paulmataruso/wazuh-docker-mirror
1
0
Fork 0
mirror of https://github.com/wazuh/wazuh-docker.git synced 2025-10-23 16:13:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: paulmataruso:v4.4.5
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0
..
compare: paulmataruso:cloud-v0.20.0
Branches Tags
paulmataruso:main paulmataruso:4.14.1 paulmataruso:2693-delete-config-files paulmataruso:test_adapt_arm paulmataruso:4.14.0 paulmataruso:4.10.4 paulmataruso:4.13.0-rc4-tag paulmataruso:2577-test-bucket paulmataruso:6.0.0 paulmataruso:change/1824-rootless-podman-with-selinux paulmataruso:test-arm-build paulmataruso:enhancement/1624-docker-compose-v2 paulmataruso:4.9.0 paulmataruso:461-centralize-conf-files paulmataruso:4.5 paulmataruso:4.4 paulmataruso:4.4.4 paulmataruso:4.3 paulmataruso:816-persistent-files-that-should-not-be-kept paulmataruso:817-automatic-release-of-docker-images paulmataruso:4.3.11 paulmataruso:3.13 paulmataruso:4.2 paulmataruso:4.1 paulmataruso:4.0 paulmataruso:4.0.4 paulmataruso:devel paulmataruso:3.11.2_7.5.1-oss paulmataruso:3.10.2_7.5.0 paulmataruso:3.10.0_7.3.2 paulmataruso:3.10.2_7.3.2 paulmataruso:3.10-wazuh-refactor paulmataruso:3.9.5_7.2.1 paulmataruso:3.9.4_7.2.0 paulmataruso:3.9.5_7.3.0-oss paulmataruso:3.10_7.3.0 paulmataruso:3.9.4_7.1.1-opendistro-security paulmataruso:3.9.3_6.8.1 paulmataruso:3.9.1_6.8.0 paulmataruso:3.9.2_6.8.0 paulmataruso:3.9.4_6.8.2 paulmataruso:3.9.3_7.1.1-opendistro paulmataruso:3.9.3_7.1.1-opendistro-security paulmataruso:3.9.3_7.2.0_oss paulmataruso:3.9.3_7.2.0 paulmataruso:3.9.2_7.1.1 paulmataruso:3.9.0_6.7.2 paulmataruso:3.9.0_6.7.1 paulmataruso:3.8.2_6.5.4-oss paulmataruso:3.9.1_7.1.0 paulmataruso:3.8.2_6.5.4 paulmataruso:3.10.0_7.0.0 paulmataruso:3.8.2_6.7.0 paulmataruso:3.8.2_6.6.2 paulmataruso:3.8.2_6.6.1 paulmataruso:6.8.2_6.6.1 paulmataruso:3.8.1_6.5.4 paulmataruso:3.8.0_6.5.4 paulmataruso:3.7.2_6.5.4 paulmataruso:3.7.2_6.5.3 paulmataruso:3.7.1_6.5.3 paulmataruso:3.7.0_6.5.0 paulmataruso:3.7.0_6.4.3 paulmataruso:3.6.1_6.4.2 paulmataruso:3.6.1_6.4.1 paulmataruso:3.6.1_6.4.0 paulmataruso:3.6.0_6.4.0 paulmataruso:3.5.0_6.3.2 paulmataruso:3.4.0_6.3.2 paulmataruso:3.4.0_6.3.1 paulmataruso:3.3.1_6.3.1 paulmataruso:3.3.1_6.3.0 paulmataruso:3.3.1_6.2.4 paulmataruso:3.3.0_6.2.4 paulmataruso:3.2.4_6.2.4 paulmataruso:3.2.3_6.2.4 paulmataruso:3.2.2_6.2.4 paulmataruso:3.2.1_6.2.4 paulmataruso:3.2.1_6.2.3 paulmataruso:3.2.1_6.2.2 paulmataruso:3.2.0_6.2.1 paulmataruso:3.1.0_6.1.3 paulmataruso:3.1.0_6.1.2 paulmataruso:3.1.0_6.1.1 paulmataruso:3.1.0_6.1.0 paulmataruso:2.1.1_5.6.4 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:2.0
paulmataruso:v4.14.0 paulmataruso:v4.14.0-rc2 paulmataruso:v4.14.0-rc1 paulmataruso:v4.14.0-alpha1 paulmataruso:v4.13.1 paulmataruso:v4.13.0 paulmataruso:v4.10.3 paulmataruso:v4.10.2 paulmataruso:v4.12.0 paulmataruso:v4.11.2 paulmataruso:v4.11.1 paulmataruso:v4.11.0 paulmataruso:v4.10.1 paulmataruso:v4.10.0 paulmataruso:v4.9.2 paulmataruso:v4.9.1 paulmataruso:v4.9.0 paulmataruso:v4.8.2 paulmataruso:v4.8.1 paulmataruso:v4.8.0 paulmataruso:v4.7.5 paulmataruso:v4.7.4 paulmataruso:cloud-2.0.6 paulmataruso:cloud-2.0.7 paulmataruso:v4.7.3 paulmataruso:cloud-2.0.2 paulmataruso:cloud-2.0.4 paulmataruso:cloud-2.0.3 paulmataruso:v4.7.2 paulmataruso:v4.7.1 paulmataruso:cloud-v1.22.0 paulmataruso:v4.7.0 paulmataruso:cloud-v1.21.0 paulmataruso:cloud-v1.20.0 paulmataruso:cloud-v1.20.1 paulmataruso:v4.6.0 paulmataruso:v4.5.4 paulmataruso:v4.5.3 paulmataruso:v4.6.0-beta1 paulmataruso:v4.5.3-rc1 paulmataruso:v4.5.2 paulmataruso:v4.6.0-alpha1 paulmataruso:v4.5.1 paulmataruso:v4.5.1-rc2 paulmataruso:v4.5.1-rc1 paulmataruso:v4.5.0 paulmataruso:cloud-v1.18.5 paulmataruso:cloud-v1.18.4 paulmataruso:svc-envs-v1.18.3 paulmataruso:v4.4.5 paulmataruso:v4.6.0-pre-alpha1 paulmataruso:cloud-v1.18.1 paulmataruso:v4.4.4 paulmataruso:v4.4.3 paulmataruso:v4.4.2 paulmataruso:v4.3.11 paulmataruso:v4.4.1 paulmataruso:v4.4.0 paulmataruso:cloud-v1.17.4 paulmataruso:cloud-1.18.0 paulmataruso:v4.3.10 paulmataruso:v4.3.9 paulmataruso:cloud-v1.16.12 paulmataruso:v3.13.6_7.9.2 paulmataruso:v4.3.8 paulmataruso:v4.3.7 paulmataruso:v3.13.5 paulmataruso:cloud-v1.16.11 paulmataruso:svc-envs-v1.16.10 paulmataruso:cloud-v1.16.8 paulmataruso:v4.3.6 paulmataruso:v4.3.5 paulmataruso:cloud-v1.16.7 paulmataruso:test paulmataruso:cloud-v1.16.6 paulmataruso:v4.3.4 paulmataruso:v4.3.3 paulmataruso:cloud-v1.16.5 paulmataruso:v4.3.2 paulmataruso:v3.13.4_7.9.2 paulmataruso:v4.2.7 paulmataruso:cloud-v1.16.0 paulmataruso:v4.3.1 paulmataruso:v4.3.0 paulmataruso:v4.2.6 paulmataruso:cloud-v1.15.0 paulmataruso:v4.2.5 paulmataruso:v4.2.4 paulmataruso:v4.2.3 paulmataruso:v4.2.2 paulmataruso:v4.2.1 paulmataruso:v4.2.0 paulmataruso:v4.1.5 paulmataruso:v3.13.3_7.9.2 paulmataruso:v4.1.2 paulmataruso:v4.1.1 paulmataruso:v4.1.0 paulmataruso:v4.0.4_1.11.0 paulmataruso:cloud-v0.60.3 paulmataruso:v4.0.3_1.11.0 paulmataruso:v4.0.2_1.11.0 paulmataruso:cloud-v0.60.0 paulmataruso:v4.0.1_1.11.0 paulmataruso:v4.0.0_1.10.1 paulmataruso:v3.13.2_7.9.1 paulmataruso:v3.13.1_7.8.0 paulmataruso:cloud-v0.32.0 paulmataruso:cloud-v0.30.0 paulmataruso:v3.13.0_7.7.1 paulmataruso:cloud-v0.22.0 paulmataruso:v3.12.3_7.6.2 paulmataruso:cloud-v0.21.2 paulmataruso:cloud-v0.21.1 paulmataruso:v3.12.2_7.6.2 paulmataruso:v3.12.1_7.6.2 paulmataruso:cloud-v0.21.0 paulmataruso:v3.12.0_7.6.1 paulmataruso:cloud-v0.20.0 paulmataruso:v3.11.4_7.6.1 paulmataruso:v3.11.3_7.5.2 paulmataruso:v3.11.2_7.5.1 paulmataruso:cloud-v0.11.0 paulmataruso:v3.11.1_7.5.1 paulmataruso:v3.11.0_7.5.1 paulmataruso:cloud-v0.9.0 paulmataruso:v3.10.2_7.5.0 paulmataruso:v0.9.0-rc1 paulmataruso:v3.10.0_7.3.2 paulmataruso:v3.10.2_7.3.2 paulmataruso:cloud-v0.6.0 paulmataruso:v3.9.5_7.2.1 paulmataruso:v3.9.4_7.2.0 paulmataruso:v3.9.5_7.3.0-oss paulmataruso:v3.9.3_6.8.1 paulmataruso:v3.9.1_6.8.0 paulmataruso:v3.9.2_6.8.0 paulmataruso:v3.9.4_6.8.2 paulmataruso:v3.9.3_7.1.1-opendistro paulmataruso:v3.9.3_7.2.0-oss paulmataruso:v3.9.3_7.2.0 paulmataruso:v3.9.2_7.1.1 paulmataruso:v3.9.0_6.7.2 paulmataruso:v3.9.0_6.7.1 paulmataruso:v3.9.1_7.1.0 paulmataruso:v3.8.2_6.5.4 paulmataruso:v3.8.2_6.7.0 paulmataruso:v3.8.2_6.6.2 paulmataruso:v3.8.2_6.6.1 paulmataruso:v3.8.1_6.5.4 paulmataruso:v3.8.0_6.5.4 paulmataruso:v3.7.2_6.5.4 paulmataruso:v3.7.2_6.5.3 paulmataruso:v3.7.0_6.5.0 paulmataruso:3.1.0_6.1.1 paulmataruso:2.1.0_5.5.2 paulmataruso:2.1.0_5.5.1 paulmataruso:2.0.1_5.5.1 paulmataruso:2.0.1_5.5.0 paulmataruso:2.0_5.4.2 paulmataruso:v2.0

55 Commits
v4.4.5 ... cloud-v0.2

Author SHA1 Message Date
AlfonsoRBJ
3f206679da Add trap for sbin my init (#310) 
Former-commit-id: 7e7f97c4cd
 2020-03-04 12:24:18 +01:00
AlfonsoRBJ
2f0bb8e43c Hide index management button 
Former-commit-id: 9d61e963c7
 2020-01-10 16:23:43 +01:00
AlfonsoRBJ
c91681853e Custom logos for Kibana (#291) 
Former-commit-id: e5169cc22d
 2020-01-10 13:47:13 +01:00
AlfonsoRBJ
936b47ae57 Replace Wazuh App to allow read users access 
Former-commit-id: bc6f752e10
 2019-12-26 09:40:07 +01:00
AlfonsoRBJ
3431411eaf add workaround for vulnerability detector data published field (#282) 
Former-commit-id: e3883725b9
 2019-12-12 11:52:53 +01:00
AlfonsoRBJ
503200ea70 Remove kibana custom configuration (#279) 
Former-commit-id: fcca484a9e
 2019-12-05 11:52:03 +01:00
AlfonsoRBJ
a5013d2cf8 Remove Logstash pipeline customization (#280) 
Former-commit-id: 2b7171101b
 2019-12-05 11:48:15 +01:00
AlfonsoRBJ
bc693841fd Fixed the option to change Filebeat output (#268) 
Former-commit-id: 910caf6bd3
 2019-11-05 16:20:36 +01:00
Jesús Linares
202e1669c5 App 3.10.2 - 7.3.2 with security fix (#264) 
Former-commit-id: a8e0804e04
 2019-10-15 17:19:09 +02:00
Jesús Linares
9cdcf05d49 Merge pull request #263 from wazuh/elastic-7-cloud 
Former-commit-id: 4d6f09cec8
 2019-10-10 16:24:50 +02:00
AlfonsoRBJ
d15ea1ff51 Elasticserach 7 - Template mangement (#262) 
Former-commit-id: 2113b5b3d5
 2019-10-10 15:53:24 +02:00
AlfonsoRBJ
ddd37f0f9a Fixes for cloud Elastic 7 (#260) 
Former-commit-id: ca1578ed27
 2019-10-03 17:38:43 +02:00
AlfonsoRBJ
fdb55e8ce1 Elastic 7-x Docker refactor (#257) 
Former-commit-id: d3220826fc
 2019-10-01 13:10:01 +02:00
AlfonsoRBJ
086ba71c69 Elastic 7-x cloud adaption (#255) 
Former-commit-id: 6d9595327d
 2019-10-01 11:28:04 +02:00
Mayte Ariza
303e0f6557 Add wodles to permanent_data (#239) 
Former-commit-id: 7a8b332c93
 2019-09-06 15:29:25 +02:00
Mayte Ariza
1d35f292db Fix copy except files (#238) 
Former-commit-id: bd2fa5c40d
 2019-09-06 10:42:39 +02:00
Mayte Ariza
4c3f149428 Change v6.8.1 version to v6.8.2 (#237) 
Former-commit-id: c427c971a4
 2019-09-05 17:18:55 +02:00
Jesus Linares
7cb82937dc Update version: 3.9.4 - 6.8.1 
Former-commit-id: 0644dd36e0
 2019-09-05 10:56:51 +02:00
Jesús Linares
f494f6eca2 Merge pull request #236 from wazuh/cloud-0.6-debug 
Cloud 0.6 - fixes

Former-commit-id: 93eb42bb96
 2019-09-05 10:52:07 +02:00
AlfonsoRBJ
84a06e2fbc Wazuh 3.9.4 Elastic 6.8.1_3.9.3 
Former-commit-id: e88be1d4bb
 2019-09-05 10:29:55 +02:00
AlfonsoRBJ
c346863593 Merge branch 'issue-234-cloud0.6-wodles' into cloud-0.6-debug 
Former-commit-id: 62499ce622
 2019-09-05 10:22:32 +02:00
Mayte Ariza
dccb8aca54 Set filebeat to 6.8.1 
Former-commit-id: e22eba52b9
 2019-09-05 10:20:16 +02:00
Mayte Ariza
18971e3fde Remove 6.8.2 version 
Former-commit-id: abbe2f20e4
 2019-09-05 10:16:07 +02:00
Josemi Hernandez
7faed76e44 Added TLS version filter (#227) 
Former-commit-id: af007c69d4
 2019-09-05 09:46:55 +02:00
Mayte Ariza
f3e3abfaf0 Add agents.js 
Former-commit-id: 2c5a1f7c58
 2019-09-04 13:11:49 +02:00
Mayte Ariza
27c37d808a Changed versions: wazuh 3.9.4 and kibana 6.8.2 
Former-commit-id: 6b13810e6a
 2019-09-04 12:29:02 +02:00
AlfonsoRBJ
3a06c32e62 add minimun_master_nodes 
Former-commit-id: 816549c3b6
 2019-09-04 11:26:06 +02:00
AlfonsoRBJ
2918502fd1 save original elasticserach.yml 
Former-commit-id: eed444bbbb
 2019-09-04 11:11:59 +02:00
Mayte Ariza
d1eb6e7b98 Removed chmod command in entrypoint 
Former-commit-id: 9460780adb
 2019-09-04 08:38:43 +02:00
Mayte Ariza
6656fddf70 Added new volume: wodles folder 
Former-commit-id: 36e3fa403d
 2019-09-04 08:32:56 +02:00
AlfonsoRBJ
131d25979b improve workaround description 
Former-commit-id: 24da1f4d0f
 2019-09-03 16:31:55 +02:00
AlfonsoRBJ
abfe509753 workaround for wazuh-api issue 440 and 443 
Former-commit-id: d3cfd2234a
 2019-09-03 16:21:16 +02:00
AlfonsoRBJ
9d71a6cbcc install wazuh without custom package 
Former-commit-id: db733fc849
 2019-09-03 11:50:30 +02:00
AlfonsoRBJ
610f6f49ce add debug to S3 repository creation in elasticsearch image 
Former-commit-id: 0c571ad3f9
 2019-09-03 11:15:35 +02:00
AlfonsoRBJ
71933d6625 Merge branch 'k8s' into cloud-0.5 
Former-commit-id: 901c29c3ab
 2019-09-02 15:12:46 +02:00
Mayte Ariza
7afe64b238 Removed write permissions for group and other in Integrations folder (#226) 
* Removed go-w permissions in integrations folder

* Modified permissions command
 2019-08-27 13:31:04 +02:00
Daniel Ruiz
37f50dac1c Fix docker volumes error 
Former-commit-id: e8ecb63183
 2019-07-24 09:26:23 +02:00
Mayte Ariza
7c11a8568c Fixing remove files (#210) 2019-07-15 09:43:08 +02:00
Mayte Ariza
0bf9766883 Check if file exists before removing it (#209) 2019-07-15 08:37:31 +02:00
AlfonsoRBJ
59f60f63b6 Upgrade to 3.9.3_6.8.1 version (#207) 2019-07-12 16:35:26 +02:00
Mayte Ariza
c9ed007771 Permissions rw for group added (#206) 2019-07-12 16:03:32 +02:00
Mayte Ariza
15dbd60605 New volumes declaration in Wazuh Dockerfile (#203) 2019-07-09 13:59:36 +02:00
AlfonsoRBJ
eca30fb709 add CA correct management for Logstash (#202) 2019-07-08 18:32:36 +02:00
AlfonsoRBJ
065b5bb5cf Security for Elastic Stack (#196) 2019-07-08 14:02:19 +02:00
Mayte Ariza
d98ab1b4f3 Wazuh image improvements (#188) 2019-07-08 13:37:57 +02:00
AlfonsoRBJ
c077b496bd resolve merge conflicts from branch 3.9.2_6.8.0 2019-06-17 16:02:12 +02:00
Manuel J. Bernal
815039333d Updated CHANGELOG 2019-06-12 18:09:33 +02:00
Manuel J. Bernal
9b2ecdb47d Bump version 3.8.2_6.8.0 2019-06-12 18:08:23 +02:00
AlfonsoRBJ
651077e2c7 Update CHANGELOG.md 2019-06-04 13:12:46 +02:00
AlfonsoRBJ
d8ac9e617b Update CHANGELOG.md 2019-06-04 13:12:13 +02:00
AlfonsoRBJ
9db0001e08 conflicts resolved in merge 3.9.1_6.8.0 over k8s branch 2019-05-28 12:43:16 +02:00
Mayte Ariza
096246abcb Removing log files (#169) 2019-05-15 08:14:33 +02:00
AlfonsoRBJ
d2766454d0 Disable additionals X-Pack applications and hide unnecesary management links (#163) 2019-05-08 15:50:42 +02:00
Mayte Ariza
a88e5495d5 Merge branch '3.9.0_6.7.1' into k8s 2019-05-06 11:56:05 +02:00
Mayte Ariza
3f94f734d4 Removing logs from Wazuh image (#153) 2019-04-26 08:08:49 +02:00
124 changed files with 4108 additions and 5327 deletions
Expand all files Collapse all files

3
.env
View File

@@ -1,3 +0,0 @@
WAZUH_VERSION=4.4.5
WAZUH_IMAGE_VERSION=4.4.5
WAZUH_TAG_REVISION=1

103
.github/.goss.yaml vendored
View File

@@ -1,103 +0,0 @@
file:
/etc/filebeat/filebeat.yml:
exists: true
mode: "0644"
owner: root
group: root
filetype: file
contains: []
/var/ossec/bin/wazuh-control:
exists: true
mode: "0750"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/lists/audit-keys:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/ossec.conf:
exists: true
mode: "0660"
owner: root
group: wazuh
filetype: file
contains: []
/var/ossec/etc/rules/local_rules.xml:
exists: true
mode: "0660"
owner: wazuh
group: wazuh
filetype: file
contains: []
/var/ossec/etc/sslmanager.cert:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
/var/ossec/etc/sslmanager.key:
exists: true
mode: "0640"
owner: root
group: root
filetype: file
contains: []
package:
filebeat:
installed: true
versions:
- 7.10.2
wazuh-manager:
installed: true
versions:
- 4.4.5-1
port:
tcp:1514:
listening: true
ip:
- 0.0.0.0
tcp:1515:
listening: true
ip:
- 0.0.0.0
tcp:55000:
listening: true
ip:
- 0.0.0.0
process:
filebeat:
running: true
wazuh-analysisd:
running: true
wazuh-authd:
running: true
wazuh-execd:
running: true
wazuh-monitord:
running: true
wazuh-remoted:
running: true
wazuh-syscheckd:
running: true
s6-supervise:
running: true
wazuh-db:
running: true
wazuh-modulesd:
running: true
user:
wazuh:
exists: true
groups:
- wazuh
home: /var/ossec
shell: /sbin/nologin
group:
wazuh:
exists: true

