Add persistence in single node

README.md

@@ -135,10 +135,7 @@ ADMIN_PRIVILEGES=true               # App privileges
     │   └── Dockerfile
     ├── LICENSE
     ├── multi-node
-    │   ├── docker-compose.yml
-    │   ├── generate-indexer-certs.yml
-    │   ├── Migration-to-Wazuh-4.3.md
-    │   ├── production_cluster
+    │   ├── config
     │   │   ├── nginx
     │   │   │   └── nginx.conf
     │   │   ├── wazuh_cluster
@@ -147,17 +144,43 @@ ADMIN_PRIVILEGES=true               # App privileges
     │   │   ├── wazuh_dashboard
     │   │   │   ├── opensearch_dashboards.yml
     │   │   │   └── wazuh.yml
-    │   │   ├── wazuh-indexer
+    │   │   ├── wazuh_indexer
     │   │   │   ├── internal_users.yml
     │   │   │   ├── wazuh1.indexer.yml
     │   │   │   ├── wazuh2.indexer.yml
     │   │   │   └── wazuh3.indexer.yml
     │   │   └── wazuh_indexer_ssl_certs
     │   │       └── certs.yml
+    │   ├── docker-compose.yml
+    │   ├── generate-indexer-certs.yml
+    │   ├── Migration-to-Wazuh-4.3.md
     │   └── volume-migrator.sh
     ├── README.md
     ├── single-node
-    │   └── docker-compose.yml
+    │   ├── config
+    │   │   ├── wazuh_cluster
+    │   │   │   └── wazuh_manager.conf
+    │   │   ├── wazuh_dashboard
+    │   │   │   ├── opensearch_dashboards.yml
+    │   │   │   └── wazuh.yml
+    │   │   ├── wazuh_indexer
+    │   │   │   ├── internal_users.yml
+    │   │   │   └── wazuh.indexer.yml
+    │   │   └── wazuh_indexer_ssl_certs
+    │   │       ├── admin-key.pem
+    │   │       ├── admin.pem
+    │   │       ├── certs.yml
+    │   │       ├── root-ca.key
+    │   │       ├── root-ca.pem
+    │   │       ├── wazuh.dashboard-key.pem
+    │   │       ├── wazuh.dashboard.pem
+    │   │       ├── wazuh.indexer-key.pem
+    │   │       ├── wazuh.indexer.pem
+    │   │       ├── wazuh.manager-key.pem
+    │   │       └── wazuh.manager.pem
+    │   ├── docker-compose.yml
+    │   ├── generate-indexer-certs.yml
+    │   └── README.md
     └── VERSION
 
 

multi-node/docker-compose.yml

@@ -32,10 +32,10 @@ services:
       - master-wazuh-wodles:/var/ossec/wodles
       - master-filebeat-etc:/etc/filebeat
       - master-filebeat-var:/var/lib/filebeat
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.worker:
     image: wazuh/wazuh-manager:4.3.0
@@ -61,10 +61,10 @@ services:
       - worker-wazuh-wodles:/var/ossec/wodles
       - worker-filebeat-etc:/etc/filebeat
       - worker-filebeat-var:/var/lib/filebeat
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
-      - ./production_cluster/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh1.indexer:
     image: wazuh/wazuh-indexer:4.3.0
@@ -84,13 +84,13 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-1:/var/lib/wazuh-indexer
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.key
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem
-      - ./production_cluster/wazuh-indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/config/wazuh1.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem
+      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
 
   wazuh2.indexer:
     image: wazuh/wazuh-indexer:4.3.0
@@ -108,11 +108,11 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-2:/var/lib/wazuh-indexer
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.key
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.pem
-      - ./production_cluster/wazuh-indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/config/wazuh2.indexer.pem
+      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
 
   wazuh3.indexer:
     image: wazuh/wazuh-indexer:4.3.0
@@ -130,11 +130,11 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data-3:/var/lib/wazuh-indexer
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.key
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.pem
-      - ./production_cluster/wazuh-indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
-      - ./production_cluster/wazuh-indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/config/wazuh3.indexer.pem
+      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
 
   wazuh.dashboard:
     image: wazuh/wazuh-dashboard:4.3.0
@@ -148,11 +148,11 @@ services:
       - API_USERNAME=acme-user
       - API_PASSWORD=MyS3cr37P450r.*-
     volumes:
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
-      - ./production_cluster/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
-      - ./production_cluster/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
-      - ./production_cluster/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
     depends_on:
       - wazuh1.indexer
     links:
@@ -174,7 +174,7 @@ services:
       - wazuh.worker:wazuh.worker
       - wazuh.dashboard:wazuh.dashboard
     volumes:
-      - ./production_cluster/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
 
 volumes:
   master-wazuh-api-configuration:

multi-node/generate-indexer-certs.yml

@@ -6,5 +6,5 @@ services:
     image: wazuh/wazuh-certs-generator:0.0.1
     hostname: wazuh-certs-generator
     volumes:
-      - ./production_cluster/wazuh_indexer_ssl_certs/certs.yml:/config.yml
-      - ./production_cluster/wazuh_indexer_ssl_certs/:/certificates/
+      - ./config/wazuh_indexer_ssl_certs/certs.yml:/config.yml
+      - ./config/wazuh_indexer_ssl_certs/:/certificates/

single-node/README.md

@@ -0,0 +1,27 @@
+# Deploy Wazuh Docker in single node configuration
+
+This deployment generates a Docker Compose stack with 1 Wazuh Manager container, 1 Wazuh Indexer container and 1 Wazuh Dashboard container.
+
+In case of upgrading from 4.2, the deployment hosted in the multi-node directory should be reviewed
+
+For the next deployment, the following steps must be performed:
+
+1) Increase max_map_count on your host (Linux)
+
+$ sysctl -w vm.max_map_count=262144
+
+This command must be run with root permissions
+
+2) Run the certificate creation script:
+
+$ docker-compose -f generate-indexer-certs.yml run --rm generator
+
+3) Start the stack with docker-compose:
+
+In Foregroud:
+$ docker-compose up
+
+Background
+$ docker-compose up -d
+
+The stack takes about 1 minute to get up for the first time, since Wazuh Indexer must be started for the first time and the Indexes and Index Patterns must be generated.

