Merge pull request #2030 from wazuh/enhancement/1933-server-clean-up

Wazuh server clean-up

.env

@@ -1,6 +1,6 @@
-WAZUH_VERSION=4.12.0
-WAZUH_IMAGE_VERSION=4.12.0
+WAZUH_VERSION=5.0.0
+WAZUH_IMAGE_VERSION=5.0.0
 WAZUH_TAG_REVISION=1
-FILEBEAT_TEMPLATE_BRANCH=4.12.0
+FILEBEAT_TEMPLATE_BRANCH=5.0.0
 WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.4.tar.gz
 WAZUH_UI_REVISION=1

.github/.goss.yaml

@@ -56,7 +56,7 @@ package:
   wazuh-manager:
     installed: true
     versions:
-    - 4.12.0
+    - 5.0.0
 port:
   tcp:1514:
     listening: true

.github/multi-node-filebeat-check.sh

@@ -1,18 +1,39 @@
-filebeatout1=$(docker exec multi-node_wazuh.master_1 sh -c 'filebeat test output')
-filebeatstatus1=$(echo "${filebeatout1}" | grep -c OK)
-if [[ filebeatstatus1 -eq 7 ]]; then
-  echo "No errors in master filebeat"
+COMMAND_TO_EXECUTE="filebeat test output"
+
+MASTER_CONTAINERS=$(docker ps --format '{{.Names}}' | grep -E 'master')
+
+if [ -z "$MASTER_CONTAINERS" ]; then
+  echo "No containers were found with 'master' in their name."
 else
-  echo "Errors in master filebeat"
-  echo "${filebeatout1}"
-  exit 1
+  for MASTER_CONTAINERS in $MASTER_CONTAINERS; do
+    FILEBEAT_OUTPUT=$(docker exec "$MASTER_CONTAINERS" $COMMAND_TO_EXECUTE)
+    FILEBEAT_STATUS=$(echo "${FILEBEAT_OUTPUT}" | grep -c OK)
+    if [[ $FILEBEAT_STATUS -eq 7 ]]; then
+      echo "No errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+    else
+      echo "Errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+      exit 1
+    fi
+  done
 fi
-filebeatout2=$(docker exec multi-node_wazuh.worker_1 sh -c 'filebeat test output')
-filebeatstatus2=$(echo "${filebeatout2}" | grep -c OK)
-if [[ filebeatstatus2 -eq 7 ]]; then
- echo "No errors in worker filebeat"
+
+MASTER_CONTAINERS=$(docker ps --format '{{.Names}}' | grep -E 'worker')
+
+if [ -z "$MASTER_CONTAINERS" ]; then
+  echo "No containers were found with 'worker' in their name."
 else
- echo "Errors in worker filebeat"
- echo "${filebeatout2}"
- exit 1
+  for MASTER_CONTAINERS in $MASTER_CONTAINERS; do
+    FILEBEAT_OUTPUT=$(docker exec "$MASTER_CONTAINERS" $COMMAND_TO_EXECUTE)
+    FILEBEAT_STATUS=$(echo "${FILEBEAT_OUTPUT}" | grep -c OK)
+    if [[ $FILEBEAT_STATUS -eq 7 ]]; then
+      echo "No errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+    else
+      echo "Errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+      exit 1
+    fi
+  done
 fi

.github/single-node-filebeat-check.sh

@@ -1,9 +1,20 @@
-filebeatout=$(docker exec single-node_wazuh.manager_1 sh -c 'filebeat test output')
-filebeatstatus=$(echo "${filebeatout}" | grep -c OK)
-if [[ filebeatstatus -eq 7 ]]; then
-  echo "No errors in filebeat"
+COMMAND_TO_EXECUTE="filebeat test output"
+
+MASTER_CONTAINERS=$(docker ps --format '{{.Names}}' | grep -E 'manager')
+
+if [ -z "$MASTER_CONTAINERS" ]; then
+  echo "No containers were found with 'manager' in their name."
 else
-  echo "Errors in filebeat"
-  echo "${filebeatout}"
-  exit 1
+  for MASTER_CONTAINERS in $MASTER_CONTAINERS; do
+    FILEBEAT_OUTPUT=$(docker exec "$MASTER_CONTAINERS" $COMMAND_TO_EXECUTE)
+    FILEBEAT_STATUS=$(echo "${FILEBEAT_OUTPUT}" | grep -c OK)
+    if [[ $FILEBEAT_STATUS -eq 7 ]]; then
+      echo "No errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+    else
+      echo "Errors in filebeat"
+      echo "${FILEBEAT_OUTPUT}"
+      exit 1
+    fi
+  done
 fi

.github/workflows/4_bumper_repository.yml

@@ -0,0 +1,142 @@
+name: Repository bumper
+run-name: Bump ${{ github.ref_name }} (${{ inputs.id }})
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Target version (e.g. 1.2.3)'
+        default: ''
+        required: false
+        type: string
+      stage:
+        description: 'Version stage (e.g. alpha0)'
+        default: ''
+        required: false
+        type: string
+      tag:
+        description: 'Change branches references to tag-like references (e.g. v4.12.0-alpha7)'
+        default: false
+        required: false
+        type: boolean
+      issue-link:
+        description: 'Issue link in format https://github.com/wazuh/<REPO>/issues/<ISSUE-NUMBER>'
+        required: true
+        type: string
+      id:
+        description: 'Optional identifier for the run'
+        required: false
+        type: string
+
+jobs:
+  bump:
+    name: Repository bumper
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      pull-requests: write
+
+    env:
+      CI_COMMIT_AUTHOR: wazuhci
+      CI_COMMIT_EMAIL: 22834044+wazuhci@users.noreply.github.com
+      CI_GPG_PRIVATE_KEY: ${{ secrets.CI_WAZUHCI_GPG_PRIVATE }}
+      GH_TOKEN: ${{ secrets.CI_WAZUHCI_BUMPER_TOKEN }}
+      BUMP_SCRIPT_PATH: tools/repository_bumper.sh
+      BUMP_LOG_PATH: tools
+
+    steps:
+      - name: Dump event payload
+        run: |
+          cat $GITHUB_EVENT_PATH | jq '.inputs'
+
+      - name: Set up GPG key
+        id: signing_setup
+        run: |
+          echo "${{ env.CI_GPG_PRIVATE_KEY }}" | gpg --batch --import
+          KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')
+          echo "gpg_key_id=$KEY_ID" >> $GITHUB_OUTPUT
+
+      - name: Set up git
+        run: |
+          git config --global user.name "${{ env.CI_COMMIT_AUTHOR }}"
+          git config --global user.email "${{ env.CI_COMMIT_EMAIL }}"
+          git config --global commit.gpgsign true
+          git config --global user.signingkey "${{ steps.signing_setup.outputs.gpg_key_id }}"
+          echo "use-agent" >> ~/.gnupg/gpg.conf
+          echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
+          echo RELOADAGENT | gpg-connect-agent
+          export DEBIAN_FRONTEND=noninteractive
+          export GPG_TTY=$(tty)
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          # Using workflow-specific GITHUB_TOKEN because currently CI_WAZUHCI_BUMPER_TOKEN
+          # doesn't have all the necessary permissions
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Determine branch name
+        id: vars
+        env:
+          VERSION: ${{ inputs.version }}
+          STAGE: ${{ inputs.stage }}
+          TAG: ${{ inputs.tag }}
+        run: |
+          script_params=""
+          version=${{ env.VERSION }}
+          stage=${{ env.STAGE }}
+          tag=${{ env.TAG }}
+
+          # Both version and stage provided
+          if [[ -n "$version" && -n "$stage" && "$tag" != "true" ]]; then
+            script_params="--version ${version} --stage ${stage}"
+          elif [[ -n "$version" && -n "$stage" && "$tag" == "true" ]]; then
+            script_params="--version ${version} --stage ${stage} --tag ${tag}"
+          fi
+
+          issue_number=$(echo "${{ inputs.issue-link }}" | awk -F'/' '{print $NF}')
+          BRANCH_NAME="enhancement/wqa${issue_number}-bump-${{ github.ref_name }}"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          echo "script_params=${script_params}" >> $GITHUB_OUTPUT
+
+      - name: Create and switch to bump branch
+        run: |
+          git checkout -b ${{ steps.vars.outputs.branch_name }}
+
+      - name: Make version bump changes
+        run: |
+          echo "Running bump script"
+          bash ${{ env.BUMP_SCRIPT_PATH }} ${{ steps.vars.outputs.script_params }}
+
+      - name: Commit and push changes
+        run: |
+          git add .
+          git commit -m "feat: bump ${{ github.ref_name }}"
+          git push origin ${{ steps.vars.outputs.branch_name }}
+
+      - name: Create pull request
+        id: create_pr
+        run: |
+          gh auth setup-git
+          PR_URL=$(gh pr create \
+            --title "Bump ${{ github.ref_name }} branch" \
+            --body "Issue: ${{ inputs.issue-link }}" \
+            --base ${{ github.ref_name }} \
+            --head ${{ steps.vars.outputs.branch_name }})
+
+          echo "Pull request created: ${PR_URL}"
+          echo "pull_request_url=${PR_URL}" >> $GITHUB_OUTPUT
+
+      - name: Merge pull request
+        run: |
+          # Any checks for the PR are bypassed since the branch is expected to be functional (i.e. the bump process does not introduce any bugs)
+          gh pr merge "${{ steps.create_pr.outputs.pull_request_url }}" --merge --admin
+
+      - name: Show logs
+        run: |
+          echo "Bump complete."
+          echo "Branch: ${{ steps.vars.outputs.branch_name }}"
+          echo "PR: ${{ steps.create_pr.outputs.pull_request_url }}"
+          echo "Bumper scripts logs:"
+          cat ${BUMP_LOG_PATH}/repository_bumper*log

.github/workflows/Procedure_push_docker_images.yml

@@ -6,15 +6,14 @@ on:
     inputs:
       image_tag:
         description: 'Docker image tag'
-        default: '4.12.0'
+        default: '5.0.0'
         required: true
       docker_reference:
         description: 'wazuh-docker reference'
-        default: 'v4.12.0'
         required: true
       products:
         description: 'Comma-separated list of the image names to build and push'
-        default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
+        default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent'
         required: true
       filebeat_module_version:
         description: 'Filebeat module version'
@@ -42,17 +41,16 @@ on:
     inputs:
       image_tag:
         description: 'Docker image tag'
-        default: '4.12.0'
+        default: '5.0.0'
         required: true
         type: string
       docker_reference:
         description: 'wazuh-docker reference'
-        default: 'v4.12.0'
         required: false
         type: string
       products:
         description: 'Comma-separated list of the image names to build and push'
-        default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer'
+        default: 'wazuh-manager,wazuh-dashboard,wazuh-indexer,wazuh-agent'
         required: true
         type: string
       filebeat_module_version:
@@ -116,12 +114,6 @@ jobs:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-    - name: Install Docker Compose
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y docker-compose
-        echo "Installed Docker Compose version: $(docker-compose --version)"
-
     - name: Build Wazuh images
       run: |
         IMAGE_TAG=${{ inputs.image_tag }}

.github/workflows/push.yml

@@ -8,12 +8,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install docker-compose
-      run: |
-        curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-        chmod +x /usr/local/bin/docker-compose
+      uses: actions/checkout@v4
 
     - name: Build Wazuh images
       run: build-docker-images/build-images.sh
@@ -27,6 +22,7 @@ jobs:
         docker save wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
         docker save wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
         docker save wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
+        docker save wazuh/wazuh-agent:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-agent.tar
 
     - name: Temporarily save Wazuh manager Docker image
       uses: actions/upload-artifact@v4
@@ -49,6 +45,13 @@ jobs:
         path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
         retention-days: 1
 
+    - name: Temporarily save Wazuh agent Docker image
+      uses: actions/upload-artifact@v4
+      with:
+        name: docker-artifact-agent
+        path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-agent.tar
+        retention-days: 1
+
     - name: Install Goss
       uses: e1himself/goss-installation-action@v1.0.3
       with:
@@ -66,12 +69,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install docker-compose
-      run: |
-        curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-        chmod +x /usr/local/bin/docker-compose
+      uses: actions/checkout@v4
 
     - name: Create enviroment variables
       run: cat .env > $GITHUB_ENV
@@ -91,18 +89,23 @@ jobs:
       with:
         name: docker-artifact-dashboard
 
+    - name: Retrieve saved Wazuh agent Docker image
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-artifact-agent
+
     - name: Docker load
       run: |
         docker load --input ./wazuh-indexer.tar
         docker load --input ./wazuh-dashboard.tar
         docker load --input ./wazuh-manager.tar
-
+        docker load --input ./wazuh-agent.tar
 
     - name: Create single node certficates
-      run: docker-compose -f single-node/generate-indexer-certs.yml run --rm generator
+      run: docker compose -f single-node/generate-indexer-certs.yml run --rm generator
 
     - name: Start single node stack
-      run: docker-compose -f single-node/docker-compose.yml up -d
+      run: docker compose -f single-node/docker-compose.yml up -d
 
     - name: Check Wazuh indexer start
       run: |
@@ -185,7 +188,20 @@ jobs:
         exit 1
        fi
 
-    - name: Check errors in ossec.log
+    - name: Modify Docker endpoint into Wazuh agent docker-compose.yml file
+      run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
+
+    - name: Start Wazuh agent
+      run: docker compose -f wazuh-agent/docker-compose.yml up -d
+
+    - name: Check Wazuh agent enrollment
+      run: |
+        sleep 20
+        curl -k -s -X GET "https://localhost:55000/agents?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}"
+      env:
+        TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+    - name: Check errors in ossec.log for Wazuh manager
       run: ./.github/single-node-log-check.sh
 
   check-multi-node:
@@ -194,12 +210,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Install docker-compose
-      run: |
-        curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-        chmod +x /usr/local/bin/docker-compose
+      uses: actions/checkout@v4
 
     - name: Create enviroment variables
       run: cat .env > $GITHUB_ENV
@@ -222,18 +233,24 @@ jobs:
       with:
         name: docker-artifact-indexer
 
+    - name: Retrieve saved Wazuh agent Docker image
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-artifact-agent
+
     - name: Docker load
       run: |
         docker load --input ./wazuh-manager.tar
         docker load --input ./wazuh-indexer.tar
         docker load --input ./wazuh-dashboard.tar
-        rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar
+        docker load --input ./wazuh-agent.tar
+        rm -rf wazuh-manager.tar wazuh-indexer.tar wazuh-dashboard.tar wazuh-agent.tar
 
     - name: Create multi node certficates
-      run: docker-compose -f multi-node/generate-indexer-certs.yml run --rm generator
+      run: docker compose -f multi-node/generate-indexer-certs.yml run --rm generator
 
     - name: Start multi node stack
-      run: docker-compose -f multi-node/docker-compose.yml up -d
+      run: docker compose -f multi-node/docker-compose.yml up -d
 
     - name: Check Wazuh indexer start
       run: |
@@ -334,5 +351,18 @@ jobs:
         exit 1
        fi
 
-    - name: Check errors in ossec.log
-      run: ./.github/multi-node-log-check.sh
+    - name: Modify Docker endpoint into Wazuh agent docker-compose.yml file
+      run: sed -i "s/<WAZUH_MANAGER_IP>/$(ip addr show docker0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)/g" wazuh-agent/docker-compose.yml
+
+    - name: Start Wazuh agent
+      run: docker compose -f wazuh-agent/docker-compose.yml up -d
+
+    - name: Check Wazuh agent enrollment
+      run: |
+        sleep 20
+        curl -k -s -X GET "https://localhost:55000/agents?pretty=true" -H  "Authorization: Bearer ${{env.TOKEN}}"
+      env:
+        TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
+
+    - name: Check errors in ossec.log for Wazuh manager
+      run: ./.github/multi-node-log-check.sh

.github/workflows/trivy-dashboard.yml

@@ -11,8 +11,7 @@ on:
     - published
   pull_request:
     branches:
-      - master
-      - stable
+      - main
   schedule:
     - cron: '34 2 * * 1'
   workflow_dispatch:

.github/workflows/trivy-indexer.yml

@@ -11,8 +11,7 @@ on:
     - published
   pull_request:
     branches:
-      - master
-      - stable
+      - main
   schedule:
     - cron: '34 2 * * 1'
   workflow_dispatch:

.github/workflows/trivy-manager.yml

@@ -11,8 +11,7 @@ on:
     - published
   pull_request:
     branches:
-      - master
-      - stable
+      - main
   schedule:
     - cron: '34 2 * * 1'
   workflow_dispatch:

.gitignore

@@ -1,4 +1,5 @@
 single-node/config/wazuh_indexer_ssl_certs/*.pem
 single-node/config/wazuh_indexer_ssl_certs/*.key
 multi-node/config/wazuh_indexer_ssl_certs/*.pem
-multi-node/config/wazuh_indexer_ssl_certs/*.key
+multi-node/config/wazuh_indexer_ssl_certs/*.key
+*.log