18
.github/multi-node-filebeat-check.sh vendored
View File

@@ -1,18 +0,0 @@
filebeatout1=$(docker exec multi-node_wazuh.master_1 sh -c 'filebeat test output')
filebeatstatus1=$(echo "${filebeatout1}" | grep -c OK)
if [[ filebeatstatus1 -eq 7 ]]; then
echo "No errors in master filebeat"
else
echo "Errors in master filebeat"
echo "${filebeatout1}"
exit 1
fi
filebeatout2=$(docker exec multi-node_wazuh.worker_1 sh -c 'filebeat test output')
filebeatstatus2=$(echo "${filebeatout2}" | grep -c OK)
if [[ filebeatstatus2 -eq 7 ]]; then
echo "No errors in worker filebeat"
else
echo "Errors in worker filebeat"
echo "${filebeatout2}"
exit 1
fi

16
.github/multi-node-log-check.sh vendored
View File

@@ -1,16 +0,0 @@
log1=$(docker exec multi-node_wazuh.master_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "$log1" ]]; then
echo "No errors in master ossec.log"
else
echo "Errors in master ossec.log:"
echo "${log1}"
exit 1
fi
log2=$(docker exec multi-node_wazuh.worker_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "${log2}" ]]; then
echo "No errors in worker ossec.log"
else
echo "Errors in worker ossec.log:"
echo "${log2}"
exit 1
fi

9
.github/single-node-filebeat-check.sh vendored
View File

@@ -1,9 +0,0 @@
filebeatout=$(docker exec single-node_wazuh.manager_1 sh -c 'filebeat test output')
filebeatstatus=$(echo "${filebeatout}" | grep -c OK)
if [[ filebeatstatus -eq 7 ]]; then
echo "No errors in filebeat"
else
echo "Errors in filebeat"
echo "${filebeatout}"
exit 1
fi

8
.github/single-node-log-check.sh vendored
View File

@@ -1,8 +0,0 @@
log=$(docker exec single-node_wazuh.manager_1 sh -c 'cat /var/ossec/logs/ossec.log' | grep -P "ERR|WARN|CRIT")
if [[ -z "$log" ]]; then
echo "No errors in ossec.log"
else
echo "Errors in ossec.log:"
echo "${log}"
exit 1
fi

310
.github/workflows/push.yml vendored
View File

@@ -1,310 +0,0 @@
name: Wazuh Docker pipeline
on: [pull_request]
jobs:
build-docker-images:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Build Wazuh images
run: build-docker-images/build-images.sh
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: Create backup Docker images
run: |
mkdir -p /home/runner/work/wazuh-docker/wazuh-docker/docker-images/
docker save wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
docker save wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
docker save wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}} -o /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
- name: Temporarily save Wazuh manager Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-manager
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-manager.tar
retention-days: 1
- name: Temporarily save Wazuh indexer Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-indexer
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-indexer.tar
retention-days: 1
- name: Temporarily save Wazuh dashboard Docker image
uses: actions/upload-artifact@v3
with:
name: docker-artifact-dashboard
path: /home/runner/work/wazuh-docker/wazuh-docker/docker-images/wazuh-dashboard.tar
retention-days: 1
- name: Install Goss
uses: e1himself/goss-installation-action@v1.0.3
with:
version: v0.3.16
- name: Execute Goss tests (wazuh-manager)
run: dgoss run wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}}
env:
GOSS_SLEEP: 30
GOSS_FILE: .github/.goss.yaml
check-single-node:
runs-on: ubuntu-latest
needs: build-docker-images
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Docker load
run: |
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
docker load --input ./wazuh-manager.tar
- name: Create single node certficates
run: docker-compose -f single-node/generate-indexer-certs.yml run --rm generator
- name: Start single node stack
run: docker-compose -f single-node/docker-compose.yml up -d
- name: Check Wazuh indexer start
run: |
sleep 60
status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
if [[ $status_green -eq 1 ]]; then
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
exit 1
fi
status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep "green" | wc -l`"
if [[ $status_index_green -eq $status_index ]]; then
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
exit 1
fi
- name: Check Wazuh indexer nodes
run: |
nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
if [[ $nodes -eq 1 ]]; then
echo "Wazuh indexer nodes: ${nodes}"
else
echo "Wazuh indexer nodes: ${nodes}"
exit 1
fi
- name: Check documents into wazuh-alerts index
run: |
docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
if [[ $docs -gt 100 ]]; then
echo "wazuh-alerts index documents: ${docs}"
else
echo "wazuh-alerts index documents: ${docs}"
exit 1
fi
- name: Check Wazuh templates
run: |
qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics" | wc -l`"
templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics"`"
if [[ $qty_templates -eq 3 ]]; then
echo "wazuh templates:"
echo "${templates}"
else
echo "wazuh templates:"
echo "${templates}"
exit 1
fi
- name: Check Wazuh manager start
run: |
services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
if [[ $services -gt 9 ]]; then
echo "Wazuh Manager Services: ${services}"
echo "OK"
else
echo "Wazuh indexer nodes: ${nodes}"
curl -k -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
exit 1
fi
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check errors in ossec.log
run: ./.github/single-node-log-check.sh
- name: Check filebeat output
run: ./.github/single-node-filebeat-check.sh
- name: Check Wazuh dashboard service URL
run: |
status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}')
if [[ $status -eq 200 ]]; then
echo "Wazuh dashboard status: ${status}"
else
echo "Wazuh dashboard status: ${status}"
exit 1
fi
- name: Stop single node stack
run: docker-compose -f single-node/docker-compose.yml down
check-multi-node:
runs-on: ubuntu-latest
needs: build-docker-images
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Create enviroment variables
run: cat .env > $GITHUB_ENV
- name: Retrieve saved Wazuh dashboard Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-dashboard
- name: Retrieve saved Wazuh manager Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-manager
- name: Retrieve saved Wazuh indexer Docker image
uses: actions/download-artifact@v3
with:
name: docker-artifact-indexer
- name: Docker load
run: |
docker load --input ./wazuh-manager.tar
docker load --input ./wazuh-indexer.tar
docker load --input ./wazuh-dashboard.tar
- name: Create multi node certficates
run: docker-compose -f multi-node/generate-indexer-certs.yml run --rm generator
- name: Start multi node stack
run: docker-compose -f multi-node/docker-compose.yml up -d
- name: Check Wazuh indexer start
run: |
sleep 120
status_green="`curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`"
if [[ $status_green -eq 1 ]]; then
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cluster/health" -u admin:SecretPassword -k -s
exit 1
fi
status_index="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | wc -l`"
status_index_green="`curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s | grep -E "green" | wc -l`"
if [[ $status_index_green -eq $status_index ]]; then
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
else
curl -XGET "https://0.0.0.0:9200/_cat/indices" -u admin:SecretPassword -k -s
exit 1
fi
- name: Check Wazuh indexer nodes
run: |
nodes="`curl -XGET "https://0.0.0.0:9200/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`"
if [[ $nodes -eq 3 ]]; then
echo "Wazuh indexer nodes: ${nodes}"
else
echo "Wazuh indexer nodes: ${nodes}"
exit 1
fi
- name: Check documents into wazuh-alerts index
run: |
docs="`curl -XGET "https://0.0.0.0:9200/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`"
if [[ $docs -gt 100 ]]; then
echo "wazuh-alerts index documents: ${docs}"
else
echo "wazuh-alerts index documents: ${docs}"
exit 1
fi
- name: Check Wazuh templates
run: |
qty_templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh" | wc -l`"
templates="`curl -XGET "https://0.0.0.0:9200/_cat/templates" -u admin:SecretPassword -k -s | grep "wazuh"`"
if [[ $qty_templates -eq 3 ]]; then
echo "wazuh templates:"
echo "${templates}"
else
echo "wazuh templates:"
echo "${templates}"
exit 1
fi
- name: Check Wazuh manager start
run: |
services="`curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`"
if [[ $services -gt 10 ]]; then
echo "Wazuh Manager Services: ${services}"
echo "OK"
else
echo "Wazuh indexer nodes: ${nodes}"
curl -k -s -X GET "https://0.0.0.0:55000/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items
exit 1
fi
nodes=$(curl -k -s -X GET "https://0.0.0.0:55000/cluster/nodes" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r ".data.affected_items[].name" | wc -l)
if [[ $nodes -eq 2 ]]; then
echo "Wazuh manager nodes: ${nodes}"
else
echo "Wazuh manager nodes: ${nodes}"
exit 1
fi
env:
TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "https://0.0.0.0:55000/security/user/authenticate?raw=true")
- name: Check errors in ossec.log
run: ./.github/multi-node-log-check.sh
- name: Check filebeat output
run: ./.github/multi-node-filebeat-check.sh
- name: Check Wazuh dashboard service URL
run: |
status=$(curl -XGET --silent https://0.0.0.0:443/app/status -k -u admin:SecretPassword -I | grep -E "^HTTP" | awk '{print $2}')
if [[ $status -eq 200 ]]; then
echo "Wazuh dashboard status: ${status}"
else
echo "Wazuh dashboard status: ${status}"
exit 1
fi

4
.gitignore vendored
View File

@@ -1,4 +0,0 @@
single-node/config/wazuh_indexer_ssl_certs/*.pem
single-node/config/wazuh_indexer_ssl_certs/*.key
multi-node/config/wazuh_indexer_ssl_certs/*.pem
multi-node/config/wazuh_indexer_ssl_certs/*.key

347
CHANGELOG.md
View File

@@ -1,330 +1,6 @@
# Change Log
All notable changes to this project will be documented in this file.
## Wazuh Docker v4.4.5
### Added
- Update Wazuh to version [4.4.5](https://github.com/wazuh/wazuh/blob/v4.4.5/CHANGELOG.md#v445)
## Wazuh Docker v4.4.4
### Added
- Update Wazuh to version [4.4.4](https://github.com/wazuh/wazuh/blob/v4.4.4/CHANGELOG.md#v444)
## Wazuh Docker v4.4.3
### Added
- Update Wazuh to version [4.4.3](https://github.com/wazuh/wazuh/blob/v4.4.3/CHANGELOG.md#v443)
## Wazuh Docker v4.4.2
### Added
- Update Wazuh to version [4.4.2](https://github.com/wazuh/wazuh/blob/v4.4.2/CHANGELOG.md#v442)
## Wazuh Docker v4.4.1
### Added
- Update Wazuh to version [4.4.1](https://github.com/wazuh/wazuh/blob/v4.4.1/CHANGELOG.md#v441)
## Wazuh Docker v4.4.0
### Added
- Update Wazuh to version [4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440)
## Wazuh Docker v4.3.11
### Added
- Update Wazuh to version [4.3.11](https://github.com/wazuh/wazuh/blob/v4.3.11/CHANGELOG.md#v4311)
## Wazuh Docker v4.3.10
### Added
- Update Wazuh to version [4.3.10](https://github.com/wazuh/wazuh/blob/v4.3.10/CHANGELOG.md#v4310)
## Wazuh Docker v4.3.9
### Added
- Update Wazuh to version [4.3.9](https://github.com/wazuh/wazuh/blob/v4.3.9/CHANGELOG.md#v439)
## Wazuh Docker v4.3.8
### Added
- Update Wazuh to version [4.3.8](https://github.com/wazuh/wazuh/blob/v4.3.8/CHANGELOG.md#v438)
## Wazuh Docker v4.3.7
### Added
- Update Wazuh to version [4.3.7](https://github.com/wazuh/wazuh/blob/v4.3.7/CHANGELOG.md#v437)
## Wazuh Docker v4.3.6
### Added
- Update Wazuh to version [4.3.6](https://github.com/wazuh/wazuh/blob/v4.3.6/CHANGELOG.md#v436)
## Wazuh Docker v4.3.5
### Added
- Update Wazuh to version [4.3.5](https://github.com/wazuh/wazuh/blob/v4.3.5/CHANGELOG.md#v435)
## Wazuh Docker v4.3.4
### Added
- Update Wazuh to version [4.3.4](https://github.com/wazuh/wazuh/blob/v4.3.4/CHANGELOG.md#v434)
## Wazuh Docker v4.3.3
### Added
- Update Wazuh to version [4.3.3](https://github.com/wazuh/wazuh/blob/v4.3.3/CHANGELOG.md#v433)
## Wazuh Docker v4.3.2
### Added
- Update Wazuh to version [4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432)
## Wazuh Docker v4.3.1
### Added
- Update Wazuh to version [4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431)
## Wazuh Docker v4.3.0
### Added
- Update Wazuh to version [4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430)
## Wazuh Docker v4.2.7
### Added
- Update Wazuh to version [4.2.7](https://github.com/wazuh/wazuh/blob/v4.2.7/CHANGELOG.md#v427)
## Wazuh Docker v4.2.6
### Added
- Update Wazuh to version [4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426)
## Wazuh Docker v4.2.5
### Added
- Update Wazuh to version [4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425)
## Wazuh Docker v4.2.4
### Added
- Update Wazuh to version [4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424)
## Wazuh Docker v4.2.3
### Added
- Update Wazuh to version [4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423)
## Wazuh Docker v4.2.2
### Added
- Update Wazuh to version [4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422)
## Wazuh Docker v4.2.1
### Added
- Update Wazuh to version [4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421)
## Wazuh Docker v4.2.0
### Added
- Update Wazuh to version [4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420)
## Wazuh Docker v4.1.5
### Added
- Update Wazuh to version [4.1.5](https://github.com/wazuh/wazuh/blob/v4.1.5/CHANGELOG.md#v415)
- Update ODFE compatibility to version 1.13.2
## Wazuh Docker v4.1.4
### Added
- Update Wazuh to version [4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414)
## Wazuh Docker v4.1.3
### Added
- Update Wazuh to version [4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413)
## Wazuh Docker v4.1.2
### Added
- Update Wazuh to version [4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412)
## Wazuh Docker v4.1.1
### Added
- Update Wazuh to version [4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411)
## Wazuh Docker v4.1.0
### Added
- Update Wazuh to version [4.1.0](https://github.com/wazuh/wazuh/blob/v4.1.0/CHANGELOG.md#v410)
- Update ODFE compatibility to version 1.12.0
- Add support for Elasticsearch (xpack) images once again (7.10.2) ([@xr09](https://github.com/xr09)) [#409](https://github.com/wazuh/wazuh-docker/pull/409)
- Re-enable entrypoint scripts ([@xr09](https://github.com/xr09)) [#435](https://github.com/wazuh/wazuh-docker/pull/435)
- Add Goss binary for healthchecks ([@xr09](https://github.com/xr09)) [$441](https://github.com/wazuh/wazuh-docker/pull/441)
- Update s6-overlay to latest version
## Wazuh Docker v4.0.4_1.11.0
### Added
- Update to Wazuh version [4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404)
## Wazuh Docker v4.0.3_1.11.0
### Added
- Update to Wazuh version 4.0.3
## Wazuh Docker v4.0.2_1.11.0
### Added
- Update to Wazuh version 4.0.2
## Wazuh Docker v4.0.1_1.11.0
### Added
- Update to Wazuh version 4.0.1
- Opendistro 1.11.0 compatiblity
- Re-enabled dumping ossec.log to stdout
## Wazuh Docker v4.0.0_1.10.1
### Added
- Update to Wazuh version 4.0.0
- Updating Wazuh cluster key dynamically ([@1stOfHisGame](https://github.com/1stOfHisGame)) [#393](https://github.com/wazuh/wazuh-docker/pull/393)
- Switched to CentOS 7 for base image ([@xr09](https://github.com/xr09)) [#259](https://github.com/wazuh/wazuh-docker/issues/259)
- Using s6-overlay for process management ([@xr09](https://github.com/xr09)) [#274](https://github.com/wazuh/wazuh-docker/issues/274)
- Allow the creation of custom API users ([@xr09](https://github.com/xr09)) [#395](https://github.com/wazuh/wazuh-docker/issues/395)
- OpenDistro support ([@xr09](https://github.com/xr09)) [#373](https://github.com/wazuh/wazuh-docker/pull/373)
### Changed
- Removal of Elastic images
## Wazuh Docker v3.13.2_7.9.1
### Added
- Update to Wazuh version 3.13.2_7.9.1
- Add CLUSTER_NETWORK_HOST environment variable ([@jfut](https://github.com/jfut)) [#372](https://github.com/wazuh/wazuh-docker/pull/372)
### Fixed
- Too many redirects when running on port 80 ([@chowmean](https://github.com/chowmean)) [#377](https://github.com/wazuh/wazuh-docker/pull/377)
- Move Filebeat installation to build stage ([@xr09](https://github.com/xr09)) [#378](https://github.com/wazuh/wazuh-docker/pull/378)
## Wazuh Docker v3.13.1_7.8.0
### Added
- Update to Wazuh version 3.13.1_7.8.0
## Wazuh Docker v3.13.0_7.7.1
### Added
- Update to Wazuh version 3.13.3_7.7.1
### Fixed
- Save agentless state ([@xr09](https://github.com/xr09)) [#350](https://github.com/wazuh/wazuh-docker/pull/350)
- Use HTTP credentials for service check when required ([@xr09](https://github.com/xr09)) [#356](https://github.com/wazuh/wazuh-docker/pull/356)
## Wazuh Docker v3.12.3_7.6.2
### Added
- Update to Wazuh version 3.12.3_7.6.2
## Wazuh Docker v3.12.2_7.6.2
### Added
- Update to Wazuh version 3.12.2_7.6.2
## Wazuh Docker v3.12.1_7.6.2
### Added
- Update to Wazuh version 3.12.1_7.6.2
### Fixed
- Agent timestamp not being properly saved ([@xr09](https://github.com/xr09)) [#323](https://github.com/wazuh/wazuh-docker/pull/323)
## Wazuh Docker v3.12.0_7.6.1
### Added
- Update to Wazuh version 3.12.0_7.6.1
## Wazuh Docker v3.11.4_7.6.1
### Added
- Update to Wazuh version 3.11.4_7.6.1
- Enable HTTP v2 on nginx ([@xr09](https://github.com/xr09)) [#308](https://github.com/wazuh/wazuh-docker/pull/308)
### Fixed
- Updated NGINX config syntax ([@xr09](https://github.com/xr09)) [#303](https://github.com/wazuh/wazuh-docker/pull/303)
## Wazuh Docker v3.11.3_7.5.2
### Added
- Update to Wazuh version 3.11.3_7.5.2
## Wazuh Docker v3.11.2_7.5.1
### Added
- Bumped Node.js to version 10 ([@xr09](https://github.com/xr09)) [#8615cd4](https://github.com/wazuh/wazuh-docker/commit/8615cd4d2152601e55becc7c3675360938e74b6a)
### Fixed
- Fix S3 Plugin ([@AnthonySendra](https://github.com/AnthonySendra)) [#293](https://github.com/wazuh/wazuh-docker/pull/293)
## Wazuh Docker v3.11.1_7.5.1
### Added
- Update to Wazuh version 3.11.1_7.5.1
- Filebeat configuration file updated to latest version ([@manuasir](https://github.com/manuasir)) [#271](https://github.com/wazuh/wazuh-docker/pull/271)
- Allow using the hostname as node_name for managers ([@JPLachance](https://github.com/JPLachance)) [#261](https://github.com/wazuh/wazuh-docker/pull/261)
## Wazuh Docker v3.11.0_7.5.1
### Added
- Update to Wazuh version 3.11.0_7.5.1
## Wazuh Docker v3.10.2_7.5.0
### Added
- Update to Wazuh version 3.10.2_7.5.0
## Wazuh Docker v3.10.2_7.3.2
### Added
@@ -350,6 +26,7 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.4_7.2.0
- Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)
## Wazuh Docker v3.9.3_7.2.0
### Fixed
@@ -361,12 +38,21 @@ All notable changes to this project will be documented in this file.
- Update to Wazuh version 3.9.2_7.1.1
## Wazuh Docker v3.9.3_6.8.1
### Added
- Update to Wazuh version 3.9.3_6.8.1
- Option to disable additionals X-Pack applications and hide unnecesary management links ([@SitoRBJ](https://github.com/SitoRBJ)) ([#163](https://github.com/wazuh/wazuh-docker/pull/163))
## Wazuh Docker v3.9.2_6.8.0
### Added
- Update to Wazuh version 3.9.2_6.8.0
## Wazuh Docker v3.9.1_7.1.0
### Added
@@ -379,11 +65,21 @@ All notable changes to this project will be documented in this file.
### Added
- Update to Wazuh version 3.9.1_6.8.0 ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
- Security for Elastic Stack in Docker implemented ([#186](https://github.com/wazuh/wazuh-docker/issues/186))
### Fixed
- Fixed `ELASTICSEARCH_KIBANA_IP` environment variable ([@manuasir](https://github.com/manuasir)) ([#181](https://github.com/wazuh/wazuh-docker/pull/181))
## Wazuh Docker v3.9.1_7.1.0
### Added
- Support for Elastic v7.1.0
- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
## Wazuh Docker v3.9.0_6.7.2
### Changed
@@ -392,6 +88,7 @@ All notable changes to this project will be documented in this file.
## Wazuh Docker v3.9.0_6.7.1
### Added
- Support for xPACK authorized requests ([@manuasir](https://github.com/manuasir)) ([#119](https://github.com/wazuh/wazuh-docker/pull/119))
@@ -476,7 +173,7 @@ All notable changes to this project will be documented in this file.
- Add env credentials for nginx. ([#86](https://github.com/wazuh/wazuh-docker/pull/86))
- Improve filebeat configuration ([#88](https://github.com/wazuh/wazuh-docker/pull/88))
### Fixed
### Fixed
- Temporary fix for Wazuh cluster master node in Kubernetes. ([#84](https://github.com/wazuh/wazuh-docker/pull/84))