single-node/config/wazuh_cluster/wazuh_manager.conf

@@ -0,0 +1,353 @@
+<ossec_config>
+  <global>
+    <jsonout_output>yes</jsonout_output>
+    <alerts_log>yes</alerts_log>
+    <logall>no</logall>
+    <logall_json>no</logall_json>
+    <email_notification>no</email_notification>
+    <smtp_server>smtp.example.wazuh.com</smtp_server>
+    <email_from>wazuh@example.wazuh.com</email_from>
+    <email_to>recipient@example.wazuh.com</email_to>
+    <email_maxperhour>12</email_maxperhour>
+    <email_log_source>alerts.log</email_log_source>
+    <agents_disconnection_time>10m</agents_disconnection_time>
+    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
+  </global>
+
+  <alerts>
+    <log_alert_level>3</log_alert_level>
+    <email_alert_level>12</email_alert_level>
+  </alerts>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+  <remote>
+    <connection>secure</connection>
+    <port>1514</port>
+    <protocol>tcp</protocol>
+    <queue_size>131072</queue_size>
+  </remote>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>etc/rootcheck/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+  <vulnerability-detector>
+    <enabled>no</enabled>
+    <interval>5m</interval>
+    <min_full_scan_interval>6h</min_full_scan_interval>
+    <run_on_start>yes</run_on_start>
+
+    <!-- Ubuntu OS vulnerabilities -->
+    <provider name="canonical">
+      <enabled>no</enabled>
+      <os>trusty</os>
+      <os>xenial</os>
+      <os>bionic</os>
+      <os>focal</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Debian OS vulnerabilities -->
+    <provider name="debian">
+      <enabled>no</enabled>
+      <os>stretch</os>
+      <os>buster</os>
+      <os>bullseye</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- RedHat OS vulnerabilities -->
+    <provider name="redhat">
+      <enabled>no</enabled>
+      <os>5</os>
+      <os>6</os>
+      <os>7</os>
+      <os>8</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Amazon Linux OS vulnerabilities -->
+    <provider name="alas">
+      <enabled>no</enabled>
+      <os>amazon-linux</os>
+      <os>amazon-linux-2</os>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Arch OS vulnerabilities -->
+    <provider name="arch">
+      <enabled>no</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Windows OS vulnerabilities -->
+    <provider name="msu">
+      <enabled>yes</enabled>
+      <update_interval>1h</update_interval>
+    </provider>
+
+    <!-- Aggregate vulnerabilities -->
+    <provider name="nvd">
+      <enabled>yes</enabled>
+      <update_from_year>2010</update_from_year>
+      <update_interval>1h</update_interval>
+    </provider>
+
+  </vulnerability-detector>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Generate alert when new file detected -->
+    <alert_new_files>yes</alert_new_files>
+
+    <!-- Don't ignore files that change more than 'frequency' times -->
+    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
+
+  <!-- Active response -->
+  <global>
+    <white_list>127.0.0.1</white_list>
+    <white_list>^localhost.localdomain$</white_list>
+    <white_list>10.0.0.106</white_list>
+  </global>
+
+  <command>
+    <name>disable-account</name>
+    <executable>disable-account</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>restart-wazuh</name>
+    <executable>restart-wazuh</executable>
+  </command>
+
+  <command>
+    <name>firewall-drop</name>
+    <executable>firewall-drop</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>host-deny</name>
+    <executable>host-deny</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>route-null</name>
+    <executable>route-null</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>win_route-null</name>
+    <executable>route-null.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <command>
+    <name>netsh</name>
+    <executable>netsh.exe</executable>
+    <timeout_allowed>yes</timeout_allowed>
+  </command>
+
+  <!--
+  <active-response>
+    active-response options here
+  </active-response>
+  -->
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <ruleset>
+    <!-- Default ruleset -->
+    <decoder_dir>ruleset/decoders</decoder_dir>
+    <rule_dir>ruleset/rules</rule_dir>
+    <rule_exclude>0215-policy_rules.xml</rule_exclude>
+    <list>etc/lists/audit-keys</list>
+    <list>etc/lists/amazon/aws-eventnames</list>
+    <list>etc/lists/security-eventchannel</list>
+
+    <!-- User-defined ruleset -->
+    <decoder_dir>etc/decoders</decoder_dir>
+    <rule_dir>etc/rules</rule_dir>
+  </ruleset>
+
+  <rule_test>
+    <enabled>yes</enabled>
+    <threads>1</threads>
+    <max_sessions>64</max_sessions>
+    <session_timeout>15m</session_timeout>
+  </rule_test>
+
+  <!-- Configuration for wazuh-authd -->
+  <auth>
+    <disabled>no</disabled>
+    <port>1515</port>
+    <use_source_ip>no</use_source_ip>
+    <purge>yes</purge>
+    <use_password>no</use_password>
+    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
+    <!-- <ssl_agent_ca></ssl_agent_ca> -->
+    <ssl_verify_host>no</ssl_verify_host>
+    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
+    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
+    <ssl_auto_negotiate>no</ssl_auto_negotiate>
+  </auth>
+
+  <cluster>
+    <name>wazuh</name>
+    <node_name>node01</node_name>
+    <node_type>master</node_type>
+    <key></key>
+    <port>1516</port>
+    <bind_addr>0.0.0.0</bind_addr>
+    <nodes>
+        <node>NODE_IP</node>
+    </nodes>
+    <hidden>no</hidden>
+    <disabled>yes</disabled>
+  </cluster>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+</ossec_config>

single-node/config/wazuh_dashboard/opensearch_dashboards.yml

@@ -0,0 +1,12 @@
+server.host: 0.0.0.0
+server.port: 443
+opensearch.hosts: https://wazuh.indexer:9200
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=global

single-node/config/wazuh_dashboard/wazuh.yml

@@ -0,0 +1,7 @@
+hosts:
+  - 1513629884013:
+      url: "https://wazuh.manager"
+      port: 55000
+      username: acme-user
+      password: MyS3cr37P450r.*-
+      run_as: false

