paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-23 16:13:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: paulmataruso:v4.3.2
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0
..
compare: paulmataruso:3.13
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0

11 Commits
v4.3.2 ... 3.13

Author SHA1 Message Date
Alberto Rodríguez
e23971fcbf Merge pull request #722 from wazuh/bump-3-13-6 
Bump 3.13 to 3.13.6
 2022-09-19 13:09:47 +02:00
vcerenu
271ba6d8d1 bump 3.13.6 version 2022-09-16 16:36:45 -03:00
vcerenu
5adeac7e9c bump 3.13.6 version 2022-09-16 13:29:21 -03:00
José Fernández Aguilera
583ee1f43a Merge pull request #713 from wazuh/bump_3_13_5 
Bump 3.13 to 3.13.5
 2022-08-24 09:54:13 +02:00
vcerenu
61df1a6248 bump release 3.13.5 2022-08-22 16:25:20 -03:00
vcerenu
7cf777e9e1 bump release 3.13.5 2022-08-22 15:48:10 -03:00
Alberto Rodríguez
81c56fb6aa Merge pull request #662 from wazuh/bump_3_13_4 
Bump 3.13.4 version
 2022-05-30 19:04:48 +02:00
vcerenu
98d6f63dbc bump 3.13.4 version 2022-05-30 12:56:03 -03:00
Alberto R
723383ab3c Updated Changelog 2021-05-10 11:38:58 +02:00
Alberto R
88029a5a39 Bumped to 7.9.2 2021-05-10 11:05:59 +02:00
Alberto R
c370ac2ca8 Bumped to 3.13.3 2021-05-10 10:29:01 +02:00
86 changed files with 1116 additions and 4790 deletions
Expand all files Collapse all files

115
.github/.goss.yaml vendored
View File

@@ -1,115 +0,0 @@
file:
/etc/filebeat/filebeat.yml:
exists: true
mode: "0644"
owner: root
group: root
filetype: file
contains: []
/var/ossec/bin/wazuh-control:
exists: true
mode: "0750"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/lists/audit-keys:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/ossec.conf:
exists: true
mode: "0660"
owner: root
group: wazuh
filetype: file
contains: []
/var/ossec/etc/rules/local_rules.xml:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/sslmanager.cert:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/sslmanager.key:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
package:
filebeat:
installed: true
versions:
- 7.10.2
wazuh-manager:
installed: true
versions:
- 4.3.2
port:
tcp:1514:
listening: true
ip:
- 0.0.0.0
tcp:1515:
listening: true
ip:
- 0.0.0.0
tcp:55000:
listening: true
ip:
- 0.0.0.0
user:
wazuh:
exists: true
groups:
- wazuh
home: /var/ossec
shell: /sbin/nologin
wazuh:
exists: true
groups:
- wazuh
home: /var/ossec
shell: /sbin/nologin
wazuh:
exists: true
groups:
- wazuh
home: /var/ossec
shell: /sbin/nologin
group:
wazuh:
exists: true
process:
filebeat:
running: true
wazuh-analysisd:
running: true
wazuh-authd:
running: true
wazuh-execd:
running: true
wazuh-monitord:
running: true
wazuh-remoted:
running: true
wazuh-syscheckd:
running: true
s6-supervise:
running: true
wazuh-db:
running: true
wazuh-modulesd:
running: true

31
.github/workflows/push.yml vendored
View File

@@ -1,31 +0,0 @@
name: Wazuh Docker pipeline
on: [push]
jobs:
build-stack:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v2
- name: Build the docker-compose stack
run: docker-compose -f build-wazuh-images.yml up -d --build
- name: Check running containers
run: docker ps -a
- name: Shutdown the stack
run: docker-compose -f build-wazuh-images.yml kill
- name: Install Goss
uses: e1himself/goss-installation-action@v1.0.3
with:
version: v0.3.16
- name: Execute Goss tests (wazuh-odfe)
run: dgoss run wazuh/wazuh-manager:4.3.2
env:
GOSS_SLEEP: 30
GOSS_FILE: .github/.goss.yaml

4
.gitignore vendored
View File

@@ -1,4 +0,0 @@
single-node/config/wazuh_indexer_ssl_certs/*.pem
single-node/config/wazuh_indexer_ssl_certs/*.key
multi-node/config/wazuh_indexer_ssl_certs/*.pem
multi-node/config/wazuh_indexer_ssl_certs/*.key

128
CHANGELOG.md
View File

@@ -1,141 +1,29 @@
# Change Log
All notable changes to this project will be documented in this file.
## Wazuh Docker v4.3.2
### Added
- Update Wazuh to version [4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432)
## Wazuh Docker v4.3.1
### Added
- Update Wazuh to version [4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431)
## Wazuh Docker v4.3.0
### Added
- Update Wazuh to version [4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430)
## Wazuh Docker v4.2.7
### Added
- Update Wazuh to version [4.2.7](https://github.com/wazuh/wazuh/blob/v4.2.7/CHANGELOG.md#v427)
## Wazuh Docker v4.2.6
### Added
- Update Wazuh to version [4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426)
## Wazuh Docker v4.2.5
### Added
- Update Wazuh to version [4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425)
## Wazuh Docker v4.2.4
### Added
- Update Wazuh to version [4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424)
## Wazuh Docker v4.2.3
### Added
- Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
## Wazuh Docker v4.2.2
### Added
- Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
## Wazuh Docker v4.2.1
### Added
- Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
## Wazuh Docker v4.2.0
### Added
- Update Wazuh to version [4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
## Wazuh Docker v4.1.5
### Added
- Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
- Update ODFE compatibility to version 1.13.2
## Wazuh Docker v4.1.4
### Added
- Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
## Wazuh Docker v4.1.3
### Added
- Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
## Wazuh Docker v4.1.2
### Added
- Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
## Wazuh Docker v4.1.1
### Added
- Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
## Wazuh Docker v4.1.0
### Added
- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
- Update ODFE compatibility to version 1.12.0
- Add support for Elasticsearch (xpack) images once again (7.10.2) ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
- Re-enable entrypoint scripts ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
- Update s6-overlay to latest version
## Wazuh Docker v4.0.4_1.11.0
## Wazuh Docker v3.13.6_7.9.2
### Added
- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
- Update to Wazuh version 3.13.6_7.9.2
## Wazuh Docker v4.0.3_1.11.0
## Wazuh Docker v3.13.5_7.9.2
### Added
- Update to Wazuh version 4.0.3
- Update to Wazuh version 3.13.5_7.9.2
## Wazuh Docker v4.0.2_1.11.0
## Wazuh Docker v3.13.4_7.9.2
### Added
- Update to Wazuh version 4.0.2
- Update to Wazuh version 3.13.4_7.9.2
## Wazuh Docker v4.0.1_1.11.0
## Wazuh Docker v3.13.3_7.9.2
### Added
- Update to Wazuh version 4.0.1
- Opendistro 1.11.0 compatiblity
- Re-enabled dumping ossec.log to stdout
## Wazuh Docker v4.0.0_1.10.1
### Added
- Update to Wazuh version 4.0.0
- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393)
- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
### Changed
- Removal of Elastic images
- Update to Wazuh version 3.13.3_7.9.2
## Wazuh Docker v3.13.2_7.9.1

2
LICENSE
View File

@@ -1,5 +1,5 @@
Portions Copyright (C) 2017, Wazuh Inc.
Portions Copyright (C) 2020 Wazuh, Inc.
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
This program is a free software; you can redistribute it and/or modify