2
LICENSE
View File

@@ -1,5 +1,5 @@
Portions Copyright (C) 2017, Wazuh Inc.
Portions Copyright (C) 2019 Wazuh, Inc.
Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
This program is a free software; you can redistribute it and/or modify

248
README.md
View File

@@ -7,14 +7,14 @@
In this repository you will find the containers to run:
* Wazuh manager: it runs the Wazuh manager, Wazuh API and Filebeat OSS
* Wazuh dashboard: provides a web user interface to browse through alerts data and allows you to visualize agents configuration and status.
* Wazuh indexer: Wazuh indexer container (working as a single-node cluster or as a multi-node cluster). **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
* wazuh: It runs the Wazuh manager, Wazuh API and Filebeat (for integration with Elastic Stack)
* wazuh-kibana: Provides a web user interface to browse through alerts data. It includes Wazuh plugin for Kibana, that allows you to visualize agents configuration and status.
* wazuh-nginx: Proxies the Kibana container, adding HTTPS (via self-signed SSL certificate) and [Basic authentication](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Basic_authentication_scheme).
* wazuh-elasticsearch: An Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. **Be aware to increase the `vm.max_map_count` setting, as it's detailed in the [Wazuh documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#increase-max-map-count-on-your-host-linux).**
The folder `build-docker-images` contains a README explaining how to build the Wazuh images and the necessary assets.
The folder `indexer-certs-creator` contains a README explaining how to create the certificates creator tool and the necessary assets.
The folder `single-node` contains a README explaining how to run a Wazuh environment with one Wazuh manager, one Wazuh indexer, and one Wazuh dashboard.
The folder `multi-node` contains a README explaining how to run a Wazuh environment with two Wazuh managers, three Wazuh indexer, and one Wazuh dashboard.
In addition, a docker-compose file is provided to launch the containers mentioned above.
* Elasticsearch cluster. In the Elasticsearch Dockerfile we can visualize variables to configure an Elasticsearch Cluster. These variables are used in the file *config_cluster.sh* to set them in the *elasticsearch.yml* configuration file. You can see the meaning of the node variables [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html) and other cluster settings [here](https://github.com/elastic/elasticsearch/blob/master/distribution/src/config/elasticsearch.yml).
## Documentation
@@ -22,216 +22,42 @@ The folder `multi-node` contains a README explaining how to run a Wazuh environm
* [Wazuh documentation for Docker](https://documentation.wazuh.com/current/docker/index.html)
* [Docker hub](https://hub.docker.com/u/wazuh)
### Setup SSL certificate
Before starting the environment it is required to provide an SSL certificate (or just generate one self-signed).
Documentation on how to provide these two can be found at [Wazuh Docker Documentation](https://documentation.wazuh.com/current/docker/wazuh-container.html#production-deployment).
## Environment Variables
Default values are included when available.
### Wazuh
```
API_USERNAME="wazuh-wui" # Wazuh API username
API_PASSWORD="MyS3cr37P450r.*-" # Wazuh API password - Must comply with requirements
# (8+ length, uppercase, lowercase, specials chars)
INDEXER_URL=https://wazuh.indexer:9200 # Wazuh indexer URL
INDEXER_USERNAME=admin # Wazuh indexer Username
INDEXER_PASSWORD=SecretPassword # Wazuh indexer Password
FILEBEAT_SSL_VERIFICATION_MODE=full # Filebeat SSL Verification mode (full or none)
SSL_CERTIFICATE_AUTHORITIES="" # Path of Filebeat SSL CA
SSL_CERTIFICATE="" # Path of Filebeat SSL Certificate
SSL_KEY="" # Path of Filebeat SSL Key
```
### Dashboard
```
PATTERN="wazuh-alerts-*" # Default index pattern to use
CHECKS_PATTERN=true # Defines which checks must to be consider by the healthcheck
CHECKS_TEMPLATE=true # step once the Wazuh app starts. Values must to be true or false
CHECKS_API=true
CHECKS_SETUP=true
EXTENSIONS_PCI=true # Enable PCI Extension
EXTENSIONS_GDPR=true # Enable GDPR Extension
EXTENSIONS_HIPAA=true # Enable HIPAA Extension
EXTENSIONS_NIST=true # Enable NIST Extension
EXTENSIONS_TSC=true # Enable TSC Extension
EXTENSIONS_AUDIT=true # Enable Audit Extension
EXTENSIONS_OSCAP=false # Enable OpenSCAP Extension
EXTENSIONS_CISCAT=false # Enable CISCAT Extension
EXTENSIONS_AWS=false # Enable AWS Extension
EXTENSIONS_GCP=false # Enable GCP Extension
EXTENSIONS_VIRUSTOTAL=false # Enable Virustotal Extension
EXTENSIONS_OSQUERY=false # Enable OSQuery Extension
EXTENSIONS_DOCKER=false # Enable Docker Extension
APP_TIMEOUT=20000 # Defines maximum timeout to be used on the Wazuh app requests
API_SELECTOR=true Defines if the user is allowed to change the selected API directly from the Wazuh app top menu
IP_SELECTOR=true # Defines if the user is allowed to change the selected index pattern directly from the Wazuh app top menu
IP_IGNORE="[]" # List of index patterns to be ignored
DASHBOARD_USERNAME=kibanaserver # Custom user saved in the dashboard keystore
DASHBOARD_PASSWORD=kibanaserver # Custom password saved in the dashboard keystore
WAZUH_MONITORING_ENABLED=true # Custom settings to enable/disable wazuh-monitoring indices
WAZUH_MONITORING_FREQUENCY=900 # Custom setting to set the frequency for wazuh-monitoring indices cron task
WAZUH_MONITORING_SHARDS=2 # Configure wazuh-monitoring-* indices shards and replicas
WAZUH_MONITORING_REPLICAS=0 ##
```
## Directory structure
├── build-docker-images
│   ├── docker-compose.yml
│   ├── wazuh-dashboard
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ── entrypoint.sh
│   │   │   ├── opensearch_dashboards.yml
│   │   │   ├── wazuh_app_config.sh
│   │   │   └── wazuh.yml
│   │   └── Dockerfile
│   ── wazuh-indexer
│   │   ├── config
│   │   │   ├── config.sh
│   │   │   ├── config.yml
│   │   │   ├── entrypoint.sh
│   │   │   ├── internal_users.yml
│   │   │   ├── opensearch.yml
│   │   │   ├── roles_mapping.yml
│   │   │   ├── roles.yml
│   │   │   └── securityadmin.sh
│   │   └── Dockerfile
│   ── wazuh-manager
│   ├── config
│   │   ├── create_user.py
│   │   ├── etc
│   │   │   ├── cont-init.d
│   │   │   │   ├── 0-wazuh-init
│   │   │   │   ├── 1-config-filebeat
│   │   │   │   └── 2-manager
│   │   │   └── services.d
│   │   │   ├── filebeat
│   │   │   │   ├── finish
│   │   │   │   └── run
│   │   │   └── ossec-logs
│   │   │   └── run
│   │   ├── filebeat.yml
│   │   ├── permanent_data.env
│   │   ├── permanent_data.sh
│   │   └── wazuh.repo
│   └── Dockerfile
├── CHANGELOG.md
├── indexer-certs-creator
│   ├── config
│   │   └── entrypoint.sh
│   └── Dockerfile
├── LICENSE
├── multi-node
│   ├── config
│   │   ├── nginx
│   │   │   └── nginx.conf
│   │   ├── wazuh_cluster
│   │   │   ├── wazuh_manager.conf
│   │   │   └── wazuh_worker.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   ├── wazuh_indexer
│   │   │   ├── internal_users.yml
│   │   │   ├── wazuh1.indexer.yml
│   │   │   ├── wazuh2.indexer.yml
│   │   │   └── wazuh3.indexer.yml
│   │   └── wazuh_indexer_ssl_certs
│   │   └── certs.yml
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   ├── Migration-to-Wazuh-4.3.md
│   └── volume-migrator.sh
├── README.md
├── single-node
│   ├── config
│   │   ├── wazuh_cluster
│   │   │   └── wazuh_manager.conf
│   │   ├── wazuh_dashboard
│   │   │   ├── opensearch_dashboards.yml
│   │   │   └── wazuh.yml
│   │   ├── wazuh_indexer
│   │   │   ├── internal_users.yml
│   │   │   └── wazuh.indexer.yml
│   │   └── wazuh_indexer_ssl_certs
│   │   ├── admin-key.pem
│   │   ├── admin.pem
│   │   ├── certs.yml
│   │   ├── root-ca.key
│   │   ├── root-ca.pem
│   │   ├── wazuh.dashboard-key.pem
│   │   ├── wazuh.dashboard.pem
│   │   ├── wazuh.indexer-key.pem
│   │   ├── wazuh.indexer.pem
│   │   ├── wazuh.manager-key.pem
│   │   └── wazuh.manager.pem
│   ├── docker-compose.yml
│   ├── generate-indexer-certs.yml
│   └── README.md
└── VERSION
wazuh-docker
├── docker-compose.yml
├── kibana
│   ├── config
│   │   ├── entrypoint.sh
│   │   └── kibana.yml
│   ── Dockerfile
├── LICENSE
├── nginx
│   ├── config
│   │   └── entrypoint.sh
│   ── Dockerfile
├── README.md
├── CHANGELOG.md
├── VERSION
├── test.txt
└── wazuh
├── config
│   ├── data_dirs.env
│   ├── entrypoint.sh
│   ├── filebeat.runit.service
│   ├── filebeat.yml
│   ── init.bash
│   ├── postfix.runit.service
│   ├── wazuh-api.runit.service
│   └── wazuh.runit.service
└── Dockerfile
## Branches
* `stable` branch on correspond to the latest Wazuh-Docker stable version.
* `master` branch contains the latest code, be aware of possible bugs on this branch.
* `stable` branch on correspond to the last Wazuh stable version.
## Compatibility Matrix
| Wazuh version | ODFE | XPACK |
|---------------|---------|--------|
| v4.4.5 | | |
| v4.4.4 | | |
| v4.4.3 | | |
| v4.4.2 | | |
| v4.4.1 | | |
| v4.4.0 | | |
| v4.3.11 | | |
| v4.3.10 | | |
| v4.3.9 | | |
| v4.3.8 | | |
| v4.3.7 | | |
| v4.3.6 | | |
| v4.3.5 | | |
| v4.3.4 | | |
| v4.3.3 | | |
| v4.3.2 | | |
| v4.3.1 | | |
| v4.3.0 | | |
| v4.2.7 | 1.13.2 | 7.11.2 |
| v4.2.6 | 1.13.2 | 7.11.2 |
| v4.2.5 | 1.13.2 | 7.11.2 |
| v4.2.4 | 1.13.2 | 7.11.2 |
| v4.2.3 | 1.13.2 | 7.11.2 |
| v4.2.2 | 1.13.2 | 7.11.2 |
| v4.2.1 | 1.13.2 | 7.11.2 |
| v4.2.0 | 1.13.2 | 7.10.2 |
| v4.1.5 | 1.13.2 | 7.10.2 |
| v4.1.4 | 1.12.0 | 7.10.2 |
| v4.1.3 | 1.12.0 | 7.10.2 |
| v4.1.2 | 1.12.0 | 7.10.2 |
| v4.1.1 | 1.12.0 | 7.10.2 |
| v4.1.0 | 1.12.0 | 7.10.2 |
| v4.0.4 | 1.11.0 | |
| v4.0.3 | 1.11.0 | |
| v4.0.2 | 1.11.0 | |
| v4.0.1 | 1.11.0 | |
| v4.0.0 | 1.10.1 | |
* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
## Credits and Thank you
@@ -244,7 +70,7 @@ We thank you them and everyone else who has contributed to this project.
## License and copyright
Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
## Web references

4
VERSION
View File

@@ -1,2 +1,2 @@
WAZUH-DOCKER_VERSION="4.4.5"
REVISION="40413"
WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
REVISION="31020"

11
build-docker-images/README.md
View File

@@ -1,11 +0,0 @@
# Wazuh Docker Image Builder
The creation of the images for the Wazuh stack deployment in Docker is done with the build-images.yml script
To execute the process, the following must be executed in the root of the wazuh-docker repository:
```
$ build-docker-images/build-images.sh
```
This script initializes the environment variables needed to build each of the images.

17
build-docker-images/build-images.sh
View File

@@ -1,17 +0,0 @@
WAZUH_IMAGE_VERSION=4.4.5
WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
WAZUH_TAG_REVISION=1
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
## If wazuh manager exists in apt dev repository, change variables, if not, exit 1
if [ "$WAZUH_VERSION" -le "$WAZUH_CURRENT_VERSION" ]; then
IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
else
IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
fi
echo WAZUH_VERSION=$WAZUH_IMAGE_VERSION > .env
echo WAZUH_IMAGE_VERSION=$IMAGE_VERSION >> .env
echo WAZUH_TAG_REVISION=$WAZUH_TAG_REVISION >> .env
docker-compose -f build-docker-images/build-images.yml --env-file .env build --no-cache

91
build-docker-images/build-images.yml
View File

@@ -1,91 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.manager:
build:
context: wazuh-manager/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
image: wazuh/wazuh-manager:${WAZUH_IMAGE_VERSION}
hostname: wazuh.manager
restart: always
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- FILEBEAT_SSL_VERIFICATION_MODE=none
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
wazuh.indexer:
build:
context: wazuh-indexer/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
image: wazuh/wazuh-indexer:${WAZUH_IMAGE_VERSION}
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
wazuh.dashboard:
build:
context: wazuh-dashboard/
args:
WAZUH_VERSION: ${WAZUH_VERSION}
WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
image: wazuh/wazuh-dashboard:${WAZUH_IMAGE_VERSION}
hostname: wazuh.dashboard
restart: always
ports:
- 443:443
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=admin
- SERVER_SSL_ENABLED=false
- WAZUH_API_URL=https://wazuh.manager
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:

112
build-docker-images/wazuh-dashboard/Dockerfile
View File

@@ -1,112 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal AS builder
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
ARG INSTALL_DIR=/usr/share/wazuh-dashboard
ARG WAZUH_UI_REVISION=1
# Update and install dependencies
RUN apt-get update && apt install curl libcap2-bin xz-utils -y
# Create Install dir
RUN mkdir -p $INSTALL_DIR
# Download and extract Wazuh dashboard base
COPY config/dl_base.sh .
RUN bash dl_base.sh
# Generate certificates
COPY config/config.sh .
COPY config/config.yml /
RUN bash config.sh
COPY config/install_wazuh_app.sh /
RUN chmod 775 /install_wazuh_app.sh
RUN bash /install_wazuh_app.sh
# Copy and set permissions to config files
COPY config/opensearch_dashboards.yml $INSTALL_DIR/config/
COPY config/wazuh.yml $INSTALL_DIR/data/wazuh/config/
RUN chown 101:101 $INSTALL_DIR/config/opensearch_dashboards.yml && chmod 664 $INSTALL_DIR/config/opensearch_dashboards.yml
# Create and set permissions to data directories
RUN mkdir -p $INSTALL_DIR/data/wazuh && chown -R 101:101 $INSTALL_DIR/data/wazuh && chmod -R 775 $INSTALL_DIR/data/wazuh
RUN mkdir -p $INSTALL_DIR/data/wazuh/config && chown -R 101:101 $INSTALL_DIR/data/wazuh/config && chmod -R 775 $INSTALL_DIR/data/wazuh/config
RUN mkdir -p $INSTALL_DIR/data/wazuh/logs && chown -R 101:101 $INSTALL_DIR/data/wazuh/logs && chmod -R 775 $INSTALL_DIR/data/wazuh/logs
################################################################################
# Build stage 1 (the current Wazuh dashboard image):
#
# Copy wazuh-dashboard from stage 0
# Add entrypoint
# Add wazuh_app_config
################################################################################
FROM ubuntu:focal
# Set environment variables
ENV USER="wazuh-dashboard" \
GROUP="wazuh-dashboard" \
NAME="wazuh-dashboard" \
INSTALL_DIR="/usr/share/wazuh-dashboard"
# Set Wazuh app variables
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_HIPAA="" \
EXTENSIONS_NIST="" \
EXTENSIONS_TSC="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_GCP="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
EXTENSIONS_DOCKER="" \
APP_TIMEOUT="" \
API_SELECTOR="" \
IP_SELECTOR="" \
IP_IGNORE="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS=""
# Install dependencies
RUN apt update && apt install -y libnss3-dev fonts-liberation libfontconfig1
# Create wazuh-dashboard user and group
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
# Copy and set permissions to scripts
COPY config/entrypoint.sh /
COPY config/wazuh_app_config.sh /
RUN chmod 700 /entrypoint.sh
RUN chmod 700 /wazuh_app_config.sh
RUN chown 1000:1000 /*.sh
# Copy Install dir from builder to current image
COPY --from=builder --chown=1000:1000 $INSTALL_DIR $INSTALL_DIR
# Set workdir and user
WORKDIR $INSTALL_DIR
USER wazuh-dashboard
# Services ports
EXPOSE 443
ENTRYPOINT [ "/entrypoint.sh" ]

42
build-docker-images/wazuh-dashboard/config/config.sh
View File

@@ -1,42 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-dashboard
export TARGET_DIR=${CURDIR}/debian/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}/config
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.4/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.4/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# Create certs directory
mkdir -p ${CONFIG_DIR}/certs
# Copy Wazuh dashboard certs to install config dir
cp /wazuh-certificates/demo.dashboard.pem ${CONFIG_DIR}/certs/dashboard.pem
cp /wazuh-certificates/demo.dashboard-key.pem ${CONFIG_DIR}/certs/dashboard-key.pem
cp /wazuh-certificates/root-ca.pem ${CONFIG_DIR}/certs/root-ca.pem
chmod -R 500 ${CONFIG_DIR}/certs
chmod -R 400 ${CONFIG_DIR}/certs/*

5
build-docker-images/wazuh-dashboard/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh dashboard server nodes
dashboard:
- name: demo.dashboard
ip: demo.dashboard

25
build-docker-images/wazuh-dashboard/config/dl_base.sh
View File

@@ -1,25 +0,0 @@
REPOSITORY="packages.wazuh.com/4.x"
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
MAJOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f1)
MID_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f2)
MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
## check version to use the correct repository
if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
fi
fi
fi
curl -o wazuh-dashboard-base.tar.xz https://${REPOSITORY}/stack/dashboard/wazuh-dashboard-base-${WAZUH_VERSION}-${WAZUH_TAG_REVISION}-linux-x64.tar.xz
tar -xf wazuh-dashboard-base.tar.xz --directory $INSTALL_DIR --strip-components=1

20
build-docker-images/wazuh-dashboard/config/entrypoint.sh
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
INSTALL_DIR=/usr/share/wazuh-dashboard
DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}"
DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}"
# Create and configure Wazuh dashboard keystore
yes | $INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
##############################################################################
# Start Wazuh dashboard
##############################################################################
/wazuh_app_config.sh $WAZUH_UI_REVISION
/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml

25
build-docker-images/wazuh-dashboard/config/install_wazuh_app.sh
View File

@@ -1,25 +0,0 @@
## variables
WAZUH_APP=https://packages.wazuh.com/4.x/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
MAJOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f1)
MID_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f2)
MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
## check version to use the correct repository
if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
WAZUH_APP=https://packages-dev.wazuh.com/pre-release/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
WAZUH_APP=https://packages-dev.wazuh.com/pre-release/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
WAZUH_APP=https://packages-dev.wazuh.com/pre-release/ui/dashboard/wazuh-${WAZUH_VERSION}-${WAZUH_UI_REVISION}.zip
fi
fi
fi
# Install Wazuh App
$INSTALL_DIR/bin/opensearch-dashboards-plugin install $WAZUH_APP --allow-root