single-node/config/wazuh_indexer/internal_users.yml

@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+  type: "internalusers"
+  config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+  hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+  reserved: true
+  backend_roles:
+  - "admin"
+  description: "Demo admin user"
+
+kibanaserver:
+  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+  reserved: true
+  description: "Demo kibanaserver user"
+
+kibanaro:
+  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+  reserved: false
+  backend_roles:
+  - "kibanauser"
+  - "readall"
+  attributes:
+    attribute1: "value1"
+    attribute2: "value2"
+    attribute3: "value3"
+  description: "Demo kibanaro user"
+
+logstash:
+  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+  reserved: false
+  backend_roles:
+  - "logstash"
+  description: "Demo logstash user"
+
+readall:
+  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+  reserved: false
+  backend_roles:
+  - "readall"
+  description: "Demo readall user"
+
+snapshotrestore:
+  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+  reserved: false
+  backend_roles:
+  - "snapshotrestore"
+  description: "Demo snapshotrestore user"

single-node/config/wazuh_indexer/wazuh.indexer.yml

@@ -0,0 +1,27 @@
+network.host: "0.0.0.0"
+node.name: "wazuh.indexer"
+path.data: /var/lib/wazuh-indexer
+path.logs: /var/log/wazuh-indexer
+discovery.type: single-node
+compatibility.override_main_response_version: true
+plugins.security.ssl.http.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: ${OPENSEARCH_PATH_CONF}/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: ${OPENSEARCH_PATH_CONF}/root-ca.pem
+plugins.security.ssl.http.enabled: true
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.resolve_hostname: false
+plugins.security.audit.type: internal_opensearch
+plugins.security.authcz.admin_dn:
+- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.check_snapshot_restore_write_privileges: true
+plugins.security.enable_snapshot_restore_privilege: true
+plugins.security.nodes_dn:
+- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
+plugins.security.restapi.roles_enabled:
+- "all_access"
+- "security_rest_api_access"
+plugins.security.system_indices.enabled: true
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

single-node/config/wazuh_indexer_ssl_certs/admin-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDD40EQPXlnfl+h
+cqnWeGN7iv4p21Ukqs5ar/nMTiu1sBd3weqkHX9tEyvZjNH1kJWvAPjFr/XalCmm
+JKLoJn0lXe7CzbDJcM41D18QYen+rpUg7zINa5YwHwrVqNF4NRJkRDPaM17iYopO
+H81TinJk6x5n1SfOhvRUQ/QyUH4DRaqKVaT5eSeLJ2FQmTZ7dWWVEluhvbP33rFu
+DM74jNAAU0EbT1tcihek0kTkVVGKfHFGI+GyaMMO2epPyPf3zXe2jqEJIlmn3adz
+uykWyLpf0WOhp/592+76wg3CAIq8+DZoyIObDVA7iURMkOR6RaNyBUbf0OGLL/Mn
+EDsmVkWZAgMBAAECggEARvCoAW+h5d8YVumlpCwZKwadIR9zaEILVUBhoKG2pqfM
+9+vcQ+8C1Meam8Cp0Nq5upUJgt5ElRIPO0INVTGLJNstupKvMWSO6RxV+yLakQc8
+rp6xa7bIv0ierd3jbjsaHAGvHZh5BldVaxGNVHHRF8cmTcgeEGdDWLj7WLVZzWjs
+eSs8/ZgX6OgoLh/c4mU8AuaFxecV1POwgkhWBsEsfTD8y4KF//TqBHdswL9qt+/W
+YFi0jsdblEoMb+ILgml/4TdSuo++FJxejlmFTOmEtlskJrxEomhklGUyYKyXtCJq
+fx6wrM3ycSbY3Gl7Hyw+uXsgOEpMMeNAnylIuRmq+QKBgQD2TMSimLCLyxOXuFll
+wVdDfxnhTR4iAXczPde9psNnT5h0EcAR6liiTFpcJ9lQD4KWX6h/ZzPMrGqbsmTs
+w52jo1Sf4P+bKW/ecgnPdBm+lQJ8i3X+8vBFEhJ7KZVBx0FejuE9cj+hb+4kmRji
+B74atgOfjeHRIzdMYy4QWfhSJwKBgQDLmjkfGoKykCoJ2x+TQ68NZXsXdaQ2CsCS
+QD+BYGDbBTD/FHuTMm/TFZ8X07dQa71n38hoyuqkPZJPsbTyaYZJnZRDn2eTJqrY
+GXyAX/kGMQUb1SZgogN4EXBFUwgcyxByvwhu3zwZPlBwoJFRrQTkgaeXiQu6hjjH
+39ekHhRCPwKBgBeyAQTnjayVR/hDuw4IEL4knzfGtIxu+anLXFMZlRj+VltsTb8r
+fYV3tQXCq6yBIX4YC9zd7+TT/ZmnCwCgPS0+DGkpO04RKXsMG5eCwutL6KZUwHBb
+rPPoLjD9Kife5JIVSuQfdrGwVAffVr6AIjDtq+GQw9Xb/njx3b+i+DnnAoGAF3b5
+uFT01SF6RtKDLBSz2wZkDksXlsbcdL6E0yNJZlSN1ggFSeyZKKmoQTW8Pb98/7ix
+vyoLqswRza98XCe/O0K28KgxZqshK3CcgasN5yHFJfUFzEM/xRm1Z7fvCmp4xdCw
+Zx7BLWOaH7DRrqkTFEbBCtzXhjKr3pU0pAx3Zz8CgYEAwiia3cX1hhYE+VwF4SxG
+8OUuX1Ad7k7yeT62lv5bn1ZMpOx0SPgOV63DMJHf2DxMgwtvS548Ti18iM1/kaIC
+nN3VvXrd6Ma+Eky/J1X1zi3jg91bngCHmLCzxrhuxitzz0DNlA7FFFwPPfuqpnrV
+Ud/8jWxBp7Xirz/TzKJCbjs=
+-----END PRIVATE KEY-----