CHANGELOG.md

@@ -1,6 +1,114 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## [5.0.0]
+
+### Added
+
+- None
+
+### Changed
+
+- Wazuh server clean-up ([#2030](https://github.com/wazuh/wazuh-puppet/issues/2030))
+- Fix OpenSearch deprecated settings ([#1366](https://github.com/wazuh/wazuh-puppet/issues/1366))
+
+### Fixed
+
+- None
+
+### Deleted
+
+- None
+
+## [4.14.1]
+
+### Added
+
+- None
+
+### Changed
+
+- None
+
+### Fixed
+
+- None
+
+### Deleted
+
+- None
+
+## [4.14.0]
+
+### Added
+
+- None
+
+### Changed
+
+- Rollback data source setting ([#1999](https://github.com/wazuh/wazuh-docker/pull/1999))
+- Dashboard settings added ([#1998](https://github.com/wazuh/wazuh-docker/pull/1998))
+- Add filebeat config file in the PERMANENT_DATA_EXCP list ([#1898](https://github.com/wazuh/wazuh-docker/pull/1898))
+- Change validation of existing certs tool in S3 buckets ([#1880](https://github.com/wazuh/wazuh-docker/pull/1880))
+
+### Fixed
+
+- Double the amount of space consumed in Wazuh Indexer ([#1953](https://github.com/wazuh/wazuh-docker/pull/1953))
+- Fix config directory for opensearch_security plugin work ([#1951](https://github.com/wazuh/wazuh-docker/pull/1951))
+- Update Dockerfile to copy opensearch-security files ([#1928](https://github.com/wazuh/wazuh-docker/pull/1928))
+
+### Deleted
+
+- None
+
+## [4.13.1]
+
+### Added
+
+- None
+
+### Changed
+
+- None
+
+### Fixed
+
+- None
+
+### Deleted
+
+- None
+
+## [4.13.0]
+
+### Added
+
+- Add opensearch_dashboard.yml parameters. ([#1985](https://github.com/wazuh/wazuh-docker/pull/1985))
+- Set right ownership for malicious-ioc files on container start ([#1926](https://github.com/wazuh/wazuh-docker/pull/1926))
+- Delete services statement in wazuh agent deployment. ([#1925](https://github.com/wazuh/wazuh-docker/pull/1925))
+- Add permanent_data exceptions. ([#1890](https://github.com/wazuh/wazuh-docker/pull/1890))
+- Integrate bumper script via GitHub action. ([#1863](https://github.com/wazuh/wazuh-docker/pull/1863))
+- Add missing malicious-ioc ruleset lists ([#1870](https://github.com/wazuh/wazuh-docker/pull/1870))
+- Added repository_bumper script. ([#1781](https://github.com/wazuh/wazuh-docker/pull/1781))
+- Fix Warning message when migrating Docker compose v2 ([#1828](https://github.com/wazuh/wazuh-docker/pull/1828))
+- Add technical documentation ([#1822](https://github.com/wazuh/wazuh-docker/pull/1822))
+- Add wazuh agent test and push ([#1817](https://github.com/wazuh/wazuh-docker/pull/1817))
+- Add Wazuh agent image build and deploy ([#1816](https://github.com/wazuh/wazuh-docker/pull/1816))
+
+### Changed
+
+- Syscollector configuration change ([#1994](https://github.com/wazuh/wazuh-docker/pull/1994))
+- Modify wazuh-keystore use ([#1750](https://github.com/wazuh/wazuh-docker/pull/1750)) \- (wazuh-keystore)
+
+### Fixed
+
+- Add wazuh-template.json into permanent data exception ([#1968](https://github.com/wazuh/wazuh-docker/pull/1968))
+
+### Deleted
+
+- Remove default docker reference version from workflow ([#1761](https://github.com/wazuh/wazuh-docker/pull/1761))
+- Remove 'stable' branch ocurrencies ([#1757](https://github.com/wazuh/wazuh-docker/pull/1757))
+
 ## [4.12.0]
 
 ### Added
@@ -129,7 +237,6 @@ All notable changes to this project will be documented in this file.
 
 - None
 
-
 ### Fixed
 
 - Fix typos into Wazuh manager entrypoint ([#1569](https://github.com/wazuh/wazuh-docker/pull/1569))
@@ -138,7 +245,6 @@ All notable changes to this project will be documented in this file.
 
 - None
 
-
 ## Wazuh Docker v4.9.0
 ### Added
 

README.md

@@ -2,251 +2,51 @@
 
 [![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
 [![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
-[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
-[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
 
-In this repository you will find the containers to run:
+## Description
 
-* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
-* Wazuh dashboard: provides a web user interface to browse through alert data and allows you to visualize the agents configuration and status.
-* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
+The `wazuh/wazuh-docker` repository provides resources to deploy the Wazuh cybersecurity platform using Docker containers. This setup enables easy installation and orchestration of the full Wazuh stack, including the Wazuh server, dashboard (based on OpenSearch Dashboards), and OpenSearch for indexing and search.
 
-The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
-The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
-The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
-The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexers, and one Wazuh dashboard.
+## Capabilities
+
+- Full deployment of the Wazuh stack using Docker.
+- `docker compose` support for orchestration.
+- Scalable architecture with multi-node support.
+- Data persistence through configurable volumes.
+- Ready-to-use configurations for production or testing environments.
+
+## Branch Convention
+
+- `main`: Developing and testing of new features.
+- `X.Y.Z`: Version-specific branches (e.g., `5.0.0`, `4.14.0`, etc.).
 
 ## Documentation
 
-* [Wazuh full documentation](http://documentation.wazuh.com)
-* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
-* [Docker Hub](https://hub.docker.com/u/wazuh)
+Official documentation is available at:
 
+[https://documentation.wazuh.com/current/deployment-options/docker/index.html](https://documentation.wazuh.com/current/deployment-options/docker/index.html)
 
-### Setup SSL certificate
+You can also explore internal documentation in the [`docs`](https://github.com/wazuh/wazuh-docker/tree/main/docs) folder of this repository.
 
-Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
+## Get Involved
 
-Documentation on how to provide these two can be found at [Wazuh Docker Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
+- **Fork the repository** and create your own branches to add features or fix bugs.
+- **Open issues** to report bugs or request features.
+- **Submit pull requests** following the contributing guidelines.
+- Participate in [discussions](https://github.com/wazuh/wazuh-docker/discussions) if available.
 
-
-## Environment Variables
-
-Default values are included when available.
-
-### Wazuh
-```
-API_USERNAME="wazuh-wui"                            # Wazuh API username
-API_PASSWORD="MyS3cr37P450r.*-"                     # Wazuh API password - Must comply with requirements
-                                                    # (8+ length, uppercase, lowercase, special chars)
-
-INDEXER_URL=https://wazuh.indexer:9200              # Wazuh indexer URL
-INDEXER_USERNAME=admin                              # Wazuh indexer Username
-INDEXER_PASSWORD=SecretPassword                     # Wazuh indexer Password
-FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification mode (full or none)
-SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
-SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
-SSL_KEY=""                                          # Path of Filebeat SSL Key
-```
-
-### Dashboard
-```
-PATTERN="wazuh-alerts-*"        # Default index pattern to use
-
-CHECKS_PATTERN=true             # Defines which checks must be considered by the healthcheck
-CHECKS_TEMPLATE=true            # step once the Wazuh app starts. Values must be true or false
-CHECKS_API=true
-CHECKS_SETUP=true
-
-APP_TIMEOUT=20000               # Defines maximum timeout to be used on the Wazuh app requests
-
-API_SELECTOR=true               Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
-IP_SELECTOR=true                # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
-IP_IGNORE="[]"                  # List of index patterns to be ignored
-
-DASHBOARD_USERNAME=kibanaserver     # Custom user saved in the dashboard keystore
-DASHBOARD_PASSWORD=kibanaserver     # Custom password saved in the dashboard keystore
-WAZUH_MONITORING_ENABLED=true       # Custom settings to enable/disable wazuh-monitoring indices
-WAZUH_MONITORING_FREQUENCY=900      # Custom setting to set the frequency for wazuh-monitoring indices cron task
-WAZUH_MONITORING_SHARDS=2           # Configure wazuh-monitoring-* indices shards and replicas
-WAZUH_MONITORING_REPLICAS=0         ##
-```
-
-## Directory structure
-
-    ├── build-docker-images
-    │   ├── build-images.sh
-    │   ├── build-images.yml
-    │   ├── README.md
-    │   ├── wazuh-dashboard
-    │   │   ├── config
-    │   │   │   ├── config.sh
-    │   │   │   ├── config.yml
-    │   │   │   ├── dl_base.sh
-    │   │   │   ├── entrypoint.sh
-    │   │   │   ├── install_wazuh_app.sh
-    │   │   │   ├── opensearch_dashboards.yml
-    │   │   │   ├── wazuh_app_config.sh
-    │   │   │   └── wazuh.yml
-    │   │   └── Dockerfile
-    │   ├── wazuh-indexer
-    │   │   ├── config
-    │   │   │   ├── action_groups.yml
-    │   │   │   ├── config.sh
-    │   │   │   ├── config.yml
-    │   │   │   ├── entrypoint.sh
-    │   │   │   ├── internal_users.yml
-    │   │   │   ├── opensearch.yml
-    │   │   │   ├── roles_mapping.yml
-    │   │   │   ├── roles.yml
-    │   │   │   └── securityadmin.sh
-    │   │   └── Dockerfile
-    │   └── wazuh-manager
-    │       ├── config
-    │       │   ├── check_repository.sh
-    │       │   ├── create_user.py
-    │       │   ├── etc
-    │       │   │   ├── cont-init.d
-    │       │   │   │   ├── 0-wazuh-init
-    │       │   │   │   ├── 1-config-filebeat
-    │       │   │   │   └── 2-manager
-    │       │   │   └── services.d
-    │       │   │       ├── filebeat
-    │       │   │       │   ├── finish
-    │       │   │       │   └── run
-    │       │   │       └── ossec-logs
-    │       │   │           └── run
-    │       │   ├── filebeat_module.sh
-    │       │   ├── filebeat.yml
-    │       │   ├── permanent_data.env
-    │       │   └── permanent_data.sh
-    │       └── Dockerfile
-    ├── CHANGELOG.md
-    ├── indexer-certs-creator
-    │   ├── config
-    │   │   └── entrypoint.sh
-    │   ├── Dockerfile
-    │   └── README.md
-    ├── LICENSE
-    ├── multi-node
-    │   ├── config
-    │   │   ├── certs.yml
-    │   │   ├── nginx
-    │   │   │   └── nginx.conf
-    │   │   ├── wazuh_cluster
-    │   │   │   ├── wazuh_manager.conf
-    │   │   │   └── wazuh_worker.conf
-    │   │   ├── wazuh_dashboard
-    │   │   │   ├── opensearch_dashboards.yml
-    │   │   │   └── wazuh.yml
-    │   │   └── wazuh_indexer
-    │   │       ├── internal_users.yml
-    │   │       ├── wazuh1.indexer.yml
-    │   │       ├── wazuh2.indexer.yml
-    │   │       └── wazuh3.indexer.yml
-    │   ├── docker-compose.yml
-    │   ├── generate-indexer-certs.yml
-    │   ├── Migration-to-Wazuh-4.4.md
-    │   ├── README.md
-    │   └── volume-migrator.sh
-    ├── README.md
-    ├── SECURITY.md
-    ├── single-node
-    │   ├── config
-    │   │   ├── certs.yml
-    │   │   ├── wazuh_cluster
-    │   │   │   └── wazuh_manager.conf
-    │   │   ├── wazuh_dashboard
-    │   │   │   ├── opensearch_dashboards.yml
-    │   │   │   └── wazuh.yml
-    │   │   └── wazuh_indexer
-    │   │       ├── internal_users.yml
-    │   │       └── wazuh.indexer.yml
-    │   ├── docker-compose.yml
-    │   ├── generate-indexer-certs.yml
-    │   └── README.md
-    └── VERSION.json
-
-
-
-## Branches
-
-* `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `stable` branch corresponds to the last Wazuh stable version.
-
-## Compatibility Matrix
-
-| Wazuh version | ODFE    | XPACK  |
-|---------------|---------|--------|
-| v4.12.0       |         |        |
-| v4.11.2       |         |        |
-| v4.11.1       |         |        |
-| v4.11.0       |         |        |
-| v4.10.1       |         |        |
-| v4.10.0       |         |        |
-| v4.9.2        |         |        |
-| v4.9.1        |         |        |
-| v4.9.0        |         |        |
-| v4.8.2        |         |        |
-| v4.8.1        |         |        |
-| v4.8.0        |         |        |
-| v4.7.5        |         |        |
-| v4.7.4        |         |        |
-| v4.7.3        |         |        |
-| v4.7.2        |         |        |
-| v4.7.1        |         |        |
-| v4.7.0        |         |        |
-| v4.6.0        |         |        |
-| v4.5.4        |         |        |
-| v4.5.3        |         |        |
-| v4.5.2        |         |        |
-| v4.5.1        |         |        |
-| v4.5.0        |         |        |
-| v4.4.5        |         |        |
-| v4.4.4        |         |        |
-| v4.4.3        |         |        |
-| v4.4.2        |         |        |
-| v4.4.1        |         |        |
-| v4.4.0        |         |        |
-| v4.3.11       |         |        |
-| v4.3.10       |         |        |
-| v4.3.9        |         |        |
-| v4.3.8        |         |        |
-| v4.3.7        |         |        |
-| v4.3.6        |         |        |
-| v4.3.5        |         |        |
-| v4.3.4        |         |        |
-| v4.3.3        |         |        |
-| v4.3.2        |         |        |
-| v4.3.1        |         |        |
-| v4.3.0        |         |        |
-| v4.2.7        | 1.13.2  | 7.11.2 |
-| v4.2.6        | 1.13.2  | 7.11.2 |
-| v4.2.5        | 1.13.2  | 7.11.2 |
-| v4.2.4        | 1.13.2  | 7.11.2 |
-| v4.2.3        | 1.13.2  | 7.11.2 |
-| v4.2.2        | 1.13.2  | 7.11.2 |
-| v4.2.1        | 1.13.2  | 7.11.2 |
-| v4.2.0        | 1.13.2  | 7.10.2 |
-| v4.1.5        | 1.13.2  | 7.10.2 |
-| v4.1.4        | 1.12.0  | 7.10.2 |
-| v4.1.3        | 1.12.0  | 7.10.2 |
-| v4.1.2        | 1.12.0  | 7.10.2 |
-| v4.1.1        | 1.12.0  | 7.10.2 |
-| v4.1.0        | 1.12.0  | 7.10.2 |
-| v4.0.4        | 1.11.0  |        |
-| v4.0.3        | 1.11.0  |        |
-| v4.0.2        | 1.11.0  |        |
-| v4.0.1        | 1.11.0  |        |
-| v4.0.0        | 1.10.1  |        |
-
-## Credits and Thank you
+## Authors / Maintainers
 
 These Docker containers are based on:
 
 *  "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
 *  "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
 
+This project is maintained by the [Wazuh](https://wazuh.com) team, with active contributions from the community.
+
+See the full list of contributors at:
+[https://github.com/wazuh/wazuh-docker/graphs/contributors](https://github.com/wazuh/wazuh-docker/graphs/contributors)
+
 We thank them and everyone else who has contributed to this project.
 