13
build-docker-images/wazuh-dashboard/config/opensearch_dashboards.yml
View File

@@ -1,13 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh.indexer:9200
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/config/certs/dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/config/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/config/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

155
build-docker-images/wazuh-dashboard/config/wazuh.yml
View File

@@ -1,155 +0,0 @@
---
#
# Wazuh app - App configuration file
# Copyright (C) 2017, Wazuh Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Find more information about this on the LICENSE file.
#
# ======================== Wazuh app configuration file ========================
#
# Please check the documentation for more information on configuration options:
# https://documentation.wazuh.com/current/installation-guide/index.html
#
# Also, you can check our repository:
# https://github.com/wazuh/wazuh-kibana-app
#
# ------------------------------- Index patterns -------------------------------
#
# Default index pattern to use.
#pattern: wazuh-alerts-*
#
# ----------------------------------- Checks -----------------------------------
#
# Defines which checks must to be consider by the healthcheck
# step once the Wazuh app starts. Values must to be true or false.
#checks.pattern : true
#checks.template: true
#checks.api : true
#checks.setup : true
#checks.metaFields: true
#
# --------------------------------- Extensions ---------------------------------
#
# Defines which extensions should be activated when you add a new API entry.
# You can change them after Wazuh app starts.
# Values must to be true or false.
#extensions.pci : true
#extensions.gdpr : true
#extensions.hipaa : true
#extensions.nist : true
#extensions.tsc : true
#extensions.audit : true
#extensions.oscap : false
#extensions.ciscat : false
#extensions.aws : false
#extensions.gcp : false
#extensions.virustotal: false
#extensions.osquery : false
#extensions.docker : false
#
# ---------------------------------- Time out ----------------------------------
#
# Defines maximum timeout to be used on the Wazuh app requests.
# It will be ignored if it is bellow 1500.
# It means milliseconds before we consider a request as failed.
# Default: 20000
#timeout: 20000
#
# -------------------------------- API selector --------------------------------
#
# Defines if the user is allowed to change the selected
# API directly from the Wazuh app top menu.
# Default: true
#api.selector: true
#
# --------------------------- Index pattern selector ---------------------------
#
# Defines if the user is allowed to change the selected
# index pattern directly from the Wazuh app top menu.
# Default: true
#ip.selector: true
#
# List of index patterns to be ignored
#ip.ignore: []
#
# ------------------------------ wazuh-monitoring ------------------------------
#
# Custom setting to enable/disable wazuh-monitoring indices.
# Values: true, false, worker
# If worker is given as value, the app will show the Agents status
# visualization but won't insert data on wazuh-monitoring indices.
# Default: true
#wazuh.monitoring.enabled: true
#
# Custom setting to set the frequency for wazuh-monitoring indices cron task.
# Default: 900 (s)
#wazuh.monitoring.frequency: 900
#
# Configure wazuh-monitoring-* indices shards and replicas.
#wazuh.monitoring.shards: 2
#wazuh.monitoring.replicas: 0
#
# Configure wazuh-monitoring-* indices custom creation interval.
# Values: h (hourly), d (daily), w (weekly), m (monthly)
# Default: d
#wazuh.monitoring.creation: d
#
# Default index pattern to use for Wazuh monitoring
#wazuh.monitoring.pattern: wazuh-monitoring-*
#
# --------------------------------- wazuh-cron ----------------------------------
#
# Customize the index prefix of predefined jobs
# This change is not retroactive, if you change it new indexes will be created
# cron.prefix: test
#
# ------------------------------ wazuh-statistics -------------------------------
#
# Custom setting to enable/disable statistics tasks.
#cron.statistics.status: true
#
# Enter the ID of the APIs you want to save data from, leave this empty to run
# the task on all configured APIs
#cron.statistics.apis: []
#
# Define the frequency of task execution using cron schedule expressions
#cron.statistics.interval: 0 0 * * * *
#
# Define the name of the index in which the documents are to be saved.
#cron.statistics.index.name: statistics
#
# Define the interval in which the index will be created
#cron.statistics.index.creation: w
#
# ------------------------------- App privileges --------------------------------
#admin: true
#
# ---------------------------- Hide manager alerts ------------------------------
# Hide the alerts of the manager in all dashboards and discover
#hideManagerAlerts: false
#
# ------------------------------- App logging level -----------------------------
# Set the logging level for the Wazuh App log files.
# Default value: info
# Allowed values: info, debug
#logs.level: info
#
# -------------------------------- Enrollment DNS -------------------------------
# Set the variable WAZUH_REGISTRATION_SERVER in agents deployment.
# Default value: ''
#enrollment.dns: ''
#
#-------------------------------- API entries -----------------------------------
#The following configuration is the default structure to define an API entry.
#
#hosts:
# - <id>:
# url: http(s)://<url>
# port: <port>
# username: <username>
# password: <password>

65
build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh
View File

@@ -1,65 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
wazuh_url="${WAZUH_API_URL:-https://wazuh}"
wazuh_port="${API_PORT:-55000}"
api_username="${API_USERNAME:-wazuh-wui}"
api_password="${API_PASSWORD:-wazuh-wui}"
api_run_as="${RUN_AS:-false}"
dashboard_config_file="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
[checks.pattern]=$CHECKS_PATTERN
[checks.template]=$CHECKS_TEMPLATE
[checks.api]=$CHECKS_API
[checks.setup]=$CHECKS_SETUP
[extensions.pci]=$EXTENSIONS_PCI
[extensions.gdpr]=$EXTENSIONS_GDPR
[extensions.hipaa]=$EXTENSIONS_HIPAA
[extensions.nist]=$EXTENSIONS_NIST
[extensions.tsc]=$EXTENSIONS_TSC
[extensions.audit]=$EXTENSIONS_AUDIT
[extensions.oscap]=$EXTENSIONS_OSCAP
[extensions.ciscat]=$EXTENSIONS_CISCAT
[extensions.aws]=$EXTENSIONS_AWS
[extensions.gcp]=$EXTENSIONS_GCP
[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
[extensions.osquery]=$EXTENSIONS_OSQUERY
[extensions.docker]=$EXTENSIONS_DOCKER
[timeout]=$APP_TIMEOUT
[api.selector]=$API_SELECTOR
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $dashboard_config_file
fi
done
grep -q 1513629884013 $dashboard_config_file
_config_exists=$?
if [[ $_config_exists -ne 0 ]]; then
cat << EOF >> $dashboard_config_file
hosts:
- 1513629884013:
url: $wazuh_url
port: $wazuh_port
username: $api_username
password: $api_password
run_as: $api_run_as
EOF
else
echo "Wazuh APP already configured"
fi

79
build-docker-images/wazuh-indexer/Dockerfile
View File

@@ -1,79 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal AS builder
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
RUN apt-get update -y && apt-get install curl openssl xz-utils -y
COPY config/opensearch.yml /
COPY config/config.sh .
COPY config/config.yml /
COPY config/internal_users.yml /
COPY config/roles_mapping.yml /
COPY config/roles.yml /
RUN bash config.sh
################################################################################
# Build stage 1 (the actual Wazuh indexer image):
#
# Copy wazuh-indexer from stage 0
# Add entrypoint
################################################################################
FROM ubuntu:focal
ENV USER="wazuh-indexer" \
GROUP="wazuh-indexer" \
NAME="wazuh-indexer" \
INSTALL_DIR="/usr/share/wazuh-indexer"
RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
RUN useradd --system \
--uid 1000 \
--no-create-home \
--home-dir $INSTALL_DIR \
--gid $GROUP \
--shell /sbin/nologin \
--comment "$USER user" \
$USER
WORKDIR $INSTALL_DIR
COPY config/entrypoint.sh /
COPY config/securityadmin.sh /
RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
RUN chown 1000:1000 /*.sh
COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d
COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d
RUN chown -R 1000:1000 /usr/share/wazuh-indexer
RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \
mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \
mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \
mkdir -p /var/log/wazuh-indexer && chown 1000:1000 /var/log/wazuh-indexer && \
chmod 700 /usr/share/wazuh-indexer && \
chmod 600 /usr/share/wazuh-indexer/jvm.options && \
chmod 600 /usr/share/wazuh-indexer/opensearch.yml
USER wazuh-indexer
# Services ports
EXPOSE 9200
ENTRYPOINT ["/entrypoint.sh"]
# Dummy overridable parameter parsed by entrypoint
CMD ["opensearchwrapper"]

138
build-docker-images/wazuh-indexer/config/config.sh
View File

@@ -1,138 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
# This has to be exported to make some magic below work.
export DH_OPTIONS
export NAME=wazuh-indexer
export TARGET_DIR=${CURDIR}/debian/${NAME}
# Package build options
export USER=${NAME}
export GROUP=${NAME}
export VERSION=${WAZUH_VERSION}-${WAZUH_TAG_REVISION}
export LOG_DIR=/var/log/${NAME}
export LIB_DIR=/var/lib/${NAME}
export PID_DIR=/run/${NAME}
export INSTALLATION_DIR=/usr/share/${NAME}
export CONFIG_DIR=${INSTALLATION_DIR}
export BASE_DIR=${NAME}-*
export INDEXER_FILE=wazuh-indexer-base.tar.xz
export BASE_FILE=wazuh-indexer-base-${VERSION}-linux-x64.tar.xz
export REPO_DIR=/unattended_installer
rm -rf ${INSTALLATION_DIR}/
## variables
REPOSITORY="packages.wazuh.com/4.x"
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
MAJOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f1)
MID_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f2)
MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
## check version to use the correct repository
if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
REPOSITORY="packages-dev.wazuh.com/pre-release"
fi
fi
fi
curl -o ${INDEXER_FILE} https://${REPOSITORY}/stack/indexer/${BASE_FILE}
tar -xf ${INDEXER_FILE}
## TOOLS
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.4/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.4/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
exit 1
fi
## Check if the password tool exists in S3 buckets
PASSWORD_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
PASSWORD_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$PASSWORD_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If password tool exists in some bucket, download it, if not exit 1
if [ "$PASSWORD_TOOL_PACKAGES" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_URL$PASSWORD_TOOL
echo "Password tool exists in Packages bucket"
elif [ "$PASSWORD_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $PASSWORD_TOOL $PACKAGES_DEV_URL$PASSWORD_TOOL
echo "Password tool exists in Packages-dev bucket"
else
echo "Password tool does not exist in any bucket"
exit 1
fi
chmod 755 $CERT_TOOL && bash /$CERT_TOOL -A
# copy to target
mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
mkdir -p ${TARGET_DIR}${CONFIG_DIR}
mkdir -p ${TARGET_DIR}${LIB_DIR}
mkdir -p ${TARGET_DIR}${LOG_DIR}
mkdir -p ${TARGET_DIR}/etc/init.d
mkdir -p ${TARGET_DIR}/etc/default
mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d
mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d
mkdir -p ${TARGET_DIR}/usr/lib/systemd/system
mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs
# Move configuration files for wazuh-indexer
mv -f ${BASE_DIR}/etc/init.d/${NAME} ${TARGET_DIR}/etc/init.d/${NAME}
mv -f ${BASE_DIR}/etc/wazuh-indexer/* ${TARGET_DIR}${CONFIG_DIR}
mv -f ${BASE_DIR}/etc/sysconfig/${NAME} ${TARGET_DIR}/etc/default/
mv -f ${BASE_DIR}/usr/lib/tmpfiles.d/* ${TARGET_DIR}/usr/lib/tmpfiles.d/
mv -f ${BASE_DIR}/usr/lib/sysctl.d/* ${TARGET_DIR}/usr/lib/sysctl.d/
mv -f ${BASE_DIR}/usr/lib/systemd/system/* ${TARGET_DIR}/usr/lib/systemd/system/
rm -rf ${BASE_DIR}/etc
rm -rf ${BASE_DIR}/usr
# Copy installation files to final location
cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INSTALLATION_DIR}
# Copy the security tools
cp /$CERT_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/tools/
# Copy Wazuh's config files for the security plugin
cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
# Copy Wazuh indexer's certificates
cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem
cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem
cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key
cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem
cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem
cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem
# Delete xms and xmx parameters in jvm.options
sed '/-Xms/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
sed '/-Xmx/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs
chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/*

5
build-docker-images/wazuh-indexer/config/config.yml
View File

@@ -1,5 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: demo.indexer
ip: demo.indexer

93
build-docker-images/wazuh-indexer/config/entrypoint.sh
View File

@@ -1,93 +0,0 @@
#!/usr/bin/env bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
umask 0002
export USER=wazuh-indexer
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}
export JAVA_HOME=${INSTALLATION_DIR}/jdk
export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000:0 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
# Allow user specify custom CMD, maybe bin/opensearch itself
# for example to directly specify `-E` style parameters for opensearch on k8s
# or simply to run /bin/bash to check the image
if [[ "$1" != "opensearchwrapper" ]]; then
if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
# Rewrite CMD args to replace $1 with `opensearch` explicitly,
# Without this, user could specify `opensearch -E x.y=z` but
# `bin/opensearch -E x.y=z` would not work.
set -- "opensearch" "${@:2}"
# Use chroot to switch to UID 1000 / GID 0
exec chroot --userspec=1000:0 / "$@"
else
# User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
exec "$@"
fi
fi
# Allow environment variables to be set by creating a file with the
# contents, and setting an environment variable with the suffix _FILE to
# point to it. This can be used to provide secrets to a container, without
# the values being specified explicitly when running the container.
#
# This is also sourced in opensearch-env, and is only needed here
# as well because we use INDEXER_PASSWORD below. Sourcing this script
# is idempotent.
source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
if [[ -f bin/opensearch-users ]]; then
# Check for the INDEXER_PASSWORD environment variable to set the
# bootstrap password for Security.
#
# This is only required for the first node in a cluster with Security
# enabled, but we have no way of knowing which node we are yet. We'll just
# honor the variable if it's present.
if [[ -n "$INDEXER_PASSWORD" ]]; then
[[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
# keystore is unencrypted
if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
(run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
fi
else
# keystore requires password
if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
| opensearch-keystore list | grep -q '^bootstrap.password$') ; then
COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
(run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
fi
fi
fi
fi
if [[ "$(id -u)" == "0" ]]; then
# If requested and running as root, mutate the ownership of bind-mounts
if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
fi
fi
#if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then
# run securityadmin.sh for single node with CACERT, CERT and KEY parameter
# nohup /securityadmin.sh &
# touch "/var/lib/wazuh-indexer/.flag"
#fi
run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

74
build-docker-images/wazuh-indexer/config/internal_users.yml
View File

@@ -1,74 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"
wazuh_admin:
hash: "$2y$12$d2awHiOYvZjI88VfsDON.u6buoBol0gYPJEgdG1ArKVE0OMxViFfu"
reserved: true
hidden: false
backend_roles: []
attributes: {}
opendistro_security_roles: []
static: false
wazuh_user:
hash: "$2y$12$BQixeoQdRubZdVf/7sq1suHwiVRnSst1.lPI2M0.GPZms4bq2D9vO"
reserved: true
hidden: false
backend_roles: []
attributes: {}
opendistro_security_roles: []
static: false

26
build-docker-images/wazuh-indexer/config/opensearch.yml
View File

@@ -1,26 +0,0 @@
network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

163
build-docker-images/wazuh-indexer/config/roles.yml
View File

@@ -1,163 +0,0 @@
_meta:
type: "roles"
config_version: 2
# Restrict users so they can only view visualization and dashboards on kibana
kibana_read_only:
reserved: true
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
# Allows users to view monitors, destinations and alerts
alerting_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/get'
- 'cluster:admin/opendistro/alerting/destination/get'
- 'cluster:admin/opendistro/alerting/monitor/get'
- 'cluster:admin/opendistro/alerting/monitor/search'
# Allows users to view and acknowledge alerts
alerting_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/*'
# Allows users to use all alerting functionality
alerting_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/alerting/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/ad/detector/info'
- 'cluster:admin/opendistro/ad/detector/search'
- 'cluster:admin/opendistro/ad/detectors/get'
- 'cluster:admin/opendistro/ad/result/search'
- 'cluster:admin/opendistro/ad/tasks/search'
# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/ad/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allows users to read Notebooks
notebooks_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/list'
- 'cluster:admin/opendistro/notebooks/get'
# Allows users to all Notebooks functionality
notebooks_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/create'
- 'cluster:admin/opendistro/notebooks/update'
- 'cluster:admin/opendistro/notebooks/delete'
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
# Allows users to read and download Reports
reports_instances_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to read and download Reports and Report-definitions
reports_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to all Reports functionality
reports_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/create'
- 'cluster:admin/opendistro/reports/definition/update'
- 'cluster:admin/opendistro/reports/definition/on_demand'
- 'cluster:admin/opendistro/reports/definition/delete'
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:data/read/search*'
# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/get'
wazuh_ui_user:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "wazuh-*"
dls: ""
fls: []
masked_fields: []
allowed_actions:
- "read"
tenant_permissions: []
static: false
wazuh_ui_admin:
reserved: true
hidden: false
cluster_permissions: []
index_permissions:
- index_patterns:
- "wazuh-*"
dls: ""
fls: []
masked_fields: []
allowed_actions:
- "read"
- "delete"
- "manage"
- "index"
tenant_permissions: []
static: false

71
build-docker-images/wazuh-indexer/config/roles_mapping.yml
View File

@@ -1,71 +0,0 @@
---
# In this file users, backendroles and hosts can be mapped to Wazuh indexer Security roles.
# Permissions for Wazuh indexer roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
# Define your roles mapping here
## Demo roles mapping
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
own_index:
reserved: false
users:
- "*"
description: "Allow full access to an index named like the username"
logstash:
reserved: false
backend_roles:
- "logstash"
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
users:
- "wazuh_user"
- "wazuh_admin"
description: "Maps kibanauser to kibana_user"
readall:
reserved: false
backend_roles:
- "readall"
manage_snapshots:
reserved: false
backend_roles:
- "snapshotrestore"
kibana_server:
reserved: true
users:
- "kibanaserver"
wazuh_ui_admin:
reserved: true
hidden: false
backend_roles: []
hosts: []
users:
- "wazuh_admin"
- "kibanaserver"
and_backend_roles: []
wazuh_ui_user:
reserved: true
hidden: false
backend_roles: []
hosts: []
users:
- "wazuh_user"
and_backend_roles: []

3
build-docker-images/wazuh-indexer/config/securityadmin.sh
View File

@@ -1,3 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
sleep 30
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl

57
build-docker-images/wazuh-manager/Dockerfile
View File

@@ -1,57 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
ARG WAZUH_VERSION
ARG WAZUH_TAG_REVISION
ARG TEMPLATE_VERSION=4.4
ARG FILEBEAT_CHANNEL=filebeat-oss
ARG FILEBEAT_VERSION=7.10.2
ARG WAZUH_FILEBEAT_MODULE="wazuh-filebeat-0.2.tar.gz"
RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y
COPY config/check_repository.sh /
RUN chmod 775 /check_repository.sh
RUN source /check_repository.sh
RUN apt-get update && \
apt-get install wazuh-manager=${WAZUH_VERSION}-${WAZUH_TAG_REVISION}
RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
RUN curl -L https://github.com/aelsabbahy/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss && chmod +rx /usr/local/bin/goss
ARG S6_VERSION="v2.2.0.3"
RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
-o /tmp/s6-overlay-amd64.tar.gz && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin && \
rm /tmp/s6-overlay-amd64.tar.gz
COPY config/etc/ /etc/
COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py
COPY config/filebeat.yml /etc/filebeat/
RUN chmod go-w /etc/filebeat/filebeat.yml
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
RUN chmod go-w /etc/filebeat/wazuh-template.json
# Prepare permanent data
# Sync calls are due to https://github.com/docker/docker/issues/9547
COPY config/permanent_data.env config/permanent_data.sh /
RUN chmod 755 /permanent_data.sh && \
sync && /permanent_data.sh && \
sync && rm /permanent_data.sh
# Services ports
EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
ENTRYPOINT [ "/init" ]

29
build-docker-images/wazuh-manager/config/check_repository.sh
View File

@@ -1,29 +0,0 @@
## variables
APT_KEY=https://packages.wazuh.com/key/GPG-KEY-WAZUH
REPOSITORY="deb https://packages.wazuh.com/4.x/apt/ stable main"
WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
MAJOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f1)
MID_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f2)
MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
## check version to use the correct repository
if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
REPOSITORY="deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
REPOSITORY="deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
APT_KEY=https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH
REPOSITORY="deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main"
fi
fi
fi
apt-key adv --fetch-keys ${APT_KEY}
echo ${REPOSITORY} | tee -a /etc/apt/sources.list.d/wazuh.list