single-node/config/wazuh_indexer_ssl_certs/admin.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDDjCCAfYCFAU87O0mgSwCKgJKxO06KRVmCYLfMA0GCSqGSIb3DQEBCwUAMDUx
+DjAMBgNVBAsMBVdhenVoMQ4wDAYDVQQKDAVXYXp1aDETMBEGA1UEBwwKQ2FsaWZv
+cm5pYTAeFw0yMjAzMzExNTU4NThaFw0zMjAzMjgxNTU4NThaMFIxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQHDApDYWxpZm9ybmlhMQ4wDAYDVQQKDAVXYXp1aDEOMAwGA1UE
+CwwFV2F6dWgxDjAMBgNVBAMMBWFkbWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAw+NBED15Z35foXKp1nhje4r+KdtVJKrOWq/5zE4rtbAXd8HqpB1/
+bRMr2YzR9ZCVrwD4xa/12pQppiSi6CZ9JV3uws2wyXDONQ9fEGHp/q6VIO8yDWuW
+MB8K1ajReDUSZEQz2jNe4mKKTh/NU4pyZOseZ9Unzob0VEP0MlB+A0WqilWk+Xkn
+iydhUJk2e3VllRJbob2z996xbgzO+IzQAFNBG09bXIoXpNJE5FVRinxxRiPhsmjD
+DtnqT8j39813to6hCSJZp92nc7spFsi6X9Fjoaf+fdvu+sINwgCKvPg2aMiDmw1Q
+O4lETJDkekWjcgVG39Dhiy/zJxA7JlZFmQIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQAPMETJTs2cA3PFSZsXwp0MvqbGstgbtW/UgBMJJjpVg8G7Txapj9uLYZRVBa72
+nPPyBpttY0GGGuhH3TQP/jwW1HSw/fDWz7LsdLsMLAAHRDJ5Y+zuS1KkWTMTb+Ih
+M31xJvRWW+Vy7GQlx0w20UcyIV/9uOXs3smhFcXsUrk/bKqPk/xx5pPWQgU/kYNq
+Rkjg2NK7FLbR0ydNfhNAN99Q82sPtIArl3UHVslC8rW7M0fcsAp+KOi69BbNHPfO
+omGedS/XGlsPbNQObAyrJF6P9qcioL/FNECEG29J/5grAfezUIlx+eXUL69fwtwA
+RQPMsegj5KAWeULTQtIMOQKs
+-----END CERTIFICATE-----

single-node/config/wazuh_indexer_ssl_certs/certs.yml

@@ -0,0 +1,16 @@
+nodes:
+  # Wazuh indexer server nodes
+  indexer:
+    name: wazuh.indexer
+    ip: wazuh.indexer
+
+  # Wazuh server nodes
+  # Use node_type only with more than one Wazuh manager
+  server:
+    name: wazuh.manager
+    ip: wazuh.manager
+
+  # Wazuh dashboard node
+  dashboard:
+    name: wazuh.dashboard
+    ip: wazuh.dashboard

single-node/config/wazuh_indexer_ssl_certs/root-ca.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC0HNHBVRwConob
+LgAOejIbbLkeGAQiGqpkCxoyb/HL/u3hje0TAnKozY5pxwp9Jeo7REmolorJ7YXL
+OT390Wh5cI5/Fj4tPsoYzQZuQZiy6DAWbGjKmQUjBCcoQkYftDY0PlMMjfbpvBe8
+b8qul3ZYPP9EvZ66i7OthBVwNw+dJrQXLFRCBssg6ev+Rr3jbWrxwMObaRFoXJRd
+jXFm69PA+HPpuACYQPTHvEhkh+uTU6w36/ZFpiuHeFNJsJZ+cG8sUUMdWNgvq+R3
+bzAALOCFQepONvNowKcTKNf/R3gM94r58PK0G7ehN8Kme7KFUCXUL73ucTpAeXcE
+TDAL+yTVAgMBAAECggEAAxSvHdB33y+qSQa7Z4P9kWyFqhcdEvxDx9xMwWoax7N/
+nCkSUg3rqimB8xs9ebCJViQv4ltY2mVesYA0KEBJujILre7Sd3GogU4YexBSLVU9
+ZVTLYhPF+7hZdx3TFz28453hS8it3YejHE0JOX1Lv+yjLSjVKzmyhBhLSZUXhkeY
+118drOwj4Ji0KrzTZilpWBPAPHJMkChClLbaJcbOexUkQxvoXgWUQfYi+CtY67Rm
+tRnuot29kCTq/r97Iz4NiEHGzAu6IA6xE2S1qJ2ndjoiFRhfKF8wL0f0a71zp9Vo
+jXl85qV13Kb0FN17DbmQnSx7dBKIly1Y7cLLq6PkoQKBgQDjWkkx3YqD5VW3c6fr
+lyC7Jl0AIvd/1lpOksCofVc2GUBEfR1D87YMc9H917t6rfRjgE3wgYis9Wk2AfIl
+Iky/8x+MZHZFOrAcNTArlyBBhXlXIFcAM3br+gTeJKbQwCrMbukGPuBl2+GtYcFh
+eEdb9yimAKOlaKIFDEOtt1LxmQKBgQDKzrWtsB4CGPZ1EZZXNfZ6BDtFXdStjirA
+411ffc0xNLVducD+bb8jzupOlzstvnnosCnX6QZUzjz8A89ePX6gTwwFUjp03JcK
+sb0QcIOVNNt1cHRUx5e0mMQhM/LGhWuZkwO6L7m4DcVb4B4hu12p8503USVZ/YlR
+vowtvDUKnQKBgGvm7dY8zwDKV2Q5//hQQbiQ/JKUBeMmWLXx8H4G/t0uHtJijwEx
+KbW/Qmq3eMNAzDxtKJB86eEsmEKJqeL15Hc1bEO1amxw7iR1GeeWUjjGoFA5iREP
+W+GjR6wmuQVaLvXXrcDJFrdBJFqliqI386YyJ5ihtQlMH5lFuNk5qKQBAoGAXUXW
+XqxaEMLkTpEpILDry9A4Zj2yO6Pf29h1sB5OiavhIdr1fM6Ckvht4HlDOVWaAb9L
+b0Z3p/c2Kv2hmIkVvKq+L5BS3D47pSp7dp0Ylz25FPkEN52YEvITeeXHaTAhfX8U
+vsOGWbTTqN6ZXRAsEqa9DpzeXdXyGstU8w/VIS0CgYBFzwoivG/EgFMUofcVqRf9
+DR9nbF3dAgCVP2pjPevuEUn7CgxhBNdjyBfZQ9AePh8N+snlzvWxCBCNH43/Bbzf
+KLXoP/w3i16NyhLRiNWEDWdgBmh0DexuQkXStUYItk8749WH5PItEuUbFImPJ7sz
+xMKXRy85xA+O8Ys15v/z+w==
+-----END PRIVATE KEY-----