231
README.md
View File

@@ -7,14 +7,14 @@
In this repository you will find the containers to run:
* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
* Wazuh dashboard: provides a web user interface to browse through alerts data and allows you to visualize agents configuration and status.
* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexer, and one Wazuh dashboard.
In addition, a docker-compose file is provided to launch the containers mentioned above.
* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
## Documentation
@@ -22,199 +22,42 @@ The folder `multi-node` contains a README explaining how to run a Wazuh environm
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker hub](https://hub.docker.com/u/wazuh)
### Setup SSL certificate
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
Documentation on how to provide these two can be found at [Wazuh Docker Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
## Environment Variables
Default values are included when available.
### Wazuh
```
API_USERNAME="wazuh" # Wazuh API username
API_PASSWORD="wazuh" # Wazuh API password - Must comply with requirements
# (8+ length, uppercase, lowercase, specials chars)
INDEXER_URL=https://wazuh.indexer:9200 # Wazuh indexer URL
INDEXER_USERNAME=admin # Wazuh indexer Username
INDEXER_PASSWORD=admin # Wazuh indexer Password
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA
SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate
SSL_KEY="" # Path of Filebeat SSL Key
```
### Dashboard
```
PATTERN="wazuh-alerts-*" # Default index pattern to use
CHECKS_PATTERN=true # Defines which checks must to be consider by the healthcheck
CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must to be true or false
CHECKS_API=true
CHECKS_SETUP=true
EXTENSIONS_PCI=true # Enable PCI Extension
EXTENSIONS_GDPR=true # Enable GDPR Extension
EXTENSIONS_HIPAA=true # Enable HIPAA Extension
EXTENSIONS_NIST=true # Enable NIST Extension
EXTENSIONS_TSC=true # Enable TSC Extension
EXTENSIONS_AUDIT=true # Enable Audit Extension
EXTENSIONS_OSCAP=false # Enable OpenSCAP Extension
EXTENSIONS_CISCAT=false # Enable CISCAT Extension
EXTENSIONS_AWS=false # Enable AWS Extension
EXTENSIONS_GCP=false # Enable GCP Extension
EXTENSIONS_VIRUSTOTAL=false # Enable Virustotal Extension
EXTENSIONS_OSQUERY=false # Enable OSQuery Extension
EXTENSIONS_DOCKER=false # Enable Docker Extension
APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests
API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
IP_IGNORE="[]" # List of index patterns to be ignored
WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices
WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task
WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas
WAZUH_MONITORING_REPLICAS=0 #
```
## Directory structure
├── build-docker-images
│   ├── docker-compose.yml
│   ├── wazuh-dashboard
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ── entrypoint.sh
│   │   │   ├── opensearch_dashboards.yml
│   │   │   ├── wazuh_app_config.sh
│   │   │   └── wazuh.yml
│   │   └── Dockerfile
│   ── wazuh-indexer
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── entrypoint.sh
│   │   │   ├── internal_users.yml
│   │   │   ├── opensearch.yml
│   │   │   ├── roles_mapping.yml
│   │   │   ├── roles.yml
│   │   │   └── securityadmin.sh
│   │   └── Dockerfile
│   ── wazuh-manager
│   ├── config
│   │   ├── create_user.py
│   │   ├── etc
│   │   │   ├── cont-init.d
│   │   │   │   ├── 0-wazuh-init
│   │   │   │   ├── 1-config-filebeat
│   │   │   │   └── 2-manager
│   │   │   └── services.d
│   │   │   ├── filebeat
│   │   │   │   ├── finish
│   │   │   │   └── run
│   │   │   └── ossec-logs
│   │   │   └── run
│   │   ├── filebeat.yml
│   │   ├── permanent_data.env
│   │   ├── permanent_data.sh
│   │   └── wazuh.repo
│   └── Dockerfile
├── CHANGELOG.md
├── indexer-certs-creator
│   ├── config
│   │   └── entrypoint.sh
│   └── Dockerfile
├── LICENSE
├── multi-node
│   ├── config
│   │   ├── nginx
│   │   │   └── nginx.conf
│   │   ├── wazuh_cluster
│   │   │   ├── wazuh_manager.conf
│   │   │   └── wazuh_worker.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   ├── wazuh_indexer
│   │   │   ├── internal_users.yml
│   │   │   ├── wazuh1.indexer.yml
│   │   │   ├── wazuh2.indexer.yml
│   │   │   └── wazuh3.indexer.yml
│   │   └── wazuh_indexer_ssl_certs
│   │   └── certs.yml
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   ├── Migration-to-Wazuh-4.3.md
│   └── volume-migrator.sh
├── README.md
├── single-node
│   ├── config
│   │   ├── wazuh_cluster
│   │   │   └── wazuh_manager.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   ├── wazuh_indexer
│   │   │   ├── internal_users.yml
│   │   │   └── wazuh.indexer.yml
│   │   └── wazuh_indexer_ssl_certs
│   │   ├── admin-key.pem
│   │   ├── admin.pem
│   │   ├── certs.yml
│   │   ├── root-ca.key
│   │   ├── root-ca.pem
│   │   ├── wazuh.dashboard-key.pem
│   │   ├── wazuh.dashboard.pem
│   │   ├── wazuh.indexer-key.pem
│   │   ├── wazuh.indexer.pem
│   │   ├── wazuh.manager-key.pem
│   │   └── wazuh.manager.pem
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   └── README.md
└── VERSION
wazuh-docker
├── docker-compose.yml
├── kibana
│   ├── config
│   │   ├── entrypoint.sh
│   │   └── kibana.yml
│   ── Dockerfile
├── LICENSE
├── nginx
│   ├── config
│   │   └── entrypoint.sh
│   ── Dockerfile
├── README.md
├── CHANGELOG.md
├── VERSION
├── test.txt
└── wazuh
├── config
│   ├── data_dirs.env
│   ├── entrypoint.sh
│   ├── filebeat.runit.service
│   ├── filebeat.yml
│   ── init.bash
│   ├── postfix.runit.service
│   ├── wazuh-api.runit.service
│   └── wazuh.runit.service
└── Dockerfile
## Branches
* `stable` branch on correspond to the latest Wazuh-Docker stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
* `stable` branch on correspond to the last Wazuh stable version.
## Compatibility Matrix
| Wazuh version | ODFE | XPACK |
|---------------|---------|--------|
| v4.3.2 | | |
| v4.3.1 | | |
| v4.3.0 | | |
| v4.2.7 | 1.13.2 | 7.11.2 |
| v4.2.6 | 1.13.2 | 7.11.2 |
| v4.2.5 | 1.13.2 | 7.11.2 |
| v4.2.4 | 1.13.2 | 7.11.2 |
| v4.2.3 | 1.13.2 | 7.11.2 |
| v4.2.2 | 1.13.2 | 7.11.2 |
| v4.2.1 | 1.13.2 | 7.11.2 |
| v4.2.0 | 1.13.2 | 7.10.2 |
| v4.1.5 | 1.13.2 | 7.10.2 |
| v4.1.4 | 1.12.0 | 7.10.2 |
| v4.1.3 | 1.12.0 | 7.10.2 |
| v4.1.2 | 1.12.0 | 7.10.2 |
| v4.1.1 | 1.12.0 | 7.10.2 |
| v4.1.0 | 1.12.0 | 7.10.2 |
| v4.0.4 | 1.11.0 | |
| v4.0.3 | 1.11.0 | |
| v4.0.2 | 1.11.0 | |
| v4.0.1 | 1.11.0 | |
| v4.0.0 | 1.10.1 | |
* `Wazuh.Version_ElasticStack.Version` (for example 3.13.1_7.8.0) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Credits and Thank you
@@ -227,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
## Web references

4
VERSION
View File

@@ -1,2 +1,2 @@
WAZUH-DOCKER_VERSION="4.3.2"
REVISION="40312"
WAZUH-DOCKER_VERSION="3.13.6_7.9.2"
REVISION="31314"

7
build-docker-images/README.md
View File

@@ -1,7 +0,0 @@
# Wazuh Docker Image Builder
This stack allows you to build the Wazuh manager, indexer, and dashboard images locally by running the command:
```
$ docker-compose build
```

79
build-docker-images/docker-compose.yml
View File

@@ -1,79 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
build: wazuh-manager/
image: wazuh/wazuh-manager:4.3.2
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh.indexer:
build: wazuh-indexer/
image: wazuh/wazuh-indexer:4.3.2
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
wazuh.dashboard:
build: wazuh-dashboard/
image: wazuh/wazuh-dashboard:4.3.2
hostname: wazuh.dashboard
restart: always
ports:
- 443:443
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- SERVER_SSL_ENABLED=false
- WAZUH_API_URL=https://wazuh.manager
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:

109
build-docker-images/wazuh-dashboard/Dockerfile
View File

@@ -1,109 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal AS builder
ARG WAZUH_VERSION=4.3.2
ARG INSTALL_DIR=/usr/share/wazuh-dashboard
# Update and install dependencies
RUN apt-get update && apt install curl libcap2-bin xz-utils -y
# Create Install dir
RUN mkdir -p $INSTALL_DIR
# Download and extract Wazuh dashboard base
RUN curl -o wazuh-dashboard-base.tar.xz https://packages.wazuh.com/stack/dashboard/base/wazuh-dashboard-base-${WAZUH_VERSION}-linux-x64.tar.xz && \
tar -xf wazuh-dashboard-base.tar.xz --directory $INSTALL_DIR --strip-components=1
# Generate certificates
COPY config/config.sh .
COPY config/config.yml /
RUN bash config.sh
# Install Wazuh App
RUN $INSTALL_DIR/bin/opensearch-dashboards-plugin install https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}.zip --allow-root
# Copy and set permissions to config files
COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/
COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
RUN chown 101:101 $INSTALL_DIR/config/opensearch_dashboards.yml && chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
# Create and set permissions to data directories
RUN mkdir -p $INSTALL_DIR/data/wazuh && chown -R 101:101 $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chown -R 101:101 $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
################################################################################
# Build stage 1 (the current Wazuh dashboard image):
#
# Copy wazuh-dashboard from stage 0
# Add entrypoint
# Add wazuh_app_config
################################################################################
FROM ubuntu:focal
# Set environment variables
ENV USER="wazuh-dashboard" \
GROUP="wazuh-dashboard" \
NAME="wazuh-dashboard" \
INSTALL_DIR="/usr/share/wazuh-dashboard"
# Set Wazuh app variables
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_HIPAA="" \
EXTENSIONS_NIST="" \
EXTENSIONS_TSC="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_GCP="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
EXTENSIONS_DOCKER="" \
APP_TIMEOUT="" \
API_SELECTOR="" \
IP_SELECTOR="" \
IP_IGNORE="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS=""
# Install dependencies
RUN apt update && apt install -y libnss3-dev fonts-liberation libfontconfig1
# Create wazuh-dashboard user and group
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
# Copy and set permissions to scripts
COPY config/entrypoint.sh /
COPY config/wazuh_app_config.sh /
RUN chmod 700 /entrypoint.sh
RUN chmod 700 /wazuh_app_config.sh
RUN chown 1000:1000 /*.sh
# Copy Install dir from builder to current image
COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
# Set workdir and user
WORKDIR $INSTALL_DIR
USER wazuh-dashboard
# Services ports
EXPOSE 443
ENTRYPOINT [ "/entrypoint.sh" ]

42
build-docker-images/wazuh-dashboard/config/config.sh
View File

@@ -1,42 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-dashboard
export TARGET_DIR=${CURDIR}/debian/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}/config
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.3/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# Create certs directory
mkdir -p ${CONFIG_DIR}/certs
# Copy Wazuh dashboard certs to install config dir
cp /wazuh-certificates/demo.dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
cp /wazuh-certificates/demo.dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
cp /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
chmod -R 500 ${CONFIG_DIR}/certs
chmod -R 400 ${CONFIG_DIR}/certs/*

5
build-docker-images/wazuh-dashboard/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh dashboard server nodes
dashboard:
- name: demo.dashboard
ip: demo.dashboard

20
build-docker-images/wazuh-dashboard/config/entrypoint.sh
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
INSTALL_DIR=/usr/share/wazuh-dashboard
DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}"
DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}"
# Create and configure Wazuh dashboard keystore
$INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
##############################################################################
# Start Wazuh dashboard
##############################################################################
/wazuh_app_config.sh
/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml

13
build-docker-images/wazuh-dashboard/config/opensearch_dashboards.yml
View File

@@ -1,13 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/config/certs/dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/config/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/config/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

155
build-docker-images/wazuh-dashboard/config/wazuh.yml
View File

@@ -1,155 +0,0 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2017, Wazuh Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#checks.metaFields: true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.tsc : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.gcp : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# -------------------------------- API selector --------------------------------
#
# Defines if the user is allowed to change the selected
# API directly from the Wazuh app top menu.
# Default: true
#api.selector: true
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-*
#
# --------------------------------- wazuh-cron ----------------------------------
#
# Customize the index prefix of predefined jobs
# This change is not retroactive, if you change it new indexes will be created
# cron.prefix: test
#
# ------------------------------ wazuh-statistics -------------------------------
#
# Custom setting to enable/disable statistics tasks.
#cron.statistics.status: true
#
# Enter the ID of the APIs you want to save data from, leave this empty to run
# the task on all configured APIs
#cron.statistics.apis: []
#
# Define the frequency of task execution using cron schedule expressions
#cron.statistics.interval: 0 0 * * * *
#
# Define the name of the index in which the documents are to be saved.
#cron.statistics.index.name: statistics
#
# Define the interval in which the index will be created
#cron.statistics.index.creation: w
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ---------------------------- Hide manager alerts ------------------------------
# Hide the alerts of the manager in all dashboards and discover
#hideManagerAlerts: false
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
# -------------------------------- Enrollment DNS -------------------------------
# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
# Default value: ''
#enrollment.dns: ''
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# username: <username>
# password: <password>

75
build-docker-images/wazuh-indexer/Dockerfile
View File

@@ -1,75 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal AS builder
RUN apt-get update -y && apt-get install curl openssl xz-utils -y
COPY config/opensearch.yml /
COPY config/config.sh .
COPY config/config.yml /
COPY config/internal_users.yml /
COPY config/roles_mapping.yml /
COPY config/roles.yml /
RUN bash config.sh
################################################################################
# Build stage 1 (the actual Wazuh indexer image):
#
# Copy wazuh-indexer from stage 0
# Add entrypoint
################################################################################
FROM ubuntu:focal
ENV USER="wazuh-indexer" \
GROUP="wazuh-indexer" \
NAME="wazuh-indexer" \
INSTALL_DIR="/usr/share/wazuh-indexer"
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
WORKDIR $INSTALL_DIR
COPY config/entrypoint.sh /
COPY config/securityadmin.sh /
RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
RUN chown 1000:1000 /*.sh
COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
chmod 700 /usr/share/wazuh-indexer/config && \
chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \
chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml
USER wazuh-indexer
# Services ports
EXPOSE 9200
ENTRYPOINT ["/entrypoint.sh"]
# Dummy overridable parameter parsed by entrypoint
CMD ["opensearchwrapper"]

110
build-docker-images/wazuh-indexer/config/config.sh
View File

@@ -1,110 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-indexer
export TARGET_DIR=${CURDIR}/debian/${NAME}
# Package build options
export USER=${NAME}
export GROUP=${NAME}
export VERSION=4.3.2
export LOG_DIR=/var/log/${NAME}
export LIB_DIR=/var/lib/${NAME}
export PID_DIR=/run/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}/config
export BASE_DIR=${NAME}-*
export INDEXER_FILE=wazuh-indexer-base.tar.xz
export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
export REPO_DIR=/unattended_installer
rm -rf ${INSTALLATION_DIR}/
curl -o ${INDEXER_FILE} https://packages.wazuh.com/stack/indexer/base/${BASE_FILE}
tar -xf ${INDEXER_FILE}
## TOOLS
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.3/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
## Check if the password tool exists in S3 buckets
PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If password tool exists in some bucket, download it, if not exit 1
if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL
echo "Password tool exists in Packages bucket"
elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL
echo "Password tool exists in Packages-dev bucket"
else
echo "Password tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# copy to target
mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
mkdir -p ${TARGET_DIR}${CONFIG_DIR}
mkdir -p ${TARGET_DIR}${LIB_DIR}
mkdir -p ${TARGET_DIR}${LOG_DIR}
mkdir -p ${TARGET_DIR}/etc/init.d
mkdir -p ${TARGET_DIR}/etc/default
mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs
# Move configuration files for wazuh-indexer
mv -f ${BASE_DIR}/etc/init.d/${NAME} ${TARGET_DIR}/etc/init.d/${NAME}
mv -f ${BASE_DIR}/etc/wazuh-indexer/* ${TARGET_DIR}${CONFIG_DIR}
mv -f ${BASE_DIR}/etc/sysconfig/${NAME} ${TARGET_DIR}/etc/default/
mv -f ${BASE_DIR}/usr/lib/tmpfiles.d/* ${TARGET_DIR}/usr/lib/tmpfiles.d/
mv -f ${BASE_DIR}/usr/lib/sysctl.d/* ${TARGET_DIR}/usr/lib/sysctl.d/
mv -f ${BASE_DIR}/usr/lib/systemd/system/* ${TARGET_DIR}/usr/lib/systemd/system/
rm -rf ${BASE_DIR}/etc
rm -rf ${BASE_DIR}/usr
# Copy installation files to final location
cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INSTALLATION_DIR}
# Copy the security tools
cp /$CERT_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
# Copy Wazuh's config files for the security plugin
cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/securityconfig/
cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
# Copy Wazuh indexer's certificates
cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem
cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem
cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key
cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem
cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem
cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem
chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*

5
build-docker-images/wazuh-indexer/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: demo.indexer
ip: demo.indexer

93
build-docker-images/wazuh-indexer/config/entrypoint.sh
View File

@@ -1,93 +0,0 @@
#!/usr/bin/env bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
umask 0002
export USER=wazuh-indexer
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
export JAVA_HOME=${INSTALLATION_DIR}/jdk
export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000:0 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
# Allow user specify custom CMD, maybe bin/opensearch itself
# for example to directly specify `-E` style parameters for opensearch on k8s
# or simply to run /bin/bash to check the image
if [[ "$1" != "opensearchwrapper" ]]; then
if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
# Rewrite CMD args to replace $1 with `opensearch` explicitly,
# Without this, user could specify `opensearch -E x.y=z` but
# `bin/opensearch -E x.y=z` would not work.
set -- "opensearch" "${@:2}"
# Use chroot to switch to UID 1000 / GID 0
exec chroot --userspec=1000:0 / "$@"
else
# User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
exec "$@"
fi
fi
# Allow environment variables to be set by creating a file with the
# contents, and setting an environment variable with the suffix _FILE to
# point to it. This can be used to provide secrets to a container, without
# the values being specified explicitly when running the container.
#
# This is also sourced in opensearch-env, and is only needed here
# as well because we use INDEXER_PASSWORD below. Sourcing this script
# is idempotent.
source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
if [[ -f bin/opensearch-users ]]; then
# Check for the INDEXER_PASSWORD environment variable to set the
# bootstrap password for Security.
#
# This is only required for the first node in a cluster with Security
# enabled, but we have no way of knowing which node we are yet. We'll just
# honor the variable if it's present.
if [[ -n "$INDEXER_PASSWORD" ]]; then
[[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
# keystore is unencrypted
if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
(run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
fi
else
# keystore requires password
if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
| opensearch-keystore list | grep -q '^bootstrap.password$') ; then
COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
(run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
fi
fi
fi
fi
if [[ "$(id -u)" == "0" ]]; then
# If requested and running as root, mutate the ownership of bind-mounts
if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
fi
fi
if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then
# run securityadmin.sh for single node with CACERT, CERT and KEY parameter
nohup /securityadmin.sh &
touch "/var/lib/wazuh-indexer/.flag"
fi
run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

74
build-docker-images/wazuh-indexer/config/internal_users.yml
View File

@@ -1,74 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"
wazuh_admin:
hash: "$2y$12$d2awHiOYvZjI88VfsDON.u6buoBol0gYPJEgdG1ArKVE0OMxViFfu"
reserved: true
hidden: false
backend_roles: []
attributes: {}
opendistro_security_roles: []
static: false
wazuh_user:
hash: "$2y$12$BQixeoQdRubZdVf/7sq1suHwiVRnSst1.lPI2M0.GPZms4bq2D9vO"
reserved: true
hidden: false
backend_roles: []
attributes: {}
opendistro_security_roles: []
static: false

26
build-docker-images/wazuh-indexer/config/opensearch.yml
View File

@@ -1,26 +0,0 @@
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

163
build-docker-images/wazuh-indexer/config/roles.yml
View File

@@ -1,163 +0,0 @@
_meta:
type: "roles"
config_version: 2
# Restrict users so they can only view visualization and dashboards on kibana
kibana_read_only:
reserved: true
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
# Allows users to view monitors, destinations and alerts
alerting_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/get'
- 'cluster:admin/opendistro/alerting/destination/get'
- 'cluster:admin/opendistro/alerting/monitor/get'
- 'cluster:admin/opendistro/alerting/monitor/search'
# Allows users to view and acknowledge alerts
alerting_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/*'
# Allows users to use all alerting functionality
alerting_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/alerting/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/ad/detector/info'
- 'cluster:admin/opendistro/ad/detector/search'
- 'cluster:admin/opendistro/ad/detectors/get'
- 'cluster:admin/opendistro/ad/result/search'
- 'cluster:admin/opendistro/ad/tasks/search'
# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/ad/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allows users to read Notebooks
notebooks_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/list'
- 'cluster:admin/opendistro/notebooks/get'
# Allows users to all Notebooks functionality
notebooks_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/create'
- 'cluster:admin/opendistro/notebooks/update'
- 'cluster:admin/opendistro/notebooks/delete'
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
# Allows users to read and download Reports
reports_instances_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to read and download Reports and Report-definitions
reports_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to all Reports functionality
reports_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/create'
- 'cluster:admin/opendistro/reports/definition/update'
- 'cluster:admin/opendistro/reports/definition/on_demand'
- 'cluster:admin/opendistro/reports/definition/delete'
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:data/read/search*'
# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/get'
wazuh_ui_user:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "wazuh-*"
dls: ""
fls: []
masked_fields: []
allowed_actions:
- "read"
tenant_permissions: []
static: false
wazuh_ui_admin:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "wazuh-*"
dls: ""
fls: []
masked_fields: []
allowed_actions:
- "read"
- "delete"
- "manage"
- "index"
tenant_permissions: []
static: false

71
build-docker-images/wazuh-indexer/config/roles_mapping.yml
View File

@@ -1,71 +0,0 @@
---
# In this file users, backendroles and hosts can be mapped to Wazuh indexer Security roles.
# Permissions for Wazuh indexer roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
# Define your roles mapping here
## Demo roles mapping
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
own_index:
reserved: false
users:
- "*"
description: "Allow full access to an index named like the username"
logstash:
reserved: false
backend_roles:
- "logstash"
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
users:
- "wazuh_user"
- "wazuh_admin"
description: "Maps kibanauser to kibana_user"
readall:
reserved: false
backend_roles:
- "readall"
manage_snapshots:
reserved: false
backend_roles:
- "snapshotrestore"
kibana_server:
reserved: true
users:
- "kibanaserver"
wazuh_ui_admin:
reserved: true
hidden: false
backend_roles: []
hosts: []
users:
- "wazuh_admin"
- "kibanaserver"
and_backend_roles: []
wazuh_ui_user:
reserved: true
hidden: false
backend_roles: []
hosts: []
users:
- "wazuh_user"
and_backend_roles: []

3
build-docker-images/wazuh-indexer/config/securityadmin.sh
View File

@@ -1,3 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
sleep 30
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl

51
build-docker-images/wazuh-manager/Dockerfile
View File

@@ -1,51 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal
ARG WAZUH_VERSION=4.3.2
ARG TEMPLATE_VERSION=4.3
ARG FILEBEAT_CHANNEL=filebeat-oss
ARG FILEBEAT_VERSION=7.10.2
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz"
RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y
RUN apt-key adv --fetch-keys https://packages.wazuh.com/key/GPG-KEY-WAZUH && \
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list && \
apt-get update && \
apt-get install wazuh-manager=${WAZUH_VERSION}-1
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
ARG S6_VERSION="v2.2.0.3"
RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
rm /tmp/s6-overlay-amd64.tar.gz
COPY config/etc/ /etc/
COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
COPY config/permanent_data.env config/permanent_data.sh /
RUN chmod 755 /permanent_data.sh && \
sync && /permanent_data.sh && \
sync && rm /permanent_data.sh
# Services ports
EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
ENTRYPOINT [ "/init" ]

102
build-docker-images/wazuh-manager/config/create_user.py
View File

@@ -1,102 +0,0 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.rbac.orm import create_rbac_db
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except Exception as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
# create RBAC database
create_rbac_db()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
for def_user in ['wazuh', 'wazuh-wui']:
if def_user != username:
disable_user(initial_users[def_user])

224
build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init
View File

@@ -1,224 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
WAZUH_INSTALL_PATH=/var/ossec
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
##############################################################################
# Aux functions
##############################################################################
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
exec_cmd_stdout() {
eval $1 2>&1 || error_and_exit "$1"
}
##############################################################################
# This function will attempt to mount every directory in PERMANENT_DATA
# into the respective path.
# If the path is empty means permanent data volume is also empty, so a backup
# will be copied into it. Otherwise it will not be copied because there is
# already data inside the volume for the specified path.
##############################################################################
mount_permanent_data() {
for permanent_dir in "${PERMANENT_DATA[@]}"; do
data_tmp="${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/"
print ${data_tmp}
# Check if the path is not empty
if find ${permanent_dir} -mindepth 1 | read; then
print "The path ${permanent_dir} is already mounted"
else
if find ${data_tmp} -mindepth 1 | read; then
print "Installing ${permanent_dir}"
exec_cmd "cp -a ${data_tmp}. ${permanent_dir}"
else
print "The path ${permanent_dir} is empty, skiped"
fi
fi
done
}
##############################################################################
# This function will replace from the permanent data volume every file
# contained in PERMANENT_DATA_EXCP
# Some files as 'internal_options.conf' are saved as permanent data, but
# they must be updated to work properly if wazuh version is changed.
##############################################################################
apply_exclusion_data() {
for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
if [ -e ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ]
then
DIR=$(dirname "${exclusion_file}")
if [ ! -e ${DIR} ]
then
mkdir -p ${DIR}
fi
print "Updating ${exclusion_file}"
exec_cmd "cp -p ${WAZUH_INSTALL_PATH}/data_tmp/exclusion/${exclusion_file} ${exclusion_file}"
fi
done
}
##############################################################################
# This function will rename in the permanent data volume every file
# contained in PERMANENT_DATA_MOVE
##############################################################################
move_data_files() {
for mov_file in "${PERMANENT_DATA_MOVE[@]}"; do
file_split=( $mov_file )
if [ -e ${file_split[0]} ]
then
print "moving ${mov_file}"
exec_cmd "mv -f ${mov_file}"
fi
done
}
##############################################################################
# This function will delete from the permanent data volume every file
# contained in PERMANENT_DATA_DEL
##############################################################################
remove_data_files() {
for del_file in "${PERMANENT_DATA_DEL[@]}"; do
if [ -e ${del_file} ]
then
print "Removing ${del_file}"
exec_cmd "rm -f ${del_file}"
fi
done
}
##############################################################################
# Create certificates: Manager
##############################################################################
create_ossec_key_cert() {
print "Creating wazuh-authd key and cert"
exec_cmd "openssl genrsa -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.key 4096"
exec_cmd "openssl req -new -x509 -key ${WAZUH_INSTALL_PATH}/etc/sslmanager.key -out ${WAZUH_INSTALL_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
}
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $WAZUH_INSTALL_PATH and respect
# destination files permissions
#
# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
# replace the ossec.conf file in /var/ossec/data/etc with yours.
##############################################################################
mount_files() {
if [ -e "$WAZUH_CONFIG_MOUNT" ]
then
print "Identified Wazuh configuration files to mount..."
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $WAZUH_INSTALL_PATH"
else
print "No Wazuh configuration files to mount..."
fi
}
##############################################################################
# Allow users to set the container hostname as <node_name> dynamically on
# container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
##############################################################################
set_custom_hostname() {
sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
}
##############################################################################
# Allow users to set the container cluster key dynamically on
# container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
##############################################################################
set_custom_cluster_key() {
sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
}
##############################################################################
# Modify /var/ossec/queue/rids directory owner on
# container start.
##############################################################################
set_rids_owner() {
chown -R wazuh:wazuh /var/ossec/queue/rids
}
##############################################################################
# Main function
##############################################################################
main() {
# Mount permanent data (i.e. ossec.conf)
mount_permanent_data
# Restore files stored in permanent data that are not permanent (i.e. internal_options.conf)
apply_exclusion_data
# Rename files stored in permanent data (i.e. queue/ossec)
move_data_files
# Remove some files in permanent_data (i.e. .template.db)
remove_data_files
# Generate wazuh-authd certs if AUTO_ENROLLMENT_ENABLED is true and does not exist
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${WAZUH_INSTALL_PATH}/etc/sslmanager.key ]
then
create_ossec_key_cert
fi
fi
# Mount selected files (WAZUH_CONFIG_MOUNT) to container
mount_files
# Allow setting custom hostname
set_custom_hostname
# Allow setting custom cluster key
set_custom_cluster_key
# Delete temporary data folder
rm -rf ${WAZUH_INSTALL_PATH}/data_tmp
# Set rids directory owner
set_rids_owner
}
main

45
build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat
View File

@@ -1,45 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
if [ "$INDEXER_URL" != "" ]; then
>&2 echo "Customize Elasticsearch ouput IP"
sed -i "s|hosts:.*|hosts: ['$INDEXER_URL']|g" /etc/filebeat/filebeat.yml
fi
# Configure filebeat.yml security settings
if [ "$INDEXER_USERNAME" != "" ]; then
>&2 echo "Configuring username."
sed -i "s|#username:.*|username: '$INDEXER_USERNAME'|g" /etc/filebeat/filebeat.yml
fi
if [ "$INDEXER_PASSWORD" != "" ]; then
>&2 echo "Configuring password."
sed -i "s|#password:.*|password: '$INDEXER_PASSWORD'|g" /etc/filebeat/filebeat.yml
fi
if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
>&2 echo "Configuring SSL verification mode."
sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode: $FILEBEAT_SSL_VERIFICATION_MODE|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
>&2 echo "Configuring Certificate Authorities."
sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE" != "" ]; then
>&2 echo "Configuring SSL Certificate."
sed -i "s|#ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_KEY" != "" ]; then
>&2 echo "Configuring SSL Key."
sed -i "s|#ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
fi
chmod go-w /etc/filebeat/filebeat.yml || true
chown root: /etc/filebeat/filebeat.yml || true

126
build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager
View File

@@ -1,126 +0,0 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function echored()
{
echo $(__colortext "$1" "31")
}
function_wazuh_migration(){
if [ -d "/wazuh-migration" ]; then
if [ ! -e /wazuh-migration/.migration-completed ]; then
if [ ! -e /wazuh-migration/global.db ]; then
echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
return
fi
\cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
chown root:wazuh /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
\cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
chown wazuh:wazuh /var/ossec/etc/client.keys
chmod 640 /var/ossec/etc/client.keys
\cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
\cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
\cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
chown wazuh:wazuh /var/ossec/etc/shared/default/agent.conf
chmod 660 /var/ossec/etc/shared/default/agent.conf
\cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
chown wazuh:wazuh /var/ossec/etc/decoders/*
chmod 660 /var/ossec/etc/decoders/*
\cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:wazuh /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown wazuh:wazuh /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db
# mark volume as migrated
touch /wazuh-migration/.migration-completed
echogreen "Migration completed succesfully"
else
echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
fi
fi
}
function_create_custom_user() {
if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
cat << EOF > /var/ossec/api/configuration/admin.json
{
"username": "$API_USERNAME",
"password": "$API_PASSWORD"
}
EOF
# create or customize API user
if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then
# remove json if exit code is 0
rm /var/ossec/api/configuration/admin.json
else
echored "There was an error configuring the API user"
# terminate container to avoid unpredictable behavior
exec s6-svscanctl -t /var/run/s6/services
exit 1
fi
fi
}
function_entrypoint_scripts() {
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
if [ -d "/entrypoint-scripts/" ]
then
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
fi
}
# Migrate data from /wazuh-migration volume
function_wazuh_migration
# create API custom user
function_create_custom_user
# run entrypoint scripts
function_entrypoint_scripts
# Start Wazuh
/var/ossec/bin/wazuh-control start

6
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/finish
View File

@@ -1,6 +0,0 @@
#!/usr/bin/env sh
echo >&2 "Filebeat exited. code=${1}"
# terminate other services to exit from the container
exec s6-svscanctl -t /var/run/s6/services

4
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
echo >&2 "starting Filebeat"
exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

4
build-docker-images/wazuh-manager/config/etc/services.d/ossec-logs/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
# dumping ossec.log to standard output
exec tail -F /var/ossec/logs/ossec.log