102
build-docker-images/wazuh-manager/config/create_user.py
View File

@@ -1,102 +0,0 @@
import logging
import sys
import json
import random
import string
import os
# Set framework path
sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework")
USER_FILE_PATH = "/var/ossec/api/configuration/admin.json"
SPECIAL_CHARS = "@$!%*?&-_"
try:
from wazuh.rbac.orm import create_rbac_db
from wazuh.security import (
create_user,
get_users,
get_roles,
set_user_role,
update_user,
)
except ModuleNotFoundError as e:
logging.error("No module 'wazuh' found.")
sys.exit(1)
def read_user_file(path=USER_FILE_PATH):
with open(path) as user_file:
data = json.load(user_file)
return data["username"], data["password"]
def db_users():
users_result = get_users()
return {user["username"]: user["id"] for user in users_result.affected_items}
def db_roles():
roles_result = get_roles()
return {role["name"]: role["id"] for role in roles_result.affected_items}
def disable_user(uid):
random_pass = "".join(
random.choices(
string.ascii_uppercase
+ string.ascii_lowercase
+ string.digits
+ SPECIAL_CHARS,
k=8,
)
)
# assure there must be at least one character from each group
random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])
random_pass = ''.join(random.sample(random_pass,len(random_pass)))
update_user(
user_id=[
str(uid),
],
password=random_pass,
)
if __name__ == "__main__":
if not os.path.exists(USER_FILE_PATH):
# abort if no user file detected
sys.exit(0)
username, password = read_user_file()
# create RBAC database
create_rbac_db()
initial_users = db_users()
if username not in initial_users:
# create a new user
create_user(username=username, password=password)
users = db_users()
uid = users[username]
roles = db_roles()
rid = roles["administrator"]
set_user_role(
user_id=[
str(uid),
],
role_ids=[
str(rid),
],
)
else:
# modify an existing user ("wazuh" or "wazuh-wui")
uid = initial_users[username]
update_user(
user_id=[
str(uid),
],
password=password,
)
# disable unused default users
for def_user in ['wazuh', 'wazuh-wui']:
if def_user != username:
disable_user(initial_users[def_user])

51
build-docker-images/wazuh-manager/config/etc/cont-init.d/1-config-filebeat
View File

@@ -1,51 +0,0 @@
#!/usr/bin/with-contenv bash
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
set -e
if [ "$INDEXER_URL" != "" ]; then
>&2 echo "Customize Elasticsearch ouput IP"
sed -i "s|hosts:.*|hosts: ['$INDEXER_URL']|g" /etc/filebeat/filebeat.yml
fi
# Configure filebeat.yml security settings
if [ "$INDEXER_USERNAME" != "" ]; then
>&2 echo "Configuring username."
sed -i "s|#username:.*|username:|g" /etc/filebeat/filebeat.yml
sed -i "s|username:.*|username: '$INDEXER_USERNAME'|g" /etc/filebeat/filebeat.yml
fi
if [ "$INDEXER_PASSWORD" != "" ]; then
>&2 echo "Configuring password."
sed -i "s|#password:.*|password:|g" /etc/filebeat/filebeat.yml
sed -i "s|password:.*|password: '$INDEXER_PASSWORD'|g" /etc/filebeat/filebeat.yml
fi
if [ "$FILEBEAT_SSL_VERIFICATION_MODE" != "" ]; then
>&2 echo "Configuring SSL verification mode."
sed -i "s|#ssl.verification_mode:.*|ssl.verification_mode:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.verification_mode:.*|ssl.verification_mode: '$FILEBEAT_SSL_VERIFICATION_MODE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE_AUTHORITIES" != "" ]; then
>&2 echo "Configuring Certificate Authorities."
sed -i "s|#ssl.certificate_authorities:.*|ssl.certificate_authorities:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.certificate_authorities:.*|ssl.certificate_authorities: ['$SSL_CERTIFICATE_AUTHORITIES']|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_CERTIFICATE" != "" ]; then
>&2 echo "Configuring SSL Certificate."
sed -i "s|#ssl.certificate:.*|ssl.certificate:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.certificate:.*|ssl.certificate: '$SSL_CERTIFICATE'|g" /etc/filebeat/filebeat.yml
fi
if [ "$SSL_KEY" != "" ]; then
>&2 echo "Configuring SSL Key."
sed -i "s|#ssl.key:.*|ssl.key:|g" /etc/filebeat/filebeat.yml
sed -i "s|ssl.key:.*|ssl.key: '$SSL_KEY'|g" /etc/filebeat/filebeat.yml
fi
chmod go-w /etc/filebeat/filebeat.yml || true
chown root: /etc/filebeat/filebeat.yml || true

126
build-docker-images/wazuh-manager/config/etc/cont-init.d/2-manager
View File

@@ -1,126 +0,0 @@
#!/usr/bin/with-contenv bash
##############################################################################
# Migration sequence
# Detect if there is a mounted volume on /wazuh-migration and copy the data
# to /var/ossec, finally it will create a flag ".migration-completed" inside
# the mounted volume
##############################################################################
function __colortext()
{
echo -e " \e[1;$2m$1\e[0m"
}
function echogreen()
{
echo $(__colortext "$1" "32")
}
function echoyellow()
{
echo $(__colortext "$1" "33")
}
function echored()
{
echo $(__colortext "$1" "31")
}
function_wazuh_migration(){
if [ -d "/wazuh-migration" ]; then
if [ ! -e /wazuh-migration/.migration-completed ]; then
if [ ! -e /wazuh-migration/global.db ]; then
echoyellow "The volume mounted on /wazuh-migration does not contain all the correct files."
return
fi
\cp -f /wazuh-migration/data/etc/ossec.conf /var/ossec/etc/ossec.conf
chown root:wazuh /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
\cp -f /wazuh-migration/data/etc/client.keys /var/ossec/etc/client.keys
chown wazuh:wazuh /var/ossec/etc/client.keys
chmod 640 /var/ossec/etc/client.keys
\cp -f /wazuh-migration/data/etc/sslmanager.cert /var/ossec/etc/sslmanager.cert
\cp -f /wazuh-migration/data/etc/sslmanager.key /var/ossec/etc/sslmanager.key
chown root:root /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
chmod 640 /var/ossec/etc/sslmanager.cert /var/ossec/etc/sslmanager.key
\cp -f /wazuh-migration/data/etc/shared/default/agent.conf /var/ossec/etc/shared/default/agent.conf
chown wazuh:wazuh /var/ossec/etc/shared/default/agent.conf
chmod 660 /var/ossec/etc/shared/default/agent.conf
\cp -f /wazuh-migration/data/etc/decoders/* /var/ossec/etc/decoders/
chown wazuh:wazuh /var/ossec/etc/decoders/*
chmod 660 /var/ossec/etc/decoders/*
\cp -f /wazuh-migration/data/etc/rules/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
if [ -e /wazuh-migration/data/agentless/.passlist ]; then
\cp -f /wazuh-migration/data/agentless/.passlist /var/ossec/agentless/.passlist
chown root:wazuh /var/ossec/agentless/.passlist
chmod 640 /var/ossec/agentless/.passlist
fi
\cp -f /wazuh-migration/global.db /var/ossec/queue/db/global.db
chown wazuh:wazuh /var/ossec/queue/db/global.db
chmod 640 /var/ossec/queue/db/global.db
# mark volume as migrated
touch /wazuh-migration/.migration-completed
echogreen "Migration completed succesfully"
else
echoyellow "This volume has already been migrated. You may proceed and remove it from the mount point (/wazuh-migration)"
fi
fi
}
function_create_custom_user() {
if [[ ! -z $API_USERNAME ]] && [[ ! -z $API_PASSWORD ]]; then
cat << EOF > /var/ossec/api/configuration/admin.json
{
"username": "$API_USERNAME",
"password": "$API_PASSWORD"
}
EOF
# create or customize API user
if /var/ossec/framework/python/bin/python3 /var/ossec/framework/scripts/create_user.py; then
# remove json if exit code is 0
rm /var/ossec/api/configuration/admin.json
else
echored "There was an error configuring the API user"
# terminate container to avoid unpredictable behavior
exec s6-svscanctl -t /var/run/s6/services
exit 1
fi
fi
}
function_entrypoint_scripts() {
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
if [ -d "/entrypoint-scripts/" ]
then
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done
fi
}
# Migrate data from /wazuh-migration volume
function_wazuh_migration
# create API custom user
function_create_custom_user
# run entrypoint scripts
function_entrypoint_scripts
# Start Wazuh
/var/ossec/bin/wazuh-control start

6
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/finish
View File

@@ -1,6 +0,0 @@
#!/usr/bin/env sh
echo >&2 "Filebeat exited. code=${1}"
# terminate other services to exit from the container
exec s6-svscanctl -t /var/run/s6/services

4
build-docker-images/wazuh-manager/config/etc/services.d/filebeat/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
echo >&2 "starting Filebeat"
exec /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

4
build-docker-images/wazuh-manager/config/etc/services.d/ossec-logs/run
View File

@@ -1,4 +0,0 @@
#!/usr/bin/with-contenv sh
# dumping ossec.log to standard output
exec tail -F /var/ossec/logs/ossec.log

31
build-docker-images/wazuh-manager/config/filebeat.yml
View File

@@ -1,31 +0,0 @@
# Wazuh - Filebeat configuration file
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
hosts: ['https://wazuh.indexer:9200']
#username:
#password:
#ssl.verification_mode:
#ssl.certificate_authorities:
#ssl.certificate:
#ssl.key:
logging.metrics.enabled: false
seccomp:
default_action: allow
syscalls:
- action: allow
names:
- rseq

92
docker-compose.yml Normal file
View File

@@ -0,0 +1,92 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
version: '2'
services:
wazuh:
image: wazuh/wazuh:3.10.2_7.3.2
hostname: wazuh-manager
restart: always
ports:
- "1514:1514/udp"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
# depends_on:
# - logstash
# logstash:
# image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
# hostname: logstash
# restart: always
# links:
# - elasticsearch:elasticsearch
# ports:
# - "5000:5000"
# depends_on:
# - elasticsearch
# environment:
# - LS_HEAP_SIZE=2048m
# - SECURITY_ENABLED=no
# - SECURITY_LOGSTASH_USER=service_logstash
# - SECURITY_LOGSTASH_PASS=logstash_pass
# - LOGSTASH_OUTPUT=https://elasticsearch:9200
# - ELASTICSEARCH_URL=https://elasticsearch:9200
# - SECURITY_CA_PEM=server.TEST-CA-signed.pem
elasticsearch:
image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
hostname: elasticsearch
restart: always
ports:
- "9200:9200"
environment:
- "ES_JAVA_OPTS=-Xms1g -Xmx1g"
- ELASTICSEARCH_PROTOCOL=http
- ELASTICSEARCH_IP=elasticsearch
- ELASTICSEARCH_PORT=9200
- SECURITY_ENABLED=no
- SECURITY_ELASTIC_PASSWORD=elastic_pass
- SECURITY_MAIN_NODE=elasticsearch
- ELASTIC_CLUSTER=true
- CLUSTER_NODE_MASTER=true
- CLUSTER_MASTER_NODE_NAME=elasticsearch
- CLUSTER_NODE_DATA=true
- CLUSTER_NODE_INGEST=true
- CLUSTER_MAX_NODES=3
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 2g
kibana:
image: wazuh/wazuh-kibana:3.10.2_7.3.2
hostname: kibana
restart: always
depends_on:
- elasticsearch
links:
- elasticsearch:elasticsearch
- wazuh:wazuh
environment:
- ELASTICSEARCH_URL=https://elasticsearch:9200
- SECURITY_ENABLED=no
- SECURITY_KIBANA_USER=service_kibana
- SECURITY_KIBANA_PASS=kibana_pass
- ELASTICSEARCH_KIBANA_IP=https://elasticsearch:9200
- SECURITY_CA_PEM=server.TEST-CA-signed.pem
ports:
- "5601:5601"
nginx:
image: wazuh/wazuh-nginx:3.10.2_7.3.2
hostname: nginx
restart: always
environment:
- NGINX_PORT=443
- NGINX_CREDENTIALS
ports:
- "80:80"
- "443:443"
depends_on:
- kibana
links:
- kibana:kibana

96
elasticsearch/Dockerfile Normal file
View File

@@ -0,0 +1,96 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG ELASTIC_VERSION=7.3.2
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELASTIC_VERSION}
ARG TEMPLATE_VERSION=v3.10.2
ENV ELASTICSEARCH_URL="http://elasticsearch:9200"
ENV API_USER="foo" \
API_PASS="bar"
ENV XPACK_ML="true"
ENV ENABLE_CONFIGURE_S3="false"
ENV WAZUH_ALERTS_SHARDS="1" \
WAZUH_ALERTS_REPLICAS="0"
ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config
RUN yum install epel-release -y && \
yum install jq -y
# This CA is created for testing. Please set your own CA zip containing the key and the signed certificate.
# command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
# ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF
# Example:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_KEY_LOCATION="config/server.TEST-CA.key"
# ARG SECURITY_OPENSSL_CONF_LOCATION="config/TEST_openssl.cnf"
# ARG SECURITY_CA_TRUST_LOCATION="config/server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_KEY_LOCATION=""
ARG SECURITY_OPENSSL_CONF_LOCATION=""
ARG SECURITY_CA_TRUST_LOCATION=""
# Elasticearch cluster configuration environment variables
# If ELASTIC_CLUSTER is set to "true" the following variables will be added to the Elasticsearch configuration
# CLUSTER_INITIAL_MASTER_NODES set to own node by default.
ENV ELASTIC_CLUSTER="false" \
CLUSTER_NAME="wazuh" \
CLUSTER_NODE_MASTER="false" \
CLUSTER_NODE_DATA="true" \
CLUSTER_NODE_INGEST="true" \
CLUSTER_MEMORY_LOCK="true" \
CLUSTER_DISCOVERY_SERVICE="wazuh-elasticsearch" \
CLUSTER_NUMBER_OF_MASTERS="2" \
CLUSTER_MAX_NODES="1" \
CLUSTER_DELAYED_TIMEOUT="1m" \
CLUSTER_INITIAL_MASTER_NODES="wazuh-elasticsearch" \
CLUSTER_DISCOVERY_SEED="elasticsearch"
# CA cert for Transport SSL
ADD $SECURITY_CA_PEM_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_KEY_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_OPENSSL_CONF_LOCATION /usr/share/elasticsearch/config
ADD $SECURITY_CA_TRUST_LOCATION /usr/share/elasticsearch/config
RUN mkdir /entrypoint-scripts
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN bin/elasticsearch-plugin install repository-s3 -b
COPY --chown=elasticsearch:elasticsearch ./config/10-config_cluster.sh /entrypoint-scripts/10-config_cluster.sh
COPY --chown=elasticsearch:elasticsearch ./config/15-get_CA_key.sh /entrypoint-scripts/15-get_CA_key.sh
COPY --chown=elasticsearch:elasticsearch ./config/20-security_instances.sh /entrypoint-scripts/20-security_instances.sh
COPY --chown=elasticsearch:elasticsearch ./config/22-security_certs.sh /entrypoint-scripts/22-security_certs.sh
COPY --chown=elasticsearch:elasticsearch ./config/24-security_configuration.sh /entrypoint-scripts/24-security_configuration.sh
COPY --chown=elasticsearch:elasticsearch ./config/26-security_keystore.sh /entrypoint-scripts/26-security_keystore.sh
COPY --chown=elasticsearch:elasticsearch ./config/30-decrypt_credentials.sh /entrypoint-scripts/30-decrypt_credentials.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint.sh /entrypoint-scripts/35-entrypoint.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-entrypoint_load_settings.sh ./
COPY config/35-load_settings_configure_s3.sh ./config/35-load_settings_configure_s3.sh
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_users_management.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_policies.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_templates.sh ./
COPY --chown=elasticsearch:elasticsearch ./config/35-load_settings_aliases.sh ./
RUN chmod +x /entrypoint-scripts/10-config_cluster.sh && \
chmod +x /entrypoint-scripts/15-get_CA_key.sh && \
chmod +x /entrypoint-scripts/20-security_instances.sh && \
chmod +x /entrypoint-scripts/22-security_certs.sh && \
chmod +x /entrypoint-scripts/24-security_configuration.sh && \
chmod +x /entrypoint-scripts/26-security_keystore.sh && \
chmod +x /entrypoint-scripts/30-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/35-entrypoint.sh && \
chmod +x ./35-entrypoint_load_settings.sh && \
chmod 755 ./config/35-load_settings_configure_s3.sh && \
chmod +x ./35-load_settings_users_management.sh && \
chmod +x ./35-load_settings_policies.sh && \
chmod +x ./35-load_settings_templates.sh && \
chmod +x ./35-load_settings_aliases.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["elasticsearch"]

93
elasticsearch/config/10-config_cluster.sh Normal file
View File

@@ -0,0 +1,93 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
elastic_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
original_file="/usr/share/elasticsearch/config/original-elasticsearch.yml"
ELASTIC_HOSTAME=`hostname`
echo "CLUSTER: - Prepare Configuration"
echo "CLUSTER: - Hostname"
echo $ELASTIC_HOSTAME
echo "CLUSTER: - Security main node"
echo $SECURITY_MAIN_NODE
echo "CLUSTER: - Discovery seed"
echo $CLUSTER_DISCOVERY_SEED
echo "CLUSTER: - Elastic cluster flag"
echo $ELASTIC_CLUSTER
echo "CLUSTER: - Node Master"
echo $CLUSTER_NODE_MASTER
echo "CLUSTER: - Node Data"
echo $CLUSTER_NODE_DATA
echo "CLUSTER: - Node Ingest"
echo $CLUSTER_NODE_INGEST
cp $elastic_config_file $original_file
remove_single_node_conf(){
if grep -Fq "discovery.type" $1; then
sed -i '/discovery.type\: /d' $1
fi
}
remove_cluster_config(){
sed -i '/# cluster node/,/# end cluster config/d' $1
}
# If Elasticsearch cluster is enable, then set up the elasticsearch.yml
if [[ $ELASTIC_CLUSTER == "true" && $CLUSTER_NODE_MASTER != "" && $CLUSTER_NODE_DATA != "" && $CLUSTER_NODE_INGEST != "" && $ELASTIC_HOSTAME != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Remove old configuration"
if [[ $ELASTIC_HOSTAME == $SECURITY_MAIN_NODE ]]; then
# Add the master configuration
# cluster.initial_master_nodes for bootstrap the cluster
echo "CLUSTER: - Add the master configuration"
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
cluster.initial_master_nodes:
- $ELASTIC_HOSTAME
# end cluster config"
EOF
elif [[ $CLUSTER_DISCOVERY_SEED != "" ]]; then
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "CLUSTER: - Add standard cluster configuration."
cat > $elastic_config_file << EOF
# cluster node
cluster.name: $CLUSTER_NAME
bootstrap.memory_lock: $CLUSTER_MEMORY_LOCK
network.host: 0.0.0.0
node.name: $ELASTIC_HOSTAME
node.master: $CLUSTER_NODE_MASTER
node.data: $CLUSTER_NODE_DATA
node.ingest: $CLUSTER_NODE_INGEST
node.max_local_storage_nodes: $CLUSTER_MAX_NODES
discovery.seed_hosts:
- $CLUSTER_DISCOVERY_SEED
# end cluster config"
EOF
fi
# If the cluster is disabled, then set a single-node configuration
else
# Remove the old configuration
remove_single_node_conf $elastic_config_file
remove_cluster_config $elastic_config_file
echo "discovery.type: single-node" >> $elastic_config_file
echo "CLUSTER: - Discovery type: single-node"
fi
echo "CLUSTER: - Configured"

11
elasticsearch/config/15-get_CA_key.sh Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the CA key is encrypted, it must be decrypted for later use.
##############################################################################
echo "TO DO"
# TO DO

21
elasticsearch/config/20-security_instances.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# instances.yml
# This file is necessary for the creation of the Elasticsaerch certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Setting Elasticserach security."
# instance.yml to be added by the user.
# Example:
# echo "
# instances:
# - name: \"elasticsearch\"
# dns:
# - \"elasticsearch\"
# " > /user/share/elasticsearch/instances.yml
fi

16
elasticsearch/config/22-security_certs.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Creation and management of certificates.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security certificates."
# Creation of the certificate for Elasticsearch.
# After the execution of this script will have generated
# the Elasticsearch certificate and related keys and passphrase.
# Example: TO DO
fi

32
elasticsearch/config/24-security_configuration.sh Normal file
View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml configuration file
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach security configuration."
echo "SECURITY - Setting configuration options."
# Settings for elasticsearch.yml to be added by the user.
# Example:
# echo "
# # Required to set the passwords and TLS options
# xpack.security.enabled: true
# xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.transport.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# # HTTP layer
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.verification_mode: certificate
# xpack.security.http.ssl.key: /usr/share/elasticsearch/config/elasticsearch/elasticsearch.key
# xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/elasticsearch.cert.pem
# xpack.security.http.ssl.certificate_authorities: [\"/usr/share/elasticsearch/config/ca.cert.pem\"]
# " >> /usr/share/elasticsearch/config/elasticsearch.yml
fi