single-node/config/wazuh_indexer_ssl_certs/root-ca.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSzCCAjOgAwIBAgIUc6jxrdFdpeRz9LqBXbPnL10xwIwwDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIyMDMzMTE1NTg1OFoXDTMyMDMyODE1NTg1OFowNTEOMAwG
+A1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApDYWxpZm9ybmlh
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtBzRwVUcAqJ6Gy4ADnoy
+G2y5HhgEIhqqZAsaMm/xy/7t4Y3tEwJyqM2OaccKfSXqO0RJqJaKye2Fyzk9/dFo
+eXCOfxY+LT7KGM0GbkGYsugwFmxoypkFIwQnKEJGH7Q2ND5TDI326bwXvG/Krpd2
+WDz/RL2euouzrYQVcDcPnSa0FyxUQgbLIOnr/ka9421q8cDDm2kRaFyUXY1xZuvT
+wPhz6bgAmED0x7xIZIfrk1OsN+v2RaYrh3hTSbCWfnBvLFFDHVjYL6vkd28wACzg
+hUHqTjbzaMCnEyjX/0d4DPeK+fDytBu3oTfCpnuyhVAl1C+97nE6QHl3BEwwC/sk
+1QIDAQABo1MwUTAdBgNVHQ4EFgQUhwVk/zxcbNU6lDR9eD1UtbdGMqUwHwYDVR0j
+BBgwFoAUhwVk/zxcbNU6lDR9eD1UtbdGMqUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAVYq19mPRxRvfTj70gUQUuoDiHU48/VM58L0dEs2EPvzN
+IiaMI0ablsInQE1ZJZc2GYsmnPZjoAuE7R6FIMSS6XErhPeJLxLkieibmhQXpElI
+kEik3Uwhv4kjwh5TEwPqjVORRgvthLO9kl1riwlyu3rAEsohJlvUB1uWT99+emSc
+jRivo3pXHmu9PI+JBcCxbzc2mixpSuqUalVkx8r7+RayD2EMdckK0WGz9SRplx8p
+aNJI6Z0M3+yk4D5bvmAtkX0p1Wk9fk6HLsynLoSZ2CwT9rjm89lIYHEPcUsZHyor
+gW64BfUXTNJDcycEg8zDlosdi2zCe/qfmZXgC0t9dA==
+-----END CERTIFICATE-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDDyjevayE979UH
+0Y8IhN6tMSiwlr8C1E4UmK1oTK+4fjy0/zoyaBfwcYVmGqqcPDvDdU4r937SPP9r
+CPGH24gUuoAL+c1E4IyR1iCPs2N8UcyRAQfZX3t3SSD7HxFmRtKlTypL1Uc70NEZ
+aXVmsBQIXBYpOfJNAEjcbvD5rB2fmYUZ8QTx+aNiwTnLJMUAkqax1NASRhnVw9jo
+MJ41q2yveR3Wk2f0ODiGYLDekIH3FOuGf1ypFIDfyrMEh5VYJnIqYrgZt2ljuMcV
+O7THkW8jhZ7l+3cMT3LXVMr4PY61ad5Nw5bz2fHZyo6rl2D7Ks7s0WVkun9kKRf9
+nCeRMArrAgMBAAECggEBAKciU4Damcjul9MRz+D8073SziJYvPvkUjcA0l7Lv+Fl
+WdtEWOC4vV7S+YZc0zGFtZq346BiqQ89ZOhw/QX1oGfZgP84IkNe0ICZ4rfo8c8p
+YNCTqaik+peshIv6THcblCvrtXaAvUtRiX4A6WhcfO1Z9s0Am1eiG5CY3/qyM6OO
+Ae+3TGF6GtMYsKPZvtbOkWs6CzAfn/cfzyM8TJQA17HhX0UVTalFWMunYJIbk9jP
+nGGzuBxeICtFmQ0c3vJq4dNs7FeGV6EHOYXeaZrPFMFWnu0aWmgVw3ONKPBXY2hb
+b+ykHXGzPZrgt01wW6S7NL3aYrd0ocZzUCsbMVGcpZECgYEA7qIjNRIym6jyr0cV
+6T7g7hHb+3u5p0BUhWZrxfzVLpZf5AOOl97tQiHRXGnNjEuddcvA5O25yWJl1Amk
+mHYkSuLfTVL+qqXKrrDEvqdwUetPjZWdo9MEoUjQvnjirsn59fMzFPSbw7sYI8/i
+ZpNyXwll2AZHDSaGPC+BOWCFukkCgYEA0gnid5+4sm8r0DWR7r1WCXbODFhNnqkA
+ptfpyp3NfX6ALJ7kT6vGzhCxC1XQXNwR61V1x6/CBTSZ779eNT9sDYr+4ZHaVz8f
+bQA2Cmes4z/3NifsWC4HtvzJxkS8ZLD1ImPMa4MFkezA/H//c27uy/8w2YSB34JD
+9KoG53y9e5MCgYBl1zpRTufcOJkBpsO6HESgNWz9gYr0zuaDW/eIsmNEk5Zu1/nF
+5LS6sXYJC3pWcnrLp941lSLhyCWO/WKKUnkgoHwOIupeZ4z9SqFcgFbWDyePVBfH
+r6ndLxcvAqYzVC1iAp19Rvsm6DTgK7sCbdC0sG0PaXZvLU7CZr+uffv0SQKBgQC1
+XiG3aC1lrwenR8rW25mCnJs6H7oOyiKs736LHo6F0gk9/oppnYwS/mjSv+wnc0Tp
+8Ka+oq8oLY7LbnUcB8L3QtHq2DYw5mnthqQjgfjRVrfShNDaKA0zXr+hPFNtozxZ
+0NGA+OeDZWwT3TcpZ14+uwJkob4/0U165KMHmzhHjwKBgQDd7RfgePWsT/pB4Imd
+I/u1KC/7AkqBHx81kCL2XTFtKoSYKAKjHo/VfoQiohPvEdpJuP7dRIdKN/leC9xF
+TGe/TRjv6Sir6a61iHAKRif7gorMMu7WMPS4gt9/A+uVRD2ywsYBUOYqJGmjbRKM
+RHwR71NJ2edSI3i6/3TBJTbnSg==
+-----END PRIVATE KEY-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAl6gAwIBAgIUBTzs7SaBLAIqAkrE7TopFWYJguIwDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIyMDMzMTE1NTg1OFoXDTMyMDMyODE1NTg1OFowXDELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEYMBYGA1UEAwwPd2F6dWguZGFzaGJvYXJkMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8o3r2shPe/VB9GPCITerTEosJa/AtRO
+FJitaEyvuH48tP86MmgX8HGFZhqqnDw7w3VOK/d+0jz/awjxh9uIFLqAC/nNROCM
+kdYgj7NjfFHMkQEH2V97d0kg+x8RZkbSpU8qS9VHO9DRGWl1ZrAUCFwWKTnyTQBI
+3G7w+awdn5mFGfEE8fmjYsE5yyTFAJKmsdTQEkYZ1cPY6DCeNatsr3kd1pNn9Dg4
+hmCw3pCB9xTrhn9cqRSA38qzBIeVWCZyKmK4GbdpY7jHFTu0x5FvI4We5ft3DE9y
+11TK+D2OtWneTcOW89nx2cqOq5dg+yrO7NFlZLp/ZCkX/ZwnkTAK6wIDAQABo1cw
+VTAfBgNVHSMEGDAWgBSHBWT/PFxs1TqUNH14PVS1t0YypTAJBgNVHRMEAjAAMAsG
+A1UdDwQEAwIE8DAaBgNVHREEEzARgg93YXp1aC5kYXNoYm9hcmQwDQYJKoZIhvcN
+AQELBQADggEBAKatO2nfF24Z9mrYzyHBs4BN0m7H29VrYi953YB7qKlWOr8CDFGe
+olfaDgrY7Hc7MM5kzGtCF7POywVMfX6ug9WiAeYX+kaAJxHYctwy/AMyYeEhDjKx
+et/SD++rR8V6EDeuevag+21HhqzOptiRKAyg1P13B4d8/UwK/d42T8Rgujh4tAB1
+PYN269ID3tQ3GMG1y0QaAwtpPEpBv3AF/kANVkHV+rwtWyKQKK8WEVxcqAppY1ap
+AY4zUTpEO8rAZXSfOk/tJ9hPJrF6+Ld44pcxDzw1fs0LOY4r/RY9V4DT0ayForrG
+uBUpPEkB1rh1eHAi1OWfNj4sseYMysYmz5c=
+-----END CERTIFICATE-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8V/BRL1YWMZmO
+YCNBMtSxLnyBUOkVneF+o6fNuAF2szv/H2CpH9oEpmH4gB9x66bNNuwfb2THOwfO
+fYySA3IGwyKk8xyC1+6mW0QIWzNvAYROBpDD0lZwMxLwf3PecFXzN2hEuTOPavS6
