Change base from Wazuh manager Dockerfile

multi-node/config/wazuh_cluster/wazuh_manager.conf

@@ -10,6 +10,8 @@
     <email_to>recipient@example.wazuh.com</email_to>
     <email_maxperhour>12</email_maxperhour>
     <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
   </global>
 
   <alerts>
@@ -43,8 +45,8 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -79,6 +81,11 @@
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
   </wodle>
 
   <sca>
@@ -91,6 +98,7 @@
   <vulnerability-detector>
     <enabled>no</enabled>
     <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
     <run_on_start>yes</run_on_start>
 
     <!-- Ubuntu OS vulnerabilities -->
@@ -108,6 +116,7 @@
       <enabled>no</enabled>
       <os>stretch</os>
       <os>buster</os>
+      <os>bullseye</os>
       <update_interval>1h</update_interval>
     </provider>
 
@@ -121,6 +130,20 @@
       <update_interval>1h</update_interval>
     </provider>
 
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
     <!-- Windows OS vulnerabilities -->
     <provider name="msu">
       <enabled>yes</enabled>
@@ -199,70 +222,47 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.3.0.1</white_list>
-    <white_list>4.3.0.2</white_list>
-    <white_list>208.67.220.220</white_list>
+    <white_list>127.0.0.53</white_list>
   </global>
 
   <command>
     <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
   </command>
 
   <command>
     <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
@@ -306,21 +306,25 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>
     <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
     <purge>yes</purge>
     <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
     <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
     <!-- <ssl_agent_ca></ssl_agent_ca> -->
     <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
     <ssl_auto_negotiate>no</ssl_auto_negotiate>
   </auth>
 
@@ -345,4 +349,25 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
-</ossec_config>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>

multi-node/config/wazuh_cluster/wazuh_worker.conf

@@ -10,6 +10,8 @@
     <email_to>recipient@example.wazuh.com</email_to>
     <email_maxperhour>12</email_maxperhour>
     <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
   </global>
 
   <alerts>
@@ -43,8 +45,8 @@
     <!-- Frequency that rootcheck is executed - every 12 hours -->
     <frequency>43200</frequency>
 
-    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
-    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
 
     <skip_nfs>yes</skip_nfs>
   </rootcheck>
@@ -79,6 +81,11 @@
     <packages>yes</packages>
     <ports all="no">yes</ports>
     <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
   </wodle>
 
   <sca>
@@ -91,6 +98,7 @@
   <vulnerability-detector>
     <enabled>no</enabled>
     <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
     <run_on_start>yes</run_on_start>
 
     <!-- Ubuntu OS vulnerabilities -->
@@ -108,6 +116,7 @@
       <enabled>no</enabled>
       <os>stretch</os>
       <os>buster</os>
+      <os>bullseye</os>
       <update_interval>1h</update_interval>
     </provider>
 
@@ -121,6 +130,20 @@
       <update_interval>1h</update_interval>
     </provider>
 
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
     <!-- Windows OS vulnerabilities -->
     <provider name="msu">
       <enabled>yes</enabled>
@@ -199,70 +222,47 @@
   <global>
     <white_list>127.0.0.1</white_list>
     <white_list>^localhost.localdomain$</white_list>
-    <white_list>4.3.0.1</white_list>
-    <white_list>4.3.0.2</white_list>
-    <white_list>208.67.220.220</white_list>
+    <white_list>127.0.0.53</white_list>
   </global>
 
   <command>
     <name>disable-account</name>
-    <executable>disable-account.sh</executable>
-    <expect>user</expect>
+    <executable>disable-account</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
-    <name>restart-ossec</name>
-    <executable>restart-ossec.sh</executable>
-    <expect></expect>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
   </command>
 
   <command>
     <name>firewall-drop</name>
-    <executable>firewall-drop.sh</executable>
-    <expect>srcip</expect>
+    <executable>firewall-drop</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>host-deny</name>
-    <executable>host-deny.sh</executable>
-    <expect>srcip</expect>
+    <executable>host-deny</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>route-null</name>
-    <executable>route-null.sh</executable>
-    <expect>srcip</expect>
+    <executable>route-null</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>win_route-null</name>
-    <executable>route-null.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>win_route-null-2012</name>
-    <executable>route-null-2012.cmd</executable>
-    <expect>srcip</expect>
+    <executable>route-null.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
   <command>
     <name>netsh</name>
-    <executable>netsh.cmd</executable>
-    <expect>srcip</expect>
-    <timeout_allowed>yes</timeout_allowed>
-  </command>
-
-  <command>
-    <name>netsh-win-2016</name>
-    <executable>netsh-win-2016.cmd</executable>
-    <expect>srcip</expect>
+    <executable>netsh.exe</executable>
     <timeout_allowed>yes</timeout_allowed>
   </command>
 
@@ -306,21 +306,25 @@
     <rule_dir>etc/rules</rule_dir>
   </ruleset>
 
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
   <!-- Configuration for wazuh-authd -->
   <auth>
     <disabled>no</disabled>
     <port>1515</port>
     <use_source_ip>no</use_source_ip>
-    <force_insert>yes</force_insert>
-    <force_time>0</force_time>
     <purge>yes</purge>
     <use_password>no</use_password>
-    <limit_maxagents>yes</limit_maxagents>
     <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
     <!-- <ssl_agent_ca></ssl_agent_ca> -->
     <ssl_verify_host>no</ssl_verify_host>
-    <ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
-    <ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
     <ssl_auto_negotiate>no</ssl_auto_negotiate>
   </auth>
 
@@ -345,4 +349,25 @@
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
   </localfile>
-</ossec_config>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>