21
elasticsearch/config/26-security_keystore.sh Normal file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Adapt elasticsearch.yml keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "SECURITY - Elasticserach keystore management."
# Create keystore
# /usr/share/elasticsearch/bin/elasticsearch-keystore create
# Add keys to keystore by the user.
# Example
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase --stdin
# echo -e "$abcd_1234" | /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase --stdin
else
echo "SECURITY - Elasticsearch security not established."
fi

15
elasticsearch/config/30-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

70
elasticsearch/config/35-entrypoint.sh Normal file
View File

@@ -0,0 +1,70 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# For more information https://github.com/elastic/elasticsearch-docker/blob/6.8.1/build/elasticsearch/bin/docker-entrypoint.sh
set -e
# Files created by Elasticsearch should always be group writable too
umask 0002
run_as_other_user_if_needed() {
if [[ "$(id -u)" == "0" ]]; then
# If running as root, drop to specified UID and run command
exec chroot --userspec=1000 / "${@}"
else
# Either we are running in Openshift with random uid and are a member of the root group
# or with a custom --user
exec "${@}"
fi
}
#Disabling xpack features
elasticsearch_config_file="/usr/share/elasticsearch/config/elasticsearch.yml"
if grep -Fq "#xpack features" "$elasticsearch_config_file" ;
then
declare -A CONFIG_MAP=(
[xpack.ml.enabled]=$XPACK_ML
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $elasticsearch_config_file
fi
done
else
echo "
#xpack features
xpack.ml.enabled: $XPACK_ML
" >> $elasticsearch_config_file
fi
# Run load settings script.
bash /usr/share/elasticsearch/35-entrypoint_load_settings.sh &
# Execute elasticsearch
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "Change Elastic password"
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
run_as_other_user_if_needed echo "$SECURITY_ELASTIC_PASSWORD" | elasticsearch-keystore add -xf 'bootstrap.password'
else
input=${SECURITY_CREDENTIALS_FILE}
ELASTIC_PASSWORD_FROM_FILE=""
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASSWORD_FROM_FILE=${arrIN[1]}
fi
done < "$input"
run_as_other_user_if_needed echo "$ELASTIC_PASSWORD_FROM_FILE" | elasticsearch-keystore add -xf 'bootstrap.password'
fi
echo "Elastic password changed"
fi
run_as_other_user_if_needed /usr/share/elasticsearch/bin/elasticsearch

265
elasticsearch/config/35-entrypoint_load_settings.sh Normal file
View File

@@ -0,0 +1,265 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url and Wazuh API url.
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
if [[ "x${WAZUH_API_URL}" = "x" ]]; then
wazuh_url="https://wazuh"
else
wazuh_url="${WAZUH_API_URL}"
fi
echo "LOAD SETTINGS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password and
# WAZUH API credentials.
##############################################################################
ELASTIC_PASS=""
WAZH_API_USER=""
WAZH_API_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
WAZH_API_USER=${API_USER}
WAZH_API_PASS=${API_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
elif [[ $line == *"WAZUH_API_USER"* ]]; then
arrIN=(${line//:/ })
WAZH_API_USER=${arrIN[1]}
elif [[ $line == *"WAZUH_API_PASSWORD"* ]]; then
arrIN=(${line//:/ })
WAZH_API_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "LOAD SETTINGS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "LOAD SETTINGS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "LOAD SETTINGS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "LOAD SETTINGS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "LOAD SETTINGS - Elastic is up - executing command"
##############################################################################
# Configure S3 repository for Elasticsearch snapshots.
##############################################################################
if [ $ENABLE_CONFIGURE_S3 ]; then
#Wait for Elasticsearch to be ready to create the repository
sleep 10
>&2 echo "S3 - Configure S3"
if [ "x$S3_PATH" != "x" ]; then
>&2 echo "S3 - Path: $S3_PATH"
if [ "x$S3_ELASTIC_MAJOR" != "x" ]; then
>&2 echo "S3 - Elasticsearch major version: $S3_ELASTIC_MAJOR"
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME $S3_ELASTIC_MAJOR
else
>&2 echo "S3 - Elasticserach major version not given."
echo "LOAD SETTINGS - Run 35-load_settings_configure_s3.sh."
bash /usr/share/elasticsearch/config/35-load_settings_configure_s3.sh $el_url $S3_BUCKET_NAME $S3_PATH $S3_REPOSITORY_NAME
fi
fi
fi
##############################################################################
# Load custom policies.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch policies."
bash /usr/share/elasticsearch/35-load_settings_policies.sh
##############################################################################
# Modify wazuh-alerts template shards and replicas
##############################################################################
echo "LOAD SETTINGS - Change shards and replicas of wazuh-alerts template."
sed -i 's:"index.number_of_shards"\: "3":"index.number_of_shards"\: "'$WAZUH_ALERTS_SHARDS'":g' /usr/share/elasticsearch/config/wazuh-template.json
sed -i 's:"index.number_of_replicas"\: "0":"index.number_of_replicas"\: "'$WAZUH_ALERTS_REPLICAS'":g' /usr/share/elasticsearch/config/wazuh-template.json
##############################################################################
# Load default templates
##############################################################################
echo "LOAD SETTINGS - Loading wazuh-alerts template"
bash /usr/share/elasticsearch/35-load_settings_templates.sh
##############################################################################
# Load custom aliases.
##############################################################################
echo "LOAD SETTINGS - Loading custom Elasticsearch aliases."
bash /usr/share/elasticsearch/35-load_settings_aliases.sh
##############################################################################
# Elastic Stack users creation.
# Only security main node can manage users.
##############################################################################
echo "LOAD SETTINGS - Run users_management.sh."
MY_HOSTNAME=`hostname`
echo "LOAD SETTINGS - Hostname: $MY_HOSTNAME"
if [[ $SECURITY_MAIN_NODE == $MY_HOSTNAME ]]; then
bash /usr/share/elasticsearch/35-load_settings_users_management.sh &
fi
##############################################################################
# Prepare Wazuh API credentials
##############################################################################
API_PASS_Q=`echo "$WAZH_API_PASS" | tr -d '"'`
API_USER_Q=`echo "$WAZH_API_USER" | tr -d '"'`
API_PASSWORD=`echo -n $API_PASS_Q | base64`
echo "LOAD SETTINGS - Setting API credentials into Wazuh APP"
CONFIG_CODE=$(curl -s -o /dev/null -w "%{http_code}" -XGET $el_url/.wazuh/_doc/1513629884013 ${auth})
if [ "x$CONFIG_CODE" != "x200" ]; then
curl -s -XPOST $el_url/.wazuh/_doc/1513629884013 ${auth} -H 'Content-Type: application/json' -d'
{
"api_user": "'"$API_USER_Q"'",
"api_password": "'"$API_PASSWORD"'",
"url": "'"$wazuh_url"'",
"api_port": "55000",
"insecure": "true",
"component": "API",
"cluster_info": {
"manager": "wazuh-manager",
"cluster": "Disabled",
"status": "disabled"
},
"extensions": {
"oscap": true,
"audit": true,
"pci": true,
"aws": true,
"virustotal": true,
"gdpr": true,
"ciscat": true
}
}
' > /dev/null
else
echo "LOAD SETTINGS - Wazuh APP already configured"
echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
elasticsearch_request=`curl -s $auth "$el_url"`
full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
type=`echo "$full_type" | tr -d '"'`
elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
elasticsearch_major="${elasticsearch_version:0:1}"
if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh"
},
"dest": {
"index": ".wazuh-backup"
}
}
'
echo "LOAD SETTINGS - Remove .wazuh index."
curl -s ${auth} -XDELETE "$el_url/.wazuh"
echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": ".wazuh-backup"
},
"dest": {
"index": ".wazuh"
}
}
'
curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
{
"index" : {
"number_of_replicas" : 0
}
}
'
fi
fi
sleep 5
curl -XPUT "$el_url/_cluster/settings" ${auth} -H 'Content-Type: application/json' -d'
{
"persistent": {
"xpack.monitoring.collection.enabled": true
}
}
'
##############################################################################
# Set cluster delayed timeout when node falls
##############################################################################
curl -X PUT "$el_url/_all/_settings" ${auth} -H 'Content-Type: application/json' -d'
{
"settings": {
"index.unassigned.node_left.delayed_timeout": "'"$CLUSTER_DELAYED_TIMEOUT"'"
}
}
'
echo "LOAD SETTINGS - cluster delayed timeout changed."
echo "LOAD SETTINGS - Elasticsearch is ready."

86
elasticsearch/config/35-load_settings_aliases.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "ALIASES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "ALIASES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "ALIASES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "ALIASES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "ALIASES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "ALIASES - Elastic is up - executing command"
##############################################################################
# Add custom aliases.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "ALIASES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

107
elasticsearch/config/35-load_settings_configure_s3.sh Normal file
View File

@@ -0,0 +1,107 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# If Secure access to Kibana is enabled, we must set the credentials for
# monitoring
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u elastic:${ELASTIC_PASS} -k"
else
auth=""
fi
# Check number of arguments passed to configure_s3.sh. If it is different from 4 or 5, the process will finish with error.
# param 1: number of arguments passed to configure_s3.sh
function CheckArgs()
{
if [ $1 != 4 ] && [ $1 != 5 ];then
echo "Use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> (By default <current_elasticsearch_major_version> is added to the path and the repository name)"
echo "or use: configure_s3.sh <Elastic_Server_IP:Port> <Bucket> <Path> <RepositoryName> <Elasticsearch major version>"
exit 1
fi
}
# Create S3 repository from base_path <path>/<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# Repository name would be <RepositoryName>-<elasticsearch_major_version> (if there is no <Elasticsearch major version> argument, current version is added)
# param 1: <Elastic_Server_IP:Port>
# param 2: <Bucket>
# param 3: <Path>
# param 4: <RepositoryName>
# param 5: Optional <Elasticsearch major version>
# output: It will show "acknowledged" if the repository has been successfully created
function CreateRepo()
{
elastic_ip_port="$2"
bucket_name="$3"
path="$4"
repository_name="$5"
if [ $1 == 5 ];then
version="$6"
else
version=`curl ${auth} -s $elastic_ip_port | grep number | cut -d"\"" -f4 | cut -c1`
fi
if ! [[ "$version" =~ ^[0-9]+$ ]];then
echo "Elasticsearch major version must be an integer"
exit 1
fi
repository="$repository_name-$version"
s3_path="$path/$version"
>&2 echo "Create S3 repository"
until curl ${auth} -X PUT "$elastic_ip_port/_snapshot/$repository" -H 'Content-Type: application/json' -d' {"type": "s3", "settings": { "bucket": "'$bucket_name'", "base_path": "'$s3_path'"} }'; do
>&2 echo "Elastic is unavailable, S3 repository not created - sleeping"
sleep 5
done
>&2 echo "S3 repository created"
}
# Run functions CheckArgs and CreateRepo
# param 1: number of arguments passed to configure_s3.sh
# param 2: <Elastic_Server_IP:Port>
# param 3: <Bucket>
# param 4: <Path>
# param 5: <RepositoryName>
# param 6: Optional <Elasticsearch major version>
function Main()
{
CheckArgs $1
CreateRepo $1 $2 $3 $4 $5 $6
}
Main $# $1 $2 $3 $4 $5

86
elasticsearch/config/35-load_settings_policies.sh Normal file
View File

@@ -0,0 +1,86 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "POLICIES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "POLICIES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "POLICIES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "POLICIES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "POLICIES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "POLICIES - Elastic is up - executing command"
##############################################################################
# Add custom policies.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "POLICIES - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_ilm/policy/my_policy?pretty' -d'
# { "policy": { "phases": { "hot": { "actions": { "rollover": {"max_size": "50GB", "max_age": "5m"}}}}}}'

81
elasticsearch/config/35-load_settings_templates.sh Normal file
View File

@@ -0,0 +1,81 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "TEMPLATES - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "TEMPLATES - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "TEMPLATES - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "TEMPLATES - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "TEMPLATES - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "TEMPLATES - Elastic is up - executing command"
##############################################################################
# Add wazuh-alerts templates.
##############################################################################
echo "TEMPLATES - Loading default wazuh-alerts template."
cat /usr/share/elasticsearch/config/wazuh-template.json | curl -XPUT "$el_url/_template/wazuh" ${auth} -H 'Content-Type: application/json' -d @-

100
elasticsearch/config/35-load_settings_users_management.sh Normal file
View File

@@ -0,0 +1,100 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url
##############################################################################
if [[ "x${ELASTICSEARCH_PROTOCOL}" = "x" || "x${ELASTICSEARCH_IP}" = "x" || "x${ELASTICSEARCH_PORT}" = "x" ]]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_PROTOCOL}://${ELASTICSEARCH_IP}:${ELASTICSEARCH_PORT}"
fi
echo "USERS - Elasticsearch url: $el_url"
##############################################################################
# If Elasticsearch security is enabled get the elastic user password.
##############################################################################
ELASTIC_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
ELASTIC_PASS=${SECURITY_ELASTIC_PASSWORD}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"ELASTIC_PASSWORD"* ]]; then
arrIN=(${line//:/ })
ELASTIC_PASS=${arrIN[1]}
fi
done < "$input"
fi
##############################################################################
# If Elasticsearch security is enabled get the users credentials.
##############################################################################
# The user must get the credentials of the users.
# TO DO.
##############################################################################
# Set authentication for curl if Elasticsearch security is enabled.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-uelastic:${ELASTIC_PASS} -k"
echo "USERS - authentication for curl established."
elif [[ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]]; then
auth=""
echo "USERS - authentication for curl not established."
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
echo "USERS - authentication for curl established."
fi
##############################################################################
# Wait until Elasticsearch is active.
##############################################################################
until curl ${auth} -XGET $el_url; do
>&2 echo "USERS - Elastic is unavailable - sleeping"
sleep 5
done
>&2 echo "USERS - Elastic is up - executing command"
##############################################################################
# Setup passwords for Elastic Stack users.
##############################################################################
# The user must add the credentials of the users.
# TO DO.
# Example
# echo "USERS - Add custom_user password and role:"
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/role/custom_user_role ' -d '
# { "indices": [ { "names": [ ".kibana*" ], "privileges": ["read"] }, { "names": [ "wazuh-monitoring*"], "privileges": ["all"] }] }'
# curl ${auth} -k -XPOST -H 'Content-Type: application/json' 'https://localhost:9200/_xpack/security/user/custom_user' -d '
# { "password":"'$CUSTOM_USER_PASSWORD'", "roles" : [ "kibana_system", "custom_user_role"], "full_name" : "Custom User" }'
##############################################################################
# Remove credentials file.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "USERS - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
echo "USERS - Security credentials file removed."
fi

132
elasticsearch/config/TEST_openssl.cnf Normal file
View File

@@ -0,0 +1,132 @@
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

8
elasticsearch/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

12
indexer-certs-creator/Dockerfile
View File

@@ -1,12 +0,0 @@
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
FROM ubuntu:focal
RUN apt-get update && apt-get install openssl curl -y
WORKDIR /
COPY config/entrypoint.sh /
RUN chmod 700 /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

9
indexer-certs-creator/README.md
View File

@@ -1,9 +0,0 @@
# Certificate creation image build
The dockerfile hosted in this directory is used to build the image used to boot Wazuh's single node and multi node stacks.
To create the image, the following command must be executed:
```
$ docker build -t wazuh/wazuh-certs-generator:0.0.1 .
```

61
indexer-certs-creator/config/entrypoint.sh
View File

@@ -1,61 +0,0 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
##############################################################################
# Downloading Cert Gen Tool
##############################################################################
## Variables
CERT_TOOL=wazuh-certs-tool.sh
PASSWORD_TOOL=wazuh-passwords-tool.sh
PACKAGES_URL=https://packages.wazuh.com/4.4/
PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.4/
## Check if the cert tool exists in S3 buckets
CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
CERT_TOOL_PACKAGES_DEV=$(curl --silent -I $PACKAGES_DEV_URL$CERT_TOOL | grep -E "^HTTP" | awk '{print $2}')
## If cert tool exists in some bucket, download it, if not exit 1
if [ "$CERT_TOOL_PACKAGES" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_URL$CERT_TOOL
echo "Cert tool exists in Packages bucket"
elif [ "$CERT_TOOL_PACKAGES_DEV" = "200" ]; then
curl -o $CERT_TOOL $PACKAGES_DEV_URL$CERT_TOOL
echo "Cert tool exists in Packages-dev bucket"
else
echo "Cert tool does not exist in any bucket"
echo "ERROR: certificates were not created"
exit 1
fi
cp /config/certs.yml /config.yml
chmod 700 /$CERT_TOOL
##############################################################################
# Creating Cluster certificates
##############################################################################
## Execute cert tool and parsin cert.yml to set UID permissions
source /$CERT_TOOL -A
nodes_server=$( cert_parseYaml /config.yml | grep nodes_server__name | sed 's/nodes_server__name=//' )
node_names=($nodes_server)
echo "Moving created certificates to destination directory"
cp /wazuh-certificates/* /certificates/
echo "changing certificate permissions"
chmod -R 500 /certificates
chmod -R 400 /certificates/*
echo "Setting UID indexer and dashboard"
chown 1000:1000 /certificates/*
echo "Setting UID for wazuh manager and worker"
cp /certificates/root-ca.pem /certificates/root-ca-manager.pem
cp /certificates/root-ca.key /certificates/root-ca-manager.key
chown 101:101 /certificates/root-ca-manager.pem
chown 101:101 /certificates/root-ca-manager.key
for i in ${node_names[@]};
do
chown 101:101 "/certificates/${i}.pem"
chown 101:101 "/certificates/${i}-key.pem"
done

101
kibana/Dockerfile Normal file
View File

@@ -0,0 +1,101 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM docker.elastic.co/kibana/kibana:7.3.2
ARG ELASTIC_VERSION=7.3.2
ARG WAZUH_VERSION=3.10.2
ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
USER root
# App: 3.10.2 - 7.3.2 with this fix: https://github.com/wazuh/wazuh-kibana-app/issues/1815
#ADD https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
COPY config/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
USER kibana
RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
USER root
RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip
COPY config/entrypoint.sh ./entrypoint.sh
RUN chmod 755 ./entrypoint.sh
RUN mkdir /entrypoint-scripts
USER kibana
ENV CONFIGURATION_FROM_FILE="false"
ENV PATTERN="" \
CHECKS_PATTERN="" \
CHECKS_TEMPLATE="" \
CHECKS_API="" \
CHECKS_SETUP="" \
EXTENSIONS_PCI="" \
EXTENSIONS_GDPR="" \
EXTENSIONS_AUDIT="" \
EXTENSIONS_OSCAP="" \
EXTENSIONS_CISCAT="" \
EXTENSIONS_AWS="" \
EXTENSIONS_VIRUSTOTAL="" \
EXTENSIONS_OSQUERY="" \
APP_TIMEOUT="" \
WAZUH_SHARDS="" \
WAZUH_REPLICAS="" \
WAZUH_VERSION_SHARDS="" \
WAZUH_VERSION_REPLICAS="" \
IP_SELECTOR="" \
IP_IGNORE="" \
XPACK_RBAC_ENABLED="" \
WAZUH_MONITORING_ENABLED="" \
WAZUH_MONITORING_FREQUENCY="" \
WAZUH_MONITORING_SHARDS="" \
WAZUH_MONITORING_REPLICAS="" \
ADMIN_PRIVILEGES=""
ARG XPACK_CANVAS="false"
ARG XPACK_LOGS="false"
ARG XPACK_INFRA="false"
ARG XPACK_ML="false"
ARG XPACK_DEVTOOLS="false"
ARG XPACK_MONITORING="false"
ARG XPACK_APM="false"
ARG XPACK_MAPS="false"
ARG XPACK_UPTIME="false"
ARG XPACK_SIEM="false"
ARG CHANGE_WELCOME="true"
COPY --chown=kibana:kibana ./config/10-wazuh_app_config.sh /entrypoint-scripts/10-wazuh_app_config.sh
COPY --chown=kibana:kibana ./config/12-custom_logos.sh /entrypoint-scripts/12-custom_logos.sh
COPY --chown=kibana:kibana ./config/15-decrypt_credentials.sh /entrypoint-scripts/15-decrypt_credentials.sh
COPY --chown=kibana:kibana ./config/20-entrypoint.sh /entrypoint-scripts/20-entrypoint.sh
COPY --chown=kibana:kibana ./config/20-entrypoint_kibana_settings.sh ./
COPY --chown=kibana:kibana ./config/20-entrypoint_certs_management.sh ./
RUN chmod +x /entrypoint-scripts/10-wazuh_app_config.sh && \
chmod +x /entrypoint-scripts/12-custom_logos.sh && \
chmod +x /entrypoint-scripts/15-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/20-entrypoint.sh && \
chmod +x ./20-entrypoint_kibana_settings.sh && \
chmod +x ./20-entrypoint_certs_management.sh
COPY --chown=kibana:kibana ./config/xpack_config.sh ./
RUN chmod +x ./xpack_config.sh
RUN ./xpack_config.sh
COPY --chown=kibana:kibana ./config/welcome_wazuh.sh ./
RUN chmod +x ./welcome_wazuh.sh
RUN ./welcome_wazuh.sh
RUN /usr/local/bin/kibana-docker --optimize
USER root
RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
chmod 775 /usr/share/kibana/plugins/wazuh && \
chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
chown root:kibana /usr/share/kibana/plugins/wazuh
USER kibana
ENTRYPOINT ./entrypoint.sh