+B6BaTlhYfOgSFwKQUJIKLzq+/TfwzJUW87/5uI6+GpSXdVBFFOrjcmntxahMrnBv
+3mxJlsr60LHcfXcPc+qtrNGVmmD/V0sFE0Gi9m07vpK2nDnja0IME4A6s/Jo0TlX
+pGKlXi8BXixjas1WZn9gfe7VrTtCYpkGFLjWC+Rz1tHBnwKkjoVNQrxrvd7h7tU/
+OmSs7gTHAgMBAAECggEBALIbWvf7EqakOvknss8aGYaAVl8Xu4OkrLRMYQgqZL/y
+WN82tfrZUxuol+ceih354eAYewxzE9NP4F8F3SPLPE5mw+FGwYR+XIFWtyxLyoTD
+43DBxq5Xv0QVGGjzrggBJVZ95A1xMfADDfDJ+3rKscLkQ7Wvqs38U05sQVqRLRB5
+VnArp6hn5Lj4Y37/6ER2hyB/CahE5i6SQTe8dWHlvs3eiXfeXx7AmJzvNRezH9Zo
+LVUDoGpdU7Zm5eo0kQevfHjs1Wrtn4Oq+tev+WSninOWR1j/2T0T7SLNI6cABP/K
+LtObnhdZhpMEiWe7AN/oDxrkEo954QZTkj3Dkub2QWECgYEA7DEDBYMEGMmvQbKx
+jF1qtWqHABdbjR29YtFfpcAm8yAadaftvX0qZq7Ym2DwHCwPX8O8kpGUpN5zYr+W
+xsja1s/bUDat82on2RRn1+e5cBfJ1dyLGisvMu1QN1/b/593WfZwbPGxDq5nFjUd
+1SyJE0/EKSCnNjcTNpgLbEB9+XECgYEAzCOj48yhIfhQY8UhUgDojiEhEhAmrMBY
+MYb+LZvTg5b2fruPwgsA/MADoL68pwF0LSSoysbS7SIFEUTvyHv3zjNvtPR3kEuE
+/JHS4vppFvuFKozf+tMHcIIF7pigyLRkGpePgPaeQ86AvKitq8YHn0I8nVD15n2f
+0TlLl+hZhbcCgYBd+8q2AMI6ktZ4EADyV6HEepUphiHZ70GS9rlWnTVifR3KP34s
+bofWwDBU86fXrfiYJKz+rYs2Z4YGfzIh+36JB8C/FGL3fwBIMwR3Ny/k2LJptQ5s
+5U4st525yx0hhHTbiWKHF01bCC7g+VXbo5MP6iemLeYbfqLYkHvLIYZ/IQKBgENe
+T6vR0Cthw0XpvIFPg2/ERyGq6th/8ZsGrcNndXory9UvGNY0w3Kl+4yE5cVHmYt8
+WafxzZIsc/erBGbpYnJOT0MsmnioM48WoL3/XccT4nKUYyZnlkDu5/5BqG4T+iU8
+d0NcIAbIk3uvPwE9LS7FsTNJkJ0sQB3QBr5vE3wpAoGBAM5aCO/GIa++tCQZ5N9x
+eNd3Uta8C6JI+KVROCNda8auFHeh9lfYgv1Kj64nmJZErG4PwuYwdWQ8FnDrpM+f
+YMRz/rpcvqL01XswnYgr72EV/qnEDtVLG4x6rY0n2Rd2/i4NMMIcqxVZZdnoAh7A
+Y+IqIDCAvPM/NjRTAMUDqFj3
+-----END PRIVATE KEY-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlqgAwIBAgIUBTzs7SaBLAIqAkrE7TopFWYJguAwDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIyMDMzMTE1NTg1OFoXDTMyMDMyODE1NTg1OFowWjELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEWMBQGA1UEAwwNd2F6dWguaW5kZXhlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALxX8FEvVhYxmY5gI0Ey1LEufIFQ6RWd4X6j
+p824AXazO/8fYKkf2gSmYfiAH3Hrps027B9vZMc7B859jJIDcgbDIqTzHILX7qZb
+RAhbM28BhE4GkMPSVnAzEvB/c95wVfM3aES5M49q9LoHoFpOWFh86BIXApBQkgov
+Or79N/DMlRbzv/m4jr4alJd1UEUU6uNyae3FqEyucG/ebEmWyvrQsdx9dw9z6q2s
+0ZWaYP9XSwUTQaL2bTu+kracOeNrQgwTgDqz8mjROVekYqVeLwFeLGNqzVZmf2B9
+7tWtO0JimQYUuNYL5HPW0cGfAqSOhU1CvGu93uHu1T86ZKzuBMcCAwEAAaNVMFMw
+HwYDVR0jBBgwFoAUhwVk/zxcbNU6lDR9eD1UtbdGMqUwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwGAYDVR0RBBEwD4INd2F6dWguaW5kZXhlcjANBgkqhkiG9w0BAQsF
+AAOCAQEAXAgTFAGo4BVcGSCSRtqpW2Y6NmYOx2n60sN+1Gkvqkto8qngimr/D3o0
+Biy14GO5Y8he9lVVXaM/r5UTm96VRYRoTP2jug6J2wBAag/gTIBbwwwV71luBAq6
+jiccjPSdrZumHj0alO1yMYAxTowqg9wiBlzYgDiURmaX6Yty+48BGiwetAxdb9FI
+XW9fJgWdvjdPzbdtB60ce9mqdKKg1gHzIQaBKYuYxNfHaJ6NEO6NqBGiXKJ0RFDG
+cZ8L5U+vieD/9re0v0wUPjfOyccqg684/Hexiad3uQpeppFGKqdwSMR4WjYIsvWu
+55a2YACV03UKQrwTb+Kn4ejlWKF8rA==
+-----END CERTIFICATE-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDe35HaipLAWf9F
+PxdMNeH6e3iQS39iQs9TgVsnxMw3Xvhi17kyt42sEfZkzxT0nHirQXNI5cAYHZR8
+baa25vMdNPQTX1OxdeL8ptsvDnn37pREbxlqZN4rZ7mIrIVSbCoS0f/nrk2EZVeD
+vTqU6zWtVPmXMfRGl/cAQLP+ieTB8ZkmKzwNn7/hyj3qVbX2201JLZIKhUlo02gD
+u5XnVuQZJG244G6BmBJTb9Bq8K7NwJmAKRxVgAWLrbwneyn3X67UoZn7tbO2QyyG
+JRR5dnapi6EpSx27uMHNWptUp51/TxgIuP7bw8ZAv81RTy2jlYHzR3tZGapWVAeH
+B8S+SCnJAgMBAAECggEBAJWLIcynyowyVuxZxwIl7Xkqu9zmK5T9CywW0dk/XV+R
+48w+v09ehjr82n0NzhvLmdQfWIGDV39W6bkLwh9bm6jvTQ5qmjeqyCGKu+s5JXHM
+rcO1YDJZeBFbycwBJnwFg72ZFsKX2/+IGE6W++XMZPnm2IowxJ1RfjS3NY8Ha20N
+s9Pilp801fnBkEXr5dFwMggeD9mbALa9MW0KuXCGwIIeXbsIP7C/HohTxgwp+cxg
+0FqagILBcQ0Gw+cx2f2WFY5d238OMWF9S6587T8A1wIXUVfqyv0TIwJh8kQWgUxz
+LXYZYQxC4bty8TEh58hsTlrBw4Y0vtNM51yevGtjdGECgYEA/4c3vHANOKY25z/j
+LkRAhhBqQxSO2Hl3tTC0l54yZ6KJ/pdQik+66mRe10hUcfCES/5FzHlJIiF1sVFa
+N6n4AigrzF8opjRYLoM/JEMFZKBITkYT9huh9CY1MN5gvXJgEjxHaZ3gr7BBhNfj
+/Ds/v7oP4sGx8c4RxxC5lxpa7i0CgYEA30jqtHQpF4AuIqKZTbfbClThfOgvCX93
+mEPEmckcv8GUpfZvhNqmul/IYxPSwGtNh875DheDg37COAwhqVZhqPH5R4vAaJgt
+BqDqsLjzRtstWDmAsyue+HfJmujLmaBqdv+ZZWzPS285gLL3AuoHUEnF7t43wZ0d
+CUCtEI4Gx40CgYEAlDJe7+nosRctNncGEhpBdb9lcZwlsITaGXqy8lAsmZBaCg7G
+BkFxfWlS2/a2CxLcF5rT7l/VO3c+Y+Vztl7cWJvlsvTphWNMVUWHREeehBq1dLgN
+8albB1d1d+8xGg6Qi2LsY+PNoPdPOHVhYzMVqOOHPRLrWfsSsmoPyQPfAs0CgYBN
+PX0rpY9deNL82kCsGPDl9wz116AF6hlmC/Nju6V9VCrm6oQTckwA5wd79qyOMdBl
+LZ0MWef9wgjPuKqgWKh5+BLixB5wUEwrIdlt/tzxYvqhrWqvEGTy0QVl2CguYcbS
+mYLoCib/kl9S/RXj5S9Yf9y/0BF7oa0cuUnlEyyXNQKBgFktEg1mnIZ4NNurwVVy
+GscbGTaNqiLCVar5/sEICAb46oWeEiTubm9nIrml7L5PHgWBX8ko0bCNECvZB6oP
+hsHTw5q7mSPT//TO9hQhNK2WvK82e8yuuNGEiAZ1TIHILqxDCcTKPATIU/PO//aZ
+ziy5/xTwidJVHqPBuZrjHLD9
+-----END PRIVATE KEY-----