 ## License and copyright

VERSION.json

@@ -1,4 +1,4 @@
 {
-    "version": "4.12.0",
-    "stage": "rc1"
+    "version": "5.0.0",
+    "stage": "alpha0"
 }

build-docker-images/README.md

@@ -13,7 +13,7 @@ This script initializes the environment variables needed to build each of the im
 The script allows you to build images from other versions of Wazuh, to do this you must use the -v or --version argument:
 
 ```
-$ build-docker-images/build-images.sh -v 4.12.0
+$ build-docker-images/build-images.sh -v 5.0.0
 ```
 
 To get all the available script options use the -h or --help option:
@@ -26,7 +26,7 @@ Usage: build-docker-images/build-images.sh [OPTIONS]
     -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
     -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.4.
     -r, --revision <rev>         [Optional] Package revision. By default 1
-    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 4.12.0.
+    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 5.0.0.
     -h, --help                   Show this help.
 
 ```

build-docker-images/build-images.sh

@@ -1,4 +1,4 @@
-WAZUH_IMAGE_VERSION=4.12.0
+WAZUH_IMAGE_VERSION=5.0.0
 WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
 WAZUH_TAG_REVISION=1
 WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '["]tag_name["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
@@ -12,7 +12,7 @@ IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
 # License (version 2) as published by the FSF - Free Software
 # Foundation.
 
-WAZUH_IMAGE_VERSION="4.12.0"
+WAZUH_IMAGE_VERSION="5.0.0"
 WAZUH_TAG_REVISION="1"
 WAZUH_DEV_STAGE=""
 FILEBEAT_MODULE_VERSION="0.4"
@@ -65,7 +65,7 @@ build() {
     echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> .env
     echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> .env
 
-    docker-compose -f build-docker-images/build-images.yml --env-file .env build --no-cache || clean 1
+    docker compose -f build-docker-images/build-images.yml --env-file .env build --no-cache || clean 1
 
     return 0
 }

build-docker-images/build-images.yml

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3.7'
-
 services:
   wazuh.manager:
     build:
@@ -29,13 +27,21 @@ services:
       - wazuh_logs:/var/ossec/logs
       - wazuh_queue:/var/ossec/queue
       - wazuh_var_multigroups:/var/ossec/var/multigroups
-      - wazuh_integrations:/var/ossec/integrations
       - wazuh_active_response:/var/ossec/active-response/bin
-      - wazuh_agentless:/var/ossec/agentless
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
 
+  wazuh.agent:
+    build:
+      context: wazuh-agent/
+      args:
+        WAZUH_VERSION: ${WAZUH_VERSION}
+        WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
+    image: wazuh/wazuh-agent:${WAZUH_IMAGE_VERSION}
+    hostname: wazuh.agent
+    restart: always
+
   wazuh.indexer:
     build:
       context: wazuh-indexer/
@@ -86,9 +92,7 @@ volumes:
   wazuh_logs:
   wazuh_queue:
   wazuh_var_multigroups:
-  wazuh_integrations:
   wazuh_active_response:
-  wazuh_agentless:
   wazuh_wodles:
   filebeat_etc:
   filebeat_var:

build-docker-images/wazuh-agent/Dockerfile

@@ -0,0 +1,36 @@
+# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+FROM amazonlinux:2023
+
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+
+ARG WAZUH_VERSION
+ARG WAZUH_TAG_REVISION
+ARG S6_VERSION="v2.2.0.3"
+ARG WAZUH_MANAGER='CHANGE_MANAGER_IP'
+ARG WAZUH_MANAGER_PORT='CHANGE_MANAGER_PORT'
+ARG WAZUH_REGISTRATION_SERVER='CHANGE_ENROLL_IP'
+ARG WAZUH_REGISTRATION_PORT='CHANGE_ENROLL_PORT'
+ARG WAZUH_AGENT_NAME='CHANGEE_AGENT_NAME'
+
+COPY config/check_repository.sh /
+
+RUN yum install curl-minimal tar gzip procps -y &&\
+    yum clean all
+
+RUN chmod 775 /check_repository.sh
+RUN source /check_repository.sh
+
+RUN yum install wazuh-agent-${WAZUH_VERSION}-${WAZUH_TAG_REVISION} -y && \
+    yum clean all && \
+    sed -i '/<authorization_pass_path>/d' /var/ossec/etc/ossec.conf && \
+    curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
+    -o /tmp/s6-overlay-amd64.tar.gz && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
+    tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
+    rm  /tmp/s6-overlay-amd64.tar.gz
+
+COPY config/etc/ /etc/
+
+RUN rm /etc/yum.repos.d/wazuh.repo
+
+ENTRYPOINT [ "/init" ]

build-docker-images/wazuh-agent/config/check_repository.sh

@@ -0,0 +1,15 @@
+## variables
+APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
+GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
+REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages-dev.wazuh.com/pre-release/yum/\nprotect=1"
+WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags | grep '["]ref["]:' | sed -E 's/.*\"([^\"]+)\".*/\1/'  | cut -c 11- | grep ^v${WAZUH_VERSION}$)
+
+## check tag to use the correct repository
+if [[ -n "${WAZUH_TAG}" ]]; then
+  APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
+  GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
+fi
+
+rpm --import "${APT_KEY}"
+echo -e "${REPOSITORY}" | tee /etc/yum.repos.d/wazuh.repo

build-docker-images/wazuh-agent/config/etc/cont-init.d/0-wazuh-init

@@ -0,0 +1,90 @@
+#!/usr/bin/with-contenv bash
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+
+WAZUH_INSTALL_PATH=/var/ossec
+WAZUH_CONFIG_MOUNT=/wazuh-config-mount
+WAZUH_MANAGER_SERVER=$WAZUH_MANAGER_SERVER
+WAZUH_MANAGER_PORT=${WAZUH_MANAGER_PORT:-"1514"}
+WAZUH_REGISTRATION_SERVER=${WAZUH_REGISTRATION_SERVER:-$WAZUH_MANAGER_SERVER}
+WAZUH_REGISTRATION_PORT=${WAZUH_REGISTRATION_PORT:-"1515"}
+WAZUH_REGISTRATION_PASSWORD=$WAZUH_REGISTRATION_PASSWORD
+WAZUH_AGENT_NAME=${WAZUH_AGENT_NAME:-"wazuh-agent-$HOSTNAME"}
+
+##############################################################################
+# Aux functions
+##############################################################################
+print() {
+  echo -e $1
+}
+
+error_and_exit() {
+  echo "Error executing command: '$1'."
+  echo 'Exiting.'
+  exit 1
+}
+
+exec_cmd() {
+  eval $1 > /dev/null 2>&1 || error_and_exit "$1"
+}
+
+exec_cmd_stdout() {
+  eval $1 2>&1 || error_and_exit "$1"
+}
+
+##############################################################################
+# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
+# destination files permissions
+#
+# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
+# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
+# replace the ossec.conf file in /var/ossec/data/etc with yours.
+##############################################################################
+
+mount_files() {
+  if [ -e "$WAZUH_CONFIG_MOUNT" ]
+  then
+    print "Identified Wazuh configuration files to mount..."
+    exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
+  else
+    print "No Wazuh configuration files to mount..."
+  fi
+}
+
+##############################################################################
+# Allow users to set the manager ip and port, enrollment ip and port and
+# enroll dynamically on container start.
+#
+# To use this:
+# 1. Create your own ossec.conf file
+# 2. In your ossec.conf file, use the <agent> configuration
+# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
+##############################################################################
+
+set_manager_conn() {
+  echo "ossec.conf configuration"
+  sed -i "s#<address>CHANGE_MANAGER_IP</address>#<address>$WAZUH_MANAGER_SERVER</address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<port>CHANGE_MANAGER_PORT</port>#<port>$WAZUH_MANAGER_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<manager_address>CHANGE_ENROLL_IP</manager_address>#<manager_address>$WAZUH_REGISTRATION_SERVER</manager_address>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<port>CHANGE_ENROLL_PORT</port>#<port>$WAZUH_REGISTRATION_PORT</port>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  sed -i "s#<agent_name>CHANGEE_AGENT_NAME</agent_name>#<agent_name>$WAZUH_AGENT_NAME</agent_name>#g" ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+  [ -n "$WAZUH_REGISTRATION_PASSWORD" ] && \
+  echo "$WAZUH_REGISTRATION_PASSWORD" > ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
+  chown root:wazuh ${WAZUH_INSTALL_PATH}/etc/authd.pass && \
+  chmod 640 ${WAZUH_INSTALL_PATH}/etc/authd.pass
+}
+
+##############################################################################
+# Main function
+##############################################################################
+
+main() {
+
+  # Mount selected files (WAZUH_CONFIG_MOUNT) to container
+  mount_files
+
+  # Configure agent variables
+  set_manager_conn
+
+}
+
+main

build-docker-images/wazuh-agent/config/etc/cont-init.d/1-agent

@@ -0,0 +1,44 @@
+#!/usr/bin/with-contenv bash
+
+##############################################################################
+# Migration sequence
+# Detect if there is a mounted volume on /wazuh-migration and copy the data
+# to /var/ossec, finally it will create a flag ".migration-completed" inside
+# the mounted volume
+##############################################################################
+
+function __colortext()
+{
+  echo -e " \e[1;$2m$1\e[0m"
+}
+
+function echogreen()
+{
+  echo $(__colortext "$1" "32")
+}
+
+function echoyellow()
+{
+  echo $(__colortext "$1" "33")
+}
+
+function echored()
+{
+  echo $(__colortext "$1" "31")
+}
+
+function_entrypoint_scripts() {
+  # It will run every .sh script located in entrypoint-scripts folder in lexicographical order
+  if [ -d "/entrypoint-scripts/" ]
+  then
+    for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
+      bash "$script"
+    done
+  fi
+}
+
+# run entrypoint scripts
+function_entrypoint_scripts
+
+# Start Wazuh
+/var/ossec/bin/wazuh-control start

build-docker-images/wazuh-agent/config/etc/services.d/ossec-logs/run

@@ -0,0 +1,4 @@
+#!/usr/bin/with-contenv sh
+
+# dumping ossec.log to standard output
+exec tail -F /var/ossec/logs/ossec.log

build-docker-images/wazuh-dashboard/config/check_repository.sh

@@ -8,7 +8,7 @@ WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags
 if [[ -n "${WAZUH_TAG}" ]]; then
   APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
   GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
-  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1"
 fi
 
 rpm --import "${APT_KEY}"

build-docker-images/wazuh-dashboard/config/config.sh

@@ -9,8 +9,8 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.12/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.12/
+PACKAGES_URL=https://packages.wazuh.com/5.0/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-indexer/Dockerfile

@@ -67,20 +67,20 @@ RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
 RUN chown 1000:1000 /*.sh
 
 COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer
-COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer
+COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer/config
+COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
 COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
 
-RUN chown -R 1000:1000 /usr/share/wazuh-indexer
-
 RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
     mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
     mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
     mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
     chmod 700 /usr/share/wazuh-indexer && \
-    chmod 600 /usr/share/wazuh-indexer/jvm.options && \
-    chmod 600 /usr/share/wazuh-indexer/opensearch.yml
+    chmod 700 /usr/share/wazuh-indexer/config && \
+    chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \
+    chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml
 
 USER wazuh-indexer
 

build-docker-images/wazuh-indexer/config/check_repository.sh

@@ -8,7 +8,7 @@ WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags
 if [[ -n "${WAZUH_TAG}" ]]; then
   APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
   GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
-  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1"
 fi
 
 rpm --import "${APT_KEY}"

build-docker-images/wazuh-indexer/config/config.sh

@@ -13,7 +13,7 @@ export LOG_DIR=/var/log/${NAME}
 export LIB_DIR=/var/lib/${NAME}
 export PID_DIR=/run/${NAME}
 export INSTALLATION_DIR=/usr/share/${NAME}
-export CONFIG_DIR=${INSTALLATION_DIR}
+export CONFIG_DIR=${INSTALLATION_DIR}/config
 export BASE_DIR=${NAME}-*
 export INDEXER_FILE=wazuh-indexer-base.tar.xz
 export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
@@ -22,8 +22,8 @@ export REPO_DIR=/unattended_installer
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.12/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.12/
+PACKAGES_URL=https://packages.wazuh.com/5.0/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -6,7 +6,7 @@ umask 0002
 
 export USER=wazuh-indexer
 export INSTALLATION_DIR=/usr/share/wazuh-indexer
-export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}
+export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
 export JAVA_HOME=${INSTALLATION_DIR}/jdk
 export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
 export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)

build-docker-images/wazuh-indexer/config/opensearch.yml

@@ -1,9 +1,9 @@
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
+cluster.name: "wazuh-cluster"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
-compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem

build-docker-images/wazuh-manager/Dockerfile

@@ -50,9 +50,6 @@ RUN chmod go-w /etc/filebeat/wazuh-template.json
 RUN mkdir -p /var/ossec/var/multigroups && \
     chown root:wazuh /var/ossec/var/multigroups && \
     chmod 770 /var/ossec/var/multigroups && \
-    mkdir -p /var/ossec/agentless && \
-    chown root:wazuh /var/ossec/agentless && \
-    chmod 770 /var/ossec/agentless && \
     mkdir -p /var/ossec/active-response/bin && \
     chown root:wazuh /var/ossec/active-response/bin && \
     chmod 770 /var/ossec/active-response/bin && \

build-docker-images/wazuh-manager/config/check_repository.sh

@@ -8,7 +8,7 @@ WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags
 if [[ -n "${WAZUH_TAG}" ]]; then
   APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
   GPG_SIGN="gpgcheck=1\ngpgkey=${APT_KEY}]"
-  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1"
+  REPOSITORY="[wazuh]\n${GPG_SIGN}\nenabled=1\nname=EL-\$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/5.x/yum/\nprotect=1"
 fi
 
 rpm --import "${APT_KEY}"

build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init

@@ -167,16 +167,17 @@ set_custom_cluster_key() {
 }
 
 ##############################################################################
-# Modify /var/ossec/queue/rids directory owner on
-# container start.
+# Set correct ownership for Wazuh related directories
+# on container start.
 ##############################################################################
 
-set_rids_owner() {
+configure_permissions() {
   chown -R wazuh:wazuh /var/ossec/queue/rids
+  chown -R wazuh:wazuh /var/ossec/etc/lists
 }
 
 ##############################################################################
-# Change any ossec user/group to wazuh user/group 
+# Change any ossec user/group to wazuh user/group
 ##############################################################################
 
 set_correct_permOwner() {
@@ -226,8 +227,8 @@ main() {
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
 
-  # Set rids directory owner
-  set_rids_owner
+  # Set correct ownership for Wazuh related directories
+  configure_permissions
 }
 
 main

build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager

@@ -60,12 +60,6 @@ function_wazuh_migration(){
       chown wazuh:wazuh /var/ossec/etc/rules/*
       chmod 660 /var/ossec/etc/rules/*
 
-      if [ -e /wazuh-migration/data/agentless/.passlist ]; then
-        \cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
-        chown root:wazuh /var/ossec/agentless/.passlist
-        chmod 640 /var/ossec/agentless/.passlist
-      fi
-
       \cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
       chown wazuh:wazuh /var/ossec/queue/db/global.db
       chmod 640 /var/ossec/queue/db/global.db
@@ -115,8 +109,8 @@ function_entrypoint_scripts() {
 function_configure_vulnerability_detection() {
 if [ "$INDEXER_PASSWORD" != "" ]; then
   >&2 echo "Configuring password."
-  /var/ossec/bin/wazuh-keystore -f indexer -k username -v $INDEXER_USERNAME
-  /var/ossec/bin/wazuh-keystore -f indexer -k password -v $INDEXER_PASSWORD
+    echo "$INDEXER_USERNAME" | /var/ossec/bin/wazuh-keystore -f indexer -k username
+    echo "$INDEXER_PASSWORD" | /var/ossec/bin/wazuh-keystore -f indexer -k password
 fi
 }
 

build-docker-images/wazuh-manager/config/filebeat_module.sh

@@ -4,7 +4,7 @@ WAZUH_TAG=$(curl --silent https://api.github.com/repos/wazuh/wazuh/git/refs/tags
 
 ## check tag to use the correct repository
 if [[ -n "${WAZUH_TAG}" ]]; then
-  REPOSITORY="packages.wazuh.com/4.x"
+  REPOSITORY="packages.wazuh.com/5.x"
 fi
 
 curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-x86_64.rpm &&\

build-docker-images/wazuh-manager/config/permanent_data.env

@@ -4,9 +4,7 @@ PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
 PERMANENT_DATA[((i++))]="/var/ossec/etc"
 PERMANENT_DATA[((i++))]="/var/ossec/logs"
 PERMANENT_DATA[((i++))]="/var/ossec/queue"
-PERMANENT_DATA[((i++))]="/var/ossec/agentless"
 PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
-PERMANENT_DATA[((i++))]="/var/ossec/integrations"
 PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
 PERMANENT_DATA[((i++))]="/var/ossec/wodles"
 PERMANENT_DATA[((i++))]="/etc/filebeat"
@@ -16,16 +14,6 @@ export PERMANENT_DATA
 # Files mounted in a volume that should not be permanent
 i=0
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/shuffle.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty.py"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/maltiverse.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
@@ -41,18 +29,6 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
-PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
@@ -97,6 +73,11 @@ PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/exceptions.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/bucket.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/buckets/access_logs.py"
 PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/pubsub/subscriber.py"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malicious-ip"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malicious-domains"
+PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/lists/malicious-ioc/malware-hashes"
+PERMANENT_DATA_EXCP[((i++))]="/etc/filebeat/wazuh-template.json"
+PERMANENT_DATA_EXCP[((i++))]="/etc/filebeat/filebeat.yml"
 export PERMANENT_DATA_EXCP
 
 # Files mounted in a volume that should be deleted

docs/.gitignore

@@ -0,0 +1 @@
+book

docs/README.md

@@ -0,0 +1,212 @@
+# Wazuh containers for Docker
+
+[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack/)
+[![Email](https://img.shields.io/badge/email-join-blue.svg)](https://groups.google.com/forum/#!forum/wazuh)
+[![Documentation](https://img.shields.io/badge/docs-view-green.svg)](https://documentation.wazuh.com)
+[![Documentation](https://img.shields.io/badge/web-view-green.svg)](https://wazuh.com)
+
+In this repository you will find the containers to run:
+
+* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
+* Wazuh dashboard: provides a web user interface to browse through alert data and allows you to visualize the agents configuration and status.
+* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
+* Wazuh agent: This container contains the Wazuh agent services. Current functionality is limited.
+
+The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
+The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
+The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
+The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexers, and one Wazuh dashboard.
+The folder `wazuh-agent` contains a README explaining how to run a container with Wazuh agent.
+
+## Documentation
+
+* [Wazuh full documentation](http://documentation.wazuh.com)
+* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
+* [Docker Hub](https://hub.docker.com/u/wazuh)
+
+## Directory structure
+
+	├── build-docker-images
+	│   ├── build-images.sh
+	│   ├── build-images.yml
+	│   ├── README.md
+	│   ├── wazuh-agent
+	│   │   ├── config
+	│   │   │   ├── check_repository.sh
+	│   │   │   └── etc
+	│   │   │       ├── cont-init.d
+	│   │   │       │   ├── 0-wazuh-init
+	│   │   │       │   └── 1-agent
+	│   │   │       └── services.d
+	│   │   │           └── ossec-logs
+	│   │   │               └── run
+	│   │   └── Dockerfile
+	│   ├── wazuh-dashboard
+	│   │   ├── config
+	│   │   │   ├── check_repository.sh
+	│   │   │   ├── config.sh
+	│   │   │   ├── config.yml
+	│   │   │   ├── entrypoint.sh
+	│   │   │   ├── wazuh_app_config.sh
+	│   │   │   └── wazuh.yml
+	│   │   └── Dockerfile
+	│   ├── wazuh-indexer
+	│   │   ├── config
+	│   │   │   ├── action_groups.yml
+	│   │   │   ├── check_repository.sh
+	│   │   │   ├── config.sh
+	│   │   │   ├── config.yml
+	│   │   │   ├── entrypoint.sh
+	│   │   │   ├── internal_users.yml
+	│   │   │   ├── opensearch.yml
+	│   │   │   ├── roles_mapping.yml
+	│   │   │   ├── roles.yml
+	│   │   │   └── securityadmin.sh
+	│   │   └── Dockerfile
+	│   └── wazuh-manager
+	│       ├── config
+	│       │   ├── check_repository.sh
+	│       │   ├── create_user.py
+	│       │   ├── etc
+	│       │   │   ├── cont-init.d
+	│       │   │   │   ├── 0-wazuh-init
+	│       │   │   │   ├── 1-config-filebeat
+	│       │   │   │   └── 2-manager
+	│       │   │   └── services.d
+	│       │   │       ├── filebeat
+	│       │   │       │   ├── finish
+	│       │   │       │   └── run
+	│       │   │       └── ossec-logs
+	│       │   │           └── run
+	│       │   ├── filebeat_module.sh
+	│       │   ├── filebeat.yml
+	│       │   ├── permanent_data.env
+	│       │   └── permanent_data.sh
+	│       └── Dockerfile
+	├── CHANGELOG.md
+	├── docs
+	│   ├── book.toml
+	│   ├── build.sh
+	│   ├── dev
+	│   │   ├── build-image.md
+	│   │   ├── README.md
+	│   │   ├── run-tests.md
+	│   │   └── setup.md
+	│   ├── README.md
+	│   ├── ref
+	│   │   ├── configuration
+	│   │   │   ├── configuration-files.md
+	│   │   │   ├── environment-variables.md
+	│   │   │   └── README.md
+	│   │   ├── getting-started
+	│   │   │   ├── deployment
+	│   │   │   │   ├── multi-node.md
+	│   │   │   │   ├── README.md
+	│   │   │   │   ├── single-node.md
+	│   │   │   │   └── wazuh-agent.md
+	│   │   │   ├── README.md
+	│   │   │   └── requirements.md
+	│   │   ├── glossary.md
+	│   │   ├── Introduction
+	│   │   │   ├── compatibility.md
+	│   │   │   ├── description.md
+	│   │   │   └── README.md
+	│   │   ├── README.md
+	│   │   └── upgrade.md
+	│   ├── server.sh
+	│   └── SUMMARY.md
+	├── indexer-certs-creator
+	│   ├── config
+	│   │   └── entrypoint.sh
+	│   ├── Dockerfile
+	│   └── README.md
+	├── LICENSE
+	├── multi-node
+	│   ├── config
+	│   │   ├── certs.yml
+	│   │   ├── nginx
+	│   │   │   └── nginx.conf
+	│   │   ├── wazuh_cluster
+	│   │   │   ├── wazuh_manager.conf
+	│   │   │   └── wazuh_worker.conf
+	│   │   ├── wazuh_dashboard
+	│   │   │   ├── opensearch_dashboards.yml
+	│   │   │   └── wazuh.yml
+	│   │   └── wazuh_indexer
+	│   │       ├── internal_users.yml
+	│   │       ├── wazuh1.indexer.yml
+	│   │       ├── wazuh2.indexer.yml
+	│   │       └── wazuh3.indexer.yml
+	│   ├── docker-compose.yml
+	│   ├── generate-indexer-certs.yml
+	│   ├── Migration-to-Wazuh-4.4.md
+	│   ├── README.md
+	│   └── volume-migrator.sh
+	├── README.md
+	├── SECURITY.md
+	├── single-node
+	│   ├── config
+	│   │   ├── certs.yml
+	│   │   ├── wazuh_cluster
+	│   │   │   └── wazuh_manager.conf
+	│   │   ├── wazuh_dashboard
+	│   │   │   ├── opensearch_dashboards.yml
+	│   │   │   └── wazuh.yml
+	│   │   ├── wazuh_indexer
+	│   │   │   ├── internal_users.yml
+	│   │   │   └── wazuh.indexer.yml
+	│   │   └── wazuh_indexer_ssl_certs  [error opening dir]
+	│   ├── docker-compose.yml
+	│   ├── generate-indexer-certs.yml
+	│   └── README.md
+	├── VERSION.json
+	└── wazuh-agent
+		├── config
+		│   └── wazuh-agent-conf
+		└── docker-compose.yml
+
+## Branches
+
+* `main` branch contains the latest code, be aware of possible bugs on this branch.
+
+## Compatibility Matrix
+
+| Wazuh version | ODFE    | XPACK  |
+|---------------|---------|--------|
+| v4.3.0+       |         |        |
+| v4.2.7        | 1.13.2  | 7.11.2 |
+| v4.2.6        | 1.13.2  | 7.11.2 |
+| v4.2.5        | 1.13.2  | 7.11.2 |
+| v4.2.4        | 1.13.2  | 7.11.2 |
+| v4.2.3        | 1.13.2  | 7.11.2 |
+| v4.2.2        | 1.13.2  | 7.11.2 |
+| v4.2.1        | 1.13.2  | 7.11.2 |
+| v4.2.0        | 1.13.2  | 7.10.2 |