72
build-docker-images/wazuh-manager/config/permanent_data.env
View File

@@ -1,72 +0,0 @@
# Permanent data mounted in volumes
i=0
PERMANENT_DATA[((i++))]="/var/ossec/api/configuration"
PERMANENT_DATA[((i++))]="/var/ossec/etc"
PERMANENT_DATA[((i++))]="/var/ossec/logs"
PERMANENT_DATA[((i++))]="/var/ossec/queue"
PERMANENT_DATA[((i++))]="/var/ossec/agentless"
PERMANENT_DATA[((i++))]="/var/ossec/var/multigroups"
PERMANENT_DATA[((i++))]="/var/ossec/integrations"
PERMANENT_DATA[((i++))]="/var/ossec/active-response/bin"
PERMANENT_DATA[((i++))]="/var/ossec/wodles"
PERMANENT_DATA[((i++))]="/etc/filebeat"
export PERMANENT_DATA
# Files mounted in a volume that should not be permanent
i=0
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/etc/internal_options.conf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/pagerduty"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/slack.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/integrations/virustotal.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/default-firewall-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/disable-account"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewalld-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/firewall-drop"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/host-deny"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ip-customblock"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/ipfw"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/kaspersky"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/npf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/wazuh-slack"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/pf"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart-wazuh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/restart.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/active-response/bin/route-null"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/sshlogin.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_pixconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_asa-fwsmconfig_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_bsd"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/main.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/su.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_integrity_check_linux"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/register_host.sh"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_generic_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_foundry_diff"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh_nopass.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/agentless/ssh.exp"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/utils.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/aws/aws-s3.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/azure/azure-logs.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/docker/DockerListener.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/gcloud.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/integration.py"
PERMANENT_DATA_EXCP[((i++))]="/var/ossec/wodles/gcloud/tools.py"
export PERMANENT_DATA_EXCP
# Files mounted in a volume that should be deleted
i=0
PERMANENT_DATA_DEL[((i++))]="/var/ossec/queue/db/.template.db"
export PERMANENT_DATA_DEL
i=0
PERMANENT_DATA_MOVE[((i++))]="/var/ossec/logs/ossec /var/ossec/logs/wazuh"
PERMANENT_DATA_MOVE[((i++))]="/var/ossec/queue/ossec /var/ossec/queue/sockets"
export PERMANENT_DATA_MOVE

40
build-docker-images/wazuh-manager/config/permanent_data.sh
View File

@@ -1,40 +0,0 @@
#!/bin/bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Variables
source /permanent_data.env
WAZUH_INSTALL_PATH=/var/ossec
DATA_TMP_PATH=${WAZUH_INSTALL_PATH}/data_tmp
mkdir ${DATA_TMP_PATH}
# Move exclusion files to EXCLUSION_PATH
EXCLUSION_PATH=${DATA_TMP_PATH}/exclusion
mkdir ${EXCLUSION_PATH}
for exclusion_file in "${PERMANENT_DATA_EXCP[@]}"; do
# Create the directory for the exclusion file if it does not exist
DIR=$(dirname "${exclusion_file}")
if [ ! -e ${EXCLUSION_PATH}/${DIR} ]
then
mkdir -p ${EXCLUSION_PATH}/${DIR}
fi
mv ${exclusion_file} ${EXCLUSION_PATH}/${exclusion_file}
done
# Move permanent files to PERMANENT_PATH
PERMANENT_PATH=${DATA_TMP_PATH}/permanent
mkdir ${PERMANENT_PATH}
for permanent_dir in "${PERMANENT_DATA[@]}"; do
# Create the directory for the permanent file if it does not exist
DIR=$(dirname "${permanent_dir}")
if [ ! -e ${PERMANENT_PATH}${DIR} ]
then
mkdir -p ${PERMANENT_PATH}${DIR}
fi
mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
done

55
docker-compose.yml Normal file
View File

@@ -0,0 +1,55 @@
# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
version: '2'
services:
wazuh:
image: wazuh/wazuh:3.13.6_7.9.2
hostname: wazuh-manager
restart: always
ports:
- "1514:1514/udp"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
elasticsearch:
image: wazuh/wazuh-elasticsearch:3.13.6_7.9.2
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTIC_CLUSTER=true
- CLUSTER_NODE_MASTER=true
- CLUSTER_MASTER_NODE_NAME=es01
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
kibana:
image: wazuh/wazuh-kibana:3.13.6_7.9.2
hostname: kibana
restart: always
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
nginx:
image: wazuh/wazuh-nginx:3.13.6_7.9.2
hostname: nginx
restart: always
environment:
- NGINX_PORT=443
- NGINX_CREDENTIALS
ports:
- "80:80"
- "443:443"
depends_on:
- kibana
links:
- kibana:kibana

56
elasticsearch/Dockerfile Normal file
View File

@@ -0,0 +1,56 @@
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
ARG ELASTIC_VERSION=7.9.2
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
ARG ELASTIC_VERSION
ARG S3_PLUGIN_URL="https://artifacts.elastic.co/downloads/elasticsearch-plugins/repository-s3/repository-s3-${ELASTIC_VERSION}.zip"
ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
ENV ALERTS_SHARDS="1" \
ALERTS_REPLICAS="0"
ENV API_USER="foo" \
API_PASS="bar"
ENV XPACK_ML="true"
ENV ENABLE_CONFIGURE_S3="false"
ARG TEMPLATE_VERSION=v3.13.6
# Elasticearch cluster configuration environment variables
# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
ENV ELASTIC_CLUSTER="false" \
CLUSTER_NAME="wazuh" \
CLUSTER_NETWORK_HOST="0.0.0.0" \
CLUSTER_NODE_MASTER="false" \
CLUSTER_NODE_DATA="true" \
CLUSTER_NODE_INGEST="true" \
CLUSTER_NODE_NAME="wazuh-elasticsearch" \
CLUSTER_MASTER_NODE_NAME="master-node" \
CLUSTER_MEMORY_LOCK="true" \
CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
CLUSTER_NUMBER_OF_MASTERS="2" \
CLUSTER_MAX_NODES="1" \
CLUSTER_DELAYED_TIMEOUT="1m" \
CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch"
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/load_settings.sh ./
RUN chmod +x ./load_settings.sh
RUN bin/elasticsearch-plugin install --batch $S3_PLUGIN_URL
COPY config/configure_s3.sh ./config/configure_s3.sh
RUN chmod 755 ./config/configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/config_cluster.sh ./
RUN chmod +x ./config_cluster.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

57
elasticsearch/config/config_cluster.sh Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
remove_single_node_conf(){
if grep -Fq "discovery.type" $1; then
sed -i '/discovery.type\: /d' $1
fi
}
remove_cluster_config(){
sed -i '/# cluster node/,/# end cluster config/d' $1
}
# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $CLUSTER_MASTER_NODE_NAME != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
if [[ $CLUSTER_NODE_MASTER == "true" ]]; then
# Add the master configuration
# cluster.initial_master_nodes for bootstrap the cluster
cat > $elastic_config_file << EOF
# cluster node
network.host: $CLUSTER_NETWORK_HOST
node.name: $CLUSTER_MASTER_NODE_NAME
node.master: $CLUSTER_NODE_MASTER
cluster.initial_master_nodes:
- $CLUSTER_MASTER_NODE_NAME
# end cluster config"
EOF
elif [[ $CLUSTER_NODE_NAME != "" ]];then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
cat > $elastic_config_file << EOF
# cluster node
network.host: $CLUSTER_NETWORK_HOST
node.name: $CLUSTER_NODE_NAME
node.master: false
discovery.seed_hosts:
- $CLUSTER_MASTER_NODE_NAME
- $CLUSTER_NODE_NAME
# end cluster config"
EOF
fi
# If the cluster is disabled, then set a single-node configuration
else
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "discovery.type: single-node" >> $elastic_config_file
fi

77
elasticsearch/config/configure_s3.sh Normal file
View File

@@ -0,0 +1,77 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
set -e
# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
# param 1: number of arguments passed to configure_s3.sh
function CheckArgs()
{
if [ $1 != 4 ] && [ $1 != 5 ];then
echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>"
exit 1
fi
}
# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# param 1: <Elastic_Server_IP:Port>
# param 2: <Bucket>
# param 3: <Path>
# param 4: <RepositoryName>
# param 5: Optional <Elasticsearch major version>
# output: It will show "acknowledged" if the repository has been successfully created
function CreateRepo()
{
elastic_ip_port="$2"
bucket_name="$3"
path="$4"
repository_name="$5"
if [ $1 == 5 ];then
version="$6"
else
version=`curl -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
fi
if ! [[ "$version" =~ ^[0-9]+$ ]];then
echo "Elasticsearch major version must be an integer"
exit 1
fi
repository="$repository_name-$version"
s3_path="$path/$version"
curl -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d'
{
"type": "s3",
"settings": {
"bucket": "'$bucket_name'",
"base_path": "'$s3_path'"
}
}
'
}
# Run functions CheckArgs and CreateRepo
# param 1: number of arguments passed to configure_s3.sh
# param 2: <Elastic_Server_IP:Port>
# param 3: <Bucket>
# param 4: <Path>
# param 5: <RepositoryName>
# param 6: Optional <Elasticsearch major version>
function Main()
{
CheckArgs $1
CreateRepo $1 $2 $3 $4 $5 $6
}
Main $# $1 $2 $3 $4 $5

52
elasticsearch/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,52 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.0/build/elasticsearch/bin/docker-entrypoint.sh
set -e
# Files created by Elasticsearch should always be group writable too
umask 0002
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
#Disabling xpack features
elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
if grep -Fq "#xpack features" "$elasticsearch_config_file";
then
declare -A CONFIG_MAP=(
[xpack.ml.enabled]=$XPACK_ML
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
fi
done
else
echo "
#xpack features
xpack.ml.enabled: $XPACK_ML
" >> $elasticsearch_config_file
fi
# Run load settings script.
./config_cluster.sh
./load_settings.sh &
# Execute elasticsearch
run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch

61
elasticsearch/config/load_settings.sh Normal file
View File

@@ -0,0 +1,61 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
set -e
el_url=${ELASTICSEARCH_URL}
if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl ${auth} -XGET $el_url; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "Elastic is up - executing command"
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
IP_PORT="${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
if [ "x$S3_PATH" != "x" ]; then
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
./config/configure_s3.sh $IP_PORT $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
if [ ${ENABLED_XPACK} = "true" ]; then
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
fi
# Set cluster delayed timeout when node falls
curl -X PUT "$el_url/_all/_settings" -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
echo "Elasticsearch is ready."