single-node/config/wazuh_indexer_ssl_certs/wazuh.manager.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDcjCCAlqgAwIBAgIUBTzs7SaBLAIqAkrE7TopFWYJguEwDQYJKoZIhvcNAQEL
+BQAwNTEOMAwGA1UECwwFV2F6dWgxDjAMBgNVBAoMBVdhenVoMRMwEQYDVQQHDApD
+YWxpZm9ybmlhMB4XDTIyMDMzMTE1NTg1OFoXDTMyMDMyODE1NTg1OFowWjELMAkG
+A1UEBhMCVVMxEzARBgNVBAcMCkNhbGlmb3JuaWExDjAMBgNVBAoMBVdhenVoMQ4w
+DAYDVQQLDAVXYXp1aDEWMBQGA1UEAwwNd2F6dWgubWFuYWdlcjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAN7fkdqKksBZ/0U/F0w14fp7eJBLf2JCz1OB
+WyfEzDde+GLXuTK3jawR9mTPFPSceKtBc0jlwBgdlHxtprbm8x009BNfU7F14vym
+2y8OeffulERvGWpk3itnuYishVJsKhLR/+euTYRlV4O9OpTrNa1U+Zcx9EaX9wBA
+s/6J5MHxmSYrPA2fv+HKPepVtfbbTUktkgqFSWjTaAO7ledW5BkkbbjgboGYElNv
+0Grwrs3AmYApHFWABYutvCd7KfdfrtShmfu1s7ZDLIYlFHl2dqmLoSlLHbu4wc1a
+m1SnnX9PGAi4/tvDxkC/zVFPLaOVgfNHe1kZqlZUB4cHxL5IKckCAwEAAaNVMFMw
+HwYDVR0jBBgwFoAUhwVk/zxcbNU6lDR9eD1UtbdGMqUwCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwGAYDVR0RBBEwD4INd2F6dWgubWFuYWdlcjANBgkqhkiG9w0BAQsF
+AAOCAQEAJzaP0Ui4dnXJnruBNIu/XjZUC82+BmQ+DhwfQO5BKT9DXSllGLli2ZcQ
+fRmaaqtgO8T3ar/eMVH7296qZNrLvNLBjyuxm1fOKyDtANTUsJdXbpHJuzWrq9rT
+BvovBkrP3HJQNX3R9nHM+ZcrONA4uQCgDTqNnvle9N3R7FhXVMFtrMlha1N1jehJ
+hs9JGfVA0W3txw8nPiyLs1xyenQSALpROntIr5e8zN+GVRGtYCDjk4Mcuiw9TNqc
+mVKADqxH2CBOQ/+tpOvmUFC6iLf2hPcp/gQ2Bgp/6L2ko4KYsLGTeA34OZJuSjIh
+9zldYNWPUbg4IcpMhQ8rXE1qetOlug==
+-----END CERTIFICATE-----