+| v4.1.5        | 1.13.2  | 7.10.2 |
+| v4.1.4        | 1.12.0  | 7.10.2 |
+| v4.1.3        | 1.12.0  | 7.10.2 |
+| v4.1.2        | 1.12.0  | 7.10.2 |
+| v4.1.1        | 1.12.0  | 7.10.2 |
+| v4.1.0        | 1.12.0  | 7.10.2 |
+| v4.0.4        | 1.11.0  |        |
+| v4.0.3        | 1.11.0  |        |
+| v4.0.2        | 1.11.0  |        |
+| v4.0.1        | 1.11.0  |        |
+| v4.0.0        | 1.10.1  |        |
+
+## Credits and Thank you
+
+These Docker containers are based on:
+
+*  "deviantony" dockerfiles which can be found at [https://github.com/deviantony/docker-elk](https://github.com/deviantony/docker-elk)
+*  "xetus-oss" dockerfiles, which can be found at [https://github.com/xetus-oss/docker-ossec-server](https://github.com/xetus-oss/docker-ossec-server)
+
+We thank them and everyone else who has contributed to this project.
+
+## License and copyright
+
+Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+
+## Web references
+
+[Wazuh website](http://wazuh.com)

docs/SUMMARY.md

@@ -0,0 +1,26 @@
+# Summary
+
+- [Introduction](README.md)
+
+# Development Guide
+
+- [Introduction](dev/introduction.md)
+- [Setup Environment](dev/setup.md)
+- [Build Image](dev/build-image.md)
+- [Run Tests](dev/run-tests.md)
+
+# Reference Manual
+
+- [Introduction](ref/Introduction/introduction.md)
+  - [Description](ref/Introduction/description.md)
+- [Getting Started](ref/getting-started/getting-started.md)
+  - [Requirements](ref/getting-started/requirements.md)
+  - [Deployment](ref/getting-started/deployment/deployment.md)
+    - [Single Node Wazuh Stack](ref/getting-started/deployment/single-node.md)
+    - [Multi Node Wazuh Stack](ref/getting-started/deployment/multi-node.md)
+    - [Wazuh Agent](ref/getting-started/deployment/wazuh-agent.md)
+- [Configuration](ref/configuration/configuration.md)
+  - [Environment Variabless](ref/configuration/environment-variables.md)
+  - [Configuration files](ref/configuration/configuration-files.md)
+- [Upgrade](ref/upgrade.md)
+- [Glossary](ref/glossary.md)

docs/book.toml

@@ -0,0 +1,7 @@
+[book]
+title = "Wazuh Docker Documentation"
+description = "Technical documentation for Wazuh Docker deployment."
+authors = ["Victor Erenu"]
+multilingual = false
+src = "."
+language = "en"

docs/build.sh

@@ -0,0 +1,3 @@
+#! /bin/sh
+
+mdbook build

docs/dev/build-image.md

@@ -0,0 +1,32 @@
+# Wazuh Docker Image Builder
+
+The creation of the images for the Wazuh stack deployment in Docker is done with the build-images.yml script
+
+To execute the process, the following must be executed in the root of the wazuh-docker repository:
+
+```
+$ build-docker-images/build-images.sh
+```
+
+This script initializes the environment variables needed to build each of the images.
+
+The script allows you to build images from other versions of Wazuh, to do this you must use the -v or --version argument:
+
+```
+$ build-docker-images/build-images.sh -v 5.0.0
+```
+
+To get all the available script options use the -h or --help option:
+
+```
+$ build-docker-images/build-images.sh -h
+
+Usage: build-docker-images/build-images.sh [OPTIONS]
+
+    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
+    -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.4.
+    -r, --revision <rev>         [Optional] Package revision. By default 1
+    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 5.0.0.
+    -h, --help                   Show this help.
+
+```

docs/dev/introduction.md

@@ -0,0 +1,40 @@
+# Development Guide - Introduction
+
+Welcome to the Development Guide for Wazuh-docker version 5.0.0 This guide is intended for developers, contributors, and advanced users who wish to understand the development aspects of the Wazuh-Docker project, build custom Docker images, or contribute to its development.
+
+## Purpose of This Guide
+
+The primary goals of this guide are:
+
+-   To provide a clear understanding of the development environment setup.
+-   To outline the process for building Wazuh Docker images from source.
+-   To explain how to run tests to ensure the integrity and functionality of the images.
+-   To offer insights into the project structure and contribution guidelines (though detailed contribution guidelines are typically found in `CONTRIBUTING.md` in the repository).
+
+## Who Should Use This Guide?
+
+This guide is for you if you want to:
+
+-   Modify existing Wazuh Docker images.
+-   Build Wazuh Docker images for a specific Wazuh version or with custom configurations.
+-   Understand the build process and scripts used in this project.
+-   Contribute code, features, or bug fixes to the Wazuh-Docker repository.
+
+## What This Guide Covers
+
+This guide is organized into the following sections:
+
+-   **[Setup Environment](setup.md)**: Instructions on how to prepare your local machine for Wazuh-Docker development, including necessary tools and dependencies.
+-   **[Build Image](build-image.md)**: Step-by-step procedures for building the various Wazuh Docker images (Wazuh manager, Wazuh indexer, Wazuh dashboard).
+-   **[Run Tests](run-tests.md)**: Information on how to execute automated tests to validate the built images and configurations.
+
+## Prerequisites
+
+Before you begin, it's assumed that you have a basic understanding of:
+
+-   Docker and Docker Compose.
+-   Linux command-line interface.
+-   Version control systems like Git.
+-   The Wazuh platform and its components.
+
+We encourage you to explore the Wazuh-Docker repository and familiarize yourself with its structure. If you plan to contribute, please also review the project's contribution guidelines.

docs/dev/run-tests.md

@@ -0,0 +1,28 @@
+# Pull Request Test Execution
+
+This repository includes automated tests designed to validate the correct deployment of Wazuh using Docker. These tests are executed on every pull request (PR) to ensure the integrity and stability of the system when changes are introduced.
+
+## Purpose
+
+The main objective of the tests is to verify that the Wazuh Docker environment can be successfully deployed and that all its core components (Wazuh Manager, Indexer, Dashboard, and Agents) operate as expected after any modification in the codebase.
+
+## When Tests Run
+
+- Tests are automatically triggered on every pull request (PR) opened against the repository.
+- They also run when changes are pushed to an existing PR.
+
+## What Is Tested
+
+The tests aim to ensure:
+- Successful build and startup of all Docker containers.
+- Proper communication between components (e.g., Manager ↔ Indexer, Dashboard ↔ API).
+- No critical errors appear in the logs.
+- Key services are healthy and accessible.
+
+## Benefits
+
+- Reduces the risk of breaking the deployment flow.
+- Ensures system consistency during feature development and refactoring.
+- Provides early feedback on integration issues before merging.
+
+---

docs/dev/setup.md

@@ -0,0 +1,55 @@
+# Development Guide - Setup Environment
+
+This section outlines the steps required to set up your local development environment for working with the Wazuh-Docker project (version 5.0.0). A proper setup is crucial for building images, running tests, and contributing effectively.
+
+## Prerequisites
+
+Before you begin, ensure your system meets the following requirements:
+
+1.  **Operating System**:
+    * A Linux-based distribution is recommended (e.g., Ubuntu, RedHat).
+    * macOS or Windows with WSL 2 can also be used, but some scripts might require adjustments.
+
+2.  **Docker and Docker Compose**:
+    * **Docker Engine**: Install the latest stable version of Docker Engine. Refer to the [official Docker documentation](https://docs.docker.com/engine/install/) for installation instructions specific to your OS.
+
+3.  **Git**:
+    * Install Git for cloning the repository and managing versions. Most systems have Git pre-installed. If not, visit [https://git-scm.com/downloads](https://git-scm.com/downloads).
+
+5.  **Sufficient System Resources**:
+    * **RAM**: At least 8GB of RAM is recommended, especially if you plan to run multiple Wazuh components locally. 16GB or more is ideal.
+    * **CPU**: A multi-core processor (2+ cores) is recommended.
+    * **Disk Space**: Ensure you have sufficient disk space (at least 20-30GB) for Docker images, containers, and Wazuh data.
+
+## Setting Up the Environment
+
+Follow these steps to prepare your development environment:
+
+1.  **Clone the Repository**:
+    Clone the `wazuh-docker` repository from GitHub. It's important to check out the specific branch you intend to work with, in this case, `5.0.0`.
+
+    ```bash
+    git clone [https://github.com/wazuh/wazuh-docker.git](https://github.com/wazuh/wazuh-docker.git)
+    cd wazuh-docker
+    git checkout v5.0.0
+    ```
+
+2.  **Verify Docker Installation**:
+    Ensure Docker is running and accessible by your user (you might need to add your user to the `docker` group or use `sudo`).
+
+    ```bash
+    docker --version
+    docker info
+    ```
+    These commands should output the versions of Docker and information about your Docker setup without errors.
+
+3.  **Review Project Structure**:
+    Familiarize yourself with the directory structure of the cloned repository. Key directories often include:
+    * `build-docker-images/wazuh-manager/`: Dockerfile and related files for the Wazuh manager.
+    * `build-docker-images/wazuh-indexer/`: Dockerfile and related files for the Wazuh indexer.
+    * `build-docker-images/wazuh-dashboard/`: Dockerfile and related files for the Wazuh dashboard.
+    * `build-docker-images/wazuh-agent/` : Dockerfile and related files for Wazuh agents.
+    * `single-node/` : Compose and configuration files for Wazuh deployment with 1 container of each Wazuh component.
+    * `multi-node/` : Compose and configuration files for Wazuh deployment with 1 container of Wazuh dashboardm 2 containers of Wazuh manager (1 master and 1 worker) and 3 containers of Wazuh indexer.
+    * `wazuh-agent/` : Compose and configuration files for Wazuh agent deployment.
+

docs/ref/Introduction/description.md

@@ -0,0 +1,45 @@
+# Reference Manual - Description
+
+This section provides a detailed description of Wazuh-docker (version 5.0.0), its components, and its architecture when deployed using Docker containers. Understanding these aspects is key to effectively deploying and managing your Wazuh environment.
+
+## What is Wazuh?
+
+Wazuh is a free, open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance. It consists of several key components that work together to provide comprehensive security visibility.
+
+## What is Wazuh-docker?
+
+Wazuh-docker is a project that provides Docker images and `docker compose` configurations to simplify the deployment and management of the Wazuh platform. By containerizing Wazuh components, Wazuh-docker offers:
+
+-   **Rapid Deployment**: Quickly set up a full Wazuh environment.
+-   **Consistency**: Ensures that Wazuh runs the same way across different environments.
+-   **Scalability**: Easier to scale components as needed (especially with orchestrators like Kubernetes, though this documentation primarily focuses on Docker Compose).
+-   **Isolation**: Components run in isolated containers, reducing conflicts.
+-   **Portability**: Run Wazuh on Linux system that supports Docker.
+
+## Core Components in Wazuh-Docker
+
+The Wazuh-Docker project typically provides images for the following core Wazuh components, adapted for version 5.0.0:
+
+1.  **Wazuh Manager**:
+    -   The central component that collects and analyzes data from deployed Wazuh agents.
+    -   It performs log analysis, file integrity checking, rootkit detection, real-time alerting, and active response.
+    -   In a Docker deployment, the Wazuh manager runs in its own container. It exposes ports for agent communication and API access.
+
+2.  **Wazuh Indexer**:
+    -   A highly scalable, full-text search and analytics engine.
+    -   Based on OpenSearch (or historically Elasticsearch), it stores and indexes alerts and monitoring data generated by the Wazuh manager.
+    -   The Wazuh indexer container provides the data persistence layer for Wazuh alerts and events. For version 5.0.0, this is typically an OpenSearch-based component.
+
+3.  **Wazuh Dashboard**:
+    -   A flexible visualization tool based on OpenSearch Dashboards (or historically Kibana).
+    -   It provides a web interface for querying, visualizing, and analyzing Wazuh data stored in the Wazuh indexer.
+    -   Users can explore security events, manage agent configurations (via the Wazuh plugin), and generate reports.
+
+## Key Features of Wazuh-Docker Deployments
+
+-   **Docker Compose**: Most deployments are orchestrated using `docker-compose.yml` files, which define the services, networks, volumes, and configurations for the Wazuh stack.
+-   **Persistent Data**: Docker volumes are used to persist critical data, such as Wazuh manager configurations, agent keys, Wazuh indexer data, and Wazuh dashboard settings, even if containers are stopped or recreated.
+-   **Networking**: Docker networks are configured to allow communication between the Wazuh components.
+-   **Environment Variables**: Configuration of containers is often managed through environment variables passed at runtime.
+
+Understanding this architecture and the role of each component is fundamental for successful deployment, troubleshooting, and scaling of your Wazuh environment using Wazuh-Docker.

docs/ref/Introduction/introduction.md

@@ -0,0 +1,47 @@
+# Reference Manual - Introduction
+
+Welcome to the Reference Manual for Wazuh-Docker, version 5.0.0. This manual provides comprehensive information about deploying, configuring, and managing your Wazuh environment using Docker.
+
+## Purpose of This Manual
+
+This Reference Manual is designed to be your go-to resource for understanding the intricacies of Wazuh-Docker. It aims to cover:
+
+-   The core concepts and architecture of Wazuh when deployed with Docker.
+-   Step-by-step guidance for getting started, from requirements to various deployment scenarios.
+-   Detailed explanations of configuration options, including environment variables and persistent data management.
+-   Procedures for common operational tasks like upgrading your deployment.
+-   A glossary of terms to help you understand Wazuh and Docker-specific terminology.
+
+## Who Should Use This Manual?
+
+This manual is intended for:
+
+-   **System Administrators** responsible for deploying and maintaining Wazuh.
+-   **Security Analysts** who use Wazuh and need to understand its Dockerized deployment.
+-   **DevOps Engineers** integrating Wazuh into their CI/CD pipelines or containerized infrastructure.
+-   Anyone seeking detailed technical information about Wazuh-Docker.
+
+## How This Manual is Organized
+
+This manual is structured to help you find information efficiently:
+
+-   **[Description](description.md)**: Provides a detailed overview of Wazuh-Docker, its components, and how they work together in a containerized setup.
+-   **[Getting Started](getting-started/getting-started.md)**: Guides you through the initial setup, from prerequisites to deploying your first Wazuh stack.
+    -   **[Requirements](getting-started/requirements.md)**: Lists the necessary hardware and software.
+    -   **[Deployment](getting-started/deployment/README.md)**: Offers instructions for different deployment models:
+        -   [Single Node Wazuh Stack](getting-started/deployment/single-node.md)
+        -   [Multi Node Wazuh Stack](getting-started/deployment/multi-node.md)
+        -   [Wazuh Agent](getting-started/deployment/wazuh-agent.md)
+-   **[Configuration](configuration/configuration.md)**: Explains how to customize your Wazuh-Docker deployment.
+    -   [Environment Variables](configuration/environment-variables.md)
+    -   [Configuration Files](configuration/configuration-files.md)
+-   **[Upgrade](upgrade.md)**: Provides instructions for upgrading your Wazuh-Docker deployment to a newer version.
+-   **[Glossary](glossary.md)**: Defines key terms and concepts.
+
+## Using This Manual
+
+-   If you are new to Wazuh-docker, we recommend starting with the [Description](description.md) and then proceeding to the [Getting Started](getting-started/getting-started.md) section.
+-   If you need to customize your deployment, refer to the [Configuration](configuration/configuration.md) section.
+-   For specific terms or concepts, consult the [Glossary](glossary.md).
+
+This manual refers to version 5.0.0 of Wazuh-Docker. Ensure you are using the documentation that corresponds to your deployed version.

docs/ref/configuration/configuration-files.md

@@ -0,0 +1,32 @@
+# Configuration files
+
+### 1. Wazuh Manager Configuration
+
+* **`ossec.conf`**: The main configuration file for the Wazuh manager. It controls rules, decoders, agent enrollment, active responses, clustering, and more.
+    * **Customization**: Mount a custom `ossec.conf` or specific configuration snippets (e.g., local rules in `local_rules.xml`) into the manager container at `/wazuh-mount-point/`, which will be copied to the path `/var/ossec` (e.g., the file `/var/ossec/etc/ossec.conf` must be mounted at `/wazuh-mount-point/etc/ossec.conf`) .
+
+### 2. Wazuh Indexer Configuration
+
+* **`opensearch.yml`**: The primary configuration file for OpenSearch. Controls cluster settings, network binding, path settings, discovery, memory allocation, etc.
+    * **Customization**: Mount a custom `opensearch.yml` into the indexer container(s) at `/usr/share/wazuh-indexer/config/opensearch.yml`.
+* **JVM Settings (`jvm.options`)**: Manages Java Virtual Machine settings, especially heap size (`-Xms`, `-Xmx`). Critical for performance and stability.
+    * **Customization**: Mount a custom `jvm.options` file or set `OPENSEARCH_JAVA_OPTS` environment variable.
+
+### 3. Wazuh Dashboard (OpenSearch Dashboards) Configuration
+
+* **`opensearch_dashboards.yml`**: The main configuration file for OpenSearch Dashboards. Controls server host/port, OpenSearch connection URL, SSL settings, and Wazuh plugin settings.
+    * **Customization**: Mount a custom `opensearch_dashboards.yml` into the dashboard container at `/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml` and custom `wazuh.yml` into the dashboard container at `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` .
+* **Wazuh Plugin Settings**: The Wazuh plugin for the dashboard has its own configuration, often within `opensearch_dashboards.yml` or managed through environment variables, specifying the Wazuh API URL and credentials.
+
+## Applying Configuration Changes
+
+1.  **Modify `docker-compose.yml`**:
+    * For changes to environment variables, port mappings, or volume mounts.
+    * After changes, you typically need to stop and restart the containers:
+        ```bash
+        docker compose down
+        docker compose up -d
+        ```
+
+
+Consult the official Wazuh documentation for version 5.0.0 for detailed information on all possible configuration parameters for each component.

docs/ref/configuration/configuration.md

@@ -0,0 +1,28 @@
+# Reference Manual - Configuration
+
+This section details how to configure your Wazuh-Docker deployment (version 5.0.0). Proper configuration is key to tailoring the Wazuh stack to your specific needs, managing data persistence, and integrating with your environment.
+
+## Overview of Configuration Methods
+
+Configuring Wazuh components within a Docker environment typically involves several methods:
+
+1.  **[Environment Variables](environment-variables.md)**:
+    * Many container settings are controlled by passing environment variables at runtime (e.g., via the `docker-compose.yml` file or `docker run` commands).
+    * These are often used for setting up initial passwords, component versions, cluster names, or basic operational parameters.
+
+2.  **[Configuration Files](configuration-files.md)**:
+    * Core Wazuh components (manager, indexer, dashboard) rely on their traditional configuration files (e.g., `ossec.conf`, `opensearch.yml`, `opensearch_dashboards.yml`).
+    * To customize these, you typically mount your custom configuration files into the containers, replacing or supplementing the defaults. This is managed using Docker volumes in your `docker-compose.yml`.
+
+3.  **Docker Compose File (`docker-compose.yml`)**:
+    * The `docker-compose.yml` file itself is a primary configuration tool. It defines:
+        * Which services (containers) to run.
+        * The Docker images to use.
+        * Port mappings.
+        * Volume mounts for persistent data and custom configurations.
+        * Network configurations.
+        * Resource limits (CPU, memory).
+        * Dependencies between services.
+
+4.  **Persistent Data Volumes**:
+    * Configuration related to data storage (e.g., paths for Wazuh Indexer data, Wazuh manager logs and agent keys) is managed through Docker volumes. Persisting these volumes ensures your data and critical configurations survive container restarts or recreations.

docs/ref/configuration/environment-variables.md

@@ -0,0 +1,116 @@
+# Environment Variables in Wazuh Docker Deployment
+
+This document outlines the environment variables applicable to the Wazuh Docker deployment, covering the Wazuh Manager, Indexer, Dashboard, and Agent components. It also explains how to override configuration settings using environment variables.
+
+## Table of Contents
+
+- [Wazuh Manager](#wazuh-manager)
+- [Wazuh Indexer](#wazuh-indexer)
+- [Wazuh Dashboard](#wazuh-dashboard)
+- [Wazuh Agent](#wazuh-agent)
+- [Overriding Configuration Files with Environment Variables](#overriding-configuration-files-with-environment-variables)
+
+---
+
+## Wazuh Manager
+
+The Wazuh Manager container accepts the following environment variables, which can be set in the `docker-compose.yml` file under the `environment` section:
+
+```yaml
+environment:
+  - INDEXER_USERNAME=admin
+  - INDEXER_PASSWORD=SecretPassword
+  - WAZUH_API_URL=https://wazuh.manager
+  - DASHBOARD_USERNAME=kibanaserver
+  - DASHBOARD_PASSWORD=kibanaserver
+  - API_USERNAME=wazuh-wui
+  - API_PASSWORD=MyS3cr37P450r.*-
+```
+
+**Variable Descriptions:**
+
+- `INDEXER_USERNAME` / `INDEXER_PASSWORD`: Credentials for accessing the Wazuh Indexer with `admin` user or a user with the same permissions.
+- `WAZUH_API_URL`: URL of the Wazuh API, used by other services for communication.
+- `DASHBOARD_USERNAME` / `DASHBOARD_PASSWORD`: Credentials for the Wazuh Dashboard to authenticate with the Indexer.
+- `API_USERNAME` / `API_PASSWORD`: Credentials for the Wazuh API user, utilized by the Dashboard for API interactions.
+
+---
+
+## Wazuh Indexer
+
+The Wazuh Indexer services (`single-node` and `multi-node`) use the following environment variable:
+
+```yaml
+environment:
+  - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+```
+
+**Variable Descriptions:**
+
+- `OPENSEARCH_JAVA_OPTS`: Sets JVM heap size and other Java options.
+
+---
+
+## Wazuh Dashboard
+
+The Wazuh Dashboard container accepts the following environment variables, which should be set in the `docker-compose.yml` file:
+
+```yaml
+environment:
+  - INDEXER_USERNAME=admin
+  - INDEXER_PASSWORD=SecretPassword
+  - WAZUH_API_URL=https://wazuh.manager
+  - DASHBOARD_USERNAME=kibanaserver
+  - DASHBOARD_PASSWORD=kibanaserver
+  - API_USERNAME=wazuh-wui
+  - API_PASSWORD=MyS3cr37P450r.*-
+```
+
+**Variable Descriptions:**
+
+- `INDEXER_USERNAME` / `INDEXER_PASSWORD`: Credentials used by the Dashboard to authenticate with the Wazuh Indexer.
+- `WAZUH_API_URL`: Base URL of the Wazuh API, used for querying and visualizing security data.
+- `DASHBOARD_USERNAME` / `DASHBOARD_PASSWORD`: User credentials for the Dashboard interface.
+- `API_USERNAME` / `API_PASSWORD`: API user credentials for authenticating Wazuh API requests initiated by the Dashboard.
+
+These variables are critical for enabling communication between the Wazuh Dashboard, the Wazuh Indexer, and the Wazuh API.
+
+---
+
+## Wazuh Agent
+
+The Wazuh Agent container uses the following environment variables to dynamically update the `ossec.conf` configuration file at runtime:
+
+```yaml
+environment:
+  - WAZUH_MANAGER_SERVER=wazuh.manager
+  - WAZUH_MANAGER_PORT=1514
+  - WAZUH_REGISTRATION_SERVER=wazuh.manager
+  - WAZUH_REGISTRATION_PORT=1515
+  - WAZUH_AGENT_NAME=my-agent
+  - WAZUH_REGISTRATION_PASSWORD=StrongPassword
+```
+
+These variables are used by the `set_manager_conn()` function in the entrypoint script to replace placeholder values in `ossec.conf` and set the enrollment password.
+
+---
+
+## Overriding Configuration Files with Environment Variables
+
+To override configuration values from files such as `opensearch.yml` and `opensearch_dashboards.yml` using environment variables:
+
+1. Convert the configuration key to uppercase.
+2. Replace any dots (`.`) in the key with underscores (`_`).
+3. Assign the corresponding value.
+
+### Examples:
+
+| YAML Key                                | Environment Variable                       |
+|-----------------------------------------|--------------------------------------------|
+| `discovery.type: single-node`           | `DISCOVERY_TYPE=single-node`               |
+| `opensearch.hosts: https://url:9200`    | `OPENSEARCH_HOSTS=https://url:9200`        |
+| `server.port: 5601`                     | `SERVER_PORT=5601`                         |
+
+This approach allows you to configure the services dynamically via Docker without modifying internal files.
+
+---

docs/ref/getting-started/deployment/deployment.md

@@ -0,0 +1,46 @@
+# Reference Manual - Deployment
+
+This section provides detailed instructions for deploying Wazuh-Docker (version 5.0.0) in various configurations. Choose the deployment model that best suits your needs, from simple single-node setups for testing to more robust multi-node configurations for production environments.
+
+## Overview of Deployment Options
+
+Wazuh-Docker offers flexibility in how you can deploy the Wazuh stack. The primary methods covered in this documentation are:
+
+1.  **[Single Node Wazuh Stack](single-node.md)**:
+    * **Description**: Deploys all core Wazuh components (Wazuh manager, Wazuh indexer, Wazuh dashboard) as Docker containers on a single host machine.
+    * **Use Cases**: Ideal for development, testing, demonstrations, proof-of-concepts, and small-scale production environments where simplicity is prioritized and high availability is not a critical concern.
+    * **Pros**: Easiest and quickest to set up.
+    * **Cons**: Single point of failure; limited scalability compared to multi-node.
+
+2.  **[Multi Node Wazuh Stack](multi-node.md)**:
+    * **Description**: This typically refers to deploying a Wazuh Indexer cluster and potentially multiple Wazuh managers for improved scalability and resilience. While true multi-host orchestration often uses tools like Kubernetes, this section may cover configurations achievable with Docker Compose, possibly across multiple Docker hosts or with clustered services on a single powerful host.
+    * **Use Cases**: Production environments requiring higher availability, data redundancy (for Wazuh Indexer), and the ability to handle a larger number of agents.
+    * **Pros**: Improved fault tolerance (for clustered components like the Indexer), better performance distribution.
+    * **Cons**: More complex to set up and manage than a single-node deployment.
+
+## Before You Begin Deployment
+
+Ensure you have:
+
+-   Met all the [System Requirements](ref/getting-started/requirements.md).
+-   Installed Docker and Docker Compose on your host(s).
+-   Cloned the `wazuh-docker` repository (version `5.0.0`) or downloaded the necessary deployment files.
+    ```bash
+    git clone [https://github.com/wazuh/wazuh-docker.git](https://github.com/wazuh/wazuh-docker.git)
+    cd wazuh-docker
+    git checkout v5.0.0
+    ```
+-   Made a backup of any existing Wazuh data if you are migrating or upgrading.
+
+## Choosing the Right Deployment
+
+Consider the following factors when choosing a deployment model:
+
+-   **Scale**: How many agents do you plan to connect?
+-   **Availability**: What are your uptime requirements?
+-   **Resources**: What hardware resources (CPU, RAM, disk) are available?
+-   **Complexity**: What is your team's familiarity with Docker and distributed systems?
+
+For most new users, starting with the [Single Node Wazuh Stack](single-node.md) is recommended to familiarize themselves with Wazuh-Docker. You can then explore more complex setups as your needs grow.
+
+Navigate to the specific deployment guide linked above for detailed, step-by-step instructions.

docs/ref/getting-started/deployment/multi-node.md

@@ -0,0 +1,34 @@
+# Wazuh Docker Deployment
+
+## Deploying Wazuh Docker in a Multi-Node Configuration
+
+This deployment utilizes the `multi-node/docker-compose.yml` file, which defines a cluster setup with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. Follow these steps to deploy this configuration:
+
+1.  Navigate to the `multi-node` directory within your repository:
+    ```bash
+    cd multi-node
+    ```
+
+2.  Increase `vm.max_map_count` on each Docker host that will run a Wazuh Indexer container (Linux). This setting is crucial for Wazuh Indexer to operate correctly. This command requires root permissions:
+    ```bash
+    sudo sysctl -w vm.max_map_count=262144
+    ```
+    **Note:** This change is temporary and will revert upon reboot. To make it permanent on each relevant host, you'll need to edit the `/etc/sysctl.conf` file, add `vm.max_map_count=262144`, and then apply the change with `sudo sysctl -p`.
+
+3.  Run the script to generate the necessary certificates for the Wazuh Stack. This ensures secure communication between the nodes:
+    ```bash
+    docker compose -f generate-indexer-certs.yml run --rm generator
+    ```
+
+4.  Start the Wazuh environment using `docker compose`:
+
+    * To run in the foreground (logs will be displayed in your current terminal; press `Ctrl+C` to stop):
+        ```bash
+        docker compose up
+        ```
+    * To run in the background (detached mode, allowing the containers to run independently of your terminal):
+        ```bash
+        docker compose up -d
+        ```
+
+Please allow some time for the environment to initialize, especially on the first run. A multi-node setup can take a few minutes (depending on your host resources and network) as the Wazuh Indexer cluster forms, and the necessary indexes and index patterns are generated.

docs/ref/getting-started/deployment/single-node.md

@@ -0,0 +1,35 @@
+# Wazuh Docker Deployment
+
+## Deploying Wazuh Docker in a Single-Node Configuration
+
+This deployment uses the `single-node/docker-compose.yml` file, which defines a setup with one Wazuh manager container, one Wazuh indexer container, and one Wazuh dashboard container. Follow these steps to deploy it:
+
+1.  Navigate to the `single-node` directory within your repository:
+    ```bash
+    cd single-node
+    ```
+
+2.  Increase `vm.max_map_count` on each Docker host that will run a Wazuh Indexer container (Linux). This setting is crucial for Wazuh Indexer to operate correctly. This command requires root permissions:
+    ```bash
+    sudo sysctl -w vm.max_map_count=262144
+    ```
+    **Note:** This change is temporary and will revert upon reboot. To make it permanent, you'll need to edit the `/etc/sysctl.conf` file and add `vm.max_map_count=262144`, then apply with `sudo sysctl -p`.
+
+3.  Run the script to generate the necessary certificates for the Wazuh Stack. This ensures secure communication between the nodes:
+    ```bash
+    docker compose -f generate-indexer-certs.yml run --rm generator
+    ```
+
+4.  Start the Wazuh environment using `docker compose`:
+
+    * To run in the foreground (logs will be displayed in your current terminal; press `Ctrl+C` to stop):
+        ```bash
+        docker compose up
+        ```
+    * To run in the background (detached mode, allowing the containers to run independently of your terminal):
+        ```bash
+        docker compose up -d
+        ```
+
+Please allow some time for the environment to initialize, especially on the first run. It can take approximately a minute or two (depending on your host's resources) as the Wazuh Indexer starts up and generates the necessary indexes and index patterns.
+

docs/ref/getting-started/deployment/wazuh-agent.md

@@ -0,0 +1,36 @@
+# Wazuh Docker Deployment
+
+## Deploying the Wazuh Agent
+
+Follow these steps to deploy the Wazuh agent using Docker.
+
+1.  Navigate to the `wazuh-agent` directory within your repository:
+    ```bash
+    cd wazuh-agent
+    ```
+
+2.  Edit the `docker-compose.yml` file. You need to update the `WAZUH_MANAGER_SERVER` environment variable with the IP address or hostname of your Wazuh manager.
+
+    Locate the `environment` section for the agent service and update it as follows:
+    ```yaml
+    # Inside your docker-compose.yml file
+    # services:
+    #   wazuh-agent:
+    #     ...
+    environment:
+      - WAZUH_MANAGER_SERVER=<YOUR_WAZUH_MANAGER_IP_OR_HOSTNAME>
+    #     ...
+    ```
+    **Note:** Replace `<YOUR_WAZUH_MANAGER_IP_OR_HOSTNAME>` with the actual IP address or hostname of your Wazuh manager.
+
+3.  Start the environment using `docker compose`:
+
+    * To run in the foreground (logs will be displayed in your current terminal, and you can stop it with `Ctrl+C`):
+        ```bash
+        docker compose up
+        ```
+
+    * To run in the background (detached mode, allowing the container to run independently of your terminal):
+        ```bash
+        docker compose up -d
+        ```

docs/ref/getting-started/getting-started.md

@@ -0,0 +1,58 @@
+# Reference Manual - Getting Started
+
+This section guides you through the initial steps to get your Wazuh-docker (version 5.0.0) environment up and running. We will cover the prerequisites and point you to the deployment instructions.
+
+## Overview
+
+Getting started with Wazuh-Docker involves the following general steps:
+
+1.  **Understanding Requirements**: Ensuring your system meets the necessary hardware and software prerequisites.
+2.  **Choosing a Deployment Type**: Deciding whether a single-node or multi-node deployment is suitable for your needs.
+3.  **Setting up Docker**: Installing Docker and Docker Compose if you haven't already.
+4.  **Obtaining Wazuh-Docker Files**: Cloning the `wazuh-docker` repository or downloading the necessary `docker-compose.yml` and configuration files.
+5.  **Deploying the Stack**: Running `docker compose up` to launch the Wazuh components.
+6.  **Initial Configuration & Verification**: Performing any initial setup steps and verifying that all components are working correctly.
+7.  **Deploying Wazuh Agents**: Installing and configuring Wazuh agents on the endpoints you want to monitor and connecting them to your Wazuh manager.
+
+## Before You Begin
+
+Before diving into the deployment, please ensure you have reviewed:
+
+-   The [Description](ref/Introduction/description.md) of Wazuh-docker to understand the components and architecture.
+-   The [Requirements](ref/getting-started/requirements.md) to confirm your environment is suitable.
+
+## Steps to Get Started
+
+1.  **Meet the [Requirements](requirements.md)**:
+    Verify that your host system has sufficient RAM, CPU, and disk space. Ensure Docker and Docker Compose are installed and functioning correctly.
+
+2.  **Obtain Wazuh-docker Configuration**:
+    You'll need the Docker Compose files and any associated configuration files from the `wazuh-docker` repository for version 5.0.0.
+    ```bash
+    git clone [https://github.com/wazuh/wazuh-docker.git](https://github.com/wazuh/wazuh-docker.git)
+    cd wazuh-docker
+    git checkout v5.0.0
+    # Navigate to the specific docker-compose directory, e.g., single-node or multi-node
+    # cd docker-compose/single-node/ (example path)
+    ```
+    Alternatively, you might download specific `docker-compose.yml` files if provided as part of a release package.
+
+3.  **Choose Your [Deployment Strategy](deployment/deployment.md)**:
+    Wazuh-docker supports different deployment models. Select the one that best fits your use case:
+    * **[Single Node Wazuh Stack](deployment/single-node.md)**: Ideal for testing, small environments, or proof-of-concept deployments. All main components (Wazuh manager, Wazuh indexer, Wazuh dashboard) run on a single Docker host.
+    * **[Multi Node Wazuh Stack](deployment/multi-node.md)**: Suitable for production environments requiring high availability and scalability. Components might be distributed across multiple hosts or configured in a clustered mode. (Note: True multi-host orchestration often involves Kubernetes, but multi-node within Docker Compose typically refers to clustered Wazuh Indexer/Manager setups on one or more Docker hosts managed carefully).
+    * **[Wazuh Agent Deployment](deployment/wazuh-agent.md)**: Instructions for deploying Wazuh agents on your endpoints and connecting them to the Wazuh manager running in Docker.
+
+4.  **Follow Deployment Instructions**:
+    Once you've chosen a deployment strategy, follow the detailed instructions provided in the respective sections linked above. This will typically involve:
+    * Configuring environment variables (if necessary).
+    * Initializing persistent volumes.
+    * Starting the services.
+
+5.  **Post-Deployment**:
+    After the stack is running:
+    * Access the Wazuh Dashboard via your web browser.
+    * Verify that all services are healthy.
+    * Begin enrolling Wazuh agents.
+
+This Getting Started guide provides a high-level overview. For detailed, step-by-step instructions, please refer to the specific pages linked within this section.

docs/ref/getting-started/requirements.md

@@ -0,0 +1,73 @@
+# Reference Manual - Requirements
+
+Before deploying Wazuh-Docker (version 5.0.0), it's essential to ensure your environment meets the necessary hardware and software requirements. Meeting these prerequisites will help ensure a stable and performant Wazuh deployment.
+
+## Host System Requirements
+
+These are general recommendations. Actual needs may vary based on the number of agents, data volume, and usage patterns.
+
+### Hardware:
+
+* **CPU**:
+    * **Minimum**: 2 CPU cores.
+    * **Recommended**: 4 CPU cores or more, especially for production environments or deployments with a significant number of agents.
+* **RAM**:
+    * **Minimum (Single-Node Test/Small Environment)**: 4 GB RAM. This is a tight minimum; 6 GB is safer.
+        * Wazuh Indexer (OpenSearch): Typically requires at least 1 GB RAM allocated to its JVM heap.
+        * Wazuh Manager: Resource usage depends on the number of agents.
+        * Wazuh Dashboard (OpenSearch Dashboards): Also consumes memory.
+    * **Recommended (Production/Multiple Agents)**: 8 GB RAM or more.
+* **Disk Space**:
+    * **Minimum**: 50 GB of free disk space.
+    * **Recommended**: 100 GB or more, particularly for the Wazuh Indexer data. Disk space requirements will grow over time as more data is collected and indexed.
+    * **Disk Type**: SSDs (Solid State Drives) are highly recommended for the Wazuh Indexer data volumes for optimal performance.
+* **Network**:
+    * A stable network connection with sufficient bandwidth, especially if agents are reporting from remote locations.
+
+### Software:
+
+* **Operating System**:
+    * A 64-bit Linux distribution is preferred (e.g., Ubuntu, CentOS, RHEL, Debian).
+* **Docker Engine**:
+    * Version `20.10.0` or newer.
+    * Install Docker by following the official instructions: [Install Docker Engine](https://docs.docker.com/engine/install/).
+* **Git Client**:
+    * Required for cloning the `wazuh-docker` repository.
+* **Web Browser**:
+    * A modern web browser (e.g., Chrome, Firefox, Edge, Safari) for accessing the Wazuh Dashboard.
+* **`vm.max_map_count` (Linux Hosts for Wazuh Indexer/OpenSearch)**:
+    * The Wazuh Indexer (OpenSearch) requires a higher `vm.max_map_count` setting than the default on most Linux systems.
+    * Set it permanently:
+        1.  Edit `/etc/sysctl.conf` and add/modify the line:
+            ```
+            vm.max_map_count=262144
+            ```
+        2.  Apply the change without rebooting:
+            ```bash
+            sudo sysctl -p
+            ```
+    * This is crucial for the stability of the Wazuh Indexer.
+
+## Network Ports
+
+Ensure that the necessary network ports are open and available on the Docker host and any firewalls:
+
+* **Wazuh Manager**:
+    * `1514/UDP`: For agent communication (syslog).
+    * `1514/TCP`: For agent communication (if using TCP).
+    * `1515/TCP`: For agent enrollment.
+    * `55000/TCP`: For Wazuh API (default).
+* **Wazuh Indexer**:
+    * `9200/TCP`: For HTTP REST API.
+    * `9300/TCP`: For inter-node communication (if clustered).
+* **Wazuh Dashboard**:
+    * `5601/TCP` (or `443/TCP` if HTTPS is configured via a reverse proxy): For web access.
+
+Port mappings in `docker-compose.yml` will expose these container ports on the host. Adjust host ports if defaults cause conflicts.
+
+## Important Considerations
+
+* **Production Environments**: For production, it's highly recommended to follow best practices for securing Docker and your host system. Consider using a multi-node setup for resilience.
+* **Resource Allocation**: Monitor resource usage after deployment and adjust allocations (CPU, RAM for Docker, JVM heap for Wazuh Indexer) as necessary.
+
+Meeting these requirements will pave the way for a smoother deployment and a more stable Wazuh-Docker experience.

docs/ref/glossary.md

@@ -0,0 +1,89 @@
+# Reference Manual - Glossary
+
+This glossary defines key terms and concepts related to Wazuh, Docker, and their use together in the Wazuh-Docker project (version 5.0.0).
+
+---
+
+**A**
+
+-   **Active Response**: A Wazuh capability that allows automatic actions to be taken on an agent or manager in response to specific triggers or alerts (e.g., blocking an IP address, stopping a process).
+-   **Agent (Wazuh Agent)**: Software installed on monitored endpoints (servers, workstations, cloud instances) that collects security data (logs, file integrity, configuration assessments, etc.) and forwards it to the Wazuh Manager.
+-   **Alert**: A notification generated by the Wazuh Manager when an event or a series of events matches a predefined rule, indicating a potential security issue, misconfiguration, or policy violation.
+-   **API (Wazuh API)**: An application programming interface provided by the Wazuh Manager that allows for programmatic interaction with the Wazuh system, such as managing agents, retrieving alerts, updating rulesets, and checking system health.
+
+**C**
+
+-   **CDB List (Constant DataBase List)**: Key-value pair files used by Wazuh rules for fast lookups. Useful for whitelisting, blacklisting, or correlating events with known indicators.
+-   **Cluster**:
+    -   **Wazuh Indexer Cluster (OpenSearch/Elasticsearch Cluster)**: A group of interconnected Wazuh Indexer nodes that work together to store, index, and search data, providing scalability and high availability.
+    -   **Wazuh Manager Cluster**: A group of Wazuh managers working together to provide load balancing and high availability for agent connections and event processing.
+-   **Container (Docker Container)**: A lightweight, standalone, executable package of software that includes everything needed to run it: code, runtime, system tools, system libraries, and settings. Wazuh-Docker runs each Wazuh component (manager, indexer, dashboard) in its own container.
+-   **Containerization**: The process of packaging an application and its dependencies into a container.
+
+**D**
+
+-   **Dashboard (Wazuh Dashboard / OpenSearch Dashboards / Kibana)**: A web-based visualization tool used to explore, analyze, and visualize data stored in the Wazuh Indexer. It provides dashboards, visualizations, and a query interface for security events and alerts. For Wazuh 5.0.0, this is typically OpenSearch Dashboards.
+-   **Decoder**: A component in the Wazuh Manager that parses and extracts relevant information (fields) from raw log messages or event data.
+-   **Docker**: An open platform for developing, shipping, and running applications inside containers.
+-   **Docker Compose**: A tool for defining and running multi-container Docker applications. It uses a YAML file (`docker-compose.yml`) to configure the application's services, networks, and volumes.
+-   **Dockerfile**: A text document that contains all the commands a user could call on the command line to assemble an image. Docker can build images automatically by reading the instructions from a Dockerfile.
+-   **Docker Hub**: A cloud-based registry service that allows you to link to code repositories, build your images and test them, stores manually pushed images, and links to Docker Cloud so you can deploy images to your hosts. Wazuh Docker images are often hosted here.
+-   **Docker Image**: A read-only template with instructions for creating a Docker container. Images are used to instantiate containers.
+-   **Docker Volume**: A mechanism for persisting data generated by and used by Docker containers. Volumes are managed by Docker and are stored on the host filesystem, separate from the container's lifecycle. Essential for storing Wazuh data, configurations, and logs.
+
+**E**
+
+-   **Endpoint**: Any device (server, desktop, laptop, virtual machine, cloud instance) that is monitored by a Wazuh agent.
+-   **Environment Variable**: A variable whose value is set outside the program, typically by the operating system or a container runtime, and can be accessed by the program to modify its behavior. Used extensively in Wazuh-Docker for configuration.
+
+**F**
+
+-   **File Integrity Monitoring (FIM)**: A Wazuh capability that monitors files and directories for changes, additions, or deletions, helping to detect unauthorized modifications.
+
+**I**
+
+-   **Indexer (Wazuh Indexer / OpenSearch / Elasticsearch)**: The component responsible for storing, indexing, and making searchable the alerts and event data generated by the Wazuh Manager. For Wazuh 5.0.0, this is typically OpenSearch.
+
+**L**
+
+-   **Log Analysis**: A core function of the Wazuh Manager, involving the collection, normalization, parsing, and analysis of log data from various sources.
+
+**M**
+
+-   **Manager (Wazuh Manager)**: The central component of the Wazuh platform. It collects data from agents, analyzes it using rules and decoders, generates alerts, and manages agents.
+
+**N**
+
+-   **Node**:
+    -   **Wazuh Indexer Node**: A single instance of a Wazuh Indexer (OpenSearch/Elasticsearch) process, typically running in a container. Multiple nodes can form a cluster.
+    -   **Wazuh Manager Node**: A single instance of a Wazuh manager, which can operate standalone or as part of a manager cluster.
+
+**O**
+
+-   **`ossec.conf`**: The main configuration file for the Wazuh Manager and Wazuh Agent.
+
+**R**
+
+-   **Rule**: A set of conditions defined in the Wazuh Manager that, when met by an event or a sequence of events, trigger an alert.
+-   **Ruleset**: The collection of all rules and decoders used by the Wazuh Manager.
+
+**S**
+
+-   **Scalability**: The ability of the system to handle a growing amount of work by adding resources. In Wazuh-Docker, this can refer to scaling the number of agents, or the capacity of the indexer/manager cluster.
+-   **Security Information and Event Management (SIEM)**: A field of computer security that combines security information management (SIM) and security event management (SEM) to provide real-time analysis of security alerts generated by applications and network hardware. Wazuh is a SIEM solution.
+-   **Service (Docker Compose Service)**: A definition of a container within a `docker-compose.yml` file, including its image, ports, volumes, environment variables, etc.
+
+**V**
+
+-   **Volume (Docker Volume)**: See Docker Volume.
+
+**W**
+
+-   **Wazuh**: An open-source security platform that provides threat prevention, detection, and response.
+-   **Wazuh API**: See API.
+-   **Wazuh Dashboard**: See Dashboard.
+-   **Wazuh Indexer**: See Indexer.
+-   **Wazuh Manager**: See Manager.
+
+---
+This glossary provides a starting point. For more detailed definitions or terms not listed here, please refer to the official Wazuh and Docker documentation.

docs/ref/upgrade.md

@@ -0,0 +1,10 @@
+# Upgrading Wazuh in Docker
+
+To upgrade your Wazuh deployment when using Docker, we recommend following the official Wazuh documentation. It contains the most accurate and up-to-date information for upgrading from previous versions to the current one.
+
+> 📘 Please refer to the official guide:
+> [Upgrading Wazuh Docker](https://documentation.wazuh.com/current/deployment-options/docker/upgrading-wazuh-docker.html)
+
+This external guide provides detailed upgrade instructions that cover multiple scenarios and configurations.
+
+Following the official documentation ensures a smoother and safer upgrade process, with fewer risks of data loss or configuration issues.

docs/server.sh

@@ -0,0 +1,3 @@
+#! /bin/sh
+
+mdbook serve

indexer-certs-creator/README.md

@@ -5,5 +5,5 @@ The dockerfile hosted in this directory is used to build the image used to boot
 To create the image, the following command must be executed:
 