12
indexer-certs-creator/Dockerfile
View File

@@ -1,12 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal
RUN apt-get update && apt-get install openssl curl -y
WORKDIR /
COPY config/entrypoint.sh /
RUN chmod 700 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

9
indexer-certs-creator/README.md
View File

@@ -1,9 +0,0 @@
# Certificate creation image build
The dockerfile hosted in this directory is used to build the image used to boot Wazuh's single node and multi node stacks.
To create the image, the following command must be executed:
```
$ docker build -t wazuh/wazuh-certs-generator:0.0.1 .
```

61
indexer-certs-creator/config/entrypoint.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
##############################################################################
# Downloading Cert Gen Tool
##############################################################################
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.3/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.3/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
echo "ERROR: certificates were not created"
exit 1
fi
cp /config/certs.yml /config.yml
chmod 700 /$CERT_TOOL
##############################################################################
# Creating Cluster certificates
##############################################################################
## Execute cert tool and parsin cert.yml to set UID permissions
source /$CERT_TOOL -A
nodes_server=$( cert_parseYaml /config.yml | grep nodes_server__name | sed 's/nodes_server__name=//' )
node_names=($nodes_server)
echo "Moving created certificates to destination directory"
cp /wazuh-certificates/* /certificates/
echo "changing certificate permissions"
chmod -R 500 /certificates
chmod -R 400 /certificates/*
echo "Setting UID indexer and dashboard"
chown 1000:1000 /certificates/*
echo "Setting UID for wazuh manager and worker"
cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
cp /certificates/root-ca.key /certificates/root-ca-manager.key
chown 999:997 /certificates/root-ca-manager.pem
chown 999:997 /certificates/root-ca-manager.key
for i in ${node_names[@]};
do
chown 999:997 "/certificates/${i}.pem"
chown 999:997 "/certificates/${i}-key.pem"
done

75
kibana/Dockerfile Normal file
View File

@@ -0,0 +1,75 @@
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:7.9.2
USER kibana
ARG ELASTIC_VERSION=7.9.2
ARG WAZUH_VERSION=3.13.6
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
WORKDIR /usr/share/kibana
RUN ./bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip
WORKDIR /
USER root
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
APP_TIMEOUT="" \
WAZUH_SHARDS="" \
WAZUH_REPLICAS="" \
WAZUH_VERSION_SHARDS="" \
WAZUH_VERSION_REPLICAS="" \
IP_SELECTOR="" \
IP_IGNORE="" \
XPACK_RBAC_ENABLED="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS="" \
ADMIN_PRIVILEGES=""
ARG XPACK_CANVAS="true"
ARG XPACK_LOGS="true"
ARG XPACK_INFRA="true"
ARG XPACK_ML="true"
ARG XPACK_DEVTOOLS="true"
ARG XPACK_MONITORING="true"
ARG XPACK_APM="true"
ARG CHANGE_WELCOME="false"
COPY --chown=kibana:kibana ./config/wazuh_app_config.sh ./
RUN chmod +x ./wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/kibana_settings.sh ./
RUN chmod +x ./kibana_settings.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
RUN chmod +x ./xpack_config.sh
RUN ./xpack_config.sh
COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
RUN chmod +x ./welcome_wazuh.sh
RUN ./welcome_wazuh.sh
USER kibana
RUN NODE_OPTIONS="--max-old-space-size=2048" /usr/local/bin/kibana-docker --optimize
ENTRYPOINT ./entrypoint.sh

57
kibana/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Waiting for elasticsearch
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
if [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
until curl -XGET $el_url ${auth}; do
>&2 echo "Elastic is unavailable - sleeping"
sleep 5
done
sleep 2
>&2 echo "Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "Wazuh alerts template is loaded."
./wazuh_app_config.sh
sleep 5
./kibana_settings.sh &
/usr/local/bin/kibana-docker

84
kibana/config/kibana_settings.sh Normal file
View File

@@ -0,0 +1,84 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [ "$ELASTICSEARCH_KIBANA_IP" != "" ]; then
sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [ "$KIBANA_INDEX" != "" ]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
fi
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
if [ "$XPACK_SECURITY_ENABLED" != "" ]; then
if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
fi
echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
fi
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
# Add auth headers if required
if [ "$ELASTICSEARCH_USERNAME" != "" ] && [ "$ELASTICSEARCH_PASSWORD" != "" ]; then
curl_auth="-u $ELASTICSEARCH_USERNAME:$ELASTICSEARCH_PASSWORD"
fi
while [[ "$(curl $curl_auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_ip:5601/status)" != "200" ]]; do
echo "Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
# Prepare index selection.
echo "Kibana API is running"
default_index="/tmp/default_index.json"
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
sleep 5
# Add the wazuh alerts index as default.
curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
# Configuring Kibana TimePicker.
curl -POST "http://$kibana_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
# Do not ask user to help providing usage statistics to Elastic
curl -POST "http://$kibana_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
echo "End settings"

39
build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh → kibana/config/wazuh_app_config.sh
View File

@@ -1,13 +1,14 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
wazuh_url="${WAZUH_API_URL:-https://wazuh}"
wazuh_port="${API_PORT:-55000}"
api_username="${API_USERNAME:-wazuh-wui}"
api_password="${API_PASSWORD:-wazuh-wui}"
api_run_as="${RUN_AS:-false}"
api_user="${API_USER:-foo}"
api_password="${API_PASS:-bar}"
dashboard_config_file="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
kibana_config_file="/usr/share/kibana/optimize/wazuh/config/wazuh.yml"
mkdir -p /usr/share/kibana/optimize/wazuh/config/
touch $kibana_config_file
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
@@ -17,49 +18,51 @@ declare -A CONFIG_MAP=(
[checks.setup]=$CHECKS_SETUP
[extensions.pci]=$EXTENSIONS_PCI
[extensions.gdpr]=$EXTENSIONS_GDPR
[extensions.hipaa]=$EXTENSIONS_HIPAA
[extensions.nist]=$EXTENSIONS_NIST
[extensions.tsc]=$EXTENSIONS_TSC
[extensions.audit]=$EXTENSIONS_AUDIT
[extensions.oscap]=$EXTENSIONS_OSCAP
[extensions.ciscat]=$EXTENSIONS_CISCAT
[extensions.aws]=$EXTENSIONS_AWS
[extensions.gcp]=$EXTENSIONS_GCP
[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
[extensions.osquery]=$EXTENSIONS_OSQUERY
[extensions.docker]=$EXTENSIONS_DOCKER
[timeout]=$APP_TIMEOUT
[api.selector]=$API_SELECTOR
[wazuh.shards]=$WAZUH_SHARDS
[wazuh.replicas]=$WAZUH_REPLICAS
[wazuh-version.shards]=$WAZUH_VERSION_SHARDS
[wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
[admin]=$ADMIN_PRIVILEGES
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $dashboard_config_file
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
# remove default API entry (new in 3.11.0_7.5.1)
sed -ie '/- default:/,+4d' $kibana_config_file
grep -q 1513629884013 $dashboard_config_file
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
grep -q 1513629884013 $kibana_config_file
_config_exists=$?
if [[ $_config_exists -ne 0 ]]; then
cat << EOF >> $dashboard_config_file
if [[ "x$CONFIG_CODE" != "x200" && $_config_exists -ne 0 ]]; then
cat << EOF > $kibana_config_file
hosts:
- 1513629884013:
url: $wazuh_url
port: $wazuh_port
username: $api_username
user: $api_user
password: $api_password
run_as: $api_run_as
EOF
else
echo "Wazuh APP already configured"
fi

23
kibana/config/welcome_wazuh.sh Normal file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
if [[ $CHANGE_WELCOME == "true" ]]
then
rm -rf ./optimize/bundles
kibana_path="/usr/share/kibana"
# Set Wazuh app as the default landing page
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> /usr/share/kibana/config/kibana.yml
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/global_nav/global_nav.html
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/ui/public/chrome/directives/header_global_nav/header_global_nav.js
# Redirect Kibana welcome screen to Discover
echo "Hide undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/node_modules/x-pack/plugins/license_management/public/management_section.js
fi

35
kibana/config/xpack_config.sh Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/config/kibana.yml"
if grep -Fq "#xpack features" "$kibana_config_file";
then
declare -A CONFIG_MAP=(
[xpack.apm.ui.enabled]=$XPACK_APM
[xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
[xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
[xpack.ml.enabled]=$XPACK_ML
[xpack.canvas.enabled]=$XPACK_CANVAS
[xpack.infra.enabled]=$XPACK_INFRA
[monitoring.enabled]=$XPACK_MONITORING
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
else
echo "
#xpack features
xpack.apm.ui.enabled: $XPACK_APM
xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
xpack.ml.enabled: $XPACK_ML
xpack.canvas.enabled: $XPACK_CANVAS
xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

361
multi-node/Migration-to-Wazuh-4.3.md
View File

@@ -1,361 +0,0 @@
# Opendistro data migration to Wazuh indexer on docker.
This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments.
The example is migrating from v4.2 to v4.3.
## Procedure
Assuming that you have a v4.2 production deployment, perform the following steps.
**1. Stop 4.2 environment**
`docker-compose -f production-cluster.yml stop`
**2. List elasticsearch volumes**
`docker volume ls --filter name='wazuh-docker_elastic-data'`
**3. Inspect elasticsearch volume**
`docker volume inspect wazuh-docker_elastic-data-1`
**4. Spin down the 4.2 environment.**
`docker-compose -f production-cluster.yml down`
**Steps 5 and 6 can be done with the volume-migrator.sh script, specifying Docker compose version and project name as parameters.**
Ex: $ multi-node/volume-migrator.sh 1.25.0 multi-node
**5. Run the volume create command:** create new indexer and Wazuh manager volumes using the `com.docker.compose.version` label value from the previous command.
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
multi-node_wazuh-indexer-data-1
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
multi-node_wazuh-indexer-data-2
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
multi-node_wazuh-indexer-data-3
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
multi-node_master_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_etc \
multi-node_docker_wazuh_etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-logs \
multi-node_master-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-queue \
multi-node_master-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
multi-node_master-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-integrations \
multi-node_master-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-active-response \
multi-node_master-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-agentless \
multi-node_master-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-wodles \
multi-node_master-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-etc \
multi-node_master-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-var \
multi-node_master-filebeat-var
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
multi-node_worker_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_etc \
multi-node_worker-wazuh-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-logs \
multi-node_worker-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-queue \
multi-node_worker-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
multi-node_worker-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-integrations \
multi-node_worker-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-active-response \
multi-node_worker-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-agentless \
multi-node_worker-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-wodles \
multi-node_worker-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-etc \
multi-node_worker-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-var \
multi-node_worker-filebeat-var
```
**6. Copy the volume content from elasticsearch to Wazuh indexer volumes and old Wazuh manager content to new volumes.**
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v multi-node_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v multi-node_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v multi-node_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v multi-node_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v multi-node_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v multi-node_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v multi-node_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v multi-node_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v multi-node_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v multi-node_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v multi-node_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v multi-node_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v multi-node_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v multi-node_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v multi-node_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v multi-node_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v multi-node_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v multi-node_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v multi-node_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v multi-node_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v multi-node_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v multi-node_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v multi-node_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v multi-node_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v multi-node_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
**7. Start the 4.3 environment.**
```
git checkout 4.3
cd multi-node
docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose up -d
```
**8. Check the access to Wazuh dashboard**: go to the Wazuh dashboard using the web browser and check the data.

26
multi-node/README.md
View File

@@ -1,26 +0,0 @@
# Deploy Wazuh Docker in multi node configuration
This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the environment with docker-compose:
- In the foregroud:
```
$ docker-compose up
```
- In the background:
```
$ docker-compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

24
multi-node/config/certs.yml
View File

@@ -1,24 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh1.indexer
ip: wazuh1.indexer
- name: wazuh2.indexer
ip: wazuh2.indexer
- name: wazuh3.indexer
ip: wazuh3.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.master
ip: wazuh.master
node_type: master
- name: wazuh.worker
ip: wazuh.worker
node_type: worker
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

46
multi-node/config/nginx/nginx.conf
View File

@@ -1,46 +0,0 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
gzip on;
}
# load balancer for Wazuh cluster
stream {
upstream mycluster {
hash $remote_addr consistent;
server wazuh.master:1514;
server wazuh.worker:1514;
}
server {
listen 1514;
proxy_pass mycluster;
}
}

372
multi-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,372 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>manager</node_name>
<node_type>master</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>
</ossec_config>

372
multi-node/config/wazuh_cluster/wazuh_worker.conf
View File

@@ -1,372 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>worker01</node_name>
<node_type>worker</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>
</ossec_config>

12
multi-node/config/wazuh_dashboard/opensearch_dashboards.yml
View File

@@ -1,12 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh1.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

7
multi-node/config/wazuh_dashboard/wazuh.yml
View File

@@ -1,7 +0,0 @@
hosts:
- 1513629884013:
url: "https://wazuh.master"
port: 55000
username: wazuh-wui
password: MyS3cr37P450r.*-
run_as: false

56
multi-node/config/wazuh_indexer/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

38
multi-node/config/wazuh_indexer/wazuh1.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh1.indexer
node.name: wazuh1.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

38
multi-node/config/wazuh_indexer/wazuh2.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh2.indexer
node.name: wazuh2.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

38
multi-node/config/wazuh_indexer/wazuh3.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh3.indexer
node.name: wazuh3.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

204
multi-node/docker-compose.yml
View File

@@ -1,204 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.master:
image: wazuh/wazuh-manager:4.3.2
hostname: wazuh.master
restart: always
ports:
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh1.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- master-wazuh-api-configuration:/var/ossec/api/configuration
- master-wazuh-etc:/var/ossec/etc
- master-wazuh-logs:/var/ossec/logs
- master-wazuh-queue:/var/ossec/queue
- master-wazuh-var-multigroups:/var/ossec/var/multigroups
- master-wazuh-integrations:/var/ossec/integrations
- master-wazuh-active-response:/var/ossec/active-response/bin
- master-wazuh-agentless:/var/ossec/agentless
- master-wazuh-wodles:/var/ossec/wodles
- master-filebeat-etc:/etc/filebeat
- master-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.worker:
image: wazuh/wazuh-manager:4.3.2
hostname: wazuh.worker
restart: always
environment:
- INDEXER_URL=https://wazuh1.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
volumes:
- worker-wazuh-api-configuration:/var/ossec/api/configuration
- worker-wazuh-etc:/var/ossec/etc
- worker-wazuh-logs:/var/ossec/logs
- worker-wazuh-queue:/var/ossec/queue
- worker-wazuh-var-multigroups:/var/ossec/var/multigroups
- worker-wazuh-integrations:/var/ossec/integrations
- worker-wazuh-active-response:/var/ossec/active-response/bin
- worker-wazuh-agentless:/var/ossec/agentless
- worker-wazuh-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
wazuh1.indexer:
image: wazuh/wazuh-indexer:4.3.2
hostname: wazuh1.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-1:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh1.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh2.indexer:
image: wazuh/wazuh-indexer:4.3.2
hostname: wazuh2.indexer
restart: always
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-2:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh2.indexer.pem
- ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh3.indexer:
image: wazuh/wazuh-indexer:4.3.2
hostname: wazuh3.indexer
restart: always
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-3:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh3.indexer.pem
- ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.3.2
hostname: wazuh.dashboard
restart: always
ports:
- 443:5601
environment:
- OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
- WAZUH_API_URL="https://wazuh.master"
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
depends_on:
- wazuh1.indexer
links:
- wazuh1.indexer:wazuh1.indexer
- wazuh.master:wazuh.master
nginx:
image: nginx:stable
hostname: nginx
restart: always
ports:
- "1514:1514"
depends_on:
- wazuh.master
- wazuh.worker
- wazuh.dashboard
links:
- wazuh.master:wazuh.master
- wazuh.worker:wazuh.worker
- wazuh.dashboard:wazuh.dashboard
volumes:
- ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
volumes:
master-wazuh-api-configuration:
master-wazuh-etc:
master-wazuh-logs:
master-wazuh-queue:
master-wazuh-var-multigroups:
master-wazuh-integrations:
master-wazuh-active-response:
master-wazuh-agentless:
master-wazuh-wodles:
master-filebeat-etc:
master-filebeat-var:
worker-wazuh-api-configuration:
worker-wazuh-etc:
worker-wazuh-logs:
worker-wazuh-queue:
worker-wazuh-var-multigroups:
worker-wazuh-integrations:
worker-wazuh-active-response:
worker-wazuh-agentless:
worker-wazuh-wodles:
worker-filebeat-etc:
worker-filebeat-var:
wazuh-indexer-data-1:
wazuh-indexer-data-2:
wazuh-indexer-data-3:

10
multi-node/generate-indexer-certs.yml
View File

@@ -1,10 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
volumes:
- ./config/wazuh_indexer_ssl_certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

279
multi-node/volume-migrator.sh
View File

@@ -1,279 +0,0 @@
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
$2_wazuh-indexer-data-1
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
$2_wazuh-indexer-data-2
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
$2_wazuh-indexer-data-3
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
$2_master_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_etc \
$2_docker_wazuh_etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-logs \
$2_master-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-queue \
$2_master-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
$2_master-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-integrations \
$2_master-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-active-response \
$2_master-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-agentless \
$2_master-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-wodles \
$2_master-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-etc \
$2_master-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-var \
$2_master-filebeat-var
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
$2_worker_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_etc \
$2_worker-wazuh-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-logs \
$2_worker-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-queue \
$2_worker-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
$2_worker-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-integrations \
$2_worker-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-active-response \
$2_worker-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-agentless \
$2_worker-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-wodles \
$2_worker-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-etc \
$2_worker-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-var \
$2_worker-filebeat-var
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v $2_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v $2_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v $2_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v $2_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v $2_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v $2_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v $2_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v $2_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v $2_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v $2_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v $2_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v $2_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v $2_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v $2_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v $2_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v $2_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v $2_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v $2_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v $2_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v $2_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v $2_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v $2_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v $2_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v $2_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"

19
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
VOLUME ["/etc/nginx/conf.d"]
ENV NGINX_NAME="foo" \
NGINX_PWD="bar"
ENTRYPOINT [ "/entrypoint.sh" ]

97
nginx/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,97 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
set -e
# Generating certificates.
if [ ! -d /etc/nginx/conf.d/ssl ]; then
echo "Generating SSL certificates"
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
# Setting users credentials.
# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
#
# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
# export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
#
# b) Set NGINX_CREDENTIALS in docker-compose.yml:
# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
# NGINX_CREDENTIALS=user1:pass1;user2:pass2
#
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting users credentials"
if [ ! -z "$NGINX_CREDENTIALS" ]; then
IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
for index in "${!users[@]}"
do
IFS=':' read -r -a credentials <<< "${users[index]}"
if [ $index -eq 0 ]; then
htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null
else
htpasswd -b /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} ${credentials[1]} >/dev/null
fi
done
else
# NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile
htpasswd -b -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME $NGINX_PWD >/dev/null
fi
else
echo "Kibana credentials already configured"
fi
if [ "x${NGINX_PORT}" = "x" ]; then
NGINX_PORT=443
fi
if [ "x${KIBANA_HOST}" = "x" ]; then
KIBANA_HOST="kibana:5601"
fi
echo "Configuring NGINX"
if [ "${NGINX_PORT}" = "443" ]; then
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host\$request_uri;
}
server {
listen ${NGINX_PORT} default_server ssl http2;
listen [::]:${NGINX_PORT} ssl http2;
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
EOF
else
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen ${NGINX_PORT};
listen [::]:${NGINX_PORT};
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
EOF
fi
exec nginx -g 'daemon off;'