40
kibana/config/10-wazuh_app_config.sh Normal file
View File

@@ -0,0 +1,40 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/plugins/wazuh/config.yml"
declare -A CONFIG_MAP=(
[pattern]=$PATTERN
[checks.pattern]=$CHECKS_PATTERN
[checks.template]=$CHECKS_TEMPLATE
[checks.api]=$CHECKS_API
[checks.setup]=$CHECKS_SETUP
[extensions.pci]=$EXTENSIONS_PCI
[extensions.gdpr]=$EXTENSIONS_GDPR
[extensions.audit]=$EXTENSIONS_AUDIT
[extensions.oscap]=$EXTENSIONS_OSCAP
[extensions.ciscat]=$EXTENSIONS_CISCAT
[extensions.aws]=$EXTENSIONS_AWS
[extensions.virustotal]=$EXTENSIONS_VIRUSTOTAL
[extensions.osquery]=$EXTENSIONS_OSQUERY
[timeout]=$APP_TIMEOUT
[wazuh.shards]=$WAZUH_SHARDS
[wazuh.replicas]=$WAZUH_REPLICAS
[wazuh-version.shards]=$WAZUH_VERSION_SHARDS
[wazuh-version.replicas]=$WAZUH_VERSION_REPLICAS
[ip.selector]=$IP_SELECTOR
[ip.ignore]=$IP_IGNORE
[xpack.rbac.enabled]=$XPACK_RBAC_ENABLED
[wazuh.monitoring.enabled]=$WAZUH_MONITORING_ENABLED
[wazuh.monitoring.frequency]=$WAZUH_MONITORING_FREQUENCY
[wazuh.monitoring.shards]=$WAZUH_MONITORING_SHARDS
[wazuh.monitoring.replicas]=$WAZUH_MONITORING_REPLICAS
[admin]=$ADMIN_PRIVILEGES
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.*#'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done

14
kibana/config/12-custom_logos.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Kibana logos
##############################################################################
if [[ $CUSTOM_LOGO == "true" ]]; then
echo "CUSTOM LOGO - Change Kibana logos."
# TO DO
fi

15
kibana/config/15-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

126
kibana/config/20-entrypoint.sh Normal file
View File

@@ -0,0 +1,126 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
##############################################################################
# Set Elasticsearch API url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Set Elasticsearc url:${ELASTICSEARCH_URL}"
##############################################################################
# If there are credentials for Kibana they are obtained.
##############################################################################
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "ENTRYPOINT - Kibana credentials obtained."
##############################################################################
# Establish the way to run the curl command, with or without authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${KIBANA_USER}:${KIBANA_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - Kibana authentication established."
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl -XGET $el_url ${auth}; do
>&2 echo "ENTRYPOINT - Elastic is unavailable: sleeping"
sleep 5
done
sleep 2
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Waiting for wazuh alerts template.
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
/usr/share/kibana/bin/kibana-keystore create
# Add keys to keystore
echo -e "$KIBANA_PASS" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.password --stdin
echo -e "$KIBANA_USER" | /usr/share/kibana/bin/kibana-keystore add elasticsearch.username --stdin
echo "ENTRYPOINT - Keystore created."
fi
##############################################################################
# If security is enabled set Kibana configuration.
# Create the ssl certificate.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
bash /usr/share/kibana/20-entrypoint_certs_management.sh
fi
##############################################################################
# Run kibana_settings.sh script.
##############################################################################
bash /usr/share/kibana/20-entrypoint_kibana_settings.sh &
/usr/local/bin/kibana-docker

14
kibana/config/20-entrypoint_certs_management.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Kibana certs and keystore management
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CERTS_MANAGEMENT - Create certificates. TO DO."
# TO DO
fi

183
kibana/config/20-entrypoint_kibana_settings.sh Normal file
View File

@@ -0,0 +1,183 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
WAZUH_MAJOR=3
##############################################################################
# Wait for the Kibana API to start. It is necessary to do it in this container
# because the others are running Elastic Stack and we can not interrupt them.
#
# The following actions are performed:
#
# Add the wazuh alerts index as default.
# Set the Discover time interval to 24 hours instead of 15 minutes.
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
##############################################################################
# Customize elasticsearch ip
##############################################################################
if [[ "$ELASTICSEARCH_KIBANA_IP" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
sed -i "s:#elasticsearch.hosts:elasticsearch.hosts:g" /usr/share/kibana/config/kibana.yml
sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_KIBANA_IP'|g' /usr/share/kibana/config/kibana.yml
fi
echo "SETTINGS - Update Elasticsearch host."
# If KIBANA_INDEX was set, then change the default index in kibana.yml configuration file. If there was an index, then delete it and recreate.
if [[ "$KIBANA_INDEX" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
if grep -q 'kibana.index' /usr/share/kibana/config/kibana.yml; then
sed -i '/kibana.index/d' /usr/share/kibana/config/kibana.yml
fi
echo "kibana.index: $KIBANA_INDEX" >> /usr/share/kibana/config/kibana.yml
fi
# If XPACK_SECURITY_ENABLED was set, then change the xpack.security.enabled option from true (default) to false.
if [[ "$XPACK_SECURITY_ENABLED" != "" && "$CONFIGURATION_FROM_FILE" == "false" ]]; then
if grep -q 'xpack.security.enabled' /usr/share/kibana/config/kibana.yml; then
sed -i '/xpack.security.enabled/d' /usr/share/kibana/config/kibana.yml
fi
echo "xpack.security.enabled: $XPACK_SECURITY_ENABLED" >> /usr/share/kibana/config/kibana.yml
fi
##############################################################################
# Get Kibana credentials
##############################################################################
if [ "$KIBANA_IP" != "" ]; then
kibana_ip="$KIBANA_IP"
else
kibana_ip="kibana"
fi
KIBANA_USER=""
KIBANA_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
KIBANA_USER=${SECURITY_KIBANA_USER}
KIBANA_PASS=${SECURITY_KIBANA_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"KIBANA_PASSWORD"* ]]; then
arrIN=(${line//:/ })
KIBANA_PASS=${arrIN[1]}
elif [[ $line == *"KIBANA_USER"* ]]; then
arrIN=(${line//:/ })
KIBANA_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "SETTINGS - Kibana credentials obtained."
##############################################################################
# Set url authentication.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-k -u $KIBANA_USER:${KIBANA_PASS}"
kibana_secure_ip="https://$kibana_ip"
else
auth=""
kibana_secure_ip="http://$kibana_ip"
fi
echo "SETTINGS - Kibana authentication established."
##############################################################################
# Waiting for Kibana.
##############################################################################
while [[ "$(curl $auth -XGET -I -s -o /dev/null -w ''%{http_code}'' $kibana_secure_ip:5601/status)" != "200" ]]; do
echo "SETTINGS - Waiting for Kibana API. Sleeping 5 seconds"
sleep 5
done
echo "SETTINGS - Kibana API is running"
##############################################################################
# Prepare index selection.
##############################################################################
echo "SETTINGS - Prepare index selection."
default_index="/tmp/default_index.json"
if [[ $PATTERN == "" ]]; then
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "wazuh-alerts-${WAZUH_MAJOR}.x-*"
}
}
EOF
else
cat > ${default_index} << EOF
{
"changes": {
"defaultIndex": "$PATTERN"
}
}
EOF
fi
sleep 5
##############################################################################
# Add the wazuh alerts index as default.
##############################################################################
echo "SETTINGS - Add the wazuh alerts index as default."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d@${default_index}
rm -f ${default_index}
sleep 5
##############################################################################
# Configuring Kibana TimePicker.
##############################################################################
echo "SETTINGS - Configuring Kibana TimePicker."
curl $auth -POST "$kibana_secure_ip:5601/api/kibana/settings" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d \
'{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}'
sleep 5
##############################################################################
# Do not ask user to help providing usage statistics to Elastic.
##############################################################################
echo "SETTINGS - Do not ask user to help providing usage statistics to Elastic."
curl $auth -POST "$kibana_secure_ip:5601/api/telemetry/v2/optIn" -H "Content-Type: application/json" -H "kbn-xsrf: true" -d '{"enabled":false}'
##############################################################################
# Remove credentials file.
##############################################################################
echo "SETTINGS - Remove credentials file."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
echo "End settings"

8
kibana/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

1
kibana/config/wazuhapp-3.10.2_7.3.2.zip.REMOVED.git-id Normal file
View File

@@ -0,0 +1 @@
1bda3f0db629fab2a64f859fe0769afc8a359fc7

30
kibana/config/welcome_wazuh.sh Normal file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
if [[ $CHANGE_WELCOME == "true" ]]
then
rm -rf ./optimize/bundles
kibana_path="/usr/share/kibana"
# Set Wazuh app as the default landing page
echo "Set Wazuh app as the default landing page"
echo "server.defaultRoute: /app/wazuh" >> $kibana_path/config/kibana.yml
# Redirect Kibana welcome screen to Discover
echo "Redirect Kibana welcome screen to Discover"
sed -i "s:'/app/kibana#/home':'/app/wazuh':g" $kibana_path/src/core/public/chrome/chrome_service.js
# Hide management undesired links
echo "Hide management undesired links"
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/rollup/public/crud_app/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/license_management/public/management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_lifecycle_management/public/register_management_section.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/cross_cluster_replication/public/register_routes.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/upgrade_assistant/public/index.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/snapshot_restore/public/plugin.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/remote_clusters/public/plugin.js
sed -i 's#visible: true#visible: false#g' $kibana_path/x-pack/legacy/plugins/index_management/public/register_management_section.js
fi

43
kibana/config/xpack_config.sh Normal file
View File

@@ -0,0 +1,43 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
kibana_config_file="/usr/share/kibana/config/kibana.yml"
if grep -Fq "#xpack features" "$kibana_config_file";
then
declare -A CONFIG_MAP=(
[xpack.apm.ui.enabled]=$XPACK_APM
[xpack.grokdebugger.enabled]=$XPACK_DEVTOOLS
[xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
[xpack.ml.enabled]=$XPACK_ML
[xpack.canvas.enabled]=$XPACK_CANVAS
[xpack.logstash.enabled]=$XPACK_LOGS
[xpack.infra.enabled]=$XPACK_INFRA
[xpack.monitoring.enabled]=$XPACK_MONITORING
[xpack.maps.enabled]=$XPACK_MAPS
[xpack.uptime.enabled]=$XPACK_UPTIME
[xpack.siem.enabled]=$XPACK_SIEM
[console.enabled]=$XPACK_DEVTOOLS
)
for i in "${!CONFIG_MAP[@]}"
do
if [ "${CONFIG_MAP[$i]}" != "" ]; then
sed -i 's/.'"$i"'.*/'"$i"': '"${CONFIG_MAP[$i]}"'/' $kibana_config_file
fi
done
else
echo "
#xpack features
xpack.apm.ui.enabled: $XPACK_APM
xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
xpack.ml.enabled: $XPACK_ML
xpack.canvas.enabled: $XPACK_CANVAS
xpack.logstash.enabled: $XPACK_LOGS
xpack.infra.enabled: $XPACK_INFRA
xpack.monitoring.enabled: $XPACK_MONITORING
xpack.maps.enabled: $XPACK_MAPS
xpack.uptime.enabled: $XPACK_UPTIME
xpack.siem.enabled: $XPACK_SIEM
console.enabled: $XPACK_DEVTOOLS
" >> $kibana_config_file
fi

46
logstash/Dockerfile Normal file
View File

@@ -0,0 +1,46 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
ARG LOGSTASH_VERSION=7.3.2
FROM docker.elastic.co/logstash/logstash:${LOGSTASH_VERSION}
COPY --chown=logstash:logstash config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
ENV PIPELINE_FROM_FILE="false"
COPY config/01-wazuh.conf /usr/share/logstash/pipeline/01-wazuh.conf
# This CA is created for testing. Please set your own CA pem signed certificate.
# command: $ docker build <logstash_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_PEM_ARG=<CA_PEM_NAME>
# ENV variables are necessary: SECURITY_CA_PEM
# Sample:
# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
# ARG SECURITY_CA_PEM_ARG="server.TEST-CA-signed.pem"
ARG SECURITY_CA_PEM_LOCATION=""
ARG SECURITY_CA_PEM_ARG=""
# CA for secure communication with Elastic
ADD $SECURITY_CA_PEM_LOCATION /usr/share/logstash/config
# Set permissions for CA
USER root
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chown logstash: /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
RUN if [[ "x$SECURITY_CA_PEM_LOCATION" == x ]] ; then echo Nothing to do ; else chmod 400 /usr/share/logstash/config/$SECURITY_CA_PEM_ARG ; fi
# Add entrypoint scripts
RUN mkdir /entrypoint-scripts
RUN chmod -R 774 /entrypoint-scripts
RUN chown -R logstash:logstash /entrypoint-scripts
COPY --chown=logstash:logstash ./config/05-decrypt_credentials.sh /entrypoint-scripts/05-decrypt_credentials.sh
COPY --chown=logstash:logstash ./config/10-entrypoint.sh /entrypoint-scripts/10-entrypoint.sh
COPY --chown=logstash:logstash ./config/10-entrypoint_configuration.sh ./config/10-entrypoint_configuration.sh
RUN chmod +x /entrypoint-scripts/05-decrypt_credentials.sh && \
chmod +x /entrypoint-scripts/10-entrypoint.sh && \
chmod +x ./config/10-entrypoint_configuration.sh
USER logstash
ENTRYPOINT /entrypoint.sh

64
logstash/config/01-wazuh.conf Normal file
View File

@@ -0,0 +1,64 @@
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# Wazuh - Logstash configuration file
## Remote Wazuh Manager - Filebeat input
input {
beats {
port => 5000
# ssl => true
# ssl_certificate => "/etc/logstash/logstash.crt"
# ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
json {
source => "message"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
filter {
# Workarounds for vulnerability-detector
if "vulnerability-detector" in [rule][groups] {
# Drop vulnerability-detector events from Manager
if [agent][id] == "000"{
drop { }
}
# if exists, remove data.vulnerability.published field due to conflicts
if [data][vulnerability][published] {
mutate {
remove_field => [ "[data][vulnerability][published]" ]
}
}
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}
}

15
logstash/config/05-decrypt_credentials.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
##############################################################################
# Decrypt credentials.
# If the credentials of the users to be created are encrypted,
# they must be decrypted for later use.
##############################################################################
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "Security credentials file not used. Nothing to do."
else
echo "TO DO"
fi
# TO DO

163
logstash/config/10-entrypoint.sh Normal file
View File

@@ -0,0 +1,163 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Set elasticsearch url.
##############################################################################
if [ "x${ELASTICSEARCH_URL}" = "x" ]; then
el_url="http://elasticsearch:9200"
else
el_url="${ELASTICSEARCH_URL}"
fi
echo "ENTRYPOINT - Elasticsearch url: $el_url"
##############################################################################
# Get Logstash credentials.
##############################################################################
LOGSTASH_USER=""
LOGSTASH_PASS=""
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
LOGSTASH_USER=${SECURITY_LOGSTASH_USER}
LOGSTASH_PASS=${SECURITY_LOGSTASH_PASS}
else
input=${SECURITY_CREDENTIALS_FILE}
while IFS= read -r line
do
if [[ $line == *"LOGSTASH_PASSWORD"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_PASS=${arrIN[1]}
elif [[ $line == *"LOGSTASH_USER"* ]]; then
arrIN=(${line//:/ })
LOGSTASH_USER=${arrIN[1]}
fi
done < "$input"
fi
echo "ENTRYPOINT - Logstash credentials obtained."
##############################################################################
# Set authentication for curl command.
##############################################################################
if [ ${SECURITY_ENABLED} != "no" ]; then
auth="-u ${LOGSTASH_USER}:${LOGSTASH_PASS} -k"
elif [ ${ENABLED_XPACK} != "true" || "x${ELASTICSEARCH_USERNAME}" = "x" || "x${ELASTICSEARCH_PASSWORD}" = "x" ]; then
auth=""
else
auth="--user ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD}"
fi
echo "ENTRYPOINT - curl authentication established"
##############################################################################
# Customize logstash output ip.
##############################################################################
if [ "$LOGSTASH_OUTPUT" != "" ]; then
>&2 echo "ENTRYPOINT - Customize Logstash ouput ip."
sed -i 's|http://elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/config/logstash.yml
if [[ "$PIPELINE_FROM_FILE" == "false" ]]; then
sed -i 's|elasticsearch:9200|'$LOGSTASH_OUTPUT'|g' /usr/share/logstash/pipeline/01-wazuh.conf
fi
fi
##############################################################################
# Waiting for elasticsearch.
##############################################################################
until curl $auth -XGET $el_url; do
>&2 echo "ENTRYPOINT - Elastic is unavailable - sleeping."
sleep 5
done
sleep 2
>&2 echo "ENTRYPOINT - Elasticsearch is up."
##############################################################################
# Create keystore if security is enabled.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "ENTRYPOINT - Create Keystore."
## Create secure keystore
SECURITY_RANDOM_PASS=`date +%s | sha256sum | base64 | head -c 32 ; echo`
export LOGSTASH_KEYSTORE_PASS=$SECURITY_RANDOM_PASS
/usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config create
## Settings for logstash.yml
bash /usr/share/logstash/config/10-entrypoint_configuration.sh
## Add keys to the keystore
echo -e "$LOGSTASH_USER" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_USER
echo -e "$LOGSTASH_PASS" | /usr/share/logstash/bin/logstash-keystore --path.settings /usr/share/logstash/config add LOGSTASH_KS_PASS
fi
##############################################################################
# Waiting for wazuh alerts template
##############################################################################
strlen=0
while [[ $strlen -eq 0 ]]
do
template=$(curl $auth $el_url/_cat/templates/wazuh -s)
strlen=${#template}
>&2 echo "ENTRYPOINT - Wazuh alerts template not loaded - sleeping."
sleep 2
done
sleep 2
>&2 echo "ENTRYPOINT - Wazuh alerts template is loaded."
##############################################################################
# Remove credentials file
##############################################################################
>&2 echo "ENTRYPOINT - Removing unnecessary files."
if [[ "x${SECURITY_CREDENTIALS_FILE}" == "x" ]]; then
echo "ENTRYPOINT - Security credentials file not used. Nothing to do."
else
shred -zvu ${SECURITY_CREDENTIALS_FILE}
fi
>&2 echo "ENTRYPOINT - Unnecessary files removed."
##############################################################################
# Map environment variables to entries in logstash.yml.
# Note that this will mutate logstash.yml in place if any such settings are found.
# This may be undesirable, especially if logstash.yml is bind-mounted from the
# host system.
##############################################################################
env2yaml /usr/share/logstash/config/logstash.yml
export LS_JAVA_OPTS="-Dls.cgroup.cpuacct.path.override=/ -Dls.cgroup.cpu.path.override=/ $LS_JAVA_OPTS"
if [[ -z $1 ]] || [[ ${1:0:1} == '-' ]] ; then
exec logstash "$@"
else
exec "$@"
fi

27
logstash/config/10-entrypoint_configuration.sh Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
#
# OSSEC container bootstrap. See the README for information of the environment
# variables expected by this script.
#
set -e
##############################################################################
# Adapt logstash.yml configuration.
##############################################################################
if [[ $SECURITY_ENABLED == "yes" ]]; then
echo "CONFIGURATION - TO DO"
# Settings for logstash.yml
# Example:
# echo "
# xpack.monitoring.enabled: true
# xpack.monitoring.elasticsearch.username: LOGSTASH_USER
# xpack.monitoring.elasticsearch.password: LOGSTASH_PASS
# xpack.monitoring.elasticsearch.ssl.certificate_authority: /usr/share/logstash/config/CA.pem
# " >> /usr/share/logstash/config/logstash.yml
fi

8
logstash/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
# It will run every .sh script located in entrypoint-scripts folder in lexicographical order
for script in `ls /entrypoint-scripts/*.sh | sort -n`; do
bash "$script"
done