 ```
-$ docker build -t wazuh/wazuh-certs-generator:0.0.1 .
+$ docker build -t wazuh/wazuh-certs-generator:0.0.2 .
 ```

indexer-certs-creator/config/entrypoint.sh

@@ -8,12 +8,12 @@
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.12/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.12/
+PACKAGES_URL=https://packages.wazuh.com/5.0/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/5.0/
 
 ## Check if the cert tool exists in S3 buckets
-CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
-CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')
+CERT_TOOL_PACKAGES=$(curl --silent --head --location --output /dev/null --write-out "%{http_code}" "$PACKAGES_URL$CERT_TOOL")
+CERT_TOOL_PACKAGES_DEV=$(curl --silent --head --location --output /dev/null --write-out "%{http_code}" "$PACKAGES_DEV_URL$CERT_TOOL")
 
 ## If cert tool exists in some bucket, download it, if not exit 1
 if [ "$CERT_TOOL_PACKAGES" = "200" ]; then

multi-node/Migration-to-Wazuh-4.4.md

@@ -80,13 +80,6 @@ docker volume create \
            multi-node_master-wazuh-var-multigroups
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=master-wazuh-integrations \
-           multi-node_master-wazuh-integrations
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -94,13 +87,6 @@ docker volume create \
            multi-node_master-wazuh-active-response
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=master-wazuh-agentless \
-           multi-node_master-wazuh-agentless
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -157,13 +143,6 @@ docker volume create \
            multi-node_worker-wazuh-var-multigroups
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=worker-wazuh-integrations \
-           multi-node_worker-wazuh-integrations
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -171,13 +150,6 @@ docker volume create \
            multi-node_worker-wazuh-active-response
 ```
 ```
-docker volume create \
-           --label com.docker.compose.project=multi-node \
-           --label com.docker.compose.version=1.25.0 \
-           --label com.docker.compose.volume=worker-wazuh-agentless \
-           multi-node_worker-wazuh-agentless
-```
-```
 docker volume create \
            --label com.docker.compose.project=multi-node \
            --label com.docker.compose.version=1.25.0 \
@@ -248,24 +220,12 @@ docker container run --rm -it \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_ossec-integrations:/from \
-           -v multi-node_master-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_ossec-active-response:/from \
            -v multi-node_master-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_ossec-agentless:/from \
-           -v multi-node_master-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_ossec-wodles:/from \
            -v multi-node_master-wazuh-wodles:/to \
@@ -314,24 +274,12 @@ docker container run --rm -it \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-integrations:/from \
-           -v multi-node_worker-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-active-response:/from \
            -v multi-node_worker-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 ```
 ```
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-agentless:/from \
-           -v multi-node_worker-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-```
-```
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-wodles:/from \
            -v multi-node_worker-wazuh-wodles:/to \

