 Wazuh Inc. (License GPLv2)
 FROM centos:7
 
-ARG FILEBEAT_VERSION=7.9.1
+ARG FILEBEAT_CHANNEL=filebeat-oss
-ARG WAZUH_VERSION=4.0.4-1
+ARG FILEBEAT_VERSION=7.10.2
+ARG WAZUH_VERSION=4.2.3
 ARG TEMPLATE_VERSION="master"
 ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
 
@@ -16,12 +17,14 @@ RUN yum --enablerepo=updates clean metadata && \
   sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/wazuh.repo && \
   yum clean all && rm -rf /var/cache/yum
 
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm &&\
+RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\
-  rpm -i filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm && rm -f filebeat-oss-${FILEBEAT_VERSION}-x86_64.rpm
+  rpm -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm
 
 RUN curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
 
-ARG S6_VERSION="v2.1.0.2"
+RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
+
+ARG S6_VERSION="v2.2.0.3"
 RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
     -o /tmp/s6-overlay-amd64.tar.gz && \
     tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \

wazuh-odfe/config/etc/cont-init.d/0-wazuh-init

@@ -74,6 +74,23 @@ apply_exclusion_data() {
   done
 }
 
+##############################################################################
+# This function will rename in the permanent data volume every file
+# contained in PERMANENT_DATA_MOVE
+##############################################################################
+
+move_data_files() {
+  for mov_file in "${PERMANENT_DATA_MOVE[@]}"; do
+    file_split=( $mov_file )
+    if [ -e ${file_split[0]} ]
+    then
+      print "moving ${mov_file}"
+      exec_cmd "mv -f ${mov_file}"
+    fi
+  done
+}
+
+
 ##############################################################################
 # This function will delete from the permanent data volume every file
 # contained in PERMANENT_DATA_DEL
@@ -84,7 +101,7 @@ remove_data_files() {
     if [ -e ${del_file} ]
     then
       print "Removing ${del_file}"
-      exec_cmd "rm ${del_file}"
+      exec_cmd "rm -f ${del_file}"
     fi
   done
 }
@@ -94,7 +111,7 @@ remove_data_files() {
 ##############################################################################
 
 create_ossec_key_cert() {
-  print "Creating ossec-authd key and cert"
+  print "Creating wazuh-authd key and cert"
   exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
   exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
 }
@@ -158,10 +175,13 @@ main() {
   # Restore files stored in permanent data that are not permanent  (i.e. internal_options.conf)
   apply_exclusion_data
 
+  # Rename files stored in permanent data (i.e. queue/ossec)
+  move_data_files
+
   # Remove some files in permanent_data (i.e. .template.db)
   remove_data_files
 
-  # Generate ossec-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
+  # Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
   if [ $AUTO_ENROLLMENT_ENABLED == true ]
   then
     if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]

wazuh-odfe/config/etc/cont-init.d/2-manager

@@ -102,6 +102,16 @@ EOF
   fi
 }
 
+function_entrypoint_scripts() {
+  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+  if [ -d "/entrypoint-scripts/" ]
+  then
+    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+      bash "$script"
+    done
+  fi
+}
+
 
 # Migrate data from /wazuh-migration volume
 function_wazuh_migration
@@ -109,5 +119,8 @@ function_wazuh_migration
 # create API custom user
 function_create_custom_user
 
+# run entrypoint scripts
+function_entrypoint_scripts
+
 # Start Wazuh
-/var/ossec/bin/ossec-control start
+/var/ossec/bin/wazuh-control start

wazuh-odfe/config/permanent_data.env

@@ -4,6 +4,7 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
+PERMANENT_DATA[((i++))]="/var/ossec/queue/logcollector"
 PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
 PERMANENT_DATA[((i++))]="/var/ossec/integrations"
@@ -20,23 +21,21 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw_mac.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-slack.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ossec-tweeter.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-ossec.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null.sh"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
@@ -59,9 +58,15 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 export PERMANENT_DATA_EXCP
 
 # Files mounted in a volume that should be deleted
 i=0
 PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
 export PERMANENT_DATA_DEL
+
+i=0
+PERMANENT_DATA_MOVE[((i++))]="/var/ossec/logs/ossec /var/ossec/logs/wazuh"
+PERMANENT_DATA_MOVE[((i++))]="/var/ossec/queue/ossec /var/ossec/queue/sockets"
+export PERMANENT_DATA_MOVE

xpack-compose.yml

@@ -0,0 +1,186 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    image: wazuh/wazuh:4.2.3
+    hostname: wazuh-manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=elastic
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
+      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
+      - SSL_KEY=/etc/ssl/wazuh.key
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
+      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
+      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
+
+
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch2:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch2
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch2
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch3:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    hostname: elasticsearch3
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch3
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+
+
+  kibana:
+    image: wazuh/wazuh-kibana:4.2.3
+    hostname: kibana
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - SERVERNAME=localhost
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=SecretPassword
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
+      - SERVER_SSL_ENABLED=true
+      - XPACK_SECURITY_ENABLED=true
+      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
+      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
+      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh:wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

xpack-from-sources.yml

@@ -0,0 +1,192 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh:
+    build:
+      context: wazuh-odfe/
+      args:
+        - FILEBEAT_CHANNEL=filebeat
+        - FILEBEAT_VERSION=7.11.2
+    image: wazuh/wazuh:4.2.3
+    hostname: wazuh-manager
+    restart: always
+    ports:
+      - "1514:1514"
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTIC_USERNAME=elastic
+      - ELASTIC_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=none
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/ca.crt
+      - SSL_CERTIFICATE=/etc/ssl/wazuh.crt
+      - SSL_KEY=/etc/ssl/wazuh.key
+    volumes:
+      - ossec_api_configuration:/var/ossec/api/configuration
+      - ossec_etc:/var/ossec/etc
+      - ossec_logs:/var/ossec/logs
+      - ossec_queue:/var/ossec/queue
+      - ossec_var_multigroups:/var/ossec/var/multigroups
+      - ossec_integrations:/var/ossec/integrations
+      - ossec_active_response:/var/ossec/active-response/bin
+      - ossec_agentless:/var/ossec/agentless
+      - ossec_wodles:/var/ossec/wodles
+      - filebeat_etc:/etc/filebeat
+      - filebeat_var:/var/lib/filebeat
+      - ./xpack/ca/ca.crt:/etc/ssl/ca.crt
+      - ./xpack/wazuh/wazuh.crt:/etc/ssl/wazuh.crt
+      - ./xpack/wazuh/wazuh.key:/etc/ssl/wazuh.key
+
+
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
+    hostname: elasticsearch
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch2:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
+    hostname: elasticsearch2
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch2
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch2/elasticsearch2.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch2/elasticsearch2.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+  elasticsearch3:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.11.2
+    hostname: elasticsearch3
+    restart: always
+    environment:
+      - cluster.name=wazuh-cluster
+      - node.name=elasticsearch3
+      - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3
+      - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3
+      - ELASTIC_PASSWORD=SecretPassword
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+      - bootstrap.memory_lock=true
+      - xpack.license.self_generated.type=basic
+      - xpack.security.enabled=true
+      - xpack.security.http.ssl.enabled=true
+      - xpack.security.http.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+      - xpack.security.transport.ssl.enabled=true
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.security.transport.ssl.certificate_authorities=/usr/share/elasticsearch/config/ca.crt
+      - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/elasticsearch.key
+      - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/elasticsearch.crt
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/elasticsearch/config/ca.crt
+      - ./xpack/elasticsearch3/elasticsearch3.key:/usr/share/elasticsearch/config/elasticsearch.key
+      - ./xpack/elasticsearch3/elasticsearch3.crt:/usr/share/elasticsearch/config/elasticsearch.crt
+
+
+
+  kibana:
+    build: kibana/
+    image: wazuh/wazuh-kibana:4.2.3
+    hostname: kibana
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - SERVERNAME=localhost
+      - ELASTICSEARCH_USERNAME=elastic
+      - ELASTICSEARCH_PASSWORD=SecretPassword
+      - ELASTICSEARCH_URL=https://elasticsearch:9200
+      - ELASTICSEARCH_HOSTS=https://elasticsearch:9200
+      - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=/usr/share/kibana/config/ca.crt
+      - SERVER_SSL_ENABLED=true
+      - XPACK_SECURITY_ENABLED=true
+      - SERVER_SSL_KEY=/usr/share/kibana/config/kibana.key
+      - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/kibana.crt
+    volumes:
+      - ./xpack/ca/ca.crt:/usr/share/kibana/config/ca.crt
+      - ./xpack/kibana/kibana.key:/usr/share/kibana/config/kibana.key
+      - ./xpack/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt
+    depends_on:
+      - elasticsearch
+    links:
+      - elasticsearch:elasticsearch
+      - wazuh:wazuh
+
+volumes:
+  ossec_api_configuration:
+  ossec_etc:
+  ossec_logs:
+  ossec_queue:
+  ossec_var_multigroups:
+  ossec_integrations:
+  ossec_active_response:
+  ossec_agentless:
+  ossec_wodles:
+  filebeat_etc:
+  filebeat_var:

xpack/instances.yml

@@ -0,0 +1,35 @@
+instances:
+  - name: elasticsearch
+    dns:
+      - elasticsearch
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: elasticsearch2
+    dns:
+      - elasticsearch2
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: elasticsearch3
+    dns:
+      - elasticsearch3
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: kibana
+    dns:
+      - kibana
+      - localhost
+    ip:
+      - 127.0.0.1
+
+  - name: wazuh
+    dns:
+      - wazuh
+      - localhost
+    ip:
+      - 127.0.0.1