single-node/docker-compose.yml

@@ -14,8 +14,13 @@ services:
     environment:
       - INDEXER_URL=https://wazuh.indexer:9200
       - INDEXER_USERNAME=admin
-      - INDEXER_PASSWORD=admin
-      - FILEBEAT_SSL_VERIFICATION_MODE=none
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=acme-user
+      - API_PASSWORD=MyS3cr37P450r.*-
     volumes:
       - wazuh_api_configuration:/var/ossec/api/configuration
       - wazuh_etc:/var/ossec/etc
@@ -28,6 +33,10 @@ services:
       - wazuh_wodles:/var/ossec/wodles
       - filebeat_etc:/etc/filebeat
       - filebeat_var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
 
   wazuh.indexer:
     image: wazuh/wazuh-indexer:4.3.0
@@ -46,6 +55,13 @@ services:
         hard: 65536
     volumes:
       - wazuh-indexer-data:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/config/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/config/wazuh.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/config/wazuh.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/config/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/config/admin-key.pem
+      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/config/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
 
   wazuh.dashboard:
     image: wazuh/wazuh-dashboard:4.3.0
@@ -57,6 +73,14 @@ services:
       - INDEXER_USERNAME=admin
       - INDEXER_PASSWORD=admin
       - WAZUH_API_URL=https://wazuh.manager
+      - API_USERNAME=acme-user
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
     depends_on:
       - wazuh.indexer
     links:

single-node/generate-indexer-certs.yml

@@ -0,0 +1,10 @@
+# Wazuh App Copyright (C) 2021 Wazuh Inc. (License GPLv2)
+version: '3'
+
+services:
+  generator:
+    image: wazuh/wazuh-certs-generator:0.0.1
+    hostname: wazuh-certs-generator
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/certs.yml:/config.yml
+      - ./config/wazuh_indexer_ssl_certs/:/certificates/