multi-node/README.md

@@ -1,6 +1,6 @@
 # Deploy Wazuh Docker in multi node configuration
 
-This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps: 
+This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
 
 1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
 ```
@@ -8,18 +8,18 @@ $ sysctl -w vm.max_map_count=262144
 ```
 2) Run the certificate creation script:
 ```
-$ docker-compose -f generate-indexer-certs.yml run --rm generator
+$ docker compose -f generate-indexer-certs.yml run --rm generator
 ```
-3) Start the environment with docker-compose:
+3) Start the environment with docker compose:
 
 - In the foregroud:
 ```
-$ docker-compose up
+$ docker compose up
 ```
 
 - In the background:
 ```
-$ docker-compose up -d
+$ docker compose up -d
 ```
 
 

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_time>15m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -124,8 +101,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -165,13 +140,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -257,19 +231,15 @@
     <list>etc/lists/audit-keys</list>
     <list>etc/lists/amazon/aws-eventnames</list>
     <list>etc/lists/security-eventchannel</list>
+    <list>etc/lists/malicious-ioc/malicious-ip</list>
+    <list>etc/lists/malicious-ioc/malicious-domains</list>
+    <list>etc/lists/malicious-ioc/malware-hashes</list>
 
     <!-- User-defined ruleset -->
     <decoder_dir>etc/decoders</decoder_dir>
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -302,9 +272,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_time>15m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -124,8 +101,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -165,13 +140,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -257,19 +231,15 @@
     <list>etc/lists/audit-keys</list>
     <list>etc/lists/amazon/aws-eventnames</list>
     <list>etc/lists/security-eventchannel</list>
+    <list>etc/lists/malicious-ioc/malicious-ip</list>
+    <list>etc/lists/malicious-ioc/malicious-domains</list>
+    <list>etc/lists/malicious-ioc/malware-hashes</list>
 
     <!-- User-defined ruleset -->
     <decoder_dir>etc/decoders</decoder_dir>
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -302,9 +272,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

multi-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -2,7 +2,7 @@ server.host: 0.0.0.0
 server.port: 5601
 opensearch.hosts: https://wazuh1.indexer:9200
 opensearch.ssl.verificationMode: certificate
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
@@ -10,3 +10,8 @@ server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
 server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wz-home
+# Session expiration settings
+opensearch_security.cookie.ttl: 900000
+opensearch_security.session.ttl: 900000
+opensearch_security.session.keepalive: true
+assistant.chat.enabled: true

multi-node/config/wazuh_indexer/wazuh1.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh1.indexer
 node.name: wazuh1.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh2.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh2.indexer
 node.name: wazuh2.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/config/wazuh_indexer/wazuh3.indexer.yml

@@ -1,6 +1,6 @@
 network.host: wazuh3.indexer
 node.name: wazuh3.indexer
-cluster.initial_master_nodes:
+cluster.initial_cluster_manager_nodes:
         - wazuh1.indexer
         - wazuh2.indexer
         - wazuh3.indexer
@@ -35,4 +35,3 @@ plugins.security.restapi.roles_enabled:
 - "security_rest_api_access"
 plugins.security.allow_default_init_securityindex: true
 cluster.routing.allocation.disk.threshold_enabled: false
-compatibility.override_main_response_version: true

multi-node/docker-compose.yml

@@ -1,9 +1,7 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3.7'
-
 services:
   wazuh.master:
-    image: wazuh/wazuh-manager:4.12.0
+    image: wazuh/wazuh-manager:5.0.0
     hostname: wazuh.master
     restart: always
     ulimits:
@@ -33,9 +31,7 @@ services:
       - master-wazuh-logs:/var/ossec/logs
       - master-wazuh-queue:/var/ossec/queue
       - master-wazuh-var-multigroups:/var/ossec/var/multigroups
-      - master-wazuh-integrations:/var/ossec/integrations
       - master-wazuh-active-response:/var/ossec/active-response/bin
-      - master-wazuh-agentless:/var/ossec/agentless
       - master-wazuh-wodles:/var/ossec/wodles
       - master-filebeat-etc:/etc/filebeat
       - master-filebeat-var:/var/lib/filebeat
@@ -45,7 +41,7 @@ services:
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.worker:
-    image: wazuh/wazuh-manager:4.12.0
+    image: wazuh/wazuh-manager:5.0.0
     hostname: wazuh.worker
     restart: always
     ulimits:
@@ -69,9 +65,7 @@ services:
       - worker-wazuh-logs:/var/ossec/logs
       - worker-wazuh-queue:/var/ossec/queue
       - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
-      - worker-wazuh-integrations:/var/ossec/integrations
       - worker-wazuh-active-response:/var/ossec/active-response/bin
-      - worker-wazuh-agentless:/var/ossec/agentless
       - worker-wazuh-wodles:/var/ossec/wodles
       - worker-filebeat-etc:/etc/filebeat
       - worker-filebeat-var:/var/lib/filebeat
@@ -81,7 +75,7 @@ services:
       - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh1.indexer:
-    image: wazuh/wazuh-indexer:4.12.0
+    image: wazuh/wazuh-indexer:5.0.0
     hostname: wazuh1.indexer
     restart: always
     ports:
@@ -98,16 +92,16 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-1:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
-      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
-      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
-      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh2.indexer:
-    image: wazuh/wazuh-indexer:4.12.0
+    image: wazuh/wazuh-indexer:5.0.0
     hostname: wazuh2.indexer
     restart: always
     environment:
@@ -122,14 +116,14 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-2:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
-      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.pem
+      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh3.indexer:
-    image: wazuh/wazuh-indexer:4.12.0
+    image: wazuh/wazuh-indexer:5.0.0
     hostname: wazuh3.indexer
     restart: always
     environment:
@@ -144,14 +138,14 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-3:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
-      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.pem
+      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
-    image: wazuh/wazuh-dashboard:4.12.0
+    image: wazuh/wazuh-dashboard:5.0.0
     hostname: wazuh.dashboard
     restart: always
     ports:
@@ -200,9 +194,7 @@ volumes:
   master-wazuh-logs:
   master-wazuh-queue:
   master-wazuh-var-multigroups:
-  master-wazuh-integrations:
   master-wazuh-active-response:
-  master-wazuh-agentless:
   master-wazuh-wodles:
   master-filebeat-etc:
   master-filebeat-var:
@@ -211,9 +203,7 @@ volumes:
   worker-wazuh-logs:
   worker-wazuh-queue:
   worker-wazuh-var-multigroups:
-  worker-wazuh-integrations:
   worker-wazuh-active-response:
-  worker-wazuh-agentless:
   worker-wazuh-wodles:
   worker-filebeat-etc:
   worker-filebeat-var:

multi-node/generate-indexer-certs.yml

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3'
-
 services:
   generator:
     image: wazuh/wazuh-certs-generator:0.0.2

multi-node/volume-migrator.sh

@@ -46,24 +46,12 @@ docker volume create \
            --label com.docker.compose.volume=master-wazuh-var-multigroups \
            $2_master-wazuh-var-multigroups
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=master-wazuh-integrations \
-           $2_master-wazuh-integrations
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
            --label com.docker.compose.volume=master-wazuh-active-response \
            $2_master-wazuh-active-response
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=master-wazuh-agentless \
-           $2_master-wazuh-agentless
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
@@ -112,24 +100,12 @@ docker volume create \
            --label com.docker.compose.volume=worker-wazuh-var-multigroups \
            $2_worker-wazuh-var-multigroups
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=worker-wazuh-integrations \
-           $2_worker-wazuh-integrations
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
            --label com.docker.compose.volume=worker-wazuh-active-response \
            $2_worker-wazuh-active-response
 
-docker volume create \
-           --label com.docker.compose.project=$2 \
-           --label com.docker.compose.version=$1 \
-           --label com.docker.compose.volume=worker-wazuh-agentless \
-           $2_worker-wazuh-agentless
-
 docker volume create \
            --label com.docker.compose.project=$2 \
            --label com.docker.compose.version=$1 \
@@ -193,21 +169,11 @@ docker container run --rm -it \
            -v $2_master-wazuh-var-multigroups:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_ossec-integrations:/from \
-           -v $2_master-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_ossec-active-response:/from \
            -v $2_master-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_ossec-agentless:/from \
-           -v $2_master-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_ossec-wodles:/from \
            -v $2_master-wazuh-wodles:/to \
@@ -248,21 +214,11 @@ docker container run --rm -it \
            -v $2_worker-wazuh-var-multigroups:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-integrations:/from \
-           -v $2_worker-wazuh-integrations:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-active-response:/from \
            -v $2_worker-wazuh-active-response:/to \
            alpine ash -c "cd /from ; cp -avp . /to"
 