361
multi-node/Migration-to-Wazuh-4.4.md
View File

@@ -1,361 +0,0 @@
# Opendistro data migration to Wazuh indexer on docker.
This procedure explains how to migrate Opendistro data from Opendistro to Wazuh indexer in docker production deployments.
The example is migrating from v4.2 to v4.4.
## Procedure
Assuming that you have a v4.2 production deployment, perform the following steps.
**1. Stop 4.2 environment**
`docker-compose -f production-cluster.yml stop`
**2. List elasticsearch volumes**
`docker volume ls --filter name='wazuh-docker_elastic-data'`
**3. Inspect elasticsearch volume**
`docker volume inspect wazuh-docker_elastic-data-1`
**4. Spin down the 4.2 environment.**
`docker-compose -f production-cluster.yml down`
**Steps 5 and 6 can be done with the volume-migrator.sh script, specifying Docker compose version and project name as parameters.**
Ex: $ multi-node/volume-migrator.sh 1.25.0 multi-node
**5. Run the volume create command:** create new indexer and Wazuh manager volumes using the `com.docker.compose.version` label value from the previous command.
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
multi-node_wazuh-indexer-data-1
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
multi-node_wazuh-indexer-data-2
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
multi-node_wazuh-indexer-data-3
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
multi-node_master_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master_wazuh_etc \
multi-node_docker_wazuh_etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-logs \
multi-node_master-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-queue \
multi-node_master-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
multi-node_master-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-integrations \
multi-node_master-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-active-response \
multi-node_master-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-agentless \
multi-node_master-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-wazuh-wodles \
multi-node_master-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-etc \
multi-node_master-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=master-filebeat-var \
multi-node_master-filebeat-var
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
multi-node_worker_wazuh_api_configuration
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker_wazuh_etc \
multi-node_worker-wazuh-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-logs \
multi-node_worker-wazuh-logs
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-queue \
multi-node_worker-wazuh-queue
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
multi-node_worker-wazuh-var-multigroups
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-integrations \
multi-node_worker-wazuh-integrations
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-active-response \
multi-node_worker-wazuh-active-response
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-agentless \
multi-node_worker-wazuh-agentless
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-wazuh-wodles \
multi-node_worker-wazuh-wodles
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-etc \
multi-node_worker-filebeat-etc
```
```
docker volume create \
--label com.docker.compose.project=multi-node \
--label com.docker.compose.version=1.25.0 \
--label com.docker.compose.volume=worker-filebeat-var \
multi-node_worker-filebeat-var
```
**6. Copy the volume content from elasticsearch to Wazuh indexer volumes and old Wazuh manager content to new volumes.**
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v multi-node_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v multi-node_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v multi-node_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v multi-node_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v multi-node_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v multi-node_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v multi-node_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v multi-node_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v multi-node_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v multi-node_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v multi-node_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v multi-node_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v multi-node_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v multi-node_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v multi-node_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v multi-node_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v multi-node_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v multi-node_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v multi-node_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v multi-node_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v multi-node_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v multi-node_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v multi-node_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v multi-node_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
```
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v multi-node_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
```
**7. Start the 4.4 environment.**
```
git checkout 4.4
cd multi-node
docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose up -d
```
**8. Check the access to Wazuh dashboard**: go to the Wazuh dashboard using the web browser and check the data.

26
multi-node/README.md
View File

@@ -1,26 +0,0 @@
# Deploy Wazuh Docker in multi node configuration
This deployment is defined in the `docker-compose.yml` file with two Wazuh manager containers, three Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the environment with docker-compose:
- In the foregroud:
```
$ docker-compose up
```
- In the background:
```
$ docker-compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

24
multi-node/config/certs.yml
View File

@@ -1,24 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh1.indexer
ip: wazuh1.indexer
- name: wazuh2.indexer
ip: wazuh2.indexer
- name: wazuh3.indexer
ip: wazuh3.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.master
ip: wazuh.master
node_type: master
- name: wazuh.worker
ip: wazuh.worker
node_type: worker
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

46
multi-node/config/nginx/nginx.conf
View File

@@ -1,46 +0,0 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
gzip on;
}
# load balancer for Wazuh cluster
stream {
upstream mycluster {
hash $remote_addr consistent;
server wazuh.master:1514;
server wazuh.worker:1514;
}
server {
listen 1514;
proxy_pass mycluster;
}
}

357
multi-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,357 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>manager</node_name>
<node_type>master</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

357
multi-node/config/wazuh_cluster/wazuh_worker.conf
View File

@@ -1,357 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>worker01</node_name>
<node_type>worker</node_type>
<key>c98b6ha9b6169zc5f67rae55ae4z5647</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.master</node>
</nodes>
<hidden>no</hidden>
<disabled>no</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/dpkg.log</location>
</localfile>
</ossec_config>

12
multi-node/config/wazuh_dashboard/opensearch_dashboards.yml
View File

@@ -1,12 +0,0 @@
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://wazuh1.indexer:9200
opensearch.ssl.verificationMode: certificate
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh

7
multi-node/config/wazuh_dashboard/wazuh.yml
View File

@@ -1,7 +0,0 @@
hosts:
- 1513629884013:
url: "https://wazuh.master"
port: 55000
username: wazuh-wui
password: "MyS3cr37P450r.*-"
run_as: false

56
multi-node/config/wazuh_indexer/internal_users.yml
View File

@@ -1,56 +0,0 @@
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
## Demo users
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
kibanaro:
hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
reserved: false
backend_roles:
- "kibanauser"
- "readall"
attributes:
attribute1: "value1"
attribute2: "value2"
attribute3: "value3"
description: "Demo kibanaro user"
logstash:
hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
reserved: false
backend_roles:
- "logstash"
description: "Demo logstash user"
readall:
hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
reserved: false
backend_roles:
- "readall"
description: "Demo readall user"
snapshotrestore:
hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
reserved: false
backend_roles:
- "snapshotrestore"
description: "Demo snapshotrestore user"

38
multi-node/config/wazuh_indexer/wazuh1.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh1.indexer
node.name: wazuh1.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh1.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

38
multi-node/config/wazuh_indexer/wazuh2.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh2.indexer
node.name: wazuh2.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh2.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

38
multi-node/config/wazuh_indexer/wazuh3.indexer.yml
View File

@@ -1,38 +0,0 @@
network.host: wazuh3.indexer
node.name: wazuh3.indexer
cluster.initial_master_nodes:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
cluster.name: "wazuh-cluster"
discovery.seed_hosts:
- wazuh1.indexer
- wazuh2.indexer
- wazuh3.indexer
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/certs/wazuh3.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh1.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh2.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=wazuh3.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
- "CN=filebeat,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false
compatibility.override_main_response_version: true

206
multi-node/docker-compose.yml
View File

@@ -1,206 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'
services:
wazuh.master:
image: wazuh/wazuh-manager:4.4.5
hostname: wazuh.master
restart: always
ports:
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh1.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- master-wazuh-api-configuration:/var/ossec/api/configuration
- master-wazuh-etc:/var/ossec/etc
- master-wazuh-logs:/var/ossec/logs
- master-wazuh-queue:/var/ossec/queue
- master-wazuh-var-multigroups:/var/ossec/var/multigroups
- master-wazuh-integrations:/var/ossec/integrations
- master-wazuh-active-response:/var/ossec/active-response/bin
- master-wazuh-agentless:/var/ossec/agentless
- master-wazuh-wodles:/var/ossec/wodles
- master-filebeat-etc:/etc/filebeat
- master-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.worker:
image: wazuh/wazuh-manager:4.4.5
hostname: wazuh.worker
restart: always
environment:
- INDEXER_URL=https://wazuh1.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
volumes:
- worker-wazuh-api-configuration:/var/ossec/api/configuration
- worker-wazuh-etc:/var/ossec/etc
- worker-wazuh-logs:/var/ossec/logs
- worker-wazuh-queue:/var/ossec/queue
- worker-wazuh-var-multigroups:/var/ossec/var/multigroups
- worker-wazuh-integrations:/var/ossec/integrations
- worker-wazuh-active-response:/var/ossec/active-response/bin
- worker-wazuh-agentless:/var/ossec/agentless
- worker-wazuh-wodles:/var/ossec/wodles
- worker-filebeat-etc:/etc/filebeat
- worker-filebeat-var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
wazuh1.indexer:
image: wazuh/wazuh-indexer:4.4.5
hostname: wazuh1.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-1:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh2.indexer:
image: wazuh/wazuh-indexer:4.4.5
hostname: wazuh2.indexer
restart: always
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-2:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
- ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh3.indexer:
image: wazuh/wazuh-indexer:4.4.5
hostname: wazuh3.indexer
restart: always
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
- "bootstrap.memory_lock=true"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data-3:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
- ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.4.5
hostname: wazuh.dashboard
restart: always
ports:
- 443:5601
environment:
- OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
- WAZUH_API_URL="https://wazuh.master"
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
- DASHBOARD_USERNAME=kibanaserver
- DASHBOARD_PASSWORD=kibanaserver
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
depends_on:
- wazuh1.indexer
links:
- wazuh1.indexer:wazuh1.indexer
- wazuh.master:wazuh.master
nginx:
image: nginx:stable
hostname: nginx
restart: always
ports:
- "1514:1514"
depends_on:
- wazuh.master
- wazuh.worker
- wazuh.dashboard
links:
- wazuh.master:wazuh.master
- wazuh.worker:wazuh.worker
- wazuh.dashboard:wazuh.dashboard
volumes:
- ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
volumes:
master-wazuh-api-configuration:
master-wazuh-etc:
master-wazuh-logs:
master-wazuh-queue:
master-wazuh-var-multigroups:
master-wazuh-integrations:
master-wazuh-active-response:
master-wazuh-agentless:
master-wazuh-wodles:
master-filebeat-etc:
master-filebeat-var:
worker-wazuh-api-configuration:
worker-wazuh-etc:
worker-wazuh-logs:
worker-wazuh-queue:
worker-wazuh-var-multigroups:
worker-wazuh-integrations:
worker-wazuh-active-response:
worker-wazuh-agentless:
worker-wazuh-wodles:
worker-filebeat-etc:
worker-filebeat-var:
wazuh-indexer-data-1:
wazuh-indexer-data-2:
wazuh-indexer-data-3:

10
multi-node/generate-indexer-certs.yml
View File

@@ -1,10 +0,0 @@
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3'
services:
generator:
image: wazuh/wazuh-certs-generator:0.0.1
hostname: wazuh-certs-generator
volumes:
- ./config/wazuh_indexer_ssl_certs/:/certificates/
- ./config/certs.yml:/config/certs.yml

279
multi-node/volume-migrator.sh
View File

@@ -1,279 +0,0 @@
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-1 \
$2_wazuh-indexer-data-1
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-2 \
$2_wazuh-indexer-data-2
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=wazuh-indexer-data-3 \
$2_wazuh-indexer-data-3
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_api_configuration \
$2_master_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master_wazuh_etc \
$2_docker_wazuh_etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-logs \
$2_master-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-queue \
$2_master-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-var-multigroups \
$2_master-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-integrations \
$2_master-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-active-response \
$2_master-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-agentless \
$2_master-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-wazuh-wodles \
$2_master-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-etc \
$2_master-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=master-filebeat-var \
$2_master-filebeat-var
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_api_configuration \
$2_worker_wazuh_api_configuration
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker_wazuh_etc \
$2_worker-wazuh-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-logs \
$2_worker-wazuh-logs
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-queue \
$2_worker-wazuh-queue
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-var-multigroups \
$2_worker-wazuh-var-multigroups
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-integrations \
$2_worker-wazuh-integrations
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-active-response \
$2_worker-wazuh-active-response
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-agentless \
$2_worker-wazuh-agentless
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-wazuh-wodles \
$2_worker-wazuh-wodles
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-etc \
$2_worker-filebeat-etc
docker volume create \
--label com.docker.compose.project=$2 \
--label com.docker.compose.version=$1 \
--label com.docker.compose.volume=worker-filebeat-var \
$2_worker-filebeat-var
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-1:/from \
-v $2_wazuh-indexer-data-1:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-2:/from \
-v $2_wazuh-indexer-data-2:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_elastic-data-3:/from \
-v $2_wazuh-indexer-data-3:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-api-configuration:/from \
-v $2_master-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-etc:/from \
-v $2_master-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-logs:/from \
-v $2_master-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-queue:/from \
-v $2_master-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-var-multigroups:/from \
-v $2_master-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-integrations:/from \
-v $2_master-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-active-response:/from \
-v $2_master-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-agentless:/from \
-v $2_master-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_ossec-wodles:/from \
-v $2_master-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-etc:/from \
-v $2_master-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_filebeat-var:/from \
-v $2_master-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-api-configuration:/from \
-v $2_worker-wazuh-api-configuration:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-etc:/from \
-v $2_worker-wazuh-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-logs:/from \
-v $2_worker-wazuh-logs:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-queue:/from \
-v $2_worker-wazuh-queue:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-var-multigroups:/from \
-v $2_worker-wazuh-var-multigroups:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-integrations:/from \
-v $2_worker-wazuh-integrations:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-active-response:/from \
-v $2_worker-wazuh-active-response:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-agentless:/from \
-v $2_worker-wazuh-agentless:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-ossec-wodles:/from \
-v $2_worker-wazuh-wodles:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-etc:/from \
-v $2_worker-filebeat-etc:/to \
alpine ash -c "cd /from ; cp -avp . /to"
docker container run --rm -it \
-v wazuh-docker_worker-filebeat-var:/from \
-v $2_worker-filebeat-var:/to \
alpine ash -c "cd /from ; cp -avp . /to"

19
nginx/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
FROM nginx:latest
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update && apt-get install -y openssl apache2-utils
COPY config/entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
VOLUME ["/etc/nginx/conf.d"]
ENV NGINX_NAME="foo" \
NGINX_PWD="bar"
ENTRYPOINT /entrypoint.sh

79
nginx/config/entrypoint.sh Normal file
View File

@@ -0,0 +1,79 @@
#!/bin/bash
# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
set -e
# Generating certificates.
if [ ! -d /etc/nginx/conf.d/ssl ]; then
echo "Generating SSL certificates"
mkdir -p /etc/nginx/conf.d/ssl/certs /etc/nginx/conf.d/ssl/private
openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/conf.d/ssl/private/kibana-access.key -out /etc/nginx/conf.d/ssl/certs/kibana-access.pem >/dev/null
else
echo "SSL certificates already present"
fi
# Setting users credentials.
# In order to set NGINX_CREDENTIALS, before "docker-compose up -d" run (a or b):
#
# a) export NGINX_CREDENTIALS="user1:pass1;user2:pass2;" or
# export NGINX_CREDENTIALS="user1:pass1;user2:pass2"
#
# b) Set NGINX_CREDENTIALS in docker-compose.yml:
# NGINX_CREDENTIALS=user1:pass1;user2:pass2; or
# NGINX_CREDENTIALS=user1:pass1;user2:pass2
#
if [ ! -f /etc/nginx/conf.d/kibana.htpasswd ]; then
echo "Setting users credentials"
if [ ! -z "$NGINX_CREDENTIALS" ]; then
IFS=';' read -r -a users <<< "$NGINX_CREDENTIALS"
for index in "${!users[@]}"
do
IFS=':' read -r -a credentials <<< "${users[index]}"
if [ $index -eq 0 ]; then
echo ${credentials[1]}|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
else
echo ${credentials[1]}|htpasswd -i /etc/nginx/conf.d/kibana.htpasswd ${credentials[0]} >/dev/null
fi
done
else
# NGINX_PWD and NGINX_NAME are declared in nginx/Dockerfile
echo $NGINX_PWD|htpasswd -i -c /etc/nginx/conf.d/kibana.htpasswd $NGINX_NAME >/dev/null
fi
else
echo "Kibana credentials already configured"
fi
if [ "x${NGINX_PORT}" = "x" ]; then
NGINX_PORT=443
fi
if [ "x${KIBANA_HOST}" = "x" ]; then
KIBANA_HOST="kibana:5601"
fi
echo "Configuring NGINX"
cat > /etc/nginx/conf.d/default.conf <<EOF
server {
listen 80;
listen [::]:80;
return 301 https://\$host:${NGINX_PORT}\$request_uri;
}
server {
listen ${NGINX_PORT} default_server;
listen [::]:${NGINX_PORT};
ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/certs/kibana-access.pem;
ssl_certificate_key /etc/nginx/conf.d/ssl/private/kibana-access.key;
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/conf.d/kibana.htpasswd;
proxy_pass http://${KIBANA_HOST}/;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
}
EOF
nginx -g 'daemon off;'

24
single-node/README.md
View File

@@ -1,24 +0,0 @@
# Deploy Wazuh Docker in single node configuration
This deployment is defined in the `docker-compose.yml` file with one Wazuh manager containers, one Wazuh indexer containers, and one Wazuh dashboard container. It can be deployed by following these steps:
1) Increase max_map_count on your host (Linux). This command must be run with root permissions:
```
$ sysctl -w vm.max_map_count=262144
```
2) Run the certificate creation script:
```
$ docker-compose -f generate-indexer-certs.yml run --rm generator
```
3) Start the environment with docker-compose:
- In the foregroud:
```
$ docker-compose up
```
- In the background:
```
$ docker-compose up -d
```
The environment takes about 1 minute to get up (depending on your Docker host) for the first time since Wazuh Indexer must be started for the first time and the indexes and index patterns must be generated.

16
single-node/config/certs.yml
View File

@@ -1,16 +0,0 @@
nodes:
# Wazuh indexer server nodes
indexer:
- name: wazuh.indexer
ip: wazuh.indexer
# Wazuh server nodes
# Use node_type only with more than one Wazuh manager
server:
- name: wazuh.manager
ip: wazuh.manager
# Wazuh dashboard node
dashboard:
- name: wazuh.dashboard
ip: wazuh.dashboard

352
single-node/config/wazuh_cluster/wazuh_manager.conf
View File

@@ -1,352 +0,0 @@
<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>wazuh@example.wazuh.com</email_from>
<email_to>recipient@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<check_files>yes</check_files>
<check_trojans>yes</check_trojans>
<check_dev>yes</check_dev>
<check_sys>yes</check_sys>
<check_pids>yes</check_pids>
<check_ports>yes</check_ports>
<check_if>yes</check_if>
<!-- Frequency that rootcheck is executed - every 12 hours -->
<frequency>43200</frequency>
<rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
<rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
<skip_nfs>yes</skip_nfs>
</rootcheck>
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>wodles/java</java_path>
<ciscat_path>wodles/ciscat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<log_path>/var/log/osquery/osqueryd.results.log</log_path>
<config_path>/etc/osquery/osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<vulnerability-detector>
<enabled>no</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
<!-- Ubuntu OS vulnerabilities -->
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<!-- Debian OS vulnerabilities -->
<provider name="debian">
<enabled>no</enabled>
<os>stretch</os>
<os>buster</os>
<os>bullseye</os>
<update_interval>1h</update_interval>
</provider>
<!-- RedHat OS vulnerabilities -->
<provider name="redhat">
<enabled>no</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<update_interval>1h</update_interval>
</provider>
<!-- Amazon Linux OS vulnerabilities -->
<provider name="alas">
<enabled>no</enabled>
<os>amazon-linux</os>
<os>amazon-linux-2</os>
<update_interval>1h</update_interval>
</provider>
<!-- Arch OS vulnerabilities -->
<provider name="arch">
<enabled>no</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Windows OS vulnerabilities -->
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<!-- Aggregate vulnerabilities -->
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<!-- Generate alert when new file detected -->
<alert_new_files>yes</alert_new_files>
<!-- Don't ignore files that change more than 'frequency' times -->
<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<!-- File types to ignore -->
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
<skip_dev>yes</skip_dev>
<skip_proc>yes</skip_proc>
<skip_sys>yes</skip_sys>
<!-- Nice value for Syscheck process -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>100</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_interval>1h</max_interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- Active response -->
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-wazuh</name>
<executable>restart-wazuh</executable>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.exe</executable>
<timeout_allowed>yes</timeout_allowed>
</command>
<!--
<active-response>
active-response options here
</active-response>
-->
<!-- Log analysis -->
<localfile>
<log_format>command</log_format>
<command>df -P</command>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
<alias>netstat listening ports</alias>
<frequency>360</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 20</command>
<frequency>360</frequency>
</localfile>
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<rule_test>
<enabled>yes</enabled>
<threads>1</threads>
<max_sessions>64</max_sessions>
<session_timeout>15m</session_timeout>
</rule_test>
<!-- Configuration for wazuh-authd -->
<auth>
<disabled>no</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<purge>yes</purge>
<use_password>no</use_password>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
<!-- <ssl_agent_ca></ssl_agent_ca> -->
<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
<cluster>
<name>wazuh</name>
<node_name>node01</node_name>
<node_type>master</node_type>
<key>aa093264ef885029653eea20dfcf51ae</key>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>wazuh.manager</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<localfile>
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
</ossec_config>

Some files were not shown because too many files have changed in this diff Show More