24
single-node/README.md
View File

@@ -1,24 +0,0 @@
# Deploy Wazuh Docker in single node configuration
This deployment is defined in the `docker-compose.yml` file with one Wazuh manager containers, one Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the environment with docker-compose:
- In the foregroud:
```
$ docker-compose up
```
- In the background:
```
$ docker-compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

16
single-node/config/certs.yml
View File

@@ -1,16 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh.indexer
ip: wazuh.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.manager
ip: wazuh.manager
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

352
single-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,352 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key></key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>NODE_IP</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

12
single-node/config/wazuh_dashboard/opensearch_dashboards.yml
View File

@@ -1,12 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

7
single-node/config/wazuh_dashboard/wazuh.yml
View File

@@ -1,7 +0,0 @@
hosts:
- 1513629884013:
url: "https://wazuh.manager"
port: 55000
username: wazuh-wui
password: MyS3cr37P450r.*-
run_as: false

56
single-node/config/wazuh_indexer/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

28
single-node/config/wazuh_indexer/wazuh.indexer.yml
View File

@@ -1,28 +0,0 @@
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false

102
single-node/docker-compose.yml
View File

@@ -1,102 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.3.2
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: wazuh/wazuh-indexer:4.3.2
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.3.2
hostname: wazuh.dashboard
restart: always
ports:
- 443:5601
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- WAZUH_API_URL=https://wazuh.manager
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:

10
single-node/generate-indexer-certs.yml
View File

@@ -1,10 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
volumes:
- ./config/wazuh_indexer_ssl_certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

83
wazuh/Dockerfile Normal file
View File

@@ -0,0 +1,83 @@
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
FROM phusion/baseimage:0.10.2
ARG FILEBEAT_VERSION=7.9.2
ARG WAZUH_VERSION=3.13.6-1
ENV API_USER="foo" \
API_PASS="bar"
ARG TEMPLATE_VERSION="v3.13.6"
# Set repositories.
RUN set -x && echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list && \
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - && \
curl --silent --location https://deb.nodesource.com/setup_10.x | bash - && \
echo "postfix postfix/mailname string wazuh-manager" | debconf-set-selections && \
echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections && \
groupadd -g 1000 ossec && useradd -u 1000 -g 1000 -d /var/ossec ossec
RUN add-apt-repository universe && apt-get update && apt-get upgrade -y -o Dpkg::Options::="--force-confold" && \
apt-get --no-install-recommends --no-install-suggests -y install openssl postfix bsd-mailx python-boto python-pip \
apt-transport-https vim expect nodejs python-cryptography mailutils libsasl2-modules wazuh-manager=${WAZUH_VERSION} \
wazuh-api=${WAZUH_VERSION} && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && rm -f \
/var/ossec/logs/alerts/*/*/*.log && rm -f /var/ossec/logs/alerts/*/*/*.json && rm -f \
/var/ossec/logs/archives/*/*/*.log && rm -f /var/ossec/logs/archives/*/*/*.json && rm -f \
/var/ossec/logs/firewall/*/*/*.log && rm -f /var/ossec/logs/firewall/*/*/*.json
# Adding first run script and entrypoint
COPY config/data_dirs.env /data_dirs.env
COPY config/init.bash /init.bash
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
COPY config/00-wazuh.sh /entrypoint-scripts/00-wazuh.sh
COPY config/01-config_filebeat.sh /entrypoint-scripts/01-config_filebeat.sh
# Sync calls are due to https://github.com/docker/docker/issues/9547
RUN chmod 755 /init.bash && \
sync && /init.bash && \
sync && rm /init.bash && \
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${FILEBEAT_VERSION}-amd64.deb &&\
dpkg -i filebeat-${FILEBEAT_VERSION}-amd64.deb && rm -f filebeat-${FILEBEAT_VERSION}-amd64.deb && \
chmod 755 /entrypoint.sh && \
chmod 755 /entrypoint-scripts/00-wazuh.sh && \
chmod 755 /entrypoint-scripts/01-config_filebeat.sh
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
# Setting volumes
VOLUME ["/var/ossec/data"]
VOLUME ["/etc/filebeat"]
VOLUME ["/etc/postfix"]
VOLUME ["/var/lib/filebeat"]
# Services ports
EXPOSE 55000/tcp 1514/udp 1515/tcp 514/udp 1516/tcp
# Adding services
RUN mkdir /etc/service/wazuh && \
mkdir /etc/service/wazuh-api && \
mkdir /etc/service/postfix && \
mkdir /etc/service/filebeat
COPY config/wazuh.runit.service /etc/service/wazuh/run
COPY config/wazuh-api.runit.service /etc/service/wazuh-api/run
COPY config/postfix.runit.service /etc/service/postfix/run
COPY config/filebeat.runit.service /etc/service/filebeat/run
RUN chmod +x /etc/service/wazuh-api/run && \
chmod +x /etc/service/wazuh/run && \
chmod +x /etc/service/postfix/run && \
chmod +x /etc/service/filebeat/run
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.1.tar.gz"
RUN curl -s https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
# Run all services
ENTRYPOINT ["/entrypoint.sh"]

155
wazuh/config/00-wazuh.sh Normal file
View File

@@ -0,0 +1,155 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
# Wazuh container bootstrap. See the README for information of the environment
# variables expected by this script.
# Startup the services
source /data_dirs.env
FIRST_TIME_INSTALLATION=false
WAZUH_INSTALL_PATH=/var/ossec
DATA_PATH=${WAZUH_INSTALL_PATH}/data
WAZUH_CONFIG_MOUNT=/wazuh-config-mount
print() {
echo -e $1
}
error_and_exit() {
echo "Error executing command: '$1'."
echo 'Exiting.'
exit 1
}
exec_cmd() {
eval $1 > /dev/null 2>&1 || error_and_exit "$1"
}
exec_cmd_stdout() {
eval $1 2>&1 || error_and_exit "$1"
}
edit_configuration() { # $1 -> setting, $2 -> value
sed -i "s/^config.$1\s=.*/config.$1 = \"$2\";/g" "${DATA_PATH}/api/configuration/config.js" || error_and_exit "sed (editing configuration)"
}
for ossecdir in "${DATA_DIRS[@]}"; do
if [ ! -e "${DATA_PATH}/${ossecdir}" ]
then
print "Installing ${ossecdir}"
exec_cmd "mkdir -p $(dirname ${DATA_PATH}/${ossecdir})"
exec_cmd "cp -pr /var/ossec/${ossecdir}-template ${DATA_PATH}/${ossecdir}"
FIRST_TIME_INSTALLATION=true
fi
done
if [ -e ${WAZUH_INSTALL_PATH}/etc-template ]
then
cp -p /var/ossec/etc-template/internal_options.conf /var/ossec/etc/internal_options.conf
fi
# copy missing files from queue-template (in case this is an upgrade from previous versions)
for filename in /var/ossec/queue-template/*; do
fname=$(basename $filename)
echo $fname
if test ! -e "/var/ossec/data/queue/$fname"; then
cp -rp "/var/ossec/queue-template/$fname" /var/ossec/data/queue/
fi
done
touch ${DATA_PATH}/process_list
chgrp ossec ${DATA_PATH}/process_list
chmod g+rw ${DATA_PATH}/process_list
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
API_GENERATE_CERTS=${API_GENERATE_CERTS:-true}
if [ $FIRST_TIME_INSTALLATION == true ]
then
if [ $AUTO_ENROLLMENT_ENABLED == true ]
then
if [ ! -e ${DATA_PATH}/etc/sslmanager.key ]
then
print "Creating ossec-authd key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/etc/sslmanager.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/etc/sslmanager.key -out ${DATA_PATH}/etc/sslmanager.cert -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
if [ $API_GENERATE_CERTS == true ]
then
if [ ! -e ${DATA_PATH}/api/configuration/ssl/server.crt ]
then
print "Enabling Wazuh API HTTPS"
edit_configuration "https" "yes"
print "Create Wazuh API key and cert"
exec_cmd "openssl genrsa -out ${DATA_PATH}/api/configuration/ssl/server.key 4096"
exec_cmd "openssl req -new -x509 -key ${DATA_PATH}/api/configuration/ssl/server.key -out ${DATA_PATH}/api/configuration/ssl/server.crt -days 3650 -subj /CN=${HOSTNAME}/"
fi
fi
fi
##############################################################################
# Copy all files from $WAZUH_CONFIG_MOUNT to $DATA_PATH and respect
# destination files permissions
#
# For example, to mount the file /var/ossec/data/etc/ossec.conf, mount it at
# $WAZUH_CONFIG_MOUNT/etc/ossec.conf in your container and this code will
# replace the ossec.conf file in /var/ossec/data/etc with yours.
##############################################################################
if [ -e "$WAZUH_CONFIG_MOUNT" ]
then
print "Identified Wazuh configuration files to mount..."
exec_cmd_stdout "cp --verbose -r $WAZUH_CONFIG_MOUNT/* $DATA_PATH"
else
print "No Wazuh configuration files to mount..."
fi
function ossec_shutdown(){
${WAZUH_INSTALL_PATH}/bin/ossec-control stop;
}
##############################################################################
# Allow users to set the container hostname as <node_name> dynamically on
# container start.
#
# To use this:
# 1. Create your own ossec.conf file
# 2. In your ossec.conf file, set to_be_replaced_by_hostname as your node_name
# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
##############################################################################
sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
# Trap exit signals and do a proper shutdown
trap "ossec_shutdown; exit" SIGINT SIGTERM
chmod -R g+rw ${DATA_PATH}
chmod 750 /var/ossec/agentless/*
##############################################################################
# Interpret any passed arguments (via docker command to this entrypoint) as
# paths or commands, and execute them.
#
# This can be useful for actions that need to be run before the services are
# started, such as "/var/ossec/bin/ossec-control enable agentless".
##############################################################################
for CUSTOM_COMMAND in "$@"
do
echo "Executing command \`${CUSTOM_COMMAND}\`"
exec_cmd_stdout "${CUSTOM_COMMAND}"
done
##############################################################################
# Change Wazuh API user credentials.
##############################################################################
pushd /var/ossec/api/configuration/auth/
echo "Change Wazuh API user credentials"
change_user="node htpasswd -b -c user $API_USER $API_PASS"
eval $change_user
popd

10
wazuh/config/01-config_filebeat.sh Normal file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Wazuh App Copyright (C) 2020 Wazuh Inc. (License GPLv2)
set -e
# Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
if [ "$ELASTICSEARCH_URL" != "" ]; then
>&2 echo "Customize Elasticsearch ouput IP."
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
fi

8
wazuh/config/data_dirs.env Normal file
View File

@@ -0,0 +1,8 @@
i=0
DATA_DIRS[((i++))]="api/configuration"
DATA_DIRS[((i++))]="etc"
DATA_DIRS[((i++))]="logs"
DATA_DIRS[((i++))]="queue"
DATA_DIRS[((i++))]="agentless"
DATA_DIRS[((i++))]="var/multigroups"
export DATA_DIRS

14
wazuh/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
##############################################################################
# Start Wazuh Server.
##############################################################################
/sbin/my_init

4
wazuh/config/filebeat.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
service filebeat start
tail -f /var/log/filebeat/filebeat

11
build-docker-images/wazuh-manager/config/filebeat.yml → wazuh/config/filebeat.yml
View File

@@ -1,4 +1,3 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
@@ -12,11 +11,5 @@ setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://wazuh.indexer:9200']
#username:
#password:
#ssl.verification_mode:
#ssl.certificate_authorities:
#ssl.certificate:
#ssl.key:
output.elasticsearch.hosts: ['http://elasticsearch:9200']

11
wazuh/config/init.bash Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
# Initialize the custom data directory layout
source /data_dirs.env
cd /var/ossec
for ossecdir in "${DATA_DIRS[@]}"; do
mv ${ossecdir} ${ossecdir}-template
ln -s $(realpath --relative-to=$(dirname ${ossecdir}) data)/${ossecdir} ${ossecdir}
done

4
wazuh/config/postfix.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
service postfix start
tail -f /var/log/mail.log

4
wazuh/config/wazuh-api.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
service wazuh-api start
tail -f /var/ossec/data/logs/api.log

4
wazuh/config/wazuh.runit.service Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
# Wazuh Docker Copyright (C) 2020 Wazuh Inc. (License GPLv2)
service wazuh-manager start
tail -f /var/ossec/data/logs/ossec.log