-docker container run --rm -it \
-           -v wazuh-docker_worker-ossec-agentless:/from \
-           -v $2_worker-wazuh-agentless:/to \
-           alpine ash -c "cd /from ; cp -avp . /to"
-
 docker container run --rm -it \
            -v wazuh-docker_worker-ossec-wodles:/from \
            -v $2_worker-wazuh-wodles:/to \

single-node/README.md

@@ -8,17 +8,17 @@ $ sysctl -w vm.max_map_count=262144
 ```
 2) Run the certificate creation script:
 ```
-$ docker-compose -f generate-indexer-certs.yml run --rm generator
+$ docker compose -f generate-indexer-certs.yml run --rm generator
 ```
-3) Start the environment with docker-compose:
+3) Start the environment with docker compose:
 
 - In the foregroud:
 ```
-$ docker-compose up
+$ docker compose up
 ```
 - In the background:
 ```
-$ docker-compose up -d
+$ docker compose up -d
 ```
 
 The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -1,24 +1,10 @@
 <ossec_config>
   <global>
-    <jsonout_output>yes</jsonout_output>
-    <alerts_log>yes</alerts_log>
-    <logall>no</logall>
-    <logall_json>no</logall_json>
-    <email_notification>no</email_notification>
-    <smtp_server>smtp.example.wazuh.com</smtp_server>
-    <email_from>wazuh@example.wazuh.com</email_from>
-    <email_to>recipient@example.wazuh.com</email_to>
-    <email_maxperhour>12</email_maxperhour>
-    <email_log_source>alerts.log</email_log_source>
-    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_time>15m</agents_disconnection_time>
     <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+    <update_check>yes</update_check>
   </global>
 
-  <alerts>
-    <log_alert_level>3</log_alert_level>
-    <email_alert_level>12</email_alert_level>
-  </alerts>
-
   <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
   <logging>
     <log_format>plain</log_format>
@@ -34,8 +20,6 @@
   <!-- Policy monitoring -->
   <rootcheck>
     <disabled>no</disabled>
-    <check_files>yes</check_files>
-    <check_trojans>yes</check_trojans>
     <check_dev>yes</check_dev>
     <check_sys>yes</check_sys>
     <check_pids>yes</check_pids>
@@ -45,31 +29,12 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
-
     <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
   </rootcheck>
 
-  <wodle name="cis-cat">
-    <disabled>yes</disabled>
-    <timeout>1800</timeout>
-    <interval>1d</interval>
-    <scan-on-start>yes</scan-on-start>
-
-    <java_path>wodles/java</java_path>
-    <ciscat_path>wodles/ciscat</ciscat_path>
-  </wodle>
-
-  <!-- Osquery integration -->
-  <wodle name="osquery">
-    <disabled>yes</disabled>
-    <run_daemon>yes</run_daemon>
-    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
-    <config_path>/etc/osquery/osquery.conf</config_path>
-    <add_labels>yes</add_labels>
-  </wodle>
-
   <!-- System inventory -->
   <wodle name="syscollector">
     <disabled>no</disabled>
@@ -79,11 +44,17 @@
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
-    <ports all="no">yes</ports>
+    <ports all="yes">yes</ports>
     <processes>yes</processes>
+    <users>yes</users>
+    <groups>yes</groups>
+    <services>yes</services>
+    <browser_extensions>yes</browser_extensions>
 
     <!-- Database synchronization settings -->
     <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>
@@ -92,7 +63,13 @@
     <enabled>yes</enabled>
     <scan_on_start>yes</scan_on_start>
     <interval>12h</interval>
-    <skip_nfs>yes</skip_nfs>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
   </sca>
 
   <vulnerability-detection>
@@ -122,8 +99,6 @@
     <!-- Frequency that syscheck is executed default every 12 hours -->
     <frequency>43200</frequency>
 
-    <scan_on_start>yes</scan_on_start>
-
     <!-- Generate alert when new file detected -->
     <alert_new_files>yes</alert_new_files>
 
@@ -163,13 +138,12 @@
     <process_priority>10</process_priority>
 
     <!-- Maximum output throughput -->
-    <max_eps>100</max_eps>
+    <max_eps>50</max_eps>
 
     <!-- Database synchronization settings -->
     <synchronization>
       <enabled>yes</enabled>
       <interval>5m</interval>
-      <max_interval>1h</max_interval>
       <max_eps>10</max_eps>
     </synchronization>
   </syscheck>
@@ -255,19 +229,15 @@
     <list>etc/lists/audit-keys</list>
     <list>etc/lists/amazon/aws-eventnames</list>
     <list>etc/lists/security-eventchannel</list>
+    <list>etc/lists/malicious-ioc/malicious-ip</list>
+    <list>etc/lists/malicious-ioc/malicious-domains</list>
+    <list>etc/lists/malicious-ioc/malware-hashes</list>
 
     <!-- User-defined ruleset -->
     <decoder_dir>etc/decoders</decoder_dir>
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
-  <rule_test>
-    <enabled>yes</enabled>
-    <threads>1</threads>
-    <max_sessions>64</max_sessions>
-    <session_timeout>15m</session_timeout>
-  </rule_test>
-
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
@@ -300,9 +270,19 @@
 </ossec_config>
 
 <ossec_config>
+  <localfile>
+    <log_format>journald</log_format>
+    <location>journald</location>
+  </localfile>
+
+  <localfile>
+    <log_format>audit</log_format>
+    <location>/var/log/audit/audit.log</location>
+  </localfile>
+
   <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
 
-</ossec_config>
+</ossec_config>

single-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -2,7 +2,7 @@ server.host: 0.0.0.0
 server.port: 5601
 opensearch.hosts: https://wazuh.indexer:9200
 opensearch.ssl.verificationMode: certificate
-opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
@@ -10,3 +10,8 @@ server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
 server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wz-home
+# Session expiration settings
+opensearch_security.cookie.ttl: 900000
+opensearch_security.session.ttl: 900000
+opensearch_security.session.keepalive: true
+assistant.chat.enabled: true

single-node/config/wazuh_indexer/wazuh.indexer.yml

@@ -1,11 +1,11 @@
 network.host: "0.0.0.0"
 node.name: "wazuh.indexer"
+cluster.name: "wazuh-cluster"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
-compatibility.override_main_response_version: true
 plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
 plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem

single-node/docker-compose.yml

@@ -1,9 +1,7 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3.7'
-
 services:
   wazuh.manager:
-    image: wazuh/wazuh-manager:4.12.0
+    image: wazuh/wazuh-manager:5.0.0
     hostname: wazuh.manager
     restart: always
     ulimits:
@@ -34,9 +32,7 @@ services:
       - wazuh_logs:/var/ossec/logs
       - wazuh_queue:/var/ossec/queue
       - wazuh_var_multigroups:/var/ossec/var/multigroups
-      - wazuh_integrations:/var/ossec/integrations
       - wazuh_active_response:/var/ossec/active-response/bin
-      - wazuh_agentless:/var/ossec/agentless
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
@@ -46,7 +42,7 @@ services:
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.indexer:
-    image: wazuh/wazuh-indexer:4.12.0
+    image: wazuh/wazuh-indexer:5.0.0
     hostname: wazuh.indexer
     restart: always
     ports:
@@ -62,16 +58,16 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data:/var/lib/wazuh-indexer
-      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
-      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
-      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
-      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
-      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
-      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
-    image: wazuh/wazuh-dashboard:4.12.0
+    image: wazuh/wazuh-dashboard:5.0.0
     hostname: wazuh.dashboard
     restart: always
     ports:
@@ -104,9 +100,7 @@ volumes:
   wazuh_logs:
   wazuh_queue:
   wazuh_var_multigroups:
-  wazuh_integrations:
   wazuh_active_response:
-  wazuh_agentless:
   wazuh_wodles:
   filebeat_etc:
   filebeat_var:

single-node/generate-indexer-certs.yml

@@ -1,6 +1,4 @@
 # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-version: '3'
-
 services:
   generator:
     image: wazuh/wazuh-certs-generator:0.0.2

tools/repository_bumper.sh

@@ -0,0 +1,179 @@
+#!/bin/bash
+
+# This script is used to update the version of a repository in the specified files.
+# It takes a version number as an argument and updates the version in the specified files.
+# Usage: ./repository_bumper.sh <version>
+
+# Global variables
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+LOG_FILE="${DIR}/tools/repository_bumper_$(date +"%Y-%m-%d_%H-%M-%S-%3N").log"
+VERSION=""
+STAGE=""
+FILES_EDITED=()
+FILES_EXCLUDED='--exclude="repository_bumper_*.log" --exclude="CHANGELOG.md" --exclude="repository_bumper.sh" --exclude="*_bumper_repository.yml"'
+
+get_old_version_and_stage() {
+    local VERSION_FILE="${DIR}/VERSION.json"
+
+    OLD_VERSION=$(jq -r '.version' "${VERSION_FILE}")
+    OLD_STAGE=$(jq -r '.stage' "${VERSION_FILE}")
+    echo "Old version: ${OLD_VERSION}" | tee -a "${LOG_FILE}"
+    echo "Old stage: ${OLD_STAGE}" | tee -a "${LOG_FILE}"
+}
+
+grep_command() {
+    # This function is used to search for a specific string in the specified directory.
+    # It takes two arguments: the string to search for and the directory to search in.
+    # Usage: grep_command <string> <directory>
+    eval grep -Rl "${1}" "${2}" --exclude-dir=".git" $FILES_EXCLUDED "${3}"
+}
+
+update_version_in_files() {
+
+    local OLD_MAYOR="$(echo "${OLD_VERSION}" | cut -d '.' -f 1)"
+    local OLD_MINOR="$(echo "${OLD_VERSION}" | cut -d '.' -f 2)"
+    local OLD_PATCH="$(echo "${OLD_VERSION}" | cut -d '.' -f 3)"
+    local NEW_MAYOR="$(echo "${VERSION}" | cut -d '.' -f 1)"
+    local NEW_MINOR="$(echo "${VERSION}" | cut -d '.' -f 2)"
+    local NEW_PATCH="$(echo "${VERSION}" | cut -d '.' -f 3)"
+    m_m_p_files=( $(grep_command "${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}" "${DIR}") )
+    for file in "${m_m_p_files[@]}"; do
+        sed -i "s/\bv${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}\b/v${NEW_MAYOR}\.${NEW_MINOR}\.${NEW_PATCH}/g; s/\b${OLD_MAYOR}\.${OLD_MINOR}\.${OLD_PATCH}/${NEW_MAYOR}\.${NEW_MINOR}\.${NEW_PATCH}/g" "${file}"
+        if [[ $(git diff --name-only "${file}") ]]; then
+            FILES_EDITED+=("${file}")
+        fi
+    done
+    m_m_files=( $(grep_command "${OLD_MAYOR}\.${OLD_MINOR}" "${DIR}") )
+    for file in "${m_m_files[@]}"; do
+        sed -i -E "/[0-9]+\.[0-9]+\.[0-9]+/! s/(^|[^0-9.])(${OLD_MAYOR}\.${OLD_MINOR})([^0-9.]|$)/\1${NEW_MAYOR}.${NEW_MINOR}\3/g" "$file"
+        if [[ $(git diff --name-only "${file}") ]]; then
+            FILES_EDITED+=("${file}")
+        fi
+    done
+    m_x_files=( $(grep_command "${OLD_MAYOR}\.x" "${DIR}") )
+    for file in "${m_x_files[@]}"; do
+        sed -i "s/\b${OLD_MAYOR}\.x\b/${NEW_MAYOR}\.x/g" "${file}"
+        if [[ $(git diff --name-only "${file}") ]]; then
+            FILES_EDITED+=("${file}")
+        fi
+    done
+    if ! sed -i "/^All notable changes to this project will be documented in this file.$/a \\\n## [${VERSION}]\\n\\n### Added\\n\\n- None\\n\\n### Changed\\n\\n- None\\n\\n### Fixed\\n\\n- None\\n\\n### Deleted\\n\\n- None" "${DIR}/CHANGELOG.md"; then
+        echo "Error: Failed to update CHANGELOG.md" | tee -a "${LOG_FILE}"
+    fi
+    if [[ $(git diff --name-only "${DIR}/CHANGELOG.md") ]]; then
+        FILES_EDITED+=("${DIR}/CHANGELOG.md")
+    fi
+}
+
+update_stage_in_files() {
+    local OLD_STAGE="$(echo "${OLD_STAGE}")"
+    files=( $(grep_command "${OLD_STAGE}" "${DIR}" --exclude="README.md") )
+    for file in "${files[@]}"; do
+        sed -i "s/${OLD_STAGE}/${STAGE}/g" "${file}"
+        if [[ $(git diff --name-only "${file}") ]]; then
+            FILES_EDITED+=("${file}")
+        fi
+    done
+}
+
+update_docker_images_tag() {
+    local NEW_TAG="$1"
+    local DOCKERFILES=( $(grep_command "wazuh/wazuh-[a-zA-Z0-9._-]*" "${DIR}" "--exclude="README.md"  --exclude="generate-indexer-certs.yml"") )
+    for file in "${DOCKERFILES[@]}"; do
+        sed -i -E "s/(wazuh\/wazuh-[a-zA-Z0-9._-]*):[a-zA-Z0-9._-]+/\1:${NEW_TAG}/g" "${file}"
+        if [[ $(git diff --name-only "${file}") ]]; then
+            FILES_EDITED+=("${file}")
+        fi
+    done
+}
+
+main() {
+
+    echo "Starting repository version bumping process..." | tee -a "${LOG_FILE}"
+    echo "Log file: ${LOG_FILE}"
+    # Parse arguments
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            --version)
+                VERSION="$2"
+                shift 2
+                ;;
+            --stage)
+                STAGE="$2"
+                shift 2
+                ;;
+            --tag)
+                TAG="$2"
+                shift 2
+                ;;
+            *)
+                echo "Unknown argument: $1"
+                exit 1
+                ;;
+        esac
+    done
+
+    # Validate arguments
+    if [[ -z "${VERSION}" ]]; then
+        echo "Error: --version argument is required." | tee -a "${LOG_FILE}"
+        exit 1
+    fi
+
+    if [[ -z "${STAGE}" ]]; then
+        echo "Error: --stage argument is required." | tee -a "${LOG_FILE}"
+        exit 1
+    fi
+
+    # Validate if version is in the correct format
+    if ! [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        echo "Error: Version must be in the format X.Y.Z (e.g., 1.2.3)." | tee -a "${LOG_FILE}"
+        exit 1
+    fi
+
+    # Validate if stage is in the correct format
+    STAGE=$(echo "${STAGE}" | tr '[:upper:]' '[:lower:]')
+    if ! [[ "${STAGE}" =~ ^(alpha[0-9]*|beta[0-9]*|rc[0-9]*|stable)$ ]]; then
+        echo "Error: Stage must be one of the following examples: alpha1, beta1, rc1, stable." | tee -a "${LOG_FILE}"
+        exit 1
+    fi
+
+    # Validate if tag is true or false
+    if [[ -n "${TAG}" && ! "${TAG}" =~ ^(true|false)$ ]]; then
+        echo "Error: --tag must be either true or false." | tee -a "${LOG_FILE}"
+        exit 1
+    fi
+
+    # Get old version and stage
+    get_old_version_and_stage
+
+    if [[ "${OLD_VERSION}" == "${VERSION}" && "${OLD_STAGE}" == "${STAGE}" ]]; then
+        echo "Version and stage are already up to date." | tee -a "${LOG_FILE}"
+        echo "No changes needed." | tee -a "${LOG_FILE}"
+        exit 0
+    fi
+    if [[ "${OLD_VERSION}" != "${VERSION}" ]]; then
+        echo "Updating version from ${OLD_VERSION} to ${VERSION}" | tee -a "${LOG_FILE}"
+        update_version_in_files "${VERSION}"
+    fi
+    if [[ "${OLD_STAGE}" != "${STAGE}" ]]; then
+        echo "Updating stage from ${OLD_STAGE} to ${STAGE}" | tee -a "${LOG_FILE}"
+        update_stage_in_files "${STAGE}"
+    fi
+
+    # Update Docker images tag if tag is true
+    if [[ "${TAG}" == "true" ]]; then
+        echo "Updating Docker images tag to ${VERSION}-${STAGE}" | tee -a "${LOG_FILE}"
+        update_docker_images_tag "${VERSION}-${STAGE}"
+    fi
+
+
+    echo "The following files were edited:" | tee -a "${LOG_FILE}"
+    for file in $(printf "%s\n" "${FILES_EDITED[@]}" | sort -u); do
+        echo "${file}" | tee -a "${LOG_FILE}"
+    done
+
+    echo "Version and stage updated successfully." | tee -a "${LOG_FILE}"
+}
+
+# Call the main method with all arguments
+main "$@"

wazuh-agent/config/wazuh-agent-conf

@@ -0,0 +1,194 @@
+<!--
+  Wazuh - Agent - Default configuration for amzn 2023
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>CHANGE_MANAGER_IP</address>
+      <port>CHANGE_MANAGER_PORT</port>
+      <protocol>tcp</protocol>
+    </server>
+    <config-profile>amzn, amzn2023</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+    <enrollment>
+      <enabled>yes</enabled>
+      <manager_address>CHANGE_ENROLL_IP</manager_address>
+      <port>CHANGE_ENROLL_PORT</port>
+      <agent_name>CHANGEE_AGENT_NAME</agent_name>
+      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
+    </enrollment>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+
+    <ignore>/var/lib/containerd</ignore>
+    <ignore>/var/lib/docker/overlay2</ignore>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="yes">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>50</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+</ossec_config>

wazuh-agent/docker-compose.yml

@@ -0,0 +1,9 @@
+# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+services:
+  wazuh.agent:
+    image: wazuh/wazuh-agent:5.0.0
+    restart: always
+    environment:
+      - WAZUH_MANAGER_SERVER=<WAZUH_MANAGER_IP>
+    volumes:
+      - ./config/wazuh-agent-conf:/wazuh-config-mount/etc/ossec.conf