Merge pull request #1153 from wazuh/Bump-4.7.1-RC3

Bump 4.7.1 to RC3 revision

.env

@@ -1,3 +1,3 @@
-WAZUH_VERSION=4.6.0
+WAZUH_VERSION=4.7.1
-WAZUH_IMAGE_VERSION=4.6.0
+WAZUH_IMAGE_VERSION=4.7.1
 WAZUH_TAG_REVISION=1

.github/.goss.yaml

@@ -56,7 +56,7 @@ package:
   wazuh-manager:
     installed: true
     versions:
-    - 4.6.0-1
+    - 4.7.1-1
 port:
   tcp:1514:
     listening: true

.github/workflows/trivy-dashboard-4-4.yml

@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy scan Wazuh dashboard
+
+on:
+  release:
+    types:
+    - published
+  pull_request:
+    branches:
+      - master
+      - stable
+  schedule:
+    - cron: '34 2 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+    name: Build images and upload Trivy results
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with: { ref: 4.4 }
+
+      - name: Installing dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+      - name: Build Wazuh images
+        run: build-docker-images/build-images.sh
+
+      - name: Create enviroment variables
+        run: |
+          cat .env > $GITHUB_ENV
+          echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner for Wazuh dashboard
+        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+        with:
+          image-ref: 'wazuh/wazuh-dashboard:${{env.WAZUH_IMAGE_VERSION}}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-dashboard.sarif'
+          severity: 'LOW,MEDIUM,CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-dashboard.sarif'
+
+      - name: Slack notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: cicd-monitoring
+          SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
+          #SLACK_ICON: https://github.com/rtCamp.png?size=48
+          SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
+          SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
+          SLACK_USERNAME: github_actions
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/trivy-indexer-4-4.yml

@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy scan Wazuh indexer
+
+on:
+  release:
+    types:
+    - published
+  pull_request:
+    branches:
+      - master
+      - stable
+  schedule:
+    - cron: '34 2 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+    name: Build images and upload Trivy results
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with: { ref: 4.4 }
+
+      - name: Installing dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+      - name: Build Wazuh images
+        run: build-docker-images/build-images.sh
+
+      - name: Create enviroment variables
+        run: |
+          cat .env > $GITHUB_ENV
+          echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner for Wazuh indexer
+        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+        with:
+          image-ref: 'wazuh/wazuh-indexer:${{env.WAZUH_IMAGE_VERSION}}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-indexer.sarif'
+          severity: 'LOW,MEDIUM,CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-indexer.sarif'
+
+      - name: Slack notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: cicd-monitoring
+          SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
+          #SLACK_ICON: https://github.com/rtCamp.png?size=48
+          SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
+          SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
+          SLACK_USERNAME: github_actions
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/trivy-manager-4-4.yml

@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy scan Wazuh manager
+
+on:
+  release:
+    types:
+    - published
+  pull_request:
+    branches:
+      - master
+      - stable
+  schedule:
+    - cron: '34 2 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+
+    name: Build images and upload Trivy results
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with: { ref: 4.4 }
+
+      - name: Installing dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+      - name: Build Wazuh images
+        run: build-docker-images/build-images.sh
+
+      - name: Create enviroment variables
+        run: |
+          cat .env > $GITHUB_ENV
+          echo "GITHUB_REF_NAME="${GITHUB_REF_NAME%/*} >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner for Wazuh manager
+        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+        with:
+          image-ref: 'wazuh/wazuh-manager:${{env.WAZUH_IMAGE_VERSION}}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-manager.sarif'
+          severity: 'LOW,MEDIUM,CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-manager.sarif'
+
+      - name: Slack notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_CHANNEL: cicd-monitoring
+          SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
+          #SLACK_ICON: https://github.com/rtCamp.png?size=48
+          SLACK_MESSAGE: "Check the results: https://github.com/wazuh/wazuh-docker/security/code-scanning?query=is%3Aopen+branch%3A${{ env.GITHUB_REF_NAME }}"
+          SLACK_TITLE: Wazuh docker Trivy vulnerability scan finished.
+          SLACK_USERNAME: github_actions
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

CHANGELOG.md

@@ -1,6 +1,16 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## Wazuh Docker v4.7.1
+### Added
+
+- Update Wazuh to version [4.7.1](https://github.com/wazuh/wazuh/blob/v4.7.1/CHANGELOG.md#v471)
+
+## Wazuh Docker v4.7.0
+### Added
+
+- Update Wazuh to version [4.7.0](https://github.com/wazuh/wazuh/blob/v4.7.0/CHANGELOG.md#v470)
+
 ## Wazuh Docker v4.6.0
 ### Added
 

README.md

@@ -195,6 +195,8 @@ WAZUH_MONITORING_REPLICAS=0         ##
 
 | Wazuh version | ODFE    | XPACK  |
 |---------------|---------|--------|
+| v4.7.1        |         |        |
+| v4.7.0        |         |        |
 | v4.6.0        |         |        |
 | v4.5.4        |         |        |
 | v4.5.3        |         |        |

VERSION

@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="4.6.0"
+WAZUH-DOCKER_VERSION="4.7.1"
-REVISION="40603"
+REVISION="40709"

build-docker-images/README.md

@@ -24,9 +24,9 @@ $ build-docker-images/build-images.sh -h
 Usage: build-docker-images/build-images.sh [OPTIONS]
 
     -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
-    -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.2.
+    -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.3.
     -r, --revision <rev>         [Optional] Package revision. By default 1
-    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 4.6.0.
+    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 4.7.1.
     -h, --help                   Show this help.
 
 ```

build-docker-images/build-images.sh

@@ -1,4 +1,8 @@
-#!/bin/bash
+WAZUH_IMAGE_VERSION=4.7.1
+WAZUH_VERSION=$(echo $WAZUH_IMAGE_VERSION | sed -e 's/\.//g')
+WAZUH_TAG_REVISION=1
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2- | sed -e 's/\.//g')
+IMAGE_VERSION=${WAZUH_IMAGE_VERSION}
 
 # Wazuh package generator
 # Copyright (C) 2023, Wazuh Inc.
@@ -8,10 +12,10 @@
 # License (version 2) as published by the FSF - Free Software
 # Foundation.
 
-WAZUH_IMAGE_VERSION="4.6.0"
+WAZUH_IMAGE_VERSION="4.7.1"
 WAZUH_TAG_REVISION="1"
 WAZUH_DEV_STAGE=""
-FILEBEAT_MODULE_VERSION="0.2"
+FILEBEAT_MODULE_VERSION="0.3"
 
 # -----------------------------------------------------------------------------
 

build-docker-images/wazuh-dashboard/Dockerfile

@@ -80,9 +80,6 @@ ENV PATTERN="" \
     WAZUH_MONITORING_SHARDS="" \
     WAZUH_MONITORING_REPLICAS=""
 
-# Install dependencies
-RUN apt update && apt install -y libnss3-dev fonts-liberation libfontconfig1
-
 # Create wazuh-dashboard user and group
 RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
 RUN useradd --system \

build-docker-images/wazuh-dashboard/config/config.sh

@@ -9,8 +9,8 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.6/
+PACKAGES_URL=https://packages.wazuh.com/4.7/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.6/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.7/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-dashboard/config/wazuh.yml

@@ -16,7 +16,7 @@
 # https://documentation.wazuh.com/current/installation-guide/index.html
 #
 # Also, you can check our repository:
-# https://github.com/wazuh/wazuh-kibana-app
+# https://github.com/wazuh/wazuh-dashboard-plugins
 #
 # ------------------------------- Index patterns -------------------------------
 #

build-docker-images/wazuh-indexer/config/config.sh

@@ -53,8 +53,8 @@ tar -xf ${INDEXER_FILE}
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.6/
+PACKAGES_URL=https://packages.wazuh.com/4.7/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.6/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.7/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

build-docker-images/wazuh-manager/Dockerfile

@@ -13,16 +13,15 @@ ARG WAZUH_FILEBEAT_MODULE
 RUN apt-get update && apt install curl apt-transport-https lsb-release gnupg -y
 
 COPY config/check_repository.sh /
-
 RUN chmod 775 /check_repository.sh
 RUN source /check_repository.sh
 
 RUN apt-get update && \
     apt-get install wazuh-manager=${WAZUH_VERSION}-${WAZUH_TAG_REVISION}
 
-RUN curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
+COPY config/filebeat_module.sh /
-    dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
+RUN chmod 775 /filebeat_module.sh
-    curl -s https://packages.wazuh.com/4.x/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module
+RUN source /filebeat_module.sh
 
 ARG S6_VERSION="v2.2.0.3"
 RUN curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
@@ -49,6 +48,18 @@ RUN chmod 755 /permanent_data.sh && \
     sync && /permanent_data.sh && \
     sync && rm /permanent_data.sh
 
+#Make mount directories for keep permissions
+
+RUN mkdir -p /var/ossec/var/multigroups && \
+    chown root:wazuh /var/ossec/var/multigroups && \
+    chmod 770 /var/ossec/var/multigroups && \
+    mkdir -p /var/ossec/agentless && \
+    chown root:wazuh /var/ossec/agentless && \
+    chmod 770 /var/ossec/agentless && \
+    mkdir -p /var/ossec/active-response/bin && \
+    chown root:wazuh /var/ossec/active-response/bin && \
+    chmod 770 /var/ossec/active-response/bin
+
 # Services ports
 EXPOSE 55000/tcp 1514/tcp 1515/tcp 514/udp 1516/tcp
 

build-docker-images/wazuh-manager/config/filebeat_module.sh

@@ -0,0 +1,25 @@
+REPOSITORY="packages.wazuh.com/4.x"
+WAZUH_CURRENT_VERSION=$(curl --silent https://api.github.com/repos/wazuh/wazuh/releases/latest | grep '\"tag_name\":' | sed -E 's/.*\"([^\"]+)\".*/\1/' | cut -c 2-)
+MAJOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f1)
+MID_BUILD=$(echo $WAZUH_VERSION | cut -d. -f2)
+MINOR_BUILD=$(echo $WAZUH_VERSION | cut -d. -f3)
+MAJOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f1)
+MID_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f2)
+MINOR_CURRENT=$(echo $WAZUH_CURRENT_VERSION | cut -d. -f3)
+
+## check version to use the correct repository
+if [ "$MAJOR_BUILD" -gt "$MAJOR_CURRENT" ]; then
+  REPOSITORY="packages-dev.wazuh.com/pre-release"
+elif [ "$MAJOR_BUILD" -eq "$MAJOR_CURRENT" ]; then
+  if [ "$MID_BUILD" -gt "$MID_CURRENT" ]; then
+    REPOSITORY="packages-dev.wazuh.com/pre-release"
+  elif [ "$MID_BUILD" -eq "$MID_CURRENT" ]; then
+    if [ "$MINOR_BUILD" -gt "$MINOR_CURRENT" ]; then
+      REPOSITORY="packages-dev.wazuh.com/pre-release"
+    fi
+  fi
+fi
+
+curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb &&\
+dpkg -i ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && rm -f ${FILEBEAT_CHANNEL}-${FILEBEAT_VERSION}-amd64.deb && \
+curl -s https://${REPOSITORY}/filebeat/${WAZUH_FILEBEAT_MODULE} | tar -xvz -C /usr/share/filebeat/module

indexer-certs-creator/config/entrypoint.sh

@@ -8,8 +8,8 @@
 ## Variables
 CERT_TOOL=wazuh-certs-tool.sh
 PASSWORD_TOOL=wazuh-passwords-tool.sh
-PACKAGES_URL=https://packages.wazuh.com/4.6/
+PACKAGES_URL=https://packages.wazuh.com/4.7/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.6/
+PACKAGES_DEV_URL=https://packages-dev.wazuh.com/4.7/
 
 ## Check if the cert tool exists in S3 buckets
 CERT_TOOL_PACKAGES=$(curl --silent -I $PACKAGES_URL$CERT_TOOL | grep -E "^HTTP" | awk  '{print $2}')

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -137,6 +137,7 @@
       <enabled>no</enabled>
       <os>amazon-linux</os>
       <os>amazon-linux-2</os>
+      <os>amazon-linux-2023</os>
       <update_interval>1h</update_interval>
     </provider>
 

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -137,6 +137,7 @@
       <enabled>no</enabled>
       <os>amazon-linux</os>
       <os>amazon-linux-2</os>
+      <os>amazon-linux-2023</os>
       <update_interval>1h</update_interval>
     </provider>
 

multi-node/docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh.master:
-    image: wazuh/wazuh-manager:4.6.0
+    image: wazuh/wazuh-manager:4.7.1
     hostname: wazuh.master
     restart: always
     ulimits:
@@ -45,7 +45,7 @@ services:
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.worker:
-    image: wazuh/wazuh-manager:4.6.0
+    image: wazuh/wazuh-manager:4.7.1
     hostname: wazuh.worker
     restart: always
     ulimits:
@@ -81,7 +81,7 @@ services:
       - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh1.indexer:
-    image: wazuh/wazuh-indexer:4.6.0
+    image: wazuh/wazuh-indexer:4.7.1
     hostname: wazuh1.indexer
     restart: always
     ports:
@@ -107,7 +107,7 @@ services:
       - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
 
   wazuh2.indexer:
-    image: wazuh/wazuh-indexer:4.6.0
+    image: wazuh/wazuh-indexer:4.7.1
     hostname: wazuh2.indexer
     restart: always
     environment:
@@ -129,7 +129,7 @@ services:
       - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
 
   wazuh3.indexer:
-    image: wazuh/wazuh-indexer:4.6.0
+    image: wazuh/wazuh-indexer:4.7.1
     hostname: wazuh3.indexer
     restart: always
     environment:
@@ -151,7 +151,7 @@ services:
       - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
-    image: wazuh/wazuh-dashboard:4.6.0
+    image: wazuh/wazuh-dashboard:4.7.1
     hostname: wazuh.dashboard
     restart: always
     ports:

single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -137,6 +137,7 @@
       <enabled>no</enabled>
       <os>amazon-linux</os>
       <os>amazon-linux-2</os>
+      <os>amazon-linux-2023</os>
       <update_interval>1h</update_interval>
     </provider>
 

single-node/docker-compose.yml

@@ -3,7 +3,7 @@ version: '3.7'
 
 services:
   wazuh.manager:
-    image: wazuh/wazuh-manager:4.6.0
+    image: wazuh/wazuh-manager:4.7.1
     hostname: wazuh.manager
     restart: always
     ulimits:
@@ -46,7 +46,7 @@ services:
       - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.indexer:
-    image: wazuh/wazuh-indexer:4.6.0
+    image: wazuh/wazuh-indexer:4.7.1
     hostname: wazuh.indexer
     restart: always
     ports:
@@ -71,7 +71,7 @@ services:
       - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
 
   wazuh.dashboard:
-    image: wazuh/wazuh-dashboard:4.6.0
+    image: wazuh/wazuh-dashboard:4.7.1
     hostname: wazuh.dashboard
     restart: always